Episode Transcript
0:53
How's it going , Andy and Helmuth ? It's really
0:56
good to finally have you guys on the podcast
0:58
. I'm really excited for our conversation today
1:01
. Same here .
1:01
Excellent , good seeing you .
1:04
Yeah , it's that time of the year where
1:06
you debate about
1:08
taking time off of work or
1:11
if the work is going to be so light
1:13
that there's no point
1:15
in taking any time off , and so I'm in that
1:17
conundrum right now with
1:20
my day job .
1:21
It's a weird wind down this year because the stock market
1:23
keeps going up , so I think people are keeping people
1:25
glued to the screen a bit , isn't it ?
1:27
Right . Yeah , it's an interesting time . I'm waiting
1:29
for it to all come back down . Honest
1:31
, it's a little alarming that it's going up right
1:34
now . I feel like it should be going the other way , but whatever .
1:36
I think , enjoy it while you can . It's probably the adage , isn't
1:39
it Right ?
1:40
Right , yeah , I got a couple of friends
1:42
that are definitely enjoying it
1:44
. Right now we have a group chat and it's always
1:46
fun to see what they're saying about
1:49
it Absolutely .
1:50
What are your expectations for 2024 ?
1:52
Yeah , I think 2024
1:55
is going to be an interesting year . I
1:57
think it'll be a year of
2:00
reinvention and emergence of new skills
2:02
and new demand and whatnot . But before
2:05
we dive into all of that , how about we start
2:07
with your guys' background
2:10
? How did you get in IT ? How did you get into
2:12
security ? What made you want
2:14
to go down that path ? And the reason
2:16
why I started everyone off with this
2:18
question is because
2:21
I have a section of my audience that
2:23
is trying to get into security . They're
2:25
trying to get into IT , they're trying to make that
2:28
jump , and I've always found that
2:30
hearing someone else's story and maybe
2:32
you relating to that story , makes
2:34
it easier , opens up that possibility
2:36
in your mind to say , hey , I could do this
2:38
too . So , Helmuth , why
2:40
don't we start with you ?
2:42
So actually I didn't start off
2:44
in IT . I started
2:46
more running different businesses
2:48
, a large conglomerate at
2:50
Siemens , where I was responsible
2:53
for different regional businesses , and
2:55
then businesses managed
2:58
from outside of headquarters
3:01
, namely mostly from the US . Siemens
3:04
started to explore the
3:06
future of their industrial business
3:08
, going more and more into software and data analytics
3:10
. We acquired a software company headquartered
3:13
in Plano
3:15
, Texas , formerly an EDS offspring
3:17
, and that brought me closer and closer
3:19
to the IT world
3:21
, but really coming from the software
3:23
angle , and the idea was
3:25
to bring the physical and the virtual world together
3:28
. And so I had then different responsibilities
3:30
in the industrial sector , in Siemens , and
3:33
my last role in Siemens
3:35
before I retired after almost 30 years
3:37
was their global CIO . So
3:40
coming more from a business angle into
3:42
the IT world , and the idea
3:44
here was to make sure that IT and
3:46
business is really closely
3:49
interconnected and creating value
3:51
, one together with the other . Most
3:53
of the businesses in the industrial
3:55
world today , even so , they come from very
3:57
much from a physical world . They're now
3:59
enhanced by data analytics and enhanced
4:02
by software and bring , then , these two
4:04
worlds together . That was the task at Siemens
4:06
and this was also the task of bringing
4:08
IT and the business closer together
4:10
and in this context you can imagine
4:13
, cybersecurity plays an absolutely
4:15
key role . Cybersecurity on the
4:17
IT side , but as much and
4:20
as important on the OT side . And
4:22
that brought me closer and closer to
4:24
the cybersecurity world which
4:26
we will be discussing today .
4:29
Yeah , it's a . It's an interesting
4:31
time right
4:33
In history when the worlds started
4:36
to kind of merge together . I
4:38
feel , and you
4:40
know it like opened up the world
4:42
of possibilities , of , oh
4:44
, I can control that pacemaker
4:47
and I'll control it in a way
4:49
to where no one knows
4:51
that I ever did it right . I'll erase
4:53
all the logs , I'll erase everything
4:55
that was on it and whatnot , and so
4:57
it it opens up a
5:00
really a really big world for IT and everything , interesting
5:02
space where you know
5:04
I think it's even described pretty well in the zero
5:06
day book by Kim Zetter you know she
5:08
talks about how you know
5:10
these generals and these colonels you
5:13
know watched as this generator just
5:15
blew itself apart because someone with a
5:17
computer you know from a mile away
5:19
decided to hack it and put
5:21
some malware on it that made it operate
5:23
at speeds that it shouldn't have been operating
5:25
at . So , Andy , how about your journey
5:28
? What was that like ?
5:29
Well , I started off with a typical scientific
5:31
degree in chemical physics and
5:34
did some programming on the
5:36
BBC micro when I was at college , but not
5:38
much , but I know basic pretty well
5:40
. So from
5:42
there I went to work in pharmaceutical
5:44
research and actually built a molecular
5:46
graphic modeling system , which was a
5:48
ton of fun . They taught me how to program and
5:51
I learned in Fortran 4 with
5:53
variables that weren't even declared and stuff
5:55
like that . So within a couple of years
5:57
I discovered that assembler was quite interesting
6:00
and that understanding how computers worked
6:02
was pretty interesting as well , and
6:04
I spent 10 years just writing code
6:06
. I kept being asked to take management positions
6:08
but didn't want to , and in the end I
6:10
became a contractor for six years when
6:13
I worked at Marconi's and BT and built
6:15
a whole bunch of different things as well Outside
6:17
of my day job , just so that I
6:19
could continue programming . So by the
6:21
time I went back into the corporate workforce
6:24
in 1994 when
6:26
I joined Paribas , I had
6:28
a lot of programming experience , and during
6:30
my time at BT we'd also run the
6:32
ARPANET Janet project , which was the
6:34
first connectivity across the Internet in
6:37
the days when gopher and FTP were probably
6:39
the only mechanisms you had for
6:41
collaboration and sharing . So
6:43
it was a very interesting time . Obviously the rise
6:45
of Mosaic and Netscape and so on
6:47
happened in that period as well . Then eventually
6:50
the Microsoft all out
6:52
gushed out to go to the Internet , which was
6:54
also quite fun to watch . I
6:56
had 20 years in financial services in
6:58
various different jobs , always technical
7:00
at one level or another . So CTO
7:02
roles , for example , had security report
7:05
to me two or three times over that period of time
7:07
as well . So pretty honestly , going back to
7:09
the ARPANET Janet connection , I think from
7:11
that point on security was born
7:13
. As soon as you could address everything
7:15
from the network , then it became the
7:18
protection , became like one of the most
7:20
important things . In the beginning
7:22
, as you probably remember , there was no real commerce or payments
7:24
, but as soon as that stuff started to emerge
7:27
then people started to worry about fraud
7:29
and so on . So I
7:31
feel like I kind of grew up in the environment
7:34
where security started and
7:36
many of my friends who've been CISOs
7:38
on Wall Street all came out of Bell
7:40
Labs in the US and the same is true in the UK
7:43
. Many of them came out of multiple labs , actually
7:45
into the CISO roles in UK companies
7:47
too . So I feel like I've been
7:50
at this for 30 years or so actually
7:52
, and for the last 10 or so
7:54
have been investing in companies , have been on
7:56
the board of Zscaler , watched Zscaler
7:59
grow from nothing
8:01
really to something pretty substantial , and
8:04
also watched Zero Trust grow
8:06
as a way of thinking , a philosophy
8:08
, if you like , for defense , which I think any
8:11
football coach would understand , strategy
8:13
around defense and attack
8:16
being very important . I think that's now true in
8:18
the enterprise as well .
8:19
Yeah , it's really interesting
8:22
. So it sounds like you were at
8:24
the start of the internet and you
8:26
were in the space , I guess , learning
8:28
as everyone else was . What was that
8:30
time like ? Because learning back
8:32
then is a lot different from
8:35
learning right now . You know , if
8:37
I want to learn a topic , I'll go on YouTube , right
8:39
, I can hear lectures from MIT
8:41
, Harvard , you know whatever it
8:43
is right , but that's all on the internet
8:45
, right ? I'm basing all of my learning
8:48
of a new topic on the internet . You're
8:50
at the forefront of the internet
8:53
. So what was learning
8:55
about what this thing was ? What
8:57
was that like ?
8:58
Well , I mean there's a lot of reading , to be honest . So
9:00
I mean I read , I think , every VAX
9:02
manual , every PDP manual , front
9:04
to back basically , and
9:07
while I was programming Assembler , I mean you need all
9:09
the help you can get . I also discovered
9:11
early on that microfiche was really useful
9:13
because you could actually read how
9:15
the systems programmers were writing
9:18
code , and I followed
9:20
like Bill Lang who designed Bliss
9:22
, and so I would basically look at the code
9:24
they'd written in a new release of the operating system
9:27
to learn the tricks and techniques from them . Obviously
9:29
, being surrounded by great people really helps
9:31
. The person who sat next to me
9:33
at ICI was a guy called John Farringdon
9:36
. He taught me what symbolic debuggers
9:38
were , and before then I was just , you know
9:40
, using print and stuff like that , and you
9:42
take these kind of massive increases
9:44
in performance just by meeting people and
9:46
, to be honest , that that's something that I've
9:49
continued to this day . If you want to know
9:51
a subject , go to a subject matter
9:53
expert and find out what their points
9:55
of view are , what they think is interesting . And so
9:57
I remember one particular incident at Paribas
9:59
where DEC actually bought in a guy
10:01
called Scott Davis and I'm like are
10:03
you the Scott Davis that wrote DECnet and he's
10:06
like , yes , I am that Scott Davis , and
10:08
who's the man , who's the TCP/IP consultant
10:10
into Paribas and I'm like , dude , I mean , you're
10:12
my hero . And
10:15
so I think you've
10:17
got to kind of think about every
10:19
protocol in terms of how it could
10:21
be breached . And often people
10:23
forget about those legacy protocols , by the way , and
10:25
that actually is a mistake . But
10:28
largely they're gone , but not totally . I mean we
10:30
still see mainframes in probably most of the Fortune
10:32
500 . And where there are mainframes
10:35
you'll find SNA not far away . So
10:37
just a quick in
10:39
touch with the past comment there .
10:41
But , Joe , actually let me add to this
10:43
I think some things have changed
10:45
, some things have not changed . So number one is
10:47
you get a lot of basic knowledge going
10:50
on the internet , watching
10:52
YouTube , using ChatGPT gets
10:54
you all into the area
10:57
, but to really
10:59
develop deep thinking
11:01
and new reflections , what has not
11:03
changed talking , go and see number
11:06
one and see . The second part is what
11:08
Andy just described be with people
11:10
that are really in the subject matter . And
11:13
I remember , Andy , we spoke a lot virtually
11:15
together , but it was so different when we
11:17
met the first time and I
11:19
tell you , being two hours with Andy , you
11:21
learn a lot , much more than you can learn in
11:24
several days on YouTube . So I
11:27
don't think this is really replaceable . I
11:29
think you know then you might
11:31
get a certain basic knowledge , but if you really
11:33
want to get deep into any subject , it's
11:35
the best thing for developing your critical thinking
11:38
and this domain is being with people
11:40
that are experienced and willing to share
11:42
.
11:43
Yeah , it's really interesting . You know , do you think
11:45
that that also translates into
11:48
work from home culture
11:50
that we kind of got it became more prevalent
11:52
with COVID , right , where more
11:54
and more companies are working from home and
11:56
now employees don't really want to
11:58
go back to the office because they're not finding the
12:00
value in it . Right , and I
12:02
think from my perspective , right , my
12:04
stance on it is I'm very pro work
12:07
from home , but there could be
12:09
absolutely something that you're losing
12:11
with not going to the office and
12:13
for me it's difficult to
12:15
try and put a value to that
12:17
, right . So then it's , it's harder
12:20
, at least for me right now . So
12:22
, like , put a value to that , to say like , okay
12:24
, should I go in , should I stay at home
12:27
? You know all these sorts of things , right
12:29
? What's your opinion on that ?
12:31
Yeah , Joe , I think you know that , that I
12:33
teach at a business school and it
12:35
was very interesting , Of course , when COVID hit . We
12:38
had to go virtual from one day to the other . Then
12:41
there was a way , for everybody wants to be back
12:43
. Now what turns out is
12:45
we get more and more into a hybrid situation
12:47
where a lot of the material is
12:49
actually prepared , for example , in videos
12:51
. You get to this basic knowledge Once
12:54
in a while . A lecture can be perfectly
12:56
done virtual . It works very
12:58
well , but only in the combination
13:00
with being back in the classroom
13:03
, especially in group work , being
13:05
in a group where students work with other students
13:07
in a life setting , and then going again
13:10
for a while virtual . That works , but
13:12
I think it's really critical , this
13:14
direct personal interaction . So
13:17
I'm , I'm neither one nor the
13:19
other . I think the hybrid is really the most
13:21
effective way of working together now and
13:23
going forward . Andy , what do
13:25
you think ?
13:26
I think randomized hybrid is the worst
13:28
possible outcome . So when
13:30
people go to work when they feel like it , that never
13:32
works . The companies that seem to be doing this successfully
13:35
are saying let's go into the office Tuesday
13:37
and Thursday , and they actually specifically
13:40
look out for social moments , teaching
13:42
moments , you know , water
13:44
cooler moments and so on . So
13:47
my point of the honor is that there is
13:49
no substitute for John Farringdon
13:51
teaching Andy Brown . There isn't , but
13:54
you know , during there isn't . I mean , I would never
13:56
have advanced as quickly without his
13:58
help . Right , and he was . You know
14:00
, he's a genius . He actually worked at ICI
14:02
, invented Diquat , and then he
14:04
did a computer aptitude test with Burroughs and he got
14:06
100% . So Burroughs recruited him
14:08
. So suddenly he came back when he was , when
14:10
he was older . He's an absolutely brilliant
14:13
guy , and so I don't
14:15
really think there is a substitute for that
14:17
. But I do think that once
14:19
you've built relationships with people , you
14:21
can work very effectively with them remotely because
14:23
you know them . But if you don't spend the time at
14:26
the beginning to build the relationship capital that
14:28
you need , I think it's hard to approach
14:30
people with a problem that you don't know
14:32
well . So I think that that's that's
14:34
the point I would make . I think familiarity
14:36
is very helpful in relationship
14:38
management , and being prepared
14:41
to not know the answer and ask somebody
14:43
for help is a sign of strength
14:45
in every organization that I've ever run .
14:47
So yeah , I think that there is
14:49
a lot of benefit going to
14:51
a hybrid model , especially
14:54
for the people starting out Right , I couldn't imagine
14:56
trying to get into this field , right
14:58
? So , you know , I got my bachelor's in criminal
15:00
justice , right , nothing computer related
15:03
. I didn't code before and I
15:05
still don't code today , right
15:07
, like thankfully right
15:09
, somehow I have missed that , that skill
15:12
curve , and I couldn't imagine
15:14
how difficult it would have been getting into
15:16
the field with without having
15:19
that face to face interaction
15:21
with my leads , with my , you know
15:23
, engineers , and saying like
15:25
, hey , what is this thing , you know
15:27
? And they actually pull it up , pull it
15:29
up on their screen , show me , talk
15:32
me through it , guide me doing
15:34
it , doing it myself . You know , those
15:37
sorts of things are really
15:39
, they're irreplaceable . You know , a screen
15:41
share doesn't do it justice because , you
15:44
know , with a screen share , once it's over
15:46
, it would to me
15:48
it would be rude to start it back up again
15:50
and , you know , ask more
15:52
in depth questions , right , it kind of puts that
15:55
barrier and I consider myself not to
15:57
be very , I guess , extroverted
15:59
or whatnot . I mean , people would probably contend
16:02
with me running a podcast if
16:04
I'm actually extroverted or not . But you
16:07
know , once the conversation is
16:09
over . You know , most people are not going to fire
16:12
it back up . Start diving into
16:14
it again . Right ? It's a complex
16:17
social situation , I feel
16:19
.
16:21
I agree with you , I mean , I think the one thing
16:23
that's probably good is that you can
16:25
ask multiple people the same question and
16:27
actually essentially crowdsource the
16:29
answer , which can be very helpful . And
16:32
if you look at how Slack is often used on
16:34
tech channels , that's often the way it's being
16:36
used . So I think , pros and cons . Personally
16:38
, I think I would rather have not read the
16:40
microfiche my glasses may not be so thick
16:42
right now if I had . So
16:44
if I hadn't rather . So you know
16:46
, they're definitely better off
16:48
today and it's much easier to come up with learning
16:50
curve faster . However , you
16:53
have to be intellectually curious and sometimes
16:55
you have to look onto the cover , because often
16:57
I think cloud programmers haven't
16:59
gone deep inside to really understand
17:01
how the computer works to allow them to
17:03
optimize their code , and many people would
17:05
say you don't need to do that . But I've seen code
17:08
written by people that do do that and they're usually
17:10
extraordinarily thoughtful about how they write
17:13
code . So I like a combination
17:15
of the two .
17:16
It's interesting , you know it
17:18
sounds like I mean , this
17:20
was one question that's taken 20 minutes
17:22
right , it sounds like the
17:25
winding path through
17:27
your career is the best route to
17:30
you know security , right Overall
17:32
. I think we would all probably
17:34
agree on that , which is it's not
17:37
what the younger generation wants
17:39
to hear . Right , I've done
17:41
mentorship sessions , right , with
17:43
people that are fresh out of college
17:46
or maybe they're just about to finish up college
17:48
and they're asking me what's the best way to get into
17:50
security . You know , and I
17:52
take them down , this , you know , kind of winding
17:54
path right , of being one option , and
17:56
they're like , well , if I do this boot camp over here
17:58
, you know it's eight weeks or 16
18:01
weeks , whatever it is , and I'm in . So
18:04
, yeah , you might , you might be in , but
18:06
you're not going to have the level of experience
18:09
that the industry is expecting of you . You
18:11
know you're not going to have the skill sets that
18:14
everyone else is expecting you to have
18:16
. You know , for instance , right
18:18
, if I went to work at Siemens and
18:21
they deal in in nothing
18:23
but IoT devices pretty
18:25
much , you know the the hardest
18:27
devices to secure
18:29
on any network , that's
18:31
what they deal with , that's their bread and butter , right
18:34
, if I , as
18:36
an experienced engineer , if I go in
18:38
as an analyst , I'm going to be in over
18:40
my head most likely , I feel you know , because
18:42
it's a section of security and
18:44
IT that I've never touched before . Is
18:47
that also what you guys recommend
18:50
to people getting started in security
18:52
? To have that winding road , to not worry
18:54
, you know , about maybe
18:56
not having that , that direct path ?
18:59
I'm not sure . I think what you just described
19:02
is exactly . What's necessary is
19:04
curiosity . I mean going , even
19:06
if it's just an eight week or 16 week workshop
19:09
. I mean , if you expect , then you know everything
19:11
. That's probably a pretty unrealistic expectation
19:14
. But if you're willing to keep on
19:16
learning , that's probably the best . It's
19:18
the best road to get into
19:20
it and it's always a mix
19:22
between getting a foundation
19:25
, a theoretical foundation , understanding
19:27
the topic , similar to what Andy said
19:29
before . You know at some point in time
19:31
if you're in IT , it's probably
19:33
best you have coded at some point in time . You
19:35
don't have to do everything , but going
19:37
deep for a certain period of time
19:39
and understanding the dynamics
19:42
helps you enormously afterwards and
19:44
putting the applications into context
19:46
. And I think that's true what you just described
19:48
also on cybersecurity . You
19:50
just have to go deep and for
19:52
a certain period to get the foundations
19:55
, and then it's all about practical applications
19:58
. It's about understanding what is it actually
20:00
really used for ? Where does it create
20:02
value ? So , not staying in the theory
20:04
, but creating a theoretical base
20:06
and starting from there in certain
20:09
directions understanding where's the application
20:11
, where the risks , but also , and most
20:13
importantly first , where the opportunities
20:15
and where's the value created . We
20:17
start a little bit off this on kind
20:20
of the negative side all about . You know
20:22
it needs to be protected . Well , the first question
20:24
is why do you want to protect it ? So where do
20:26
you create the value that actually creates business
20:28
value ? And you just described the IoT
20:31
world . I think there's an enormous opportunity
20:33
for using the data
20:36
that are collected , be
20:38
it on a factory floor and one
20:40
of the Siemens factories . It's a factory
20:42
in Bavaria , in Amberg . It's
20:45
several times the factory of the year and
20:47
in Europe and now from the World Economic
20:49
Forum . Why ? Because they have
20:51
a lot of people that have deep domain
20:53
knowledge in their segment
20:55
, and then they bring this together
20:57
with IT knowledge and then all
20:59
the cybersecurity knowledge , and I think that's
21:02
a combination which is really the winning one
21:04
. Coming back to your question winding
21:06
road or not , creating a good
21:08
foundation , building on it and then
21:10
being exposed to the real applications
21:13
that create value for clients , and
21:15
then thinking about how
21:17
do you secure it to make it consistently
21:20
successful . I think that's really
21:22
always a good approach , and then you
21:24
probably want to go back and go back into learning
21:26
mode again .
21:28
Yeah , I mean , I think there's kind of two things
21:30
that I would just pick up on there . The first
21:32
one is that this generation
21:34
of workers has to be lifetime learners
21:36
, and AI is
21:38
going to change the jobs that are useful . They're
21:41
going to change the pay rates for jobs as AI's
21:43
get more and more clever and
21:46
able to orchestrate . So whatever
21:48
you're doing right now , in five years
21:50
time it could actually be valueless . So
21:53
you have to stay ahead of that and you have to keep
21:55
thinking about what's going to get commoditized next
21:58
. If it's a skill that I'm currently
22:00
have , that's good because you can build from
22:02
it , but the question is , where's the part going
22:04
? I think . So reskilling and relearning
22:06
and learning new things is
22:08
super important . The second
22:11
thing is that you can't restrict yourself
22:13
to a single industry . Many people
22:15
in financial services work in financial
22:17
services their entire career . Many of the best
22:19
CISOs I know came from telecom into
22:21
financial services and then went on to do a whole
22:23
bunch of other things after that . The
22:25
way I looked at programming when I was 21
22:27
is that programming
22:29
itself is a completely transferable
22:32
skill into any industry . I
22:35
used it to learn how to model
22:37
protein binding sites , how to automate
22:39
refineries , and how to automate an entire
22:42
telecom company that used to be a
22:44
public utility , which is not easy , by
22:47
the way . So
22:49
, in financial services , same thing , but
22:51
again , each business : Paribas , very
22:53
different than Merrill , very different from Credit Suisse
22:55
, very different from UBS . And now , in the
22:57
last 10 years , working on everything
23:00
from how do you optimize wine growing
23:02
to how do you build security companies
23:04
. So , to me , the transferability
23:07
of the skill gives you the opportunity to
23:09
learn many different industries . IoT is obviously
23:11
an up and coming one and a good one to learn , but
23:13
that's about where the puck is moving . The puck's
23:15
moving to IoT . That's a good skill to learn
23:17
. As a security professional , you can start
23:19
to push your career in that direction fairly easily
23:22
. So the winding road is often , I think
23:24
, dictated by future market
23:26
trends , but your intellectual curiosity
23:28
and your ability to keep reading is what helps
23:31
you identify what those trends are . So
23:33
that's the way I would say it
23:35
.
23:35
Yeah , I guess it's not fully
23:37
accurate for me to say that I've
23:40
never coded or anything like that
23:42
. I say I've probably learned
23:44
Python like five times over . The
23:46
issue is that I don't use it
23:49
regularly so I forget
23:51
things that I learned six , seven
23:53
months ago and now it's like I have to
23:55
go relearn strings or
23:57
functions or whatever might be . But
23:59
I do fully agree with what you're saying
24:02
. Coding is one of those basic
24:04
foundational principles where you
24:06
take that learning and then everything
24:09
else starts to kind of make sense and it fits
24:11
into its place . I just haven't thought of it like
24:13
that in such a long time , because
24:15
now I just do it so innately
24:18
of deconstructing a problem or
24:20
deconstructing a system to seeing
24:22
how it works , when I'm picturing it in my head
24:24
, right of what that is you know in
24:26
Python or what that is in
24:28
code , and I'm doing that without even thinking
24:30
about it . But in the beginning you're learning
24:32
these things . It's like an epiphany . But
24:34
it's like , oh my God , that's how , that's how
24:37
the network stack works , that's how this
24:39
server works , that's how it communicates
24:41
to something else , all those sorts
24:43
of things . It just becomes an epiphany .
24:45
I think many theoretical things , Joe , also
24:48
. You only actually get them when you see
24:50
a practical application of them . String
24:52
theory , graph theory , I mean you know , graph
24:55
theory , yeah , okay , kind of get it , no , it's okay
24:57
, but as soon as you see the power of building
24:59
a graph , you're like , wow , this is really
25:02
cool . So I totally
25:04
think what you're saying is 100% right .
25:06
Yeah , it's fascinating , right . Like
25:09
you talk about being a lifetime learner
25:11
. I mean , it's never ending . I guess that's what
25:13
drew me to security personally , right
25:16
is being able to be a lifetime
25:18
learner , because for a long time I
25:20
was in the mentality that IT was
25:22
like the most boring thing , because I had only seen
25:25
help desk and I only did that
25:27
one thing and I'm like man , this would be miserable
25:29
If I have to spend my entire
25:32
career in help desk . I didn't even
25:34
think that there was another side of IT or
25:36
anything like that . It's that always learning
25:38
part that drew me in
25:40
is because once I figured out like , oh
25:42
wait , like I can literally dive
25:45
deep into hacking cars
25:47
Right , just hacking cars , and
25:50
I'll spend an entire career there . Or
25:52
hacking factories , hacking IoT
25:54
, all these different things it's
25:56
really fascinating . So I
25:58
do have a question , though so you guys have
26:00
your PhDs . A
26:03
German doctorate Well that's
26:05
like what Three American
26:08
PhDs right there , no , no , no , no , no . I
26:10
can't say that 100% is .
26:13
Not at all . Some people would say
26:15
it's proper American PhD .
26:17
So yeah , well , those people don't know
26:19
the German education system . So
26:24
I was studying German in college
26:26
in my undergrad , and
26:29
part of it was spending six weeks in Germany
26:31
, and I couldn't tell you the
26:33
amount of times that I was impressed
26:35
with just the intellectual
26:38
knowledge that Germans and other
26:40
Europeans had compared to
26:42
my own knowledge . Joe , you
26:44
just made a lot of Germans very happy because
26:46
the latest PISA study was actually not
26:48
that positive about German education
26:51
.
26:51
I question that study . Okay
26:53
, but coming
26:56
back to the point I think
26:58
I just want to , this is
27:00
lifelong learning aspect , because
27:02
, as you know , Andy and I
27:04
we just sat down and wrote actually
27:06
a book for board members and
27:08
good board members are actually lifelong
27:10
learners and they know that I don't know
27:12
. So part of being a board
27:15
member is asking a lot of questions , ideally
27:18
good leading questions and sometimes
27:20
completely open questions , but really
27:22
the willingness always to keep on learning , to
27:25
keep on understanding what's the
27:27
opportunity in the business , but also
27:29
what are the risks in the business . And
27:32
this is why Andy and I sat down and
27:34
wrote this book about seven steps for
27:36
cybersecurity for board members , because
27:38
they are lifelong learners and want to have deep understanding
27:41
on many subject matters and
27:43
one of them is actually cybersecurity .
27:45
That makes a lot of sense
27:47
for board members to be lifelong learners . I
27:51
find that as you
27:53
become more experienced , as you
27:55
get higher level roles and whatnot , it's
27:57
more important not for you to
28:00
know everything , but for you to surround
28:02
yourself with the right people that are experts in those
28:04
other areas . So
28:07
you could say , hey , can you handle this question for me ? Can
28:10
you drill them in this way , because
28:13
I don't know this side of it like you do ? And
28:15
, Andy , do you find that true
28:18
with Zscaler right from the
28:20
beginning to the end right now , because
28:23
you're a board member of Zscaler ? Zscaler
28:25
is a fantastic product . By the way , I've
28:28
used them personally , and
28:31
I mean for a web
28:33
proxy solution to say that I enjoyed it . That's not
28:35
something that you hear every day , that's
28:38
true .
28:41
Look , I think board members generally need to be
28:43
people with lots of experience , and my experience
28:45
is that you get the most experience on the
28:47
winding road , which
28:50
is what leads you to the level of curiosity that Helmuth just described . But
28:52
I think your point was going a little deeper than
28:54
that and I just want to touch on that for a minute . When
28:56
you're building an organization that's growing quickly
28:58
, what you have to do is hire people smarter than
29:00
you in every role underneath you . If
29:02
you want to be carried on the shoulders of
29:04
giants and it takes a lot of confidence to do that and
29:09
for many CISOs who are being
29:11
promoted early in their career
29:13
into the lead role
29:15
because of the lack of qualified resources
29:18
and because they're ready but
29:20
they're ready in an environment where people
29:22
are fishing upstream to
29:26
try and get people to take these jobs the danger is that you're
29:28
not ready . You're not mature enough yet to know that you
29:30
need to hire people smarter than you to
29:33
work for you in every single role reporting
29:35
to you . And this is how you actually are able to first
29:37
of all , make sure
29:39
you've got a great succession plan
29:41
in your organization and , second of all , make the next step , which
29:43
many companies you're
29:46
moving from CISO maybe to chief risk officer and
29:49
promoting somebody from within . The
29:51
promotion from within parts in the industry is not
29:53
happening often enough , in my opinion . Right now , there
29:55
are so many searches out at any given point in time
29:57
for CISOs . I'm aware
29:59
of about 10 right now as an example . I think not only
30:01
do you need that from board members to the point that you made
30:04
, you need people
30:06
with enough experience , but oftentimes board members
30:08
who've been in the role for a long time maybe
30:12
haven't had to deal with the level of cybersecurity
30:14
threat that exists today , and
30:16
those are the people that we were at the board with . Right
30:19
, I mean , it's written for everybody , but most of all , it's
30:22
written for people who want to come up to speed with . Okay
30:24
, how do I get my head around this ? How
30:27
do I think about the right questions to ask and
30:31
how do I make sure that we are hiring people really smart , one down
30:33
and two down from the CISO to
30:38
make sure that every defensive angle that we can
30:40
pursue has been pursued ? Yeah , it's a fascinating
30:42
world , right .
30:44
Because I guess for me right , I'm
30:46
not at that level
30:49
yet , and so it's always interesting to
30:51
hear how that world operates . And
30:53
as I become more experienced
30:55
in my own career , I
30:57
start seeing things from a different
30:59
perspective . I start seeing things kind of from
31:02
the top down , being able to
31:04
rationalize different decisions
31:06
that are made within businesses and with
31:09
organizations and whatnot . Is there any
31:11
value to jumping
31:13
ahead , Like , let's say
31:16
, for instance , you go from
31:18
being an individual contributor to a manager
31:20
faster than what you probably should have been . Is there
31:22
any value in biting off more
31:24
than you can chew and
31:27
trying to work through it ? Or
31:29
are there critical skills for you to have that will make
31:31
you successful , like what you
31:33
mentioned of being
31:36
able to hire people that are smarter than
31:38
you in every role beneath you ?
31:40
I think the first step is to recognize
31:42
what you know and what you don't know . And
31:46
we all have a certain profile and background and
31:48
have some depths in some areas and maybe
31:50
are not that strong in other areas , and
31:53
that's hard sometimes . You know a really
31:56
realistic view on yourself and then you take
31:58
the next step and you try to
32:00
find exactly those people and
32:03
put around you that don't look like you , that exactly have
32:05
those skills that you are missing . So
32:09
it's always in every company , in every
32:12
organization . It's not the CISO
32:14
, not only the IT organization or cybersecurity . I
32:17
think in any organization the only
32:19
one who wins is a team . It's never one individual
32:21
. There might be one person
32:23
who is a CEO , but still
32:26
who wins is a team and
32:28
a good CEO . She
32:30
is able to bring the right people together and
32:34
covering those areas where he
32:36
or she is maybe a little weaker and strengthens
32:39
and makes a team really a strong team . I
32:41
think that's number one , and number two is exactly
32:43
what Andy said . Then you look for
32:45
the best people that are much smarter than you are , especially
32:48
in the areas which you don't cover that
32:50
well , and that takes a certain
32:52
level of maturity . That's
32:55
not just knowing a subject matter . Now
32:57
you have to have the maturity to accept that
33:00
you actually work with people that report to you , that
33:02
know their subject matter much better than you do , and
33:06
this is the only way , I think , to
33:08
really advance strong people strongly and
33:10
get ready , as Andy described , potentially
33:12
even for a next level .
33:15
I mean , there's a bit of science on this , Joe to some
33:17
. McKinsey has a fantastic report on this
33:19
that talks about skill distance , which
33:21
is the distance of the role you're going
33:24
into versus the one that you're in . Basically
33:26
, one of my mentors always said to me
33:28
if you're a sixty percent sure that you can
33:30
do the role , take the job , but
33:32
if you're fifty five percent sure , do not take
33:34
the job . Right , because the
33:37
thing is you have to have enough competence , which
33:39
comes from the experience of your current role
33:41
, that you can transfer into
33:43
the new role while you learn the new skills . So
33:45
you're both teaching and learning at the same time
33:48
when you take the kind of step that you just talked about
33:50
before . You know , and my
33:52
my favorite quote
33:54
of all time is from Julius Caesar
33:56
, and the quote is experience is the teacher
33:59
of all things , and
34:01
the older I've become , the more
34:03
I realized how true that is . How
34:05
you attain the experience is very important
34:08
, right ? So people who take more career
34:10
risk earlier , but not too much career
34:12
. This sixty , forty things like very important
34:15
. You take too much and you don't do well
34:17
, you lose confidence and actually go backwards
34:19
. So the people that take
34:21
more risk earlier are the people who do well
34:23
later . Not surprising , but it is . It
34:25
is a fact from the , from the McKinsey analysis
34:28
, that that is true , and
34:30
the thing that they do more of is acquire
34:32
new skills more frequently and
34:34
more often and faster . That's
34:36
what they do well . So
34:38
. So I think many CEOs that
34:40
I've worked for , and with , have
34:42
that skill . They've been able to basically acquire
34:45
skills quickly and acquire knowledge quickly
34:47
in roles . But I think the theoretical
34:50
learner is different than the person with
34:52
experience . And this is a point Helmuth made
34:54
earlier , and that's what Caesar knew about war
34:56
. He knew that the people with
34:58
the most experience on the battlefield knew
35:00
all the tricks that the enemy was going to
35:02
deploy . So I think that
35:05
is super important and that's what you're trying to get . As
35:07
a thirty something or forty something
35:09
, you're trying to become as experienced
35:11
as possible to allow you to deal with anything
35:14
that life throws at you and in a security
35:16
role , anything that life throws that you could be
35:18
the survivor of your business . So it's
35:20
super important
35:22
to understand that , I think .
35:23
I have a corollary to this and I fully agree
35:26
with Andy on the sixty , forty and
35:28
I think it's as bad if it's a ninety-nine
35:30
, one . So if you're
35:32
a hundred percent sure you will do great in
35:34
this job , then you're standing still . So
35:37
you have to feed your growth mindset
35:40
by continuously challenging
35:42
yourself . Just don't over stretch to extreme
35:44
. Then you fall into the trap that Andy
35:46
described . But if you do the other
35:48
extreme , it's not helpful either , because
35:51
you're not advancing anymore . You're not . You're not growing
35:53
mentally , you're not growing this experience . So
35:56
my recommendation to the listeners that are
35:58
at this stage where they're considering a
36:00
next step , always try to find
36:02
something where you have a strong base
36:04
of sixty percent , but where you
36:06
also see it . Maybe it's just thirty
36:08
five percent , but you see that there's a material
36:11
increase in challenge , in
36:13
responsibility and then , out
36:15
of this , also in professional personal growth .
36:18
Yeah , it's very true , and I find myself
36:21
even going down that rabbit
36:23
hole right now with debating of if I should
36:25
get my PhD or not . You know
36:27
I don't want to get my PhD just to have a PhD
36:30
. I feel like there's no value in that
36:32
. You know , I want to get a PhD . I want to get a PhD
36:34
to stretch myself , to
36:36
really push myself to learn a topic
36:38
in depth that builds on
36:40
my previous experience . But I'm
36:43
also not sure of the value that
36:45
it holds in the marketplace , necessarily
36:47
, but obviously if I go into education it holds
36:50
a lot of value . And so I'm weighing
36:52
all of this out right , because I'm
36:54
always looking for the newest
36:56
ways to push myself in learning
36:58
a new topic and kind of redefining
37:00
my skill set right . I've
37:03
done it a couple times now in my career and it's been
37:05
beneficial every single time that
37:07
I've done it . You know , I went from being
37:09
just an IT help desk to , you
37:12
know , doing a specialist with this little
37:14
security kind of flavor to it
37:16
, to being dedicated security engineer
37:18
for organizations , to going into cloud security
37:21
. That graduation is
37:23
, you know , different skill sets all along
37:25
the way . For sure it's an interesting
37:28
balance , I think . What advice
37:30
would you give to someone debating
37:32
about getting a PhD or
37:34
taking another level of education
37:37
.
37:37
I think you know it's , it's less title
37:40
. If it's , if it's a PhD or whatever
37:42
it is , that is actually secondary
37:44
. I think number one is the process . But
37:47
if it's only the process , without
37:49
a product at the end , there's
37:51
a high risk to stop somewhere at seventy
37:54
five percent . The advantage
37:56
of an and it's again it can be a PhD
37:58
or something else on a level where
38:00
you have to , you know , where you have to
38:02
do the very tough last five
38:05
percent too . You have to really
38:07
fully complete it , and I think there's
38:09
there's something in there in this process
38:11
until the final end . And
38:13
there it doesn't matter exactly which type of
38:16
final end is in there . But
38:18
I think what you describe before , this process
38:20
, is critical , because going through
38:22
the process and going through the process with
38:24
all the hurdles you have to jump over
38:26
. I think that really strengthens
38:29
your knowledge base and also
38:31
your confidence that you can actually
38:33
master these challenges .
38:36
Yeah , I actually have struggled with that
38:38
same thing in my twenties , Joe , honestly
38:41
, and I ended up
38:43
managing a student who
38:45
ICI was sponsoring for their PhD
38:47
, who was on my undergrad course in
38:49
London at Oxford . And so
38:52
because my boss left to have a baby
38:54
and I was left in charge of the student , who
38:56
was one of my friends from college , and
38:58
every two weeks I'd go to Oxford
39:00
and meet with Graham Richards , who
39:03
was her professor , and he would
39:05
try to recruit me to do a PhD , and
39:07
I was very tempted to do it , to be frank
39:10
, and I think the thing is that
39:12
that the role I had at ICI
39:14
was actually in the research organization
39:16
, doing research science , so I
39:19
kind of felt like I was already doing
39:21
what I would see . One
39:24
of the reasons why I chose not to become
39:26
a manager early in my career is that
39:28
I wanted to be really deep in programming . I
39:30
did not want to be broad , which is what management
39:32
gives you Later on
39:34
, coming back to it was better . Being older
39:36
, by the way , too , in my opinion , for me , that
39:39
was better , I think , if you have
39:41
the desire to go really deep
39:43
on a topic , particularly if you want to start a business
39:45
on something and you're really curious to
39:47
go explore a topic , then
39:50
going really deep can be great . While
39:53
I was mentoring this
39:55
other student , they were actually building
39:58
a competitive product to the one we built at ICI
40:00
. It was called ChemGraph . So I
40:02
was able to see both sides of it both
40:04
the student who tried to turn that into a business
40:07
when he left college and was very successful
40:09
actually in the end , and the way
40:11
the academics felt about that , which was not
40:13
great actually , and then just
40:15
doing a commercial product . We had so
40:17
much resource , I mean it was just so much easier
40:20
for us to be successful . So
40:23
I think you can sometimes take your
40:25
pet project and build a startup Instead
40:27
of doing a PhD , as long as you're confident
40:29
that you have enough knowledge to actually
40:31
go after it . There's a lot of work
40:33
, by the way , around depth in
40:36
startups , particularly in security . Because
40:38
there are so many startups , the
40:40
space now is getting so thin
40:42
in terms of what you need to be good at
40:44
to build a company that's valuable . That
40:46
could be another way to satisfy or scratch that
40:48
itch , I guess . But I
40:51
know exactly what that feels like and I used
40:53
to talk to my dad about it all the time , like
40:56
I should do that or not , and he's like well , it looks
40:58
like you're doing really well at work , so why
41:00
would you do it ? But on the other hand , he of course wanted me to get
41:03
a PhD from Oxford and he used to push
41:05
me very hard to do it but I ended up not
41:07
doing it and not regretting it actually . So it
41:09
just depends on kind of where you land
41:11
, I think , in the end .
41:12
Yeah , it makes a lot of sense . So , Andy
41:15
, in the beginning of our conversation
41:18
you talked about how you were with Zscaler
41:20
from the very beginning .
41:22
Not from the very beginning , but early on 2013
41:24
.
41:25
That's still pretty early on . As
41:27
someone from the outside , I've always found it interesting
41:29
as to how Zscaler
41:31
went from being obviously
41:34
the best web proxy to kind
41:36
of even developing this area that we
41:38
now call Zero Trust . What
41:42
was that like ? Because to
41:44
me as an engineer , once
41:47
I understood it as oh , this is least
41:49
privilege for your entire network . Once
41:51
I understood it as that , it made a lot more sense
41:54
to me and it kind of opened the door . But what
41:56
was that shift like internally at Zscaler , making
41:59
that shift from okay
42:02
, we're a web proxy solution
42:04
company to we're a Zero
42:06
Trust
42:08
leader , essentially ? So many
42:10
of the engineers at Zscaler
42:12
came from NetScaler , and NetScaler
42:15
was a very , very performant
42:17
the founding engineers I'm talking about and
42:19
NetScaler was an extremely performant
42:21
reverse proxy solution . So
42:24
one of the things they focused on was getting packets
42:26
from the left hand side , or the north , to the south
42:28
side of the ZEN boxes very
42:30
, very fast less than a millisecond
42:32
, and
42:35
with a web proxy , that's extremely
42:37
important . So there are many benefits of
42:39
putting the proxy in the cloud . The
42:41
management of PAC files I mean the whole policy
42:44
management massive benefit . But
42:47
this idea of what could you do to the packets
42:49
while they were traversing the edge of the network
42:51
became super
42:53
important for the business . But you
42:56
have to do it without impacting the performance
42:58
. So what you can run in
43:00
line between the north
43:02
side and the south side of the interface still
43:05
has to be faster than 10 milliseconds . It really
43:07
wants to be more like two or three milliseconds
43:10
or less , and so the
43:12
challenge always was how much
43:14
functionality , how many algorithms
43:16
can you run on those packets
43:18
while they're passing through the box to
43:20
enable you to put things like DLP
43:22
in line and all these other capabilities
43:25
that we now deliver ? And so , to
43:28
me , the thing that amazed me
43:30
the most was the original design
43:32
of the engineers . You know Zscaler stands for Zenith
43:35
of scalability , as you probably know , and
43:37
it's the scalability of both
43:39
. The architecture , which is , you
43:42
can add as many pods as
43:44
you need worldwide to deal with the traffic
43:46
that you have . Most people have never
43:48
heard of Terabit networks , but we run them
43:50
, and so the bottom line is
43:52
that not only do you have to have boxes
43:54
that are very fast , but you have to deal with a lot of scale
43:57
on the bandwidth side as well . I
43:59
haven't seen this recently , but they used to in every
44:01
board meeting , show us , you know , Zscaler
44:03
versus Google , Facebook , TikTok
44:06
and YouTube in all the major cities in
44:08
the world , and I start watching when we hit
44:10
number three , basically . So I
44:12
don't know what the numbers are now , to be honest , I haven't looked
44:14
them for ages , but that scale that we're
44:16
running in the enterprise , there's no one
44:18
else in that scale . I mean there are people who have
44:20
consumer businesses at that scale , but
44:23
not not . So the scale itself
44:25
. I remember being in a meeting with Google when Google were on
44:27
the board , where we exceeded Google's
44:29
throughput and they were literally blown away
44:31
. I mean it was amazing , you
44:34
know , I think you have
44:36
to . You have to lead with performance
44:38
. You have to think about then the SLA
44:40
, that's open , which is about two milliseconds
44:42
, and then you think about well , what else can
44:45
we do in that two milliseconds to
44:47
add all of the functionality that we've
44:49
added today ? And , by the way , mostly we're
44:51
less than one millisecond today because what's happened in
44:53
the meantime is Moore's Law has continued
44:55
. Networking interfaces have become
44:57
more performant . You can buy more capacity
44:59
from fiber companies , so you know there's
45:02
an all boats rise in that ocean
45:04
kind of model there as well . That's
45:06
helped us along the way . But running
45:09
a network at that scale is I
45:11
mean , I worked in telecom , I know
45:13
what that is like , right and so and
45:15
I ran networks , by the way , in financial services
45:17
too . So the scale itself
45:20
still is unbelievable
45:22
. It's kind of like the scale of some
45:25
things that SpaceX are doing , for example , just
45:27
in terms of how much of a reach it is
45:29
to be able to do that . So
45:31
I still find that amazing today . But that's
45:34
basically the , architecturally speaking
45:36
, that's kind of how that works , if that makes sense
45:38
.
45:39
And Joe , maybe from a customer perspective
45:41
. No , we at Siemens we are customers
45:43
of Zscaler and we started
45:45
really with a point solution with the so
45:47
called Zscaler Internet Access , connecting
45:50
directly to software as a service
45:53
provider like Salesforce , and then Microsoft
45:55
when we introduced 365
45:57
. And what was really interesting , traditionally
46:00
we had always this triangle
46:02
between cost , usability and security
46:05
and usually the discussion was always
46:07
well , let's spend a little more than we get a little
46:09
bit more security , but then usability
46:11
went down because it became more complicated . So
46:14
somehow the triangle was always unbalanced
46:16
and for us it was the first time
46:19
when we introduced zero trust and Zscaler
46:21
that in all three dimensions we had
46:23
improved . We had actually higher security
46:26
, we had higher usability and
46:28
we had less communications costs . So
46:30
it was a very interesting game changer for
46:32
us that what we thought
46:34
were trade offs were not trade offs anymore
46:37
and we could drive all three dimensions
46:39
in the right direction .
46:40
Yeah , it's a really fascinating area and I feel
46:43
like we could have a whole other episode just talking
46:45
about Zscaler and the capabilities and
46:47
the future of it . Right , but we're coming
46:49
to the end of our time here , but before I
46:52
let you guys go , let's talk quickly
46:55
about the book that you guys put together
46:57
. What's the book title ? And I'm
46:59
wondering is there a common
47:01
language when dealing with the boardroom
47:03
that you have found to be
47:06
very efficient ? Right , and I asked this as someone
47:08
that is graduating in their
47:10
career . Right , I'm learning
47:13
how to structure different conversations
47:15
with different parties within the company
47:18
, so what's your opinion on that ?
47:19
So let me start with the easy part . What's the title
47:22
? It's Cyber Security Seven Steps
47:24
for Board Directors , but then it has a subtitle
47:26
and it's called the
47:28
Guide to Effective Cyber Risk Oversight
47:31
from Board Members for Board
47:33
Members . So number one is , the
47:35
idea was , as Andy and I described
47:38
before , that we make a very
47:40
practical description
47:42
. That's really helpful for board members , that
47:44
where many of them do not have
47:46
very detailed knowledge of cybersecurity
47:49
, but a lot of curiosity and
47:51
, naturally , a responsibility
47:53
, a fiduciary responsibility for
47:55
the companies they represent on the board . And
47:58
so the book is full of
48:00
specific examples you know what's
48:03
happening in the cybersecurity environment
48:05
, and it also translates technical
48:07
terms into real life terms . And
48:10
I think they're coming back to your other
48:12
question . How is it helpful
48:14
? Actually not for board members , but
48:16
for , for example , cisos that communicate
48:19
regularly with the board . And
48:21
I would say just number one , as
48:23
when you walk into the boardroom as
48:25
a CISO , you can assume
48:27
that everybody in the room is prepared
48:30
. You can assume that everybody in the room
48:32
has a very strong interest to make
48:34
the company even more successful , and cybersecurity
48:37
is one part of it , but you also
48:39
have to assume that not everybody in the room
48:41
has the same technical depth as
48:44
you as a CISO have . So
48:46
make sure you have enough time
48:48
to translate what you want
48:50
to achieve , on what you're working on , into
48:53
a relatively normal business language
48:55
and how it relates directly
48:57
to the business that the board has
48:59
its fiduciary responsibility for . And
49:02
I think there the book is helpful in both directions
49:04
it's helpful for board members , but it's
49:06
also helpful for the IT professionals
49:08
that regularly have a dialogue with
49:11
the board .
49:12
Maybe I'll pick up on a few other points . The
49:14
first one I'd pick up on is often
49:17
members of the executive team in companies
49:19
are also not cyber
49:21
aware or not as cyber aware
49:23
, and we're certainly seeing collective responsibility
49:26
emerge as a theme around both
49:28
the lawsuits against Uber
49:30
and SolarWinds and , more deeply
49:32
now with the SEC changes that
49:34
require material disclosure
49:37
after four days . So everybody
49:39
on the on the executive committee of a company
49:41
now needs to really be on the same page with
49:43
filing an 8-K after an event like
49:46
that has occurred . So I think there
49:48
are now not just knowledge
49:51
requirements of board members to Helmuth's point
49:53
but there are also transactional
49:56
decisions that the board are going to participate
49:58
in , where board members are required
50:00
to be well enough informed
50:02
to make a decision on what materiality is
50:05
. The second thing there , I think , is that
50:07
not acting too soon is
50:09
super important . We've seen with the Clorox incidents
50:11
that when you react too
50:14
early you often have to retract or
50:16
react again , basically
50:18
when you find out more
50:20
things later on . And there have been a number of breaches
50:23
and exfiltrations recently where the
50:25
initial extent of the exfiltration has
50:27
been found to be much
50:29
, much greater than was originally
50:32
disclosed . So I think that's another
50:34
area that we've put into the book
50:36
, which is about kind of the process that you
50:38
put around the assessment of
50:40
materiality as well
50:43
, but mostly that the book
50:45
is . The book is really organized around
50:47
process and what process
50:49
you should run , both to
50:51
get people up the learning curve to
50:54
what they need to know , to
50:56
have a common language that they
50:58
can actually converse with the CISO in
51:00
Often CISOs are very technical and
51:03
converting the way a technologist
51:05
speaks to the way a business risk needs
51:07
to be encapsulated is a trick
51:10
, and I think you know you can't expect CISOs
51:12
to learn overnight , particularly given the conversation
51:14
we had earlier about how often they are
51:17
kind of quite young when they're put into that role
51:19
. They can't overnight understand
51:21
what the business risk is . So I think the executive
51:23
team needs to work with them and that's also
51:25
something that we cover in the book
51:27
as well . And then the use
51:29
of public framework , so like the NIST assessment
51:32
framework and so on , to get a really tight
51:34
view on what
51:37
would an outside party say
51:39
if they were doing an assessment of your company
51:41
and actually having someone like EY , KPMG
51:44
or PwC run an assessment
51:46
like that . So you know where you stand and
51:48
you know what you need to improve . So
51:50
I think all of those things are important
51:53
. I mean , the whole risk surface area
51:55
is a topic that we touch on a fair amount
51:57
in the book as well . It's just understanding
51:59
what that is and where your current
52:01
weaknesses and strengths are as well , super
52:04
important . But I think that if you
52:06
ask it at a macro level , I think that's probably about
52:09
the scale of it .
52:10
Sounds really interesting . I'll definitely have to pick
52:13
up that book at some point . Well
52:15
, guys , unfortunately
52:17
we're at the top of the hour and I know that we
52:19
already went over , so I
52:21
really appreciate you hanging on Before I let you
52:24
go . How about you tell my audience where they
52:26
could find you if they wanted to
52:28
learn more and reach out ?
52:29
Sure , I'm very easy to find on
52:31
LinkedIn . By all means , reach out
52:33
with questions on the book on LinkedIn and
52:36
obviously you can channel those through Zscaler as well
52:38
.
52:38
Yeah , same thing . LinkedIn is the
52:40
easiest and if you
52:42
can make available the link to download
52:45
the book if they're interested , it's
52:47
publicly available , so easy , accessible
52:49
, and if there are any specific
52:52
questions , LinkedIn is always a good
52:54
way to connect .
52:55
Awesome . Well , all the links will be in the description
52:57
of the episode and I really appreciate you guys
52:59
coming on . Thanks everyone . I
53:01
hope you enjoyed this episode .