This week our guest is Peter Soulsby, Director for Security Practise at NTT. Peter’s background in finance lends a business lens on his experiences of working with organisations that have just endured a cyber security breach.
Looking behind the breach, Peter speaks about the stories the media miss, where IR plans can fail, the psychology and human side to dealing with a breach as emotions run high and low, the value of external IR teams and how they can best work with internal teams, and the popular topic of prevention vs response/recover and where we should be spending our time and money.
The Get Cyber Resilient Show Episode #86 Transcript
Garrett O'Hara: Welcome to the Get Cyber Resilient podcast, I'm Garrett O'Hara. The conversation today is with Peter Soulsby, who's the direct for the security practice at NTT. Peter's background in finance puts a business lens on his experiences on the ground working with organisations that are going through the hell that is a cybersecurity breach. Looking behind the breach, Peter speaks about what the breach stories in the media miss, where IR plans can fail, the psychology and the human side to dealing with a breach as emotions run high and also low, the value of external IR teams and how they can best work with those internal teams, and then the popular topic of prevention versus response/recover, and where we should be spending our time and our money. Over to the conversation.
Today, I'm joined by Peter Soulsby, who's the director of security practice at NTT. How you going today, Peter?
Peter Soulsby: Yeah, good, Gar, how are you?
Garrett O'Hara: I am doing well. We were speaking just before we started recording, and I was saying that there is a huge thunderstorm happening here at the moment, so if you heard the dramatic sound effects as Peter's talking, that's, that's all that's going on there. How's the weather your side? I'm guessing no- not the same.
Peter Soulsby: Gar, that's one of the reasons I live in sunny Melbourne, [crosstalk 00:01:16]-
Garrett O'Hara: Yeah. [laughs]
Peter Soulsby: ... sunning today.
Garrett O'Hara: Good to hear, good to hear. Well y- so we crossed paths through the Summer Leadership Institute, so a f- I suppose, a free plug for tho- for those guys. You know, they,
Peter Soulsby: Yeah.
Garrett O'Hara: ... they do some good work and good courses, and yeah, with tha- that sort of mutual contact from there put us in contact, and so-
Peter Soulsby: Yeah.
Garrett O'Hara: ... lovely to have you on the podcast.
Peter Soulsby: Yeah, thanks, thanks so much for having me, Gar, I do appreciate it. And the sort of, the Cyber Leadership Institute, the Cyber Leadership program it's a fantastic it's a fantastic program for anyone who's dealing with CISOs or is aspiring to be a CISO, I highly recommend you take a look at the course. But, but this is an advert for the program, but-
Garrett O'Hara: [laughs]
Peter Soulsby: ... [inaudible 00:02:00] a, a different take on, on the industry, on what's required to be successful as a CISO, and it's certainly afforded me a lot more empathy into the role and life of a CISO.
Garrett O'Hara: Yeah, I, I totally agree. And it's, it's actually sounding like they sponsored this, they didn't but it is a ph- a phenomenal phenomenal course, having been through it. I really [inaudible 00:02:18] got so much out of it, and just, yeah, I mean, the, the guys are I think they're coming from the right place, and it tell- you can tell, you know, as you, as you go through the course. Peter, it'd be great to kinda understand. Obviously you're, you're the director for the security practice at NTT, be lovely to understand your journey to that role and, and how did you kinda get to where you are?
Peter Soulsby: Sure, so so Gar, I, yeah, I actually grew up in finance. Studied a bachelor of accounting at Wits University back in South Africa and I joined Dimension Data as it was back then 10 years ago, in 2011, as a management accounting. And I promised myself, having done that degree, that I'd never become an accountant or a financial manager. And, and after joining Dimension Data in that position, I got promoted to a financial manager role, and I was decided [inaudible 00:03:04] unhappy with me job. It got a bit boring after the second month in.
So I spoke to my boss at the time, and I'd always been the captain of the cricket team and, you know, the chairman of the sports club, so to speak, so I thought, "Well, I can lead people from a s- you know, on the sports field, surely I can run a business." so my boss he took a, a bit of a gamble on me at the time, so to speak. Sent me to Cape Town to run Dimension Data's applications business, and so I spent three years in the applications industry, understanding the world of SAP, Oracle, and Microsoft. We did a pretty good job, we grew that business quite substantially over those three years. And then came the opportunity to move into the world of cybersecurity. And so I got transferred to the cybersecurity business, got asked to run that for Dimension Data back in the Western Cape in South Africa.
Did that for a bit of time, and, and decided to do something different. After seven years with the group, started my own company. Didn't get very for- far from Dimension Data, 'cause in starting my own business, my first company was- no, my, my first client was Dimension Data, and my second client was a subsidiary of Dimension Data. And then they tapped me on the shoulder to come and [inaudible 00:04:11] Australia and head up the security practice for for Victoria. So was Dimension Data at the time, we've since rebranded to NTT about two, two and a half years ago. And I've now spent three years in the position and thoroughly enjoying it. So-
Garrett O'Hara: Yeah.
Peter Soulsby: ... I guess I bring a slightly different aspect to cyber in that I didn't grow up in the industry. I look a bit more from a, from a business, commercial, numbers, and, and people side. So I rely heavily on my team for advice and guidance um, and yeah, rely on my leadership and business skills to try and be successful in my role.
Garrett O'Hara: Yeah. It's, it's an interesting perspective, and I, I think some of the, the best people in cyber that I've met, and sort of, you know, the hardcore practitioners they've come from other places. And I think that's a really useful lens to see you know, the, the function of cybersecurity through, you know, it is, it's a, it is a business function, fu- fundamentally and once you get away from the technology, I think having that business lens incredibly, incredibly useful.
Peter Soulsby: Yeah. To your point, Gar, we've, there's a lot of us in the industry have come into the industry and not grown up in it. And it's also a relatively young industry as well, so I think as it matures, as, as it becomes more business-focused, more business-savvy, as it gets to board levels and, and you've gotta sort of talk English about a very complex problem you know, the more people that come into the industry from different, different sectors, different verticals, I think the better for the industry.
Garrett O'Hara: Yep. No, totally agree. When, so when we were chatting before the, the sorta holidays, I think it was back in December, probably, at this stage um, when w- when we were chatting originally um, we, we got to talking about some of the kinda, you know, the things you'd done in the past, and was very keen to get you on to talk ab- specifically about sort of breaches and, and behind the breach, you know, as a sort of theme for-
Peter Soulsby: Uh-huh [affirmative].
Garrett O'Hara: ... the episode today. And we've seen, you know, in the media, you see so, so many stories of breaches these days. You know, it seems like every day there's, you know, something happening. And certainly even in the mainstream media. But I'm sorta wondering, 'cause it feels like rarely if ever does the coverage that I've read sorta give any real sense of the rollercoaster that's happening in the background within an organisation as they're going through you know, those early stages of, of their instant response and a breach is happening. Very keen to like, as an opening question, what do you see the kind of majority of breach stories missing?
Peter Soulsby: That's, that's a fascinating question, Gar. So having been involved in a fair number of incidents myself, and then, you know, understanding what media gets published around those incidents and seeing some of the sensitivities, both from, you know, internally within businesses that we work with, as well as, you know, from a media and just the general market wanting to know what's going on and what happened. think it's unique to every business. I think every business has its own sensitivities around what they do and don't say, which is completely and utterly understandable. I, you know, every business has got a different risk appetite for very different reasons. They may not want certain things in the public domain, and that's, that is, I mean, that's, that's fine. That's up to each business to sort of navigate and understand.
I think in the stories that are published about breaches and incidents and, and what have you, some of the things that I th- I think may be missing that we could do better and, as a- as an industry is, so the recovery. So not just the breach itself and what went wrong, but how that business actually recovered itself, recovered its operations were able to spin up applications again to deal with their clients to get back to day to day business. Because a breach can be short and sharp in terms of wri- you know, isolation by taking a breach of, of a network, or isolating endpoints and then, and then, you know, wiping malware and so what and what have you off systems.
But the, the recovery aspect and bringing businesses back online is a long, it can be a long and arduous process. And I don't think the industry spends enough time talking about recovery, or sharing experiences on recovery. So that, that, that would be a fascinating thing for businesses to discuss, as they go through and [inaudible 00:08:09] against cyber incidents. And I think the, probably the other thing that's often unspoken about, and it's a bit of a, a sad fact about cybersecurity incidents is the human impact of an incident. So the business impact is often understood, that's visible. You know, business can't trade you can't withdraw money, whatever it is that, that, that cybersecurity incident impacts from a business point of view.
But the people behind the scenes that work around the clock to bring that business online, so their individual stories, how, how did they handle the pressure, how did they handle the stress? You know, the long-term effects of [inaudible 00:08:42]? Because again, the incident- i- incident doesn't just take a week and then everything's back up and running. An incident takes a long time to recover from. And I think those human stories would be, would be really interesting, as well as how organisations actually physically recovered their business.
Garrett O'Hara: Yeah absolutely. I, there's an article that was in Lawyer Weekly, and that [laughs] I got to read. I'm, I'm not a lawyer, so don't even ask how I ended up reading this article, but it was around the DLI- DLA Piper experience. And it was incredible, it was, you know, sort of a 15 page deep dive into the timeline from the perspective of various people that were involved, form the literally, you know, somebody sitting in a meeting room, and they get a Wha- WhatsApp message saying, "Are you aware of the problem with the IT systems?" You know, and that's the, the first kind of inkling that something is going wrong. But it runs through-
Peter Soulsby: Yeah.
Garrett O'Hara: ... and how close to the precipice they actually were, and the long days the exhaustion and to your point, like the scramble to just, business continuity first of all, and then, you know, start on that long road to, to recovery. I- I suppose the, the comment would be that like the media just, so often it feels like we, we hear abou- to your point, we hear about the breach, but we never, ever read about a- all the work that it then takes to, to kinda recover from that.
Peter Soulsby: Yep. And I, and I think, Gar, that's probably the, the biggest thing that you can do as an organisation is practice that recovery, make sure you're able to recover quickly. Because tha- that is the only important part of, of an incident. Containing, yeah, isolating, sure. Getting your business back online, that's where you're gonna spend the lion- you know, the lion's share of your time in an incident.
Garrett O'Hara: Yeah. Yeah, no, absolutely. And, and that's something I, actually keen to kinda dig into a little bit later in the conversation. But, but just kinda zoning in on the, the sort of, I suppose, that moment of the incident. And I've seen a lotta people talk about Mike Tyson's, you know, the, the famous quote, "Everyone's got a plan until they're, they're punched in the face." I'm seeing that kinda quote a lot lately. And i- I th- I suppose it applies, right? You know, you build this amazing plan, and then when the thing really happens, I mean, that's a very, very visceral and very different thing, and, you know, regardless of tabletop exercises or, you know, full-on simulations, I'm sure it's impossible to get anything close to what it's like in the reality as you're, you know, i- in that moment, in an instant.
Peter Soulsby: Yeah.
Garrett O'Hara: ... and I think ev- like, everyone gets they should have an incident response plan, right? But when that punch comes, I'm guessing y- like you've been through this a few times. Where do you see it fall apart? Like where, where do the incident plans stop working?
Peter Soulsby: Whoo. So incident response plans I think are, are ... It's a great place to start. I think every organisation must have an IR plan in place. And if you don't, you know, please, the first thing you need to do right now is go and consider your incident response plans and, and, you know, get that [inaudible 00:11:30], get that plan in place if you don't have one already. Because the chaos that comes with an incident, if there's no plan in place um, you know, quite frankly, quite frankly, you probably don't stand a chance. Th- having an IR plan in place again, having that first step in place is great, but I'd say the next step or next iteration in that, in, in planning, testing, planning, testing, and making sure that you run through that IR plan for as many different scenarios as possible.
What I see a lotta businesses do is, is look at y- you know, DFIR organisations and buy a bucket of ours, get a retainer, and that's fantastic. And then move on and think, "Okay, well, I've got my incident response in place, I've done my planning, I've got my retainer, I'm good. Now I'm gonna focus on the next thing." You should be spending a lot more time in those plans and in, in that incident response readiness to make sure that, you know, when the inevitable happens, everyone understands their roles and responsibilities. Everyone's well-versed on what needs to happen, why it needs to happen.
And, you know, the first 24 hours, 48 hours, week, can often just be spent herding cats, so to speak. Because everyone just running around trying to put out fires, no one understands their roles and responsibilities. You get, committees form, subcommittees forms, WhatsApp groups formed. All sorts of stuff happens, but it doesn't necessarily happen in a coordinated fashion. So as it relates to incident response and, and plans and, you know, the, when the punch comes from Mike Tyson, well, make sure you've done 12 rounds with Mike Tyson already, 'cause then that punch won't be be as heavy, so to speak. So yeah, that would be my advice to organisations. Don't just get a plan and move on and do something else. Practice, practice, practice, practice, practice. 'Cause you won't know how much you need that plan and that readiness around a, a response until the day it happens, and then, you know, chaos hits if you haven't, you haven't played it through. Tabletop exercises, whatever it is that you need to do, and make sure that you're familiar with the plan and you know what your role is, and how your business is going to respond.
Garrett O'Hara: Yeah. Wh- what are your thoughts some of the things I've read recently, Gartner analysts sort of have written papers on this, but the idea that y- you read sometimes about CISOs being fired or security leadership being fired because a breach has happened, and, you know, flipping that on, on its head and saying, "Well, actually they're m- way more valuable, because they've actually, they've been through it now." You know, they've, they've lived through the, the horror of a breach and come out the other side, and they kinda get it in a way that somebody who hasn't obv- obviously experienced that just won't. what are your thoughts on that? 'Cause it does feel like there's more value in people who've actually lived through it versus, you know, what seems to happen, which is quite often, CISO gets fired and, you know, it's probably a PR exercise, but actually what you're doing [laughs] is firing somebody who's now better-talented and more valuable to the organisation. Unless they're negligent, but ...
Peter Soulsby: Yeah, Gar, to your point, i- i- if there's negligence involved, or is, it's just a complete and utter lack of care [inaudible 00:14:34] breach, then sure, you could argue that that may be the right course of action. But I, I, I get a little bit disappointed every time I hear stories about that, because it doesn't help the industry. It doesn't help aspiring CISOs. Doesn't help CISOs in their current job to know that, you know, should something go wrong, I'm going to lose my job. That, I don't think that's, that's not the positivity or the, or the, or the sorta culture that we need to foster in the industry.
I look at people that I've dealt with that have been through an incident, and there's a change. There's a, there's a change post-breach, they're a little bit more hesitant, they're a little bit more considerate and careful in what they do and how they do it, and, and yeah, I mean, that's, it's, it's interesting. I've dealt with organisations that you'd be speaking to the CEO of the business side, you know, in the evening, and they can't put thoughts together. Um, and then they move past that and, and, you you know, the CISO may or may not keep their job, or whatever it might be, businesses need to remember, and to have people that have been through it, that understand it, that have got that practical experience, I think, is incredibly valuable.
Also kinda get to the point now where I- I'd advise CISOs and members of the security community more broadly that we've spent a lot of time on preventative postures and protecting businesses and, and putting controls in place to make sure we keep the bad guys out. But a lot more time now needs to go into when it happens what, you know, what do I do? So my advice is almost 50/50. 50% of your time should be spent on preventative measures, 50% of your time should be preparing for rebuilding your business, preparing to respond. Because it will happen, and it's, there are things you can, can control, and there's lots of things that you can't control. And those things that you can't control are what's gonna go wrong, and then to have someone with a pedigree of having done, you know, run through an incident before and a, a CISO or a security team I think is incredibly valuable for a business. The first time anyone goes through, you know, it's, it's pretty visible, it's, it's panic, it's chaos.
Garrett O'Hara: Hm.
Peter Soulsby: And they'll take a couple of days to calm down and get their head straight and, and remember what it is that they need to do. And that first 48, 72 hour window, if you have someone with experience and, and pedigree and a bit of a track record as it relates to incidents, which might not look good on a CV, but from a practical experience point of view is incredibly valuable, will help you recover and respond from, r- respond to and recover from an incident far more quickly and better than someone who, who has never been through that process.
I think the, the unfortunate thing about a breach is you haven't, until you've been through one and experienced the absolute panic of a, of a massive outage of, you know, information technology, of your a- ability to pay people, of your ability to trade um, until you've experienced that, it's, it's kinda hard to explain it. And it's, you know, as much as you can practice, practice, practice, that experience is all valuable. So to your point, sure, if there's a bit of negligence, you gotta, you gotta deliberate carefully over that. That's, but for me, CISOs are, CISOs and, and security teams are the champions when it comes to these breaches, and they should be, um, you know, they should be put on a pedestal. Because without that capability and experience, post-breach you know, you're gonna be in trouble.
Garrett O'Hara: Absolutely. Is there anything in, you know, without us going too far down the rabbit hole of psych- psychology [laughs] here, but as you're talking through that, in life it seems like sometimes the, the fear of the thing can be worse than the thing itself. And with CISO burnout being such a huge problem, you know, I'm wondering is there a part of that is the, the apprehension about the potential event that's gonna happen at some point, re- reasonably on a timeline for a CISO if they're practicing over, you know, a couple decades, it's gonna happen. You know, they'll, they'll have to live through that. Do you, do you see that, is that the change you're kinda referring to, they've been through it, that resilience kind of increases, because now the ... It's not unknown anymore, they've actually, you know, it's real, they- they're, they're one of the team, or th- the cohort of people that can actually describe what it's like to have been through, is that wh- what you're getting to with the, when you make the comment that they're more resilient afterwards?
Peter Soulsby: Yes. And, and again, going back to roles and responsibilities, and understanding your makeup as an individual, your character as an individual, not everyone is designed to be the firefighter on the front line. And I think it's important for all of us in the cybersecurity industry to understand you know, what your personal makeup is, what your capabilities are, and whether or not you're the right person to run th- at the forefront of an incident. They, there's a, there's a bit of hardening, there's a bit of yeah, I mean, there's ... When you face all that pressure, and, you know, having worked inside and alongside organisations when that pressure hits there's definitely a, there's definitely a b- bit of a change in psyche, a bit of a change in makeup having gone through it.
I, I view DFIR consultants, incident responder consultants, those people that are on tap 24/7 and respond to these incidents, they are a special, special character. I myself, I, I know in terms of my character makeup, I wouldn't be the right person for that job. There's there's a certain specialty to, I, I suppose, their makeup that keeps them calm in the face of adversity, keeps them calm in the face of shouting people, keeps them calm in the face of panicking people who can't communicate correctly, appropriately, who can't think straight. And, and again, having that experience come into, you know, having gone through a breach you sort of pick up some of those skills. You sort of, you pick up some of that resilience and it'll definitely foster sort of a better response the next time 'round.
Garrett O'Hara: You've hit on something that I, I think is kind of an interesting conversation, and I've spoken to some of the guests about this before, but the, you know, you're, you're part of those internal teams. You- you've spoken to the breach scenario, and, you know, presumably there is an internal IT/security team. You know, ideally [laughs] security team. And I've always been curious about the kinda, I suppose the dynamics of how those kinda two sets of people work together in the moment. You know, and I would assume that, you know, internally, there's knowledge of the systems, you know, the integrations that are in place, the kinda peoples and the personalities that are in play in that organisation. And then the external teams are bringing in that kind of, I suppose, a removal from the emotion of what's happening. You know, it's a, h- your hope is kind of clear thinking. I'm very keep to hear like your actual lived experience of, like when it's gone well, you know, and that, that is how it's working, or, or, you know, times where maybe there's a resentment that, you know, an external team is coming in, and, you know, "It's our systems and we can deal with it," or, or is that just not what happens in reality?
Peter Soulsby: Definitely have interesting, [inaudible 00:21:26] perspectives on that. So where, where I see internal and external organisations working together in, in the event of something going wrong you know, where it doesn't work, let me start there. So when there's too many stakeholders involved. When there's too many third parties and there's coordination across multiple towers, organis- you know, third-party providers, people. You've also got your internal complexities to navigate. Where there's too many parties involved, it becomes very difficult to operate quickly and effectively in that situation.
So my advice would be work with external parties, because they're gonna bring the skillset, the capability, the experience that you need in the event of something going wrong. But think carefully about your supply chain, the third parties that you have in your business, and, and try simplify that as much as possible. My experience tells me that coordinating along many different service providers and towers in the event of a breach is difficult. You've got different management approvals, you've got different processes, you've got different SLAs, you have different IT systems, ticketing systems, and so on and so forth that you may be working with. And that's hard, and it won't move you as quickly as you probably need to move.
Where it has worked really well is where organisations, you know, certainly for, for me, where organisations have, have entrusted us to really embed ourselves in their businesses and help them through. From a communications standpoint, from a response standpoint we're looking at things like Office 365 and getting email back up and running, helping them make decisions that they need to make for their business, you know, guiding them along the, what's required to bring their business back online, that's where, where that model is as simple as possible, and there's less stakeholders, or, or the least possible amount of stakeholders for an efficient response, I would always tend towards that.
I think trying to deal ... And a caveat there as well I'll add to that, trying to deal with breaches just internally and holding that to yourself and trying, you know, to not let that get out or reach out to third parties for help is probably also, you know, that's, that's on the other end of the scale, is completely detrimental. You won't have the scale, the experience, and everything else that you need to respond appropriately and get your business back up and running. So it's good to have third parties involved. As much as you know, internal parties understand systems and processes and how to do things, your external party will bring scale and speed, which is what you need when a breech happens. But think carefully about the number of third parties that are involved, because the more that get involved, the more challenging it becomes.
There's also, God and it's, and it's very unfortunate, there's still lots of businesses out there that hear about a breach and want to sulk. And I think that's, you know, so you, so, so limiting the number of third parties that you enac- interact with will also keep, you know, control of the message or the breach within a, within a small subset of providers or third parties, whatever it is that you want to do, and then you won't be getting phone calls all day long from different service providers and technology providers trying to sell you the latest gadgets to fix all your problems, and that's just not helpful.
So I think that's something that as an industry we need to consider very carefully as well, is these are sensitive situations. You know, you're dealing with people, you're dealing with people's lives. If you heard that something has gone wrong, you can be empathetic, be considerate, because those people are, you know, they're gonna be, they're gonna be in a world of pain trying to figure out how to f- how to fix the problem. And you know, there's a time and a place ... Look, I run a business. There's a time and a place for a sales pitch. A breach is when, you know, you obviously need to get involved, you'll be, you'll be available, you'll be ready to help out, and you do what is needed from the business that you're working with. So empathy and, and those ... Consideration for your the organisation that's going through the pain is all-important. I don't know if I answered that in, in in a way that you were sort of searching for from me, but yeah, I think it is very important, again, to keep things simple have a trusted service provider can wo- external party convenient to you that you know that you can reach out to and they will respond and help.
Be very selective about who that is, because you don't want the wrong people running around your business trying to sell you things and, and cause chaos in the midst of a breach. And then with that external provider, practice, practice, practice, practice. So that, you know, we know that when you find an external team and say, "I've got a problem," there's no panic, there's a calm response. Everyone knows their place everyone knows their own responsibility, and you deal with it in a more black and white manner than a, you know, absolute panic.
Garrett O'Hara: Yeah, absolutely. A- and to your point around, in, in the moment of a breach or anything going wrong, it's the worst time to be making any kind of decision about a, you know, new pr- you know, service provider. You know, when emotions are running high and you're desperate, that's th- that's the last time you wanna be tryna make a decision on who's gonna kinda help out. So definitely take your point on that. I'd be very keen the, the sort of, for want of a better expression, the command structure you know, between internal/external, and to your point, the, the management or herding of cats to, to try and get the job done, certainly in those early days when emotions are running high. How does that play out? Wha- what does it, you know, f- like I say, for want of a better expression, the command structure? Who, who owns it, who can direct other teams, like what's the hierarchy?
Peter Soulsby: So yeah, that's, interesting question and it's, and it's an important question for businesses to ask themselves as to, as they consider how they respond to a breach. Because it's very easy for an executive to get excited and, you know, jump in and become highly operational. And that, but that's not, probably not the right goal for that person, right? You need, you need established committees and methods of communication whereby not, you know, you're not getting 100 phone calls a minute as a CISO, because everyone wants an update. Establishing that hierarchy, so to speak, for that incident response, and having that in your plan I think is e- exceptionally important.
As to dealing with third parties and how they get involved, I think that's a, it's a, it's a rather interesting question and it's, it's, and it's, it's a, probably you need to be honest [inaudible 00:28:00] business by business case. Some organisations are quite happy to hand over the tools to the kingdom, or the keys to the kingdom, so to speak, and step back and say, "I need to get back online," "You guys have control, and let me know what I need to do." Other businesses prefer taking control and have different risk appetites, and will only be very specific what they use DFIR or incident responders for. It comes down to, again, wi- if you, if you practice enough, if you're ready en- if you're ready enough, if you know what you need in the event of an incident, you can quite quickly establish those line of communication, you know, who does what and where, how the external service providers function, what the internal teams do.
And, and it's also s- Gar, it's a, it's, it's something as simple as, well, who, who has the authority and the decision-making power to say, you know, "Switch off the internet," by way of example. And who has the authority, then, from then on to switch on, you know, access to the internet from each different business application?
Those are important questions that often don't get answered pre-breach. And often during a breach, you know, there's just, there's a lack of coordination and defined response plan as to who can, who can do what, who has the authority, who can talk, which person talk to who. You know, there's nothing worse than being a, a CISO or a security team and getting phoned every five minutes for an update from the board. That's not helpful. Because you spend your time managing your board. What you should be doing is spending your time managing the incident or the breach. So establishing those, those lines of communication, those groups, to your point that hierarchy, I think not just have them planned and established but r- respect them. And then, in the event of a breach as well, respect the fact that, may- you may have security engineers running around, making changes on firewalls installing EDR software onto endpoints, tryna f- you know, tryna figure out patient zero, tryna plug back holes. That should be their focus, and they shouldn't be bothered by anything else, because that's their, that should be their priority.
If, if the, if organisations understand that, understand that the role, you know, the role of the board versus the role of the executive verse the role of the security and network and operations and applications teams and they respect those boundaries, it's very, it's very easy to not respect those boundaries. Because if I'm, if I'm running a business, I want to know what's going on, and I want an update every five minutes. But it's often not the most helpful thing in the event of a breach. You need teams to be able to focus, you need teams to be able to remain calm, and the more communication and, and, and chaos that kind of happen as a result of everyone phoning everyone and trying to get an update you know, that, that's not, it's not helpful.
And i- back to the, the question about service providers and internal verse external. It's interesting. So, so my advice often is just let the external party do their job. You brought them in for a reason, you have them on a retainer for a reason, trust them. They know what they're doing, this is their job, that's what they do on a daily basis. And to get in the way of that often is not gonna be helpful and deliver the best possible outcome for your business. So yeah, tha- fascinating question. I, I, I think the many different ways to, to answer that um, going ... I, I sound like I'm uh, echoing myself a lot here, but understanding your role, understanding your responsibility, understanding who to communicate with and when, and allowing people to do their jobs in [inaudible 00:31:42], you know, in a structured manner, I think, is exceptionally important.
Garrett O'Hara: Yeah. And, and you mentioned, obviously, you know, having those third parties on retainer. W- you know, something I've, I've thought about, and it might just be my tinfoil hat, but the, the idea that, you know, if we saw a really sorta significant and very widespread attack that hit many, many organisations at the same time, is there a way we could see kind of collisions on the, those third parties? The, their availability, their resources? You know, we've got 10 companies, and, you know, there's a, th- you know, they, they, they sorta work on the, the probability of anyone being breached at any one given time, and they resource accordingly. But if it happened more broadly, could you see a time where, you know, 10 companies are trying to get access to the same thr- you know, three units of an external organisation's incident response?
Peter Soulsby: Yes. And, and I've a- yeah, I've, I've seen that happen live.
a- an organisation has been notified that there's a problem, and the incident response retainer didn't work as well as it probably should've, because they're one of many organisations that had been hit. And in advice of the IR team in that case their [inaudible 00:32:58] provider was "There's a lot in the gullet, and we don't think you're that badly hit, so, you know, give us, just bear with us as we, as we respond to the businesses that have been harder-hit, and we'll, we'll come back to you."
And that's very harrowing advice, or, or was very difficult to hear as a business. You know, that's, that's not what you, what you want to hear. How you mitigate against that, that, you know, maybe the answer is have multiple IR parties and multiple IR plans. That's probably gonna be expensive and onerous, so, so ... and may not actually help, because then you're going to practice with, you know, multiple external parties and, and that may just may that, that may not have the benefit that you intend to bring.
The [inaudible 00:33:47] and say, if you, if you ... The faster you can recover, the better and more resilient your backups are, and the faster you can restore applications and get systems back up and running, the less you need to worry about that eventuality. I think with, ... I'm not questioning the role of an instant responder, I think that's a- it's all important. They know what they're doing, you must let them do their jobs. But if you know, if you're, if you're better-planned, if you're better prepared, and you know that you can get back up and running quickly, because you have the right systems, processes, technology people in place to, to recover, then should that eventuate you know, you're probably gonna be in a, in a better position.
The unfortunate nature of what we do you know, in the world at the moment with digitization, with everything going online, is our digital footprints are so huge that, you know, there's, there's a r- a very real possibility that all those DFIR companies out there are gonna get phone calls tomorrow because something's happened and, you know, some third-party supply chain software is, has created vulnerabilities in thousands of organisations. And, you know, we've got a big problem. It's happened before, it will happen again. So yeah, I, I, I, I imagine that we probably need to grow the DFIR industry, build out more IR capabilities. That's a, that's a real opportunity in the cybersecurity industry, and finding those people with a, you know, the right personalities and approach is gonna be, is gonna be crucial to the industry.
But again, back to my previous advice. If you focus on ... Don't just focus on preventative measures, but focus on recover as a CISO, as a business, then I think, I think you've almost got to ask yourself, what security is good enough? And once you've got that in place, then really focus hard on how you recover, how you bring applications back online, how you make sure that your backups don't get encrypted. And you can, the faster you can respond, the less problem a cybersecurity incident becomes.
Garrett O'Hara: Yeah, absolutely. I- i- it's interesting, you know, I think you mentioned 50/50, you know, in terms of resources going on, the kind of perimeter/preventative stuff versus the response/recovery. I, I don't know if somebody may have sorta waved a magic wand, or I'm just becoming aw- much more aware of it, but it does feel much more prevalent as a conversation and you know, analysts talking about minimal viable security, and it makes sense to me, the diminishing returns. I mean, you see this in organisations so often where they spend a truckload of money on a ton of preventative controls that, you know, as you spend more and more money, there's diminishing returns, because you already got most of the way there with the things that are already in place, but, you know, the, for an extra dollar, you're getting, really, you know, cents worth of value. Um, But the brochures are amazing and they're impressive, so, you know, why, why no- why not do that, and, and-
Peter Soulsby: [crosstalk 00:36:42]-
Garrett O'Hara: ... look good at the RSA conference? And, and actually, when i- when you think that through, so often the time burned managing those platforms, or if they're misconfigured, they actually kinda add to the problem sometimes, rather than help. But yeah, it certainly seems to make way, way, way more sense to kinda start shifting some of that budget towards the response/recovery side of things, knowing that at some point it's gonna go badly.
Peter Soulsby: Yeah, yeah. And Gar, may sound a little bit controversial, but I, I, you know, there's a saying in the industry that's never waste a good breach, or a good audit. 'cause then you get access to budgets to go and fix things. But maybe, I'd say be wary of that as well. So I mean, don't get me wrong, if you have been breached, then make sure you've put in controls to mitigate from that breach happening again in the same way that it happened, because if, if you get hit in the same way twice, that's, you know, that's a big, big no-no. You, I mean, that's, that's not what we should be aiming for as an industry. You have to put in mitigating controls and make sure that your security posture post-breach ensures that that doesn't happen again. That's, that's a given.
Where we've spent a lot of time in the industry sort of running around tryna, tryna you know, just responding to as many different things as possible, just post-breach often an audit gets done. Often, you know, a three-year roadmap and, and, and that can be, that can create a huge amount of work and, and opportunity for organisations such as ourselves, which is, which is wonderful. Don't get me wrong, I am a business manager. But I often question the effectiveness of that. Because, you know, that audit will often try to solve for every possible or every possibility and every eventuality, and as a result, introducing more complexity into a business that potentially they don't need, and, and may actually slow them down in the event of a, of another breach happening, or, or just day to day operations.
So you've gotta, and I, and I think again, the role, as you said here, is all-important. You know, some of the CISOs that I deal with who are incredibly effective in the space can quantify the value of an audit and quantify the value of a you know, post-breach sort of remediation exercise and go, "Well, with a level head, what's right and what's wrong? Do I have to do everything that I've just been told to do? Because we've just paid a lot of money to a consultant to tell us what to do? Or, or, you know, what's more appropriate for my organisation? Because I understand how my organisation works, I understand what risk means to my business." So let me apply my own lens to that, that audit, let me apply my own lens to that, you know, that finding report, or re- remediation report, and unpack that and question and interrogate it. Because it doesn't actually, in my experience, it doesn't help to just take that remediation report and, and what have you and then just go do everything that you've been told to do.
Because that- that'll be a, a relatively speaking, generic report done by people that may not understand your business as well as you do. So not questioning the value of it, necessarily, I mean, it's, it's good for people to come in and question your processes and your thinking and apply cybersecurity, you know, industry knowledge and experience and give you that view and roadmap and audit, that is absolutely essential. But you can't just take that and, you know, post-breach, just do everything you've been told to do because you're trying to appease your stakeholders. You've actually gotta interrogate that based on your understanding of your business, and make s- making sure that you're not introducing complexity for the sake of complexity, and making sure that you increase your security posture such that you're safer and better than you were before, now that you know how a breach works and, and what happened. But not, not doing everything just for the sake of it because it appears in a report.
That's a fine line, 'cause you, you, you, you also gotta have the experience and, and, and the trust of your business to, to argue that report. But I, I still think it's your responsibility as a stakeholder to apply your business's lens over anything that comes out post-breach.
Garrett O'Hara: Absolutely. On that, that measured and and positive commentary and sorta insight we've pretty much hit time. So I, I just wanted to, obviously thank you really enjoyed the conversation, and certainly what felt like a different lens to, to have this conversation through, somebody who's actually been through what you've, what you've been through and lived through, so really, really appreciate the insights, and and the conversation, Peter.
Peter Soulsby: Yeah, Gar, thanks so much for having me. Appreciate the time and, and lovely to sync up with you again.
Garrett O'Hara: Thanks so much to Peter for joining us, and as always, thank you for listening to the Get Cyber Resilient podcast. Jump into our back catalog of episodes and like, subscribe, and leave us a review. For now, stay safe, and I look forward to catching you on the next episode.