Garrett O’Hara is the Chief Field Technologist, APAC at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies and is a regular industry commentator on the cyber security landscape, data assurance approaches and business continuity.
Gar O’Hara is joined this week by Phil Zongo, author of The Five Anchors of Cyber Resilience. Phil has over 15 years experience in risk management and cyber security working with some of the biggest companies out there. His focus these days is on cyber resilience and his work within the Cyber Leadership Institute which he co-founded with Jan Schreuder and Darren Argyle. Gar and Phil dive into a range of topics over the course of this 40-min episode with some terrific insights provided by Phil on how to achieve cyber savvy workforces, key pain points for CISO’s, how to get cyber security strategy right, stakeholder management, the value of automation and of course the impact of COVID-19 on the industry.
#cybersecurity #cyberresilience #getcyberresilient
The Get Cyber Resilient Show Episode #16 Transcript
Garret O'Hora: [00:00:00] Welcome to the Get Cyber Resilient Podcast. I'm Garret O'Hora, and this week I'm excited to be joined by Phil Zongo, author of the Five Anchors of Cyber Resilience. Phil has 15 years in risk and cybersecurity working for some of the biggest names out there. He now focuses on cyber resilience, and with that, co-founded the Cyber Leadership Institute with Darren Argyle and Jan Schreuder with the mission to develop the skills of cyber strategy, leadership, and risk management in CISOs and security leaders.
Phil and the team at the Cyber Leadership Institute have produced an excellent playbook for CISOs, which we'll include in the show notes, and a link to the Five Anchors of Cyber Resilience. I cannot recommend that book enough. In this episode, we talk about cyber savvy workforces, key pain points for CISOs, and the recommendations for getting cyber strategy rights. We talk about stakeholder management with some excellent insights from Phil on getting buy-in from the broader business, the importance of agreement on target state from the start, the value of automation. And, of course, we touch upon COVID and the impact that that's going to have.
I'm a huge fan of Phil's work. I regularly refer to him when I'm doing speaking spots. So, I really enjoyed speaking with Phil, and I hope you get a lot from the conversation. Please enjoy.
Good morning, everybody, and welcome to the Get Cyber Resilient Podcast. This morning I'm joined by Phil Zongo. Morning, Phil.
Phil Zongo: [00:01:29] Hi, Garret. How are you, man?
Garret O'Hora: [00:01:31] I'm doing well. Thank you. Beautiful day here in Sydney today. And, uh, yeah, apart from the lockdown, feeling pretty [laughs] good about life. Yeah. So, Phil, we, uh, look, we crossed paths, it's a couple of years ago now, at an Asia branch meeting and you were on stage, you were giving a talk. Um, and it was at that point I heard about the Five Anchors of Cyber Resilience. And we were chatting, just before we started recording, that it's the one book that I recommend everybody read when they join the Mimecast team. I think it's a phenomenal, uh, phenomenal book.
And- but for those who, who maybe don't know you, could you just kind of run us through briefly, you know, what you've been doing, where you are currently, and, and just some of the stuff that you've been up to?
Phil Zongo: [00:02:12] Yeah. Yeah, thanks, Garret. I'm really excited to be here. Uh, my career, uh, I've been working in technology risk and cybersecurity for the last 15 years. Originally, I come from Zimbabwe. Uh, I started off my career there, uh, working with Deloitte, and moved here to Australia in 2007 working with, uh, PWC. Uh, [inaudible 00:02:37] teams at Dimension Data after I left PWC, and then spent about, uh, um, six years working at AMP as a technology risk manager.
But during my time at AMP, I decided to move into cybersecurity and really position myself as an expert. And, um, you know, over the last few years I have done a lot of stuff. Uh, predominantly, I, I'm a writer, so I've published quite a number of dozens of articles, mostly with the ISACA International Journal based in Chicago. Uh, quite a number of, uh, other magazines and newspapers as well.
Uh, but most importantly, in the last three years, I, uh, I started writing my book, which is the Five Anchors of Cyber Resilience, which is basically a contemporary strategy book that absolves the complexity of this important subject, and passes on practical guidance to senior business leaders. Uh, I have also worked as a, as a technology risk manager for Preston Wealth Management, which is actually my primary responsibility. I've been waiting there for the last three years.
But in the last 12 months, I joined up with two other cybersecurity veterans, Darren Argyle and, uh, Jan Schreuder. And we founded... we co-founded what's called the Cyber Resilience- Cyber, Cyber Leadership Institute. Uh, we, basically, we train senior business leaders to become world class CISOs. So, pretty much, that's, that's my career in brief. And, uh, right now, really, really involved, uh, with our work at the Cyber Leadership Institute.
Garret O'Hora: [00:04:18] So, that sounds really interesting. Could you kind of tell us a bit more about what that work is that you're doing, uh, with the Cyber Leadership Institute?
Phil Zongo: [00:04:26] Yeah. So, having been in cybersecurity for quite some time and interacting with other CISOs as well, uh, we realized that there's quite a number of challenges, especially around skills shortage. Uh, the way we are solving the cybersecurity skills shortage at the Cyber Leadership Institute is taking the down approach. So, our flagship program is called the Cyber Leadership Program where aspiring CISOs, uh, or senior business- senior technology leaders from all over the world, uh, they enroll for an eight-week intensive program, uh, which is designed to impart, uh, skills around, you know, how do you communicate to the board of directors? How do we... how do you influence the chief executive officer? How do you, uh, position cybersecurity as a business enabler, not as a, uh, not, not as a necessary evil?
So, our main focus is to, you know, empower senior cybersecurity leaders with, you know, those executive influencing skills, strategy, design governance, uh, and being able to pass that from the top point downwards. Uh, I'm very excited to say, uh, we had our first cohort of online cyber leaders graduate from the Cyber Leadership Institute, uh, about two weeks ago. Then, we had delegates attend the program from the United States, from Europe, from Asia Pacific. And we do have another class starting in one, in, in one June.
What really differentiates us though is, you know, uh, the Cyber Leadership Institute, uh, the program itself is underpinned by what we call the cyber resilience hub, uh, which is an online repository of, uh, high quality, uh, CISO strategy booklets or playbooks, uh, uh, resource guides, and other templates that you can easily download and tailor-make to, uh, to the needs of, of your organization. So, it's not just training cyber leaders, but giving them the platform for them to excel in their roles as well.
Garret O'Hora: [00:06:37] That sounds phenomenal. And, and you shared one of the playbooks, uh, yesterday, actually, which I, I kind of read through and it was very impressive. One of the things, and you just mentioned that there is part of the, the training program, um, was the, the focus on business outcomes, but, you know, that that idea that you really kinda need to get buy-in from key stakeholders. I'd be, if it may, it'd be great if you could kind of run us through some of those recommendations that you'd make for a, a CISO when they're kind of building at that stakeholder engagements.
Phil Zongo: [00:07:06] Yeah. So, the consistent mass message that we have in the Cyber Leadership Institute is cybersecurity is no longer an IT issue. It's a broader business issue that can only succeed... You can only achieve cyber resilience if you've got, uh, effective buy-in from the most senior business leaders and the board of directors. Without their support, your program, uh, really fails before it even takes off.
So, one of our primary recommendations is, when you come up with a cybersecurity strategy, you need to engage the senior business leaders from the outset. You know, it's one thing for you to walk up, uh, to senior business leaders and say, "This is the cybersecurity strategy," which is the old way of doing things. Uh, but what we really recommend is you engage them, and you get their input from the start.
So, when you join a new organization as a new CISO, the number one thing you need to do is to develop those strategic relationships with, you know, key stakeholders such as the chief, chief risk officer, your CFO, chief operations officer, and most importantly, your CIO, who, who maybe will be your primary stakeholder. And, uh, as part of that strategy as well, you need to find an executive sponsor because as you appreciate, you know, when you are spending millions of dollars in cybersecurity, you are always going to run into politics. Uh, there's going to be other priorities within the business.
Uh, so, with an executive sponsor on your side such as the chief opera- uh, operations officer or the CFO, or ideally the C- CEO themselves, you know, your program is likely to succeed. So, basically, what we are saying is before you draft the strategy, make sure you solicit the input of the senior stakeholders, you agree on what the target states looks like, and then, you know, it, it, it will, it will be much easier for you to gain the support to fund those, uh, that cybersecurity transformation program.
Garret O'Hora: [00:09:13] Yeah, definitely understand. And, and one of the things that I think has been consistent in the conversations on this podcast is, while we work in cybersecurity... And that's obviously very heavily technology-related for the most part, and obviously there is people and process involved too. Um, but one of the consistent themes has been how important it is for cyber leadership to be able to navigate the human side of things, um, and reflect perfectly what you just said around navigating politics, getting buy-in. And in some ways, being kind of an internal sales person for a program of works. Is that a, is that a fair comment to make, Phil?
Phil Zongo: [00:09:49] Oh, yeah, definitely. Uh, you know, so one of the... That's why in the Cyber Leadership Institute, one of our... we actually have an entire week that's dedicated to stakeholder engagement because it's one thing, you know... uh, uh, the problem we, we, we have inside the security is we overemphasize the, uh, the effectiveness of technical controls. If- they definitely have their part to play, but a lot of this lies around, you know, how do you, uh, translate cybersecurity in a way that senior stakeholders understand, and more then, it motivates them to action.
So, you need to be a good storyteller. You can't just wake up and say, "You know, we, we want to mitigate threats." You need to translate the subject into, into the language that the business understands and motivates them to, to action. So, I do agree it's about transforming culture, about driving change, and pushing responsibilities beyond the periphery of the cybersecurity function to the frontline staff, up to the board of directors.
Garret O'Hora: [00:10:55] Absolutely. And actually on, you know, on the, um, the area of frontline staff, that's, for me, one of the kind of particularly interesting areas that we're, uh, looking at these days, um, around how do you create good behavior change in a workforce. I think in your, in your book, you even call them as cyber savvy workforce. And I think what we've seen is that there's been a lot of failings in the approaches in the past, and we've learned a lot, I think, about what, you know, what it takes to create a cyber savvy workforce. And from your perse- perspective, Phil, like what are the- some, some of the things that companies kinda get wrong when it comes to cyber awareness?
Phil Zongo: [00:11:30] Okay, great. A really good question there, Garret. Uh, cyber awareness, I, I think, the- there's quite a number of challenges that, that we have. Number one is people don't really understand what's cybersecurity awareness. Uh, when I started working with these organizations as a virtual head of cybersecurity or interact with other CISOs, uh, what I see is the old school way of things, uh, which causes cybersecurity awareness as this necessary evil.
So, people are required to, every 12 months or even six months, complete some really mundane, uh, clients module. And, you know, people really hate doing this because they get being told the same old things like, you know, eight character passwords, uh, you know, don't leave your laptop, uh, unlocked. Um, we really have to change the old way of doing things because it's boring, you know? So, the lessons don't stick.
Uh, there are quite a number of ways. I, I think the organization is leading in that as well. You know, the micro-learning kind of where you, you know, push this three or four minutes videos to staff every month, really highly engaging. You need to read that in stories. You know, uh, the, the, the basic, uh, principle for me is people have to relate to what you're saying. That's why if you look into my book, for example, uh, I've got more than 200 references, and a lot of them are case studies. So, if you, you know, translate that into real-life scenarios, you know, uh, bring in case studies, uh, and, you know, segment it into micro modules, that people can easily consume and move on in their lives.
Uh, the other area as well that I see very important is, you know, it's one thing to run a cybersecurity awareness program, but how do you know it's working? It's always comes back to testing. So, for me, the phishing simulations have been, uh, incre- uh, incredibly powerful as a way of trans- transforming a culture wi- within our organizations.
So, the phishing simulations that we have run have really- have had some of the really, uh, blindness spots. Uh, so, you know, people who, who make mistakes but they're not willing to own up to their mistakes, I think that's a big, big issue. So, I've had people, you know, uh, make mistakes, but are not really willing to come forward and say, "This is what I've done."
So, I think we need to revamp the entire cybersecurity, uh, awareness program. We have this one-size-fits-all. It's not all about that. So, you know, we need to segment those communities, you know, because the risks and threats that are faced by your frontline staff are, are quite different to those that are faced by the board of directors or by your systems administrators. So, by being able to segment those, uh, populations into different segments and tailor-make the cybersecurity awareness, uh, into something that they really relate to, I think it's, it's important to drive change.
Garret O'Hora: [00:14:35] So, I really... uh, that comments about it being relatable resonates with me. I think that is one of the... I think the key issues that we've seen time and again in this industry is that we, we've rolled out compliance-based training, and you mentioned this earlier. It's mundane. It's probably a, a learning management system. It runs for 45 minutes or an hour, and people are just bored. They don't engage with it, they don't learn anything from it.
Phil Zongo: [00:14:59] Oh, yeah.
Garret O'Hora: [00:14:59] Um, it- it's interesting, we, we just went through a research, um, kind of project with Forrester where they kind of surveyed, you know, business leaders, uh, around, uh, Australia, New Zealand, Singapore, and some of those kind of the Asian countries. And, um, overwhelmingly, the feedback from both the leadership and the end users is they're bored. You know, they, they, they just don't learn anything from the, the kind of current way of doing things. So, definitely, uh, I agree with you on that one.
And, and actually the- your comments around culture, um, I think that is an incredibly important part. And, you know, I think you mentioned that people are maybe sometimes afraid to come forward if they've made a mistake. And I, I think you're spot on there because I think we need trust in organizations for then the, you know, post-incident analysis to be good because you need the, the staff to be able to come to you and say, "Hey, I think I did this thing. Um, I think I'm the person who maybe started all of this, uh, [laughs] this breach." Um, but you need that openness so people will come forward and sort of be honest about what has, what has happened. Um-
Phil Zongo: [00:16:02] [inaudible 00:16:03].
Garret O'Hora: [00:16:04] Yeah, look, and Phil, in your interactions with CISOs, and I'm guessing there's quite a few of those for you, like what are some of the key pain points that they have when they're kinda developing their cyber resilience strategies? What are some of the things that you, you hear quite often when you're talking to CISOs?
Phil Zongo: [00:16:19] Yeah, there's quite a number of challenges, and I think the number one issue is, uh, a lot of our colleagues are hired to salvage, uh, serious problems. So, normally, organizations have, uh, low ranking cybersecurity, uh, staff running their cybersecurity function. Only after when they've got a serious data breach, or they have a hefty fine from regulations, uh, or the big business construct, that's when they decide to hire a CISO. And that's always a problem because you, you are not thinking about cybersecurity, uh, from the outset, which is one of the things that I talk about in the Five Anchors as well, that we need to consider cybersecurity, uh, early, uh, when we are doing business.
So, these CISOs are hired to solve this, uh, some serious problems. And in there you need to, uh, start, you know, forensics and do root cause analysis over a, a serious data breach. You don't have time to forge your own agenda and create a cyber resilience strategy, and that's a big problem. You know, after 15 months into your role, you'll realize that, you know, you haven't really achieved anything meaningful except, uh, cleaning, cleaning, cleaning, cleaning up, cleaning up the, the messes. So, that's, that's a big problem for me.
The other frustration that we see as well is a consistent message from the CISO community that cyber resilience programs are receiving a lip service from the board of directors and senior business leaders. Uh, I think this trend is starting to change. And, you know, thankfully, because of tightening regulations such as the GDPR or the mandatory data breach regulations here in Australia. Uh, but I think, you know, it will... we, we still have a long way to go. You know, senior business leaders have to be, uh, uh, involved in cyber resilience programs from, uh, from the start. And they need to demonstrate unshakeable commitment.
Because without their commitment, like I said before, cyber resilience programs, they fail before they even take off. Because this is about culture. This is about funding. You know, if your cyber resilience programs are underfunded, there, there is not really much you are going to do. Um, the other issue as well is, you know, strategy design in cybersecurity is a relatively new concept. Uh, we have had... Uh, there's several books about strategy design, and that's one thing that I, I recommend my cybersecurity colleagues to, to, to do. Uh, you know, really immense yourself in books that are beyond our, uh, our subject, you know, strategy design. Like Blue Ocean Strategy, for me, is one of the best books that I've ever, ever read.
Uh, so those principles around, you know, really how do you focus on high value activities and relegate everything else that's, you know, maybe urgent, but not essential in the long term. How do you relegate that? You know, that discipline is largely lacking. So, uh, in talking with our colleagues, you know, the concept of, of really building a business-centered cyber resilience strategy is, is lacking. You know, uh, a lot of the strategies that we see are just, you know, NIST frameworks, or ASD top eight, or copied five. That's not really a, a business strategy that we can sell to the board or senior business leaders.
So, I, I think, you know, those are maybe my, my top three. Uh, the- maybe the fourth one really, uh, quickly here is, uh, the ability to stra- to prioritize, it's, it's a big, it's a big problem within cybersecurity teams. I think like I write again in the su- in the Five Anchors an average financial services institution has got about 600 core applications. You know, if you've got a team of maybe 12, or 20 people, or 10 people, how do you really... how do you prioritize those resources to, uh, focus on what really matters? So, the ability to, uh, define what are our crown jewels, those most important digital assets, which when they are hacked, uh, the business is likely to go into deep trouble. I, I think that's, that's a lacking discipline as well.
So, cybersecurity teams are fatigued, and they are really frustrated, and some of their programs have become bottomless money pits because, you know, they're trying to mitigate every possible cybersecurity vulnerabilities across, you know, all digital assets. And that's, that's, that's a failing strategy.
Garret O'Hora: [00:20:59] Yeah. And you, you've talked- definitely talked about that in the, uh, the Five Anchors there, the crown jewels. I, I completely agree around, you know, the exhaustion being experienced by security teams. Um, you know, we, we obviously spend a lot of time talking to those folks in the, the job that I do day to day, and they, they really are. They're overworked. They tend to be underfunded compared to what they would like to, you know, have in terms of budget. Um, and they're expected to really do more but, you know, have less in terms of kind of, um, yeah, of that budget.
And you mentioned the, the idea of prioritization and the... just the sheer volume of apps, and, and sort of platforms, and technology. Do you see like the play for soar type technologies helping there? Like the level of automation that could be achieved, it's probably, let's be honest, longer term. You know, it might be 12 or 18 months out after implementation, but how do you see technologies like soar playing out to give some time back to those SOC analysts?
Phil Zongo: [00:21:58] Uh, it's not really a long term. And if you look into our cyber resilience strategy playbook, that's one thing that we, we recommend. And that's very important for the CISO to say, when, when, when you come up with your list of, say, top 12 initiatives, uh, you really have to be smart and say, you know, what stuff can we do in-house and what can we outsource to organizations that can do at scale and use advanced te- te- technologies.
And I've seen this play in real life. You know, I, I have had clients that I've helped push, you know, really advanced secu- 24/7 security operation centers. And, you know, being able to deliver that complex program, uh, in about six to eight weeks, is really amazing. So, these technologies are already there. You know, think of machine learning and artificial intelligence, really mature now. There's huge volumes of data in the... you know, thanks to, you know, uh, high-powered computers, and cloud, and big data platforms.
Uh, so, one of these technologies that I've used in real life is, you know, uh, you bring in consultants, they identify your crown jewels. They, you know, plug in their technology. We take security logs from all the, you know, high risk applications, like your files, active directory, uh, you know, core banking applications. Uh, you know, the data is, uh, up to 24/7 to a security operation center, a global one that's used by big American banks and, you know, the... it provides you pinpoint accuracy.
You know, even if I'm playing golf and I look into my app, you know, it tells me that, you know, you've got some directors in your active directory, I have to leave everything I'm doing. So, just imagine if I was trying to build these capabilities in-house, you know, it would take me at least 18 months to-
Garret O'Hora: [00:23:52] Yup.
Phil Zongo: [00:23:52] ... find the talent, which maybe I won't be able to attract this top talent anyway because, you know, our teams are much smaller. So, the, you know, ability to automate is, is really amazing. And this is the way I see a lot of frustration now as we speak. You know, small teams trying to build, to build their own security operation centers. [laughs] Uh, you know, that's why security teams are fatigued. It's not necessarily that, you know, the threats are, are much more than they were two years ago. I think it's about your strategy.
That's why, for us, strategy is, is key. You know, you're trying to build capabilities in-house that can easily be outsourced, uh, you know, and be done at scale. It much lower the cost and give the board even a much higher level of comfort because if we tell them, you know, this is the same te- technology that's being used by, you know, a large bank in America, for example, that gives them comfort than, you know, telling them this is something we are building on our own. So, automation, to your point, is already playing a huge, huge role in, you know, uh, taking away all the mundane stuff so that the CISO and their team can, you know, really focus on, you know, value-adding stuff rather than, you know, looking at, you know, 300,000 alerts every day.
Garret O'Hora: [00:25:07] You have what you have. And, and most of those alerts are false positives anyway, so-
Phil Zongo: [00:25:11] They're rubbish. They're [inaudible 00:25:12].
Garret O'Hora: [00:25:13] [laughs]. Um, in, in your latest playbook, and we'll include the link to the playbook in these show notes, but, um, you advocate actually shifting away from a risk-based cyber resilience strategy, Phil. Like, why is that? What's the thinking there?
Phil Zongo: [00:25:27] Yeah, so, you know, u- up to now, because we, we, we are in a very privileged, uh, situation because we interact with other CISOs and we help other organizations as well build cybersecurity strategy, I would say maybe 60, 70% all cybersecurity strategies that we come across, they are risk-based. And there's a- there is merit around that because this is what we have always done to say, you know, as a new CISO, you go in and you do a risk assessment, you identify maybe five to 10 higher risk issues or critical issues. Then, you, you know, you focus your next 12 months on, uh, reducing those high-rated risks to low or medium, or to within appetite.
And, you know, that, that approach definitely is what merit is. It's easy to sell to the business, it gets you going fast. But I think it's got a lot of, uh, limitations. And number one is it doesn't change the narrative. And this is what we're trying to do to say cybersecurity is no longer a compliance issue. It's not a necessary evil, but it's actually a powerful enabler to the business, you know?
So, in other organizations that I've helped myself, cybersecurity is a critical business enabler. When we are going to look for new business, we, we, we, you know, we talk about our cybersecurity capabilities and how we are able to, uh, protect sensitive customer information. So, cybersecurity is no longer, you know, just about compliance, just about putting controls, but how do we really help businesses move? And, and [inaudible 00:27:02] those enabling technologies such as, such as, uh, cloud computing, machine learning, blockchain, you know? But building cybersecurity early so the business can be really comfortable. So, I think that's the number one issue.
So, your compliance-based, risk-based cybersecurity approaches, they're really hard to sell those business leaders. But we need to flip that, that conversation and pose cybersecurity as a, as a, as a business enabler and, and, and differentiator. The other issue is, you know, if you stick with this old style approach... You know, this is what I often see. You know, a CISO comes in, then you realize that maybe you've got maybe 20, uh, database platforms or databases that are- that have got un-encrypted customer, customer data, it's very easy for you to mark that as a higher risk and then commit to the board and the CEO that you're going to encrypt all these databases in the next, uh, six months. But that's, that, that by itself is a terrible mistake.
Why do I say so is because, uh, when you start working deeper with IT teams and understand the nuances around these applications, then you realize that, you know, some of these applications you [inaudible 00:28:13] them at all because they are running on legacy technology. By doing so, you could break the application, or the vendor doesn't have the capability to do so. So, the problem with the risk-based cybersecurity approach is it treats, you know, cybersecurity initiatives in isolation. So, if you promised the board that, "In the next six months, I'm going to encrypt [inaudible 00:28:34] databases," and then you realize later on, oh, you know, there are critical dependencies within the IT infrastructure. And then you back off from such a promise, your credibility just taints, you know?
And credibility is the currency of the, of the CISO. You know, if you're able to, to, to promise the board this is- these are the initiatives I'm going to deliver and you deliver those initiatives, your credibility goes up. If you promise and you don't deliver, then your credibility really taints, and you're gonna be punished.
Garret O'Hora: [00:29:06] Yeah, it's, it's a very interesting comment. I think we're seeing that more and more the, the idea of CISO or security, in general, being a competitive differentiator. You know, it's a good thing. It's a, a thing that will allow a business to proceed faster and, and more securely.
Phil Zongo: [00:29:22] Yeah.
Garret O'Hora: [00:29:23] Um, I heard an analogy, it's like, um, you know, you, you can only drive a car really fast if you know that the brakes are very good. And, and maybe cybersecurity and cyber resilience-
Phil Zongo: [00:29:32] I love that.
Garret O'Hora: [00:29:32] ... is a li- [laughs] a little bit like that. Um, we, we, look, we talked about some of the key pain points when you're developing your kind of cyber resilience strategy, what, what are like some of the recommendations you would make around getting the- those strategies right? You know, we talked about the pains. What are the things that a CISO or security leaders can do to, to really think about their cyber resilience strategies and get it- get them right from the start?
Phil Zongo: [00:29:58] Yeah. There's quite a number of, a number of, uh, um, recommendations in our, in our playbook. The number one that I recommend is you need to measure... You, you need to, you know... When you get in as a new CISO, uh, you need to... the first question that you, you have to ask is, you know, what's going on? You know, what's going on here? Because the temptation is to rush into execution mode. But that's, that's very, that's very dangerous because you need to understand your current state. You need to understand your existing capabilities, and only that can you be able to focus your budget on, on, on areas of highest risk exposures.
So, what I recommend is, you know, spend some time, read your assurance reports, your team, uh, uh, uh, results, board papers, risk assessments, governance reports to, uh, to risk committees and, and boards of directors. And then, you know, you really understand what are the, what are the key gaps and what, uh, what are the, uh, the capabilities that we have.
Uh, the second one I've already talked about, know your stakeholders, get that buy-in from the start, mostly from the CEO who is the linchpin of your, of your money. If the CEO is on board and provides you with the unwavering support, then it's easy to drive cultural change. Then, the other recommendation is you need to agree [inaudible 00:31:24], and that's very important. And I always use the golf analogy to say, when you stand on the, on the Tee, uh, you know, you look on the scorecard and you realize this is a par five, which means you need to hit five shots to get into the hole.
Uh, a lot of cybersecurity strategies that we see don't have, uh, an end state. So- and that's very dangerous. You know, for you, it's o- once you understand what are the critical issues, uh, is to say in the next 12 months to 36 months, this is my, my roadmap. And then, that actually becomes your, your governance mechanism [inaudible 00:32:03] for every month. They come back to the risk management committees. Every three months, they go back to the board and say, "This is how we are tracking against the, uh, the initiatives."
Um, what I recommend there is there's always a temptation to over commit, and that's a big problem [laughs] I see in cybersecurity. You know, we get in there, we're going to, uh, give you the utopian view, uh, of the world, we're going to mitigate, we're gonna comply with NITS, we're gonna comply with this framework. Very, very dangerous. So, just make sure that, you know, you understand the, uh, you know, do you have the budget? Do you have the team to deliver such complex [inaudible 00:32:43] then. You know, so don't, don't over promise. Don't bite more than you can chew.
Uh, the other issue is working to link your business goals to the digital transformation agenda. This is where the conversation with the CIO is very important. Uh, we see that disconnect as well when we talk to CISOs. They come in and say, "You know, my number one strategy is to comply with the NIST framework." And that's just, you know, that's just boring. And more so, because they, they're not, uh, aware that, you know, the, the CIO plans to decommission all the data centers and move into public cloud in the next 12 months, your, you know, their, their strategies quickly become, uh, obsolete.
So, you really need to, you know, tie your cyber secu- security strategy to the business value chain. You know, how are you going to enable, you know, the business to build new strategic partnerships? How are you going to secure your products, or enhance customer trust? Uh, you know, maybe the business is planning mergers and acquisitions. How do you build cybersecurity, uh, into these strategic initiatives? So, there's quite a number of initiati... you know, a lot of recommendations, but I think those are, those are, you know, my, my top.
Uh, maybe one last one before I go here, Garret, is, you know, do- never forget the basics, and that's what we see. You know, a new CISO comes in and say, "I'm going to, uh, deal with, uh, advanced persistent threats, and then, you know, really complex ticket items, machine learning, blockchain and all this." That's all good. But seriously, when we look deep in all this high-profile data breaches, you know, someone is- gets in trouble because they didn't patch their systems. They didn't know what are their crown jewels. You know, they had high-value systems that were exposed to the internet without ma- without two-factor authentication.
So, really focus on the basics as well, uh, in your roadmap, as you rush to deliver bleeding edge technologies, you know? If there are some open penetration test findings, make sure those, those get tested because if you get hacked, you know, regulators come in and realize you're the core banking application sitting on the internet without TFA, certainly, you lose your job.
Garret O'Hora: [00:35:03] It's funny when you mentioned that, Phil, because one of the things our threat center produces is threat intel reports. And part of that is, uh, kind of identifying campaigns that, uh, have hit sometimes just Australia. And it's amazing to me how often, uh, those campaigns are using threats that are five years old or, you know, CVs that are dated from the sort of 2014, 2016. Um, it, it is amazing, you know, getting the basics right and, and doing that before you even look at the stuff that's more recent or more advanced. Um, yeah, look, I, I totally agree with you.
Um, one last question, I'm, I'm hoping you, you have time. Um, how do you see, uh, COVID-19 changing the cybersecurity landscape? Do you, do you feel like it's gonna change the voice of, of the security teams of CISOs, and maybe give them more, more amplification and volume? Maybe open some of those kind of, uh, budgets to do security programs of works, or get buy-in for cyber resilience strategies? How do you feel like COVID-19 is gonna change the landscape for us?
Phil Zongo: [00:36:06] Yeah, you know, I think that's a brilliant, brilliant question [laughs]. Uh, it comes back to, you already answered this, I think, uh, when you used that, you know, cars and the brake analogy.
Garret O'Hora: [00:36:18] Yup.
Phil Zongo: [00:36:19] That's what I've seen interacting with other CISOs. Say, organizations that had built cybersecurity early into their business processes, they, you know, shifted to this remote work environment seamlessly, and they didn't really go through all the pain points that we see. You know, what do we see now? You know, there's organizations that, you know, they didn't have any [inaudible 00:36:42] capability for people to securely log in from home. And those that did, you know, the VPN tunnels could not sustain the... you know, they never anticipated, you know, if maybe 20 people were logging in remotely, now you've got 6,000 people who have to log in remotely.
So, a lot of businesses were really hurt because they didn't have the security, uh, infrastructure to support remote work. Um, you know, a lot of, uh, cybersecurity phishing attacks that we see targeting all this, uh, COVID looking like government websites. So, your point is very, is very important. You know, uh, I think this [inaudible 00:37:23] has awakened people to something that we were always talking about for years, but not necessarily, uh, you know, getting hacked.
Um, the thing though that I see is, you know, us, the cybersecurity people, we've got this tendency to assume that, you know, the culture will change by itself because, you know, we had a data breach, or we had some regulatory issue, or we had COVID-19. Um, it's up to us to, you know, how do we leverage this scenario to, you know, build that story again and, you know, uh, drive cultural change to the business. So, I think the responsibility is within the CISO and all the senior cybersecurity leaders to say, how do we then position this, you know?
Because it's not just the [inaudible 00:38:15] team, it's about how we then, you know, bundle that into a story and communicate it back to the board, back to the senior business leaders, back to, you know, the entire staff in a way that, you know, they can buy it. Does that make sense? So, it's not just, you know, letting, you know, COVID unfold, we need to, we need to advantage of the situation. You know, uh, that's why I call, you know, The Gift of Adversity, um, which is a new book I'm writing to say, you know, it's not all doom and gloom. Sometimes, you know, difficult situations can actually, uh, land us in a better place, you know, maybe 12 months from now.
Uh, so, I think there is heightened awareness around cybersecurity, uh, but we, we, we can't just, you know, sit back and relax. We need to be able to tell that in a way that, you know, captivates senior business leaders and gets them into action.
Garret O'Hora: [00:39:10] Absolutely. And, and hopefully, as a, as an industry and individual organizations come out of this all just stronger than we are today, I mean, I think that's the hope most of us would have.
Phil Zongo: [00:39:20] And that's an important point. Uh, I think we are. You know, think of collaboration, for example, before COVID, there was very limited collaboration amongst CISOs. Uh, what happened is, post-COVID, we came together with some of the CISOs that I know, so, you know, half a dozen of us. And we actively collaborate on, you know, the initiatives that we are undertaking within our organizations to reduce the risk profile. So, we are much stronger together. You know, we actively share information. We- you know, if, if we do some awareness training staff, you know, blogs that we write and send to staff, you know, we share with other organizations. So, I think there is some good coming out of this from a security perspective. We are much stronger together.
Garret O'Hora: [00:40:05] Yup. As we always are. I think that's the easier tagline for the conferences as, [laughs] as well, isn't it? Stronger together. Uh, um, Phil, we, we've, again, run over time, which I think is always such a good indication of a good, uh, conversation. It's, uh, it's been an absolutely pleasure to speak to you. And, uh, again, thank you for the work that you do. Thanks for the Five Anchors of Cyber Resilience. Like I say, it's an awesome book. We'll include a link to that in the show notes, um, and also to your, uh, latest CISO playbook, uh, which I think is, is phenomenal stuff as well. Um, really appreciate it, Phil. And, um, yeah, I hope the rest of the lockdown treats you well.
Phil Zongo: [00:40:41] Yeah. Thank you so much, man. Have a great day. And, uh, we'll chat soon.
Garret O'Hora: [00:40:50] What a pleasure it was to speak with Phil. As always, I learned something and had some of my thinking challenged. What more can you ask for? Thanks again to Phil Zongo for taking the time out, and thank you for listening to the Get Cyber Resilient Podcast. I look forward to catching you on the next episode.