A perfect fit: Using risk to get the right sized security with Christopher Hodson

August 7, 2024

Is ‘Security Theater’ plaguing your efforts for cyber resilience? Chris Hodson, author of "Cyber Risk Management", gives us a reality check on SecureTalk. Discover why understanding risk is the cornerstone of every security program and how his book guides CISOs and security leaders through effective security posture scoping.

Explore cybersecurity risk management with expert Chris Hodson and Strike Graph CEO Justin Beals. Delve into aligning security with business goals, evolving CISO roles, compliance challenges, and the impact of AI. Understand the importance of risk acceptance in corporate decision-making, the role of AI in security, multi-factor authentication, and the real-world implications of security breaches.


Secure Talk - Christopher Hodson

Justin Beals: Hello everyone and welcome back to Secure Talk. It's a pleasure to have all our listeners back today. We have a really special guest in store for us. Today we're meeting with Chris Hodson. Chris is the author of an exceptional book, Cyber Risk Management. He's also the Chief Security Officer and Chief Product Officer for Cyberhaven.

Chris, thanks for joining us today on Secure Talk. 

Chris Hodson: Thank you, Justin. Pleasure to be here. 

Justin Beals: So, Chris, first, I want to applaud the book. I have had a chance to read it. It is quite extensive, 500 pages or so, but really one of the most comprehensive books that I've read, not just on cybersecurity or maybe how a CISO works, but really the critical need of risk management in planning a security program whatsoever.

And I thought maybe we'd kick off there a little bit. Risk gets passed over a lot of times. There's much more exciting things to work on, but obviously you think it's critical to developing a security program. 

Chris Hodson: Yeah, absolutely. I mean, otherwise, how do you prioritize? Do you know what I mean? I think historically our industry has been pretty bad anyway at, you know, buying tools because our predecessor had a tool, or we're familiar with the vendor, or we used it in another organization. And, you know, I think there was a period of time in a lot of industries where you just kind of went along with that. I think in these cost-conscious times, you know, CISOs across the board in all regions are being asked to, you know, slash their budgets, and if it's not people, then it's tech. And if it comes to, in fact, even if it's people, you know, you have to have a risk-based conversation. People need to understand the potential ramifications of either having or not having a solution or a process or a person in role.

So yeah, I genuinely believe that risk is the cornerstone of everything. Kind of all security programs, and I would say also, like, it's our best route into getting business resonance as well, you know, going and talking about how many, you know, DDoS attempts we blocked this month is probably not going to gain you much favor with a CFO, but, you know, if you're talking about, you know, mitigations and preventions of like regulatory fines or, frankly, anything, you know, these days, cyber is so interconnected.

So, yeah, it's a long intro. So, sorry, but yeah, that's kind of where and how I see risk, to be honest. 

Justin Beals: Yeah. Every time I talk about risk, my CFO gets very excited. Of course, it's very different than I want to spend more money. 

Chris Hodson: Um, yeah, excellent though. Like I, I find this doesn't happen in all organizations, but in a lot it's the CFO who's sort of chair of the audit and risk committee as well.

Like I found a lot of organizations, not just ones where I've worked, but, you know, peers have said this as well: if the CSO is pretty tight with the CFO, then, you know, it's a much easier set of monthly reports and, you know, budget requests, I find.

Justin Beals: The reason I was really interested in the book and I enjoy the topic, even though it seems dry at the outset: when I was developing our compliance management platform for security, one of the challenges I had as a product designer, right in the beginning, is how am I going to help our customers design the right security posture? And, you know, I read a lot, and then I actually went back to what I felt like was 20 years ago, the theory on management, and it came back to risk. And so we started with that as a major tentpole of our product: hey, you can't decide what security you need if you don't know what risks you're mitigating at the end of the day.

Chris Hodson: Yeah, completely. And I know in the book I was very data focused. It's not because I work for a data vendor; the first edition predated that anyway. But, you know, that's the best way, I think, of taking a risk-based approach, certainly when you're talking to your cross-functional stakeholders. Data is the cornerstone, you know; intellectual property is so important in all industries, and starting that conversation around impact there is certainly a strong way of approaching a security program, I think.

Justin Beals: So, Chris, a lot of our young and career listeners are always interested in how someone like yourself has reached the accomplishments you have. How did you ever get interested in computers generally or security? 

Chris Hodson: It's a great question. I wouldn't say I fell into it, but certainly, maybe fell halfway into security.

Do you know what I mean? Like, I've always been interested in how things work, and possibly in a slightly malevolent fashion, like, what would happen if you did this? Would it break? And, you know, how would you safeguard? Maybe not as defined as that during kind of childhood or adolescence or whatever, but it was certainly, certainly there.

I kind of fell into like IT support. And from IT support, I worked at a very small law firm. So I'm from Peterborough in the UK. And small law firm there where, you know, it's like two, three people in the entire IT department. So at that time, you know, everything from, I mean, I'm showing my age now, but we're talking sort of Delphi from a development perspective and Novell Network, you know, sort of NT4, just the genesis of Active Directory and, you know, lots of VB scripts and Visual Basic more generally.

So I kind of got the opportunity to try lots of things. When you're a small team, you do everything, don't you? So you can try your hand at a bit of WMI scripting or VB scripting rather, or, you know, building out networks in the office and at home, and kind of just evolve from there. I sort of learned the fundamentals of support initially, which is great, because it's back to that: things are broken. How do you fix them? And that's kind of a consistent theme, I think, of my career. I sort of moved from there. I tried my hand at being a developer, pretty badly, in the sense of, you know, I actually went to college. I can show my age, but VB6. So I got into development, you know, pre-.NET, should we say? Yeah, that was pretty fun.

And then from there, just a pretty natural kind of technical CISO track. So I did my MCSE. You get to the end of an MCSE, a Microsoft Certified Systems Engineer, and then you have the fork in the road of, do you want to do databases, messaging or security as electives? I'm a bit sad, so I think I did all three. I did do all three. Security just really stood out. I just loved building at the time, like ISA servers and securing Active Directory. Do you know what I mean? And how you could use GPOs to fortify and harden an environment. And I was like, heck, I really enjoy this. And then I just continued with certifications.

I think I made up for a lack of experience. This is a hot topic, I suppose, but I was quite young when I started doing security architecture, kind of mid-twenties maybe, security architecture for some large financial services organizations. I remember day one, I'm like, I am so fit, you know what I mean?

Like very established, well recognized people, you know, in the industry working there. And I did that for a number of years, got my first kind of head-of gig. And then from there, kind of moved to the dark side of vendor world. I've been building security orgs for 10 years now, and yeah, it's been a good ride.

Justin Beals: Yeah, I do think there was a time, and I feel a little sad that some of our new talent that's coming into this field doesn't get this opportunity to see the stack from top to bottom. Like, I remember, you know, writing the web server, writing the code that goes on the web server, deploying the database, writing the SQL queries, doing the design for the website.

You know, you really got to touch all aspects of an application. It's not that way anymore.

Chris Hodson: You're so right. And think about it from the other side. I remember my first apartment, flat as we would say over here. It was on a desk, not dissimilar to the desk I have here, kind of an L-shaped or a T-shaped desk, but with physical machines on it, you know, CRT monitors.

And if you wanted to do testing, you didn't spin up ESX or build something in GCP. You built a box, do you know what I mean? And you had a Netgear five-port switch on your desk. So that's the other side. Like it's not just that software as a service is eating all of this away from the development perspective, but network security too. I mean, philosophically you could argue it's not as important now, maybe, actually understanding security across the OSI stack.

I think that's kind of a bit sad that that's been lost a bit as well, yeah.

Justin Beals: Of course, there were the mistakes that we made where we were running the company software on the laptop underneath the cubicle desk. 

Chris Hodson: Yeah, where's the DNS server? It's under someone's desk.

Justin Beals: You know, one of the things that I enjoyed about your book, when you do discuss education and skill acquisition and security professionals, is that there are both technical skills and business acumen, especially in the security field.

I think because it's such a horizontal practice, right? Like it touches everything in the business in a way. How do you, how do you kind of think about the hard choice of being a generalist? You know, it's easy to get specific, but it's hard to pull yourself back and learn something new sometimes. 

Chris Hodson: Yeah, that's a really good question.

I don't think the industry necessarily... I'm going to alienate some people that I work with and some friends in saying this, I think, but we almost obsess. I think I wrote, no, I did write this in the book, around how we're almost like the inverse of the medical profession. Do you know what I mean?

In the sense of, in the medical profession as a, before you become, you know, an anesthetist or a surgeon or whatever, a heart surgeon or whatever, brain surgeon, whatever it is that you do, you try everything, don't you? You're a general practitioner. You spend time in different departments in a hospital.

We should do more of that in security, because I've seen many people, really good people come in and then exit this profession because they knew they liked something about it, but they got too deep too early in something. Like they might decide, you know, they saw it on Twitter that hey, learn to be a pen tester in four seconds.

So like they take a pen testing course and then do it for a bit and realize it's not for them, whereas actually they'd have been better as maybe a GRC analyst or working on the blue team side of things. So I try and stay, you know, what do we say about the CISSP exam? It's an inch thick and a mile wide.

I try and stay like that across the industry as things stand today, to keep that generalist nature. Because even in a CSO role or a CPO role, whatever people deem that to be, you know, I don't want to say the apotheosis, certainly not, but the role where you're least connected to the tech, should I say, you still need to understand it. Because back to this risk conversation, you know, someone's coming to you and asking you something very specific, almost esoteric, in the space of, like, GCP Kubernetes hardening.

Yeah, you still need to understand, maybe not at the level of detail someone in DevSecOps does, but you still need to understand what's going on there. So I think industry groups help. I'm such a nerd. I still do online CBT-based security training. I mean, again, the tech has evolved so much that, you know, you can do so much of this online in bite size.

It's not just watching three hours of videos anymore, which, yeah, who has the time or energy for.

Justin Beals: Yeah, it's really helpful. And I also think that, no, I think you're learning this technical issue, right? Like you have a deep understanding of how a firewall needs to be configured, you know, to work effectively, or encryption levels, but then at the same time, you need to understand business.

Like there's a, there's a deep business acumen, like why does HR exist? Why do I need to make them an ally? 

Chris Hodson: I think that's where resilience comes in. So in a couple of roles recently, in the last 10 years, I've had business continuity reporting into the security function. I feel that that is a great way of staying connected to the business, right?

Because you're then doing that decomposition. At BCP level, resilience level, you need to understand first off the business processes. Do you know what I mean? Like before you even know that it's running on this web server that's connected to XYZ with these people, you fundamentally need to know how the reconciliations team processes financial transactions, right?

You need to learn that first. So you learn that from a process perspective. And I think BCP, business resilience more broadly, is a really good way of doing that. I don't know how much of it you learn. I was actually, spoiler alert, writing some stuff recently for, maybe, I don't know if you do this, Justin, but it might become a book. It might become a blog. I don't know at this stage. You're starting out with some...

Justin Beals: Inspiration.

Chris Hodson: Yeah. Some Notion documents that are very poorly formatted, but around how much of it is nature versus nurture. When people say, hey, you need someone with strong business acumen, how much of that is actually experience and how much of that is just your character innately being good at listening and, you know, taking triggers? I can't answer that today, but I like to think I'm okay at that. I hope I am anyway.

Justin Beals: Well, I think there is like, there's like raw talent and then there's skill that you build, right? Doing business is an emotional intelligence thing. You know, as much as we've fed technology into the engine, the more technology we put in the engine, the more I feel like I have to talk to people about it.

Chris Hodson: Yeah, yeah, that's fair. Is that your segue into AI? I don't know. Yeah, I know what you mean. I know what you mean. 

Justin Beals: Well, uh, you know, not a not a bad way to discuss the future here a little bit. Maybe that is a good segue. I do have this emerging theory that I'm playing with where it's like when we add AI to our work, you know, like, let's say I'm a software developer and I'm using AI to write code, now I've got to explain to everybody why it's okay. Now I've got to explain to everyone why it works all right. Now I have to understand even more deeply what was put in there. So it does actually require, I think, higher order thinking on my part to stay ahead of what's being put together. 

Chris Hodson: It's like a paradox, isn't it?

The thing that's supposed to automate and make you more efficient is requiring you to do more to explain why you're doing less.

Justin Beals: I feel like the flywheel is rolling.

Chris Hodson: It's like, I had this conversation with one of our founders actually, around how it feels very much like the early days of cloud, doesn't it?

In terms of, I don't want to go down a massive rabbit hole with AI, but I remember my early days at Zscaler. So that was about early 2016. And, you know, we talked to some customers, or we talked to prospects, about, you know, moving proxy security to the cloud. And it was, I mean, it was unfathomable to people in some cases. Especially financial services were like, you're crazy. You are absolutely crazy. And you look at where the world is today. I feel there's certainly some of that with not just AI, but many things around cloud native security and automation.

Justin Beals: Yeah, well, it is. I never felt like the big changes in the language models were such a, even with ChatGPT, that there was that immense a leap, but for our work I've had my hands in the guts of it for a long, long time.

So it's felt like the appropriate amount. It's just that we found applicability for some of these solutions for some business things. And that's what's driving the adoption, the revenue side, the valuations that we see. Of course, there's always the hype engine of Silicon Valley, you know, to deal with.

It's a little hard to swallow. 

Chris Hodson: Yeah, we were talking, weren't we, off air, around both of us being at RSA next week. Yes. And I'll be interested this year to see the vendor hall and how much of it... I remember last year, quite literally, if you had a bingo card, it was just AI-enabled everything. And I wonder if potentially in some areas there'll be a trough of disillusionment now, actually, you know what I mean?

Because there are so many, so many awesome use cases. I mean, you know, shameless plug, but we've certainly built and we're delivering a number of them at Cyberhaven, but I have also seen a lot of AI-shaped hammers where everything just looks like an AI nail, you know? So it'll be interesting to see where we go over the next 12 months, I think.

Justin Beals: It's a tricky technology to productize, you know. You can certainly put it into systems quite easily, you could have for a long time, but to actually get value out of it is a whole other challenge. Yeah.

Chris Hodson: An economic point that makes sense as well, a financial point that makes sense, because obviously GPUs are incredibly expensive. So yeah. Yeah.

Justin Beals: Well, you know, one of the things, speaking of the broader business discussion that's going on for security, is that you talk a fair bit about where the CSO should sit inside the leadership team. What's your current thinking on that, Chris?

Chris Hodson: Oh, I don't remember what I wrote.

I'm not sure if I updated that in the second edition. I think it takes up an inordinate amount of space on social media, and as the person who wrote about it, I feel disingenuous now. But it doesn't really, I'm not sure it matters enormously. It's completely dependent on the organisation, is my honest view.

And I'm in a lucky position, I think, that I get to talk with so many business execs, so many CSOs, either through industry work or through the day job, going out and talking to them both as a CSO and as a product officer. I've seen some highly efficient, performant, traditional CSO-into-IT setups that everyone says is the worst thing in the world.

I've seen some really good implementations of that, especially in engineering-led organizations where so much of the business is time to market in terms of technical delivery. In those organizations, invariably the friction would come from, heck, we have a security update, or we can't ship it because this is going through a beta test, or we can't have downtime.

In those organizations, I think it makes sense for a CSO to report into, I don't know, the CIO or CTO. Then you have other organizations where, you know, it is much more about downstream client and supply chain risk, where potentially having the CISO much closer to legal and finance makes way more sense.

And I think there's an issue of scale and size as well. Like, you know, in my organization currently, 120 users, previous organization, a thousand. In those kinds of organizations you quite often have a relationship where you report to the CEO, which is fantastic in many, I don't know if he's listening, so be careful what I say, but fantastic in many ways. You know, there are some downsides and drawbacks to that level of broad exposure at an executive level, so you can get consumed into non-security things quite easily. And I think as organizations get bigger, your listeners maybe can tell us, but if you're in an organization of 40, 80, 120, 200,000, it's improbable that the security officer there is going to be, like, leadership team.

There are some exceptions. There are some wonderful CSOs I know who are operating at that proper, you know, quote unquote top table level, but they generally have more than just the S in their title. They're generally chief risk officer, or they've got all of privacy or resilience, a much more abstracted function. I think that other business execs, this is contentious, other people in that leadership team sometimes feel a little bit nervous of the security people. Do you know what I mean? Because they all kind of understand finance to a certain degree, or HR, or various other business functions, but maybe not security.

Justin Beals: It's because some of the risk concerns can feel a little esoteric, right? You know, it's easy to understand: hey, we're going to go out of business because we didn't make enough money. It's a little harder to understand: hey, we're going to go out of business because someone stole all our data.

Chris Hodson: Yeah, 100%. We have to have health and safety training because it's a requirement for us to have it. But then people generally understand what that entails. Not necessarily, like, developer capture-the-flag training for these various security things. You know, I agree completely. This is a much better parallel actually.

Yeah, definitely. 

Justin Beals: I think one of the other nuances that you're tapping into here a little bit is that in a lot of the companies where you and I work, which are very technology forward, maybe providing even a security product or something that is storing very sensitive data, I think the CISO is a part of the selling, you know, part of why you can trust us as a solution. Whereas, you know, for a large food establishment, it's just not part of people deciding to buy your product or not.

Chris Hodson: Yeah, that's a really good point. I think, when you're in the security space, you're on both sides, right? So you're building a product, you're securing a product. It's both functional and non-functional, isn't it? You have both facets from a security perspective. And you have a third, which is that generally customers want the assurance that you're doing that stuff as well.

So you almost act as a sales, I don't know about you, Justin, but you kind of act as almost a sales overlay, where you get parachuted into big deals to say, hey, look, here's our SOC 2 report and here's how we do these things. Yeah. If you're in, like, maybe not healthcare now, just because of the insane growth, explosion I should say, of ransomware, maybe in healthcare people get it.

Now, retail, you know, if you're selling tins of baked beans and French fries, it's a much harder gig. I've done one of those roles, in a security role. It's much harder to get people to appreciate and understand why security projects need to be prioritized. It really is. I feel for those guys and girls, like, it's difficult.

Justin Beals: You know, one of the things I've noticed for CISO style leadership lately as well, especially at the larger organizations, let's say more than 500 employees, is a more federated approach where they kind of deputize different departments and have to act at a much higher level than maybe they were used to prior in their career.

Are you seeing that transition as a security leader in a more federated work? 

Chris Hodson: It actually nicely ties into what I was saying on resilience. It's kind of a similar principle. I'm seeing many more BISO-type roles. So rather than calling them a deputy CISO or whatever, it's the security owner for that unit, as it were. I see a lot of that in financial services, you know, where the BISO is as much like a business PM, almost, like they understand all of those processes I was talking about earlier that are intrinsic to the success of that business unit.

That's the security person who understands those inside out. They're involved in all kinds of business decisions and are having weekly meetings with other stakeholders in that unit. Because, you know, that level of federation, it transcends everything, doesn't it? You're seeing engineering operating like that, business functions are operating like that. A CISO can't really oversee all of those with the level of visibility and control that they would need.

So it's too bad, I'm seeing, yeah, it is. And again, it's difficult as well in global organizations to have one security function overseeing all of those compliance and regulatory considerations and regional considerations as well.

There are so many. And this is that inflection or cross-section, I suppose, of privacy and security as well. There are so many more privacy regulations now on how data can be handled and where you can store it and who can access it. So having a regional approach or a federated approach to that.

Yeah, good idea.

Justin Beals: You know, it's interesting because I think early on, when we were dealing with some of the compliance issues, you know, we got a lot of pushback from CISOs. They're like, I know how to architect our good security. I don't need this standard to necessarily tell me. But now I see it flipping in these federated models, where they're like, I don't know how I'm going to manage all these divisions unless I tell them you need to comply with the security standard. And that gives me a framework to drive at, in a way.

Chris Hodson: Oh, how long have we got? Yeah, that's right. There's what you'd write in a book, well, there's what you'd write for an exam question, isn't there? Which is, hey, if we know risk and we do risk reduction correctly, by consequence we'll satisfy our compliance obligations.

Now, that is very much how the world should be. Not always how things work, right? So I think there are two ways of it. Sometimes you just have to do something for a compliance reason. You know, I work with organizations, you know, like I said, in the data protection role at the moment, but you think about legacy DLP, like last-mile DLP, which, you know, is very prone to false positives, kills workstations, but organizations still have it.

You go and ask them why from time to time. Yeah. And they'll say, well, it's our interpretation of how we comply with PCI. And then you walk them through: well, do you use it in other environments? No, we just have it here because we need it for that. So you get that, which isn't great. You can use it to your advantage, like, CISOs out there, little tip.

Chances are you know more about that compliance regulation than the person you're asking to do a thing. So at times, yeah, especially when they're the more opaque, regulatory rather than industry compliance, I think a great example would be GDPR, where interpretation is key. So, I don't know, maybe hypothetically people could do this, could say, well, you need to do that to satisfy GDPR requirements, and people generally go and do it. Yeah.

Justin Beals: So I loved your chapter on scoping. Definitely because it's certainly something we deal with a lot in our product and with our customers as well. And they're always asking questions, you know, what's the right security here or there. And sometimes people are definitely stepping into roles, or you're a new CISO.

You know, you've been CISO at a number of organizations, and maybe the first CISO in some organizations that you joined. How do you think about those first 30 days as a security leader?

Chris Hodson: Wow, what a great question. I think, I don't know if I wrote this in the book or not, but I made a joke somewhere, possibly in the book, about, you know, your best ally as a new CSO is a Starbucks card; other coffee places are available.

You know, in that you should just be meeting as many other execs as possible early on, not with a particular mandate or any kind of authoritative position on security, but, back to that business processes conversation, just to listen. Listen to how things work today and ask them, really, you know, what do they want from security?

Like, I've worked in organizations before, oh gosh, I shouldn't say that, I should have said I know of, but now I've said I've worked in organizations before where, you know, in the first meeting with me, the other person said, well, I don't really understand all of this security stuff and, you know, I don't see how it affects me.

That's possibly either the best opportunity to turn someone round, or you can get quite disheartened when that happens. But understanding what they care about, like genuinely what's important to them, what do they get pressure for? And if you want to go a step further, ask them what's on their balanced scorecard.

How do they get their bonus? I mean, they're not going to tell you the specifics of that maybe, but they might talk about audit points that they need to clear. They might talk about, like I said, what OKRs they have, if they go with that kind of approach. Because then you can really build trust and resonance in how you approach security.

If you go in and, maybe I failed at doing this earlier in my career, if you go in and you're dogmatically wedded to a particular framework, you go in and say we must adhere to all 400, I'm going to get this wrong, tell me how many there are, 450 controls of NIST 800-53 Revision 5, and you go and try and tell that to someone who works in HR.

They're going to be like, yeah, I don't really care, mate. Like, you know what I mean? So try and be as flexible as you can. As I'm quoting NIST, I will say that abstracting things to the Cybersecurity Framework and working on those domains is a much stronger way. Because people understand that, you know, if you talk about prevention, detection, recovery, response, governance, they get it.

And they're like, okay, that's broadly what Chris is doing. I'll just have a temperature check on each of those. I don't need to know the minutiae of different categories of controls and stuff. I don't think that works. It certainly doesn't work at a board level. It doesn't really work at a leadership team level. It might work with your compliance team.

Justin Beals: Yeah. Yeah. You know, I tell people beginning to work on this security implementation for their companies, a lot of times, that it's a very broad thing and you're going to have to meet with other executives. And they're going to know your business very well, like your VP of HR; they're not going to know security.

That's what's going to scare them a little bit. But it doesn't have to be scary, right? Like, they understand what it is they're trying to achieve. They just also need to understand what the risks and good habits are going to be, so that they can be a good participant in security as well.

Chris Hodson: Yeah, completely.

I was, I was just going to write that down around the kind of security. It doesn't have to be scary. That's a great way of kind of looking at it, I think. Because to my point earlier, like I do feel that that's possibly why security doesn't get a seat at the top table. And a lot of organizations because it can, it can expose people and I think we as a security function need to do a much better job of kind of breaking down those barriers.

Do you know what I mean? Yeah, I've explained it. It's such a nice kind of cyclical sort of almost return on this one. You know, we don't help ourselves. You know, if you go to RSA or Black Hat or whatever, it's all nation state adversaries are going to compromise you regardless of anything you do. It just creates this futility, doesn't it? And then if you're a business stakeholder, you're like, well, what's the point then?

Why should I do this? And, you know, the chances of you being compromised by an organized state group as opposed to, you know, You haven't updated software components. Do you know what I mean? Where there are updates out there, you know, or a misconfiguration or you're handling data inappropriately, all things that you can, which are like eminently, you know, easy to fix a lot of the time.

So yeah, we need to do a better job of not scaring people. I know it's, it's try it. I know loads of people have said this before, but it's true. Like, you know, don't go out there and say the world's ending. Go out and say, look, with some simple safeguards, we'll build some foundations in the company. As the risk appetite of the company develops and well, we create a risk appetite for the number of organizations who have said, Oh, this is outside of risk tolerance or appetite. And then you say, well, can you explain to me what that is? And they're like, well, no, just on just today, that doesn't feel right. Do you know what I mean? That's, that's something we need to fix as well.

I try to help companies with that. What's in scope? And the book talks about this. What's in scope for you? Yeah. Which adversary do you care about? Because there are thresholds and you build controls commensurate with that. And once you do that, you can report on progress against that. You can start to provide regular briefings on what's going on in the industry, but it's much more likely to land if you've tied it to the things that, you know, the organization ultimately cares about.

Justin Beals: Oh, you have a, there's a part in your book and I'm quoting now. “A control is a safeguard. A control exists to remove a risk”. I mean, yeah, it can't be more plain than that. And as someone that's been trying to develop product that helps people scope their security practice, that's exactly what we thought too, right?

Like I have a risk, I need some mitigation tactic around that risk, and that comes in the form of a control. Usually these days, yeah.

Chris Hodson: Definitely. And you know, not all controls are absolute, are they? And this is where the art over the science, I think, a few people have tried science on this, but I'm not sure it's always worked in like how, yeah, how effective is a control? It fascinates me. I want to do some more research on this because how do you prove a negative, you know, you spend a million dollars on a CNAPP solution or you've bought new EPP. Nothing happens for 12 months, go back to the CFO, 11 months in, can I have another million dollars for next year?

And we're like, well, nothing happened this year. And they're like, well, so yeah, that's where I think the experience comes. You know, we said, Oh, how much of this is natural talent versus how much of this, I think that's where the experience comes in for how you position the requirements of those controls.

Because another completely acceptable risk process and phase is acceptance. You know, you can say, right, okay, yes, I've acknowledged that I've considered it. And okay, it might happen, but actually we're willing to accept the repercussions if that does, but I'll quote myself because I definitely said this, like risk ignorance and risk acceptance are not the same thing.

You need to have that. Yeah. You have to have that adult conversation, don't you, where you're talking through, like, are you sure you're okay with this happening? Cause this isn't a retrospective thing where you can say no after the fact. So yeah, definitely.

Justin Beals: I think you've got to have buy in on that risk acceptance too, right? Like everyone has, you don't want to be the sole CISO that says, Oh, we won't worry about that one. Cause I can accept it.

Chris Hodson: Yeah. Yeah. Well, wow. That's actually a really great point is there's, there's still in a lot of companies, this view that the security function makes that call. Do you know what I mean?

We accept a risk about not having the latest version of Nginx running in this pod, for example. No, that's not a security decision. You know, security is there to provide some form of qualification on likelihood and impact and what those mitigations might look like. But, you know, it has to be some form of business stakeholder who ultimately says yes or no. And security is often painted into a corner, unfortunately, do you know what I mean? They push back to ultimately almost make that decision for another organization, which is very dangerous.

Justin Beals: Yeah, if you take responsibility for that as a CISO, not bringing the business owner into the discussion, then when something does go wrong, you are the point of contention.

Chris Hodson: Yeah. You massively are. And there's a wide, and I think it's top of mind in a number of cases, especially in the U.S. Most recently, anyway, around liability as well, which I think you're finding more in our CISOs are being, you know, much more vocal, demonstrative in terms of evidencing that, hey, look, you were all complicit in this, and I did communicate this appropriately, and if this happens, you know, you're involved, essentially is probably the nicest way of phrasing that. Yeah.

Justin Beals: You know, I think it's a little, this has been long in the process, but one of the things I found interesting was kind of the shift from a more narrative driven security, like the policy authoring, into the control area, and one of the things that really, uh, resonated for me as I started looking at controls, reading them and writing them, was that they're much like user stories in that they're testable and assignable. And I liked that a lot.

Chris Hodson: I like, yeah. Yeah. I love all of that. Like, I love codifying, sad, isn't it? But I love codifying security in general anyway.

Everything from like GitOps through to what we're talking about here. But user stories, yeah, I mean, I've gone as far in some cases as to sort of write adversarial misuse cases. Do you know what I mean? Because I think that's a way to really, certainly in engineering discussions, like if you write as a, I'm now going to do it with nation states, as a nation state capable adversary, I want to X, Y, Z, for example, through A,B,C, like, Oh, right.

Okay. Because quite often we go in, don't we? And we say, you must do this. So we go and talk to the head of ENG and we say, you know, we require this environment to be hardened like this. And it's almost like we're stamping our fist on there. I mean, obviously me and you don't do that, Justin, clearly, because we're much more emotionally intelligent than that, right?

Yeah, you're much more unstable and mature. I hope, hypothetically, people may do that. It's just not the way of doing it, is it? You might get what you want. You might get what you want, but you're building up barriers and it becomes a very frosty working relationship. So, explaining why is so important, like, you know, threat modeling is why I'm such a big fan, proponent of threat modeling, you know, a couple of friends in the industry, quite prominent in that space.

And it certainly just helps understand, doesn't it? It starts on the left hand side and starting to understand why it's important in your environment. Definitely. 

Justin Beals: I've, I've certainly had some conversations with people coming up in career that started more on the IT and engineering side, where I was like, Hey, if you need a mathematical way of thinking about how well you're doing, think about like your bank account of political capital and the more you demand, the less you've got in your bank account.

Chris Hodson: I really like that. Yeah, yeah, that's brilliant. Very true as well. That's very true. 

Justin Beals: So I want to circle back to some of the AI work that we're talking about a little bit. Certainly, I think we're seeing a lot of innovation around the space, in the security product space as well. You know, I talked to a lot of new product companies that are like, Oh, we're embedding AI in our security product. Everyone. You know, I had an interesting conversation with the team at Akamai recently, and some of their security products, and they're very intelligently driven. How do you think, you know, where's the best opportunity to apply AI as you think about product, and maybe even at Cyberhaven, you know, how are you guys thinking about it in your product suite?

Chris Hodson: It's a great question. Broadly, I, in fact, I'll abstract it a level if I may, but one of the biggest challenges is, and I'm not saying it's a skill shortage, I'm just saying it could be a financial reason or whatever, or just finding the people, but it is people, certainly on the opposite side, you know, we're creating more data than we ever have. I know everyone says that every year, but it seems to keep being true. 

Justin Beals: Oh, it's metastasizing, right? Data gets data. Like we get data and then we invent data to describe the data we just got. 

Chris Hodson: We do. That's a brilliant way of phrasing it. Yeah, we do. So there's always more data, which means invariably there's more things logged, which means there's more alerts, there is a greater requirement to triage. More detection feels good, but it creates more work. So this is a long winded way of saying most, like, of the practical applications of AI in the security space I've seen be successful are around the SecOps side of things, right? So, you know, being able to do more with less, getting a head start.

Like quote, like the funnel of fidelity here, but you know, if you think about collection, that's where we're now getting more stuff, right? You still, when it comes to actually having like true positives and incidents, you need to investigate, you kind of want a hand between sort of detection and triage.

So I think that's certainly how we've approached it when we've built Linea AI, which is, you know, the AI empowerment, empowerment, powering, I should say, of kind of our product, is how do you take just a ton of raw events and rather than having to create policies and data sets, come in in the morning, grab your cup of coffee, and have a large language model filter out what looks like suspicious activity based on a learning of your own environment, and that's no mean feat, that comes with, you know, a lot of not only security work, but just product development and engineering to make that efficient and effective. But I think there's enormous benefits there.

And I suppose on the other side, if I think about, I'm trying not to say kill chain here, but you think about like most attacks, you think about the maturity and evolution of phishing, for example, there's been some fairly solid advancements from the AI side of things in identifying, you know, malicious content that historically would just sail through, kind of sail through mail gateways. It's certainly here to stay. I've seen some fantastic AI driven offerings.

I've seen some fantastic kind of orchestration, SOAR 2.0 capabilities now with automated playbooks and runbooks, certainly around, yet again, like IR, MDR type practices, being able to know what to do, being able to identify an incident, triage it, provide a smart response, potentially go and do some form of remediation on the user's behalf.

There's still reluctance though, isn't there? There's still this, like, I don't want to call it neophobia, because it's not really that, it's natural and understandable, but nervousness. Yeah. Because a lot of these models are closed box. People are a little bit like, well, hold on a second. You're telling me that's suspicious, why, you know, and that's, that's an interesting one. I completely understand it, to be honest. 

Justin Beals: Yeah, I think it's a fair question, especially when so few AI features in our products really reveal the relative accuracy of that, right? Like how many true negatives, true positive, false positives, false negatives are we getting out of these prediction engines?

And I think those of us that are developing these types of features, we owe it to our customers to say, Hey, it's 80 percent accurate or it's 60 percent accurate. Like you deserve to know what the accuracy level is.

Chris Hodson: Completely. And that's the thing, isn't it? It's all great until it isn't. And then, you know, if you're not transparent about that upfront, you know, if you're walking through a vendor hall and someone says, we will catch 100 percent of all malware ever using the latest, it's going to be facetious then and say AI blockchain.

Justin Beals: I feel the, I feel the Silicon Valley thread through your marketing statement there. 

Chris Hodson: Completely. As soon as that doesn't happen, if you're going in with that absolute silver bullet view of the world, as soon as it's a false positive or a false negative, whatever, something that isn't what it purports to be, all trust in that solution is lost. So, you know, showing that yes, AI can improve efficiency. It can help with analysts' well being. It can improve, like, meaningful metrics. It can enrich and augment. I think that really should be our messaging in security now. It's dangerous when we say, hey, don't worry, you don't need any SOC analysts anymore, because this machine is going to do everything.

I think that's like, I did a lot of market research and kind of customer engagement and, you know, just general analyst sentiment around AI for our own products. And that's what most intelligent people are saying is, you know, it's there to help us like anything else. 

Justin Beals: I think so too. You know, in our world, what we're trying to do is automate the testing that typically happens for control operation.

Two things, you know, one is that I think when you're using AI, it's a poor implementation if you don't take in some flexibility for the input data, right? If you're just like, oh, everything, we're just going to scrape webpages and synthesize that information. Um, you're not really taking in the variability of input data that your customers are going to ask for, and it's going to be a poor feature. It's going to be paper thin. And on the flip side, if you can't be like, and this is what we expect from an accuracy on the prediction outcome, then also they're not going to know how to use it.

Chris Hodson: No, I agree. Wow. It's like we're having an internal work conversation now.

Like, these are the things, these are the things that we've looked at. Like, you know, I think, I think in the first wave of, AI is amazing and it's going to solve everyone's problems. Everyone looked at it and thought, well, hey, you know, you're not going to need any configurability and, you know, everyone's just going to use an LLM and gen AI is wonderful.

And people are now thinking, well, there is nuance. There is like organizational context where you need that flexibility and there is going to be some work for the end user to train. Yeah. Like there's lots of stuff that vendors can do, but the people using products are going to have to give like an Amazon style thumbs up or thumbs down to certain alerts, and you need that transparency to say, Hey, you know, the more effort you put into this, the more efficient and effective this solution is for you. Yeah. Yeah, definitely. This is super interesting. Yeah, you're right.

Justin Beals: Yeah, we're deep into this thread, but I think it's really valuable. There were a couple of years ago where I was trying to, you know, play forward the AI work a little bit and the human to machine learning interaction, you know, what were we going to see?

And one of the use cases that really stood out to me is one of my hobbies is sailing and I was watching ocean racing. And I noticed that the navigators were talking about all the different models they use. They're like, Oh, I have five or six different models for current and weather. And my job is to decide which one is right or how far off the model is.

And they needed to, like, learn the model almost like a coworker. Yeah. I think we see that in security or we will, right? It's not just one model saying this is what the threat attack situation looks like, but there's multiple decisions around it. 

Chris Hodson: Definitely. Yeah. That's a really good analogy.

Justin Beals: Well, you know, Chris, one of the things we love to do is talk a little bit about a breach. We think it's really valuable for us to kind of review what's going on with eyes wide open. This is not meant to beat up on anybody or make them feel worse. We all go through a security incident at least once or twice in our careers.

And so if you'll permit me, I'll talk a little bit about what's happening with United Healthcare Group and you and I can chat about it a little bit. So just a little background, you know, UHG, United Healthcare Group, is a health insurance company with a presence across all 50 U.S. states. The organization is the world's largest healthcare company by revenue at 324 billion in 2022, and they employ 440,000.

One of its subsidiaries, Optum Solutions, operates the Change Healthcare Platform, which is the largest payment exchange platform between doctors, pharmacies, healthcare providers, and patients in the U.S. healthcare system. On Wednesday, February 21st, 2024, United Healthcare Group filed a report with the U.S. Securities and Exchange Commission, and the report stated that UHG had identified a suspected nation state associated cyber threat actor that had gained access to Change Healthcare information technology systems. In the filing, UHG said that they had proactively isolated the impacted systems.

However, uh, not only is the impact ongoing, it was pretty broad for us. One of the things that we noticed in the United States is that pharmacies, healthcare providers, hospitals, and other organizations within the life sciences spaces had to disconnect from UHG. As an example, the American Hospital Association recommended disconnecting from systems, uh, during the major breach.

And that's because this Change Healthcare Platform facilitates a real variety of transactions. You know, as an example of the impact, TRICARE, which is the U.S. military's healthcare provider, was filling prescription requests on paper again. Now, the attack continues to go on. There has been some information about the attack.

BleepingComputer was told via some Zoom calls that the attack was linked to BlackCat/ALPHV, a ransomware gang, by forensic investigators. Experts in the response and Reuters also reported the BlackCat link on Monday, February 26. So let's just pause for a second. I think there's one other piece of data that I recently read yesterday about this hack is that it seems that the hack was perpetrated by almost brute forcing access to the system where multi factor authentication wasn't in place.

I think I'm starting to be concerned. I'm not sure how you are with username password systems. Like, are we past that? Do we need to go full MFA? 

Chris Hodson: I mean, yeah. 

Justin Beals: Yeah. 

Chris Hodson: It's just available. Now we can have, you know, like an over a pint of beer discussion on, this comes back to risk. It's so nice. It comes back to risk, you know, on different types, what that second factor is, but it's just so generally available now.

I remember when I worked in financial services, I sound so old today, well, I worked in financial services and second factor meant expensive RSA key fobs and it just doesn't anymore. It's readily available in pretty much everything. In fact, if you're brute forcing a front end, you have an issue with a lack of MFA.

You also have an issue with just even those single factor controls, that you could possibly even do that. So yes, like I think we're in a world now where MFA of some description. And again, it's layered. And it's risk based in terms of like how strong that second factor is, like, you know, is it FIDO-compliant hardware keys for production environments?

I mean, I'll answer that. It should be, but yeah, we're definitely at that point. I mean, the thing that stood out to me, we started to talk about it earlier in terms of sort of the linking of digital and physical, this gives a very kind of credible, visceral, real world impact of a thing that maybe three or four years ago, people would have gone, Oh, that's the thing that Chris and Justin do in the basement.

Yeah, you know, I mean, now, holy crap, this is so, I mean, like, people dying because they can't get prescriptions and, you know, it also, and again, I don't know the specifics of this in terms of, like, the solution provider who provided the Change Healthcare platform, but I imagine somewhere along this lifecycle, there's a series of like acquisitions and third party supplier relationships.

And I say that just because history kind of repeats itself and, you know, various other major breaches you've seen, things like that. So, so there was that. 

Justin Beals: That is true. I think Optum was a third party acquisition and I'm sure there's process with M&A and security, you know, ingestion. Yeah.

Chris Hodson: I mean, yeah, in those scenarios, it's super difficult, isn't it? because the security function in the acquirer is under a lot of pressure to do their due diligence as quickly as possible.

They're often brought in very late in the process. And they're often brought in, you know, if it's an acquisition strategy within an organization, healthcare or otherwise, they're generally moving at pace and acquiring lots of different solutions to build out a presence in a particular domain or in a region.

So, you know, I feel for the security organizations in that scenario, lends itself to what we said earlier around federation as well, like, you know, who's solely accountable for security across the entire UHG group. I don't know. You see, so over there, I'm sure they had a pretty hectic time.

Justin Beals: Of course. 

Chris Hodson: The other thing as well is the filing of these 8-K reports that we're seeing now, you know, it's an SEC requirement. We're seeing people have to file them. They have to be filed within four days. I'm not sure how much benefit there is forensically to filing something so great. I mean, you've seen how much this story has evolved over the last kind of month or so.

Justin Beals: We're still learning. Yeah.

Chris Hodson: So it can be pretty difficult, but yeah, this is one that will be used for years to come in terms of impact, in terms of what can happen if security isn't considered across the life cycle and from inception,

Justin Beals: especially if there's no other big breaches, but if another breach comes along, we seem to forget about the last one.

Chris Hodson: Well, I had, yeah, I have a chapter on breach, shameless plug again. You know, I talked about breaches in the book, not because I want to call anyone out, because everyone's got, you know, terribly difficult jobs in security, but just around the business impact kind of side of things. And it does seem, I don't want us to get desensitized to breaches. Do you know what I mean? Like I, on one hand, yes. And it's, I don't know, I can't remember who initially said it's, you know, it's when, not if you will be breached. That's true. But let's not build an apathy about this. Like in this scenario, if what you say is true and it was like front door knocking on a web server, for example, there are things you can do about that, right?

And depending on the adversary, yes, they may look for another route. But, you know, if they're a generalist, I'm just trying to get in somewhere. Like, BlackCat are financially motivated, if my memory serves me correctly. Yeah. So, you know, chances are they'd have looked for another major target, maybe. Anyway, I'm waffling now, but you know what I mean.

Justin Beals: Well, one thing you touched on that I think is really interesting is, I think we need to let go of this every breach is a nation state actor discussion, like it's so blurred between. Sure. You know, there are nation states supporting groups that have a financial motivation.

And but then there's a lot of them that are just like, yeah, we just live in this country. And that's where we operate from.

Chris Hodson: Precisely. And again, back to that point on apathy. I feel sometimes some people feel it's easier if they say it's a nation state and then, oh, well, there's nothing we could do about it.

There, the two are not, it's not mutually exclusive. There are lots of, I mean, everyone, you know, it's an economy, isn't it? It's the lowest bar to penetrate your target. So you know, it doesn't always mean burning a 2 million macOS zero-day, you know, it's often not that, so yeah,

Justin Beals: Chris, as always, just an amazing discussion, and I really am a fan of, you know, your approach.

We're both going to RSA this year. It's next week. You're doing a book signing, I think, at the conference. Is that correct? 

Chris Hodson: I am. Yeah, it's Monday evening. Two hours. And my handwriting is appalling. So I'm not sure if it'll take the full two hours. My children are incredibly like cringy about this as well. They're like, oh gosh, dad. Yeah. South Hall. I think it's South Hall. I should know all of this, shouldn't I? Check the Cyber Haven on Twitter and LinkedIn and stuff. But yeah, it should be a good, should be a good time. And I hope to see you there, Justin, definitely. 

Justin Beals: Oh yeah. I'll definitely come and say hello. It'd be great to meet in person. So just for our listeners, I highly recommend Chris's book, Cyber Risk Management. There's no better manual I've read for scoping an effective security posture that you can confidently communicate with the rest of your organization and get buy in. It is really the road map for that type of work. And Chris, I'm very grateful to have been able to read it and learn from your expertise. 

Chris Hodson: Oh, thank you, Justin. It means a lot. It means a lot for you to say that. Thank you. I'm glad, glad you enjoyed it. Glad other people are enjoying it. So yeah, thank you. Good. Well, have a great day, 

Justin Beals: Chris, and hopefully, we'll talk again soon.

Chris Hodson: I'm sure we will. Thanks, Justin. Bye, everyone.


About our guest

Christopher Hodson Chief Product Officer, Chief Security Officer Cyberhaven

Christopher J Hodson is the Chief Security Officer for Cyberhaven, where he oversees all facets of security to protect Cyberhaven customers and employees, including cloud and application security, security operations, and risk management. In addition, Chris serves as a board advisor at the workforce development platform Cybrary and is a fellow of the Chartered Institute of Information Security. He has previously held CISO positions with Contentful, Zscaler, and Tanium. He is a guest lecturer at Royal Holloway, University of London, where he also holds a master's degree in computer and information systems security.

His latest book, Cyber Risk Management, covers the latest developments in cyber security for those responsible for managing threat events, vulnerabilities, and controls. These include the impact of Web3 and the metaverse on cyber security, supply-chain security in the gig economy and exploration of the global macroeconomic conditions that affect strategies. It explains how COVID-19 and remote working changed the cybersecurity landscape.
