Beyond the Blinky Lights: Why Security Governance Drives Technology
In this eye-opening episode of SecureTalk, host Justin Beals welcomes Bryant Tow, Chief Security Officer at LeapFrog Services, to discuss why technology alone can't solve cybersecurity challenges. Bryant reveals how the "Ring of Security" concept shows that up to half of your attack surface lies outside of technology—in governance, policies, people, and processes. The conversation explores real-world examples like the Change Healthcare breach, why security frameworks often fall short, and how building a culture of security requires connecting protection of company assets to personal security concerns.
Key Topics
- The Change Healthcare breach: How a single oversight led to a $2.9 billion loss despite substantial technology investments
- Why frameworks like CIS are great starting points but insufficient on their own
- How the "Ring of Security" approach addresses the complete attack surface
- Building a security culture that resonates with employees on a personal level
- Why a business impact analysis is critical but often missing from frameworks
- The importance of understanding your data before implementing AI solutions
Notable Quotes
"When you do the root cause analysis on headline breaches, nearly all of them started somewhere outside the technology." - Bryant Tow
"Even if you do your technology perfectly, you're leaving half of your attack surface open." - Bryant Tow
"Strategy drives governance. Governance drives operation." - Bryant Tow
About the Guest
Bryant Tow serves as Chief Security Officer at LeapFrog Services, where he assists clients with comprehensive security programs including strategy, governance, and operations. Previously, he owned Cyber Risk Solutions and served on the Department of Homeland Security Sector Coordinating Council. His "Ring of Security" concept emphasizes that cybersecurity is an organizational problem that uses technology as just one tool in the solution.
Resources Mentioned
- The "Ring of Security" concept
- CIS Framework limitations
- Business Impact Analysis
- AI Readiness Assessment
- Department of Homeland Security Sector Coordinating Council
SecureTalk is hosted by Justin Beals, focusing on cybersecurity strategy, governance, and best practices for organizations of all sizes.
Full Transcript
Justin Beals: Hello everyone, and welcome to SecureTalk. I'm your host, Justin Beals.
In February 2024, a cybersecurity disaster unfolded that would become the largest healthcare data breach in history. Change Healthcare, a company that processes roughly 15 billion healthcare transactions annually, fell victim to a devastating ransomware attack. The company had invested millions in technical cybersecurity measures, but within hours, their systems went dark across the nation.
What went wrong?
As the investigation revealed, attackers gained access through a simple vulnerability, a Citrix server without multi-factor authentication enabled.
This single oversight led to the compromise of data from an estimated 190 million Americans and disrupted health care payments nationwide. UnitedHealth Group, Change's parent company, ultimately paid a $22 million ransom and reported total losses exceeding 2.9 billion.
The painful truth emerged. Despite substantial investments in technology, they had missed critical elements of comprehensive security governance. This situation plays out repeatedly across organizations of every size.
We've convinced ourselves that cybersecurity is primarily a technical problem that can be solved with better technology. But in reality, up to half of our attack surface lies completely outside of technology in our governance, our policies, our people, and our processes.
Today, we're diving into what it truly means to build a comprehensive security program that addresses not just the technical controls, but the entire ring of security. We'll explore why frameworks and checklists, while valuable starting points, are insufficient on their own. And we'll discuss how creating a culture of security means connecting protection of company assets to protection of personal assets.
And finally, we'll learn why, despite billions spent on security technology, breaches continue to increase at an alarming rate.
Our guest today is Bryant Tow, the chief security officer at LeapFrog. Bryant and his team assist clients with complete security programs that include strategy, governance, and operations, focusing on managing risk within LeapFrog's ring of security methodology.
Bryant has more than 25 years of experience leading teams focused on technology, cyber risk management and physical risk management. He has held responsibilities as an entrepreneur and a senior executive in all aspects of risk management, including thought leadership in the area of cybersecurity, award-winning development of security solutions, and management within large global enterprises. He has held executive leadership positions in multinational consulting firms and been involved in several startups. Recently, he was the chief security officer for CSC's financial services group, and was responsible for securing 143 applications in 52 different countries.
Bryant's leadership positions across the security industry include the Department of Homeland Security Sector Coordinating Council, ISSA, ISACA, and as a board member and vice president of InfraGard National Members Alliance.
He has also published several books and articles on cybersecurity topics and has received several awards, including the Governor's Office of Homeland Security Award for exceptional contribution, in recognition of outstanding support of Tennessee's counter-terrorism program.
Join me for this eye-opening conversation about why cybersecurity is never just a technology problem, and how to build a security program that protects what matters most.
---
Justin Beals: Brian, thanks for joining us today on SecureTalk. We really appreciate it.
Bryant Tow: Absolutely, glad to be here. Thank you.
Justin Beals: Now, you're the chief security officer at LeapFrog services. Tell us a little bit about how those interconnect, being a chief security officer and what LeapFrog does and why it matters.
Bryant Tow: Yeah, a bit of an interesting story how all that came to pass. The Cliff Notes version is of speaking, speak around the country, I was speaking at a conference in Atlanta and a gentleman that was a LeapFrog customer who was basically the VP of IT, I guess, for his organization had seen me speak and we were, guess, I was top of mind when there was a security event.
So he had reached out to my local people there in Atlanta. Because at that time, I owned a cybersecurity consulting company called Cyber Risk Solutions, that I owned for seven years. So LeapFrog was absolutely wonderful to work with. So you can imagine being the third-party security guy coming into the IT provider, where there was just an event. It could be pretty contentious, but it was never that way at all.
They were always just so great to work with and just very forthcoming with information and sharing ideas, and we need to do this and this and this, and all that. So, cut to over the course of about the next three years or so, we ended up working together with many, many clients, and that eventually led to an acquisition. So LeapFrog bought my company, Cyber Risk Solutions, and I've been here for about two and a half years now.
So, essentially bringing the consulting services into the managed IT world, right? Because everybody, all the clients at LeapFrog, you know, LeapFrog is fantastic, world-class at providing IT services, but when it comes to, you know, the other services, something we call the ring of security, you know, that's why we work together so well. So after a while, it just kind of became an acquisition, and here we are.
Justin Beals: Yeah, the Ring of Security concept was a big part of a lot of the background work I did, reading about some of your work. Maybe I'm just going to allow you to introduce what it means, Ring of Security, and how you approach it.
Bryant Tow: Yeah, great. So this has been around, I guess, the concept I originated probably around eight years ago, nine years ago or so. And it still holds up today. But basically, it's this: when you do the root cause analysis on any of the headline breaches that we all know, when you really get into the five whys and really get down into it, nearly if not all of them, I hate to speak in infinites, but nearly all of them, the source of the actual breach started somewhere outside of the technology, right?
So the one that I use that's kind of become the poster child, even though it might be a bit stale now Is the Equifax breach right those patches had been out for six months, right? And it's still funny to me that you know, the word patch is in Apache, so you'd think they would have seen that coming.
But right, so what exactly was missing? Was it time? Was it resources? Was it budget? Why weren't those patches put in place? Was it something where, you know, because we all know sometimes when you patch things, they break.
But if you know that, there should be a plan in place for how you do those kinds of things, right? So that is one of the examples that I use, and I can give you pages and pages of them. When you look at how you approach security programmatically, it is not just a technology solution. So MIT, Columbia University, there's been a number of studies that will tell you that even if you do your technology perfectly, you're leaving half of your attack surface open.
Now the purist will tell you, yeah, well, that number varies based on the type of industry and the amount of technology footprint. Yep, yep, absolutely. We can get into that if you wanted to get granular on it. But generally speaking, I mean, half of it is technology, but the other half is how that technology is used, right? So, configuration errors because somebody was too quick to throw something up because they didn't have a secure technical installation guide or something, or they didn't do something that needed to be done to properly harden that as part of a normal process and part of a normal program, it got stood up.
Turns out it was a payment server, and the payment server got creamed, right? So why? Well, because we know that the hardening process, the hardening program exists for those things, and it's part of our policy, it's part of the program, somebody didn't follow it, and then bad things ensued, right? So that is not, there's no blinky light that fixes that problem. That is programmatically a problem.
So, when, like I said, so when you do the root cause analysis, you know, there's nothing new about people, processes, technology, and facilities, right? Those are the four pillars that have existed since, I guess, probably the first transistors were ever invented. But when you wrap that attack surface around those four pillars, we very quickly learned that our attack surface is largely open in process and in governance.
So, I created Cyber Risk Solutions to solve that problem and doing virtual chief security officer-type services, building programs, third-party risk is now everything's cloud, right? So, which is just, yeah, it just kind of translates into somebody else's computer. So you think you're transferring that risk out of the organization. In fact, you are not, you've just transferred it to somebody else. So, how are we handling that, right?
You're building governance programs and building all of that around the entire security program as components is kind of the birth. where the ring of security came from. And that's pretty much how I run my organization. Many of the components out of it came when I was chief security officer for CSC back in the day on the financial services group side, right? We had 143 applications in 52 countries we were managing.
And the amount of programmatic, what we would call today now DevSecOps, right?, around operational security and development. So there's a lot of those kind of things. So a lot of the concepts that I still use today in my programs come from that era, right? So they still come.
Justin Beals: Yeah, I, it's certainly interesting to me. I feel like about the time that you were working on this ring of security information is when we started seeing some of these governance requirements come out that did touch on all these aspects. You know, I talked to folks all the time that are just coming into their first compliance outcome and they're like, this is a cybersecurity issue. I'm like, couldn't be farther from the truth. That's what I thought when I sat down and looked at it. And then I started getting a bunch of requirements.
Bryant Tow: Right, yeah, so even today. And one of the battles that I fight on a fairly regular basis is because LeapFrog is a technology provider. Most of our points of contact into our clients are technologists, right? That wouldn't make sense, right? So you have the point of contact. So we are seen as technology only.
So, and then trying to go back and say, you know, this only covers half of your attack surface. We really need to look at all these others. Okay. And so because of that, when the technology side of the house, when they look at security frameworks, you know, they immediately go to the CIS. And, you know, I roll my eyes because I'm like, you know, CIS is great. I have no problem with it on the technical side of things, but there's nothing in the CIS that's going to framework you a business impact analysis, right?
There's, mean, it will mention training, but it doesn't mention culture. It doesn't mention culture. doesn't mention, you know, we would ever, I think everybody agreed from SANS all the way down that a once-a-year training might get you compliance, but it does not protect your organization.
We want to build a culture of security within the organization, and what that looks like programmatically. So CIS, I mean, because of the position in the organization and the technology there, I very often have to go back and try to have people understand that CIS is great for technology, but it does not build programs.
Justin Beals: Yeah.
Bryant Tow: And no one framework is gonna fit any organization. I mean, whether it's 853, 2700, EIEIO, whatever they are, you know, CMMC for federal, whatever. There's still gonna be areas programmatically that you're gonna want to amplify in some cases and then de-amplify in other cases and have compensating controls around things, right? Cause they might not exactly why.
Justin Beals: Yeah, this resonates with me, but I'm curious. I think there's a lot of ideas on building up this culture, so to speak, training being the most common lever people pull. What do you like doing from a cultural perspective, you know, even inside your own teams focused on security themselves?
Bryant Tow: Yeah, anybody that knows me knows I do things just about, as we say here in the South, about half a bubble off plum. Right?, so I do look at things a little differently and the standard answer is going to be something around small doses, like micro-dosing security. Thoughts of the day, thoughts of the month, posters, things like that. Phishing testing is, of course, great, right?
Justin Beals: Yeah.
Bryant Tow: And all of those kind of things. One of the things that I have done over the years that has been the most successful, I would say the most impactful on culture, is to step outside of the organization, and we would do training on cyber at home. And we would talk about their kids, talk about the websites, talk about the apps, talk about all of the things, like that that you would want to be concerned about for cyber in your home.
Okay, so when we break that way down, those same behaviors that we want walk right back through the front door for our organization, so we have indirect, well, when the mommy and daddy clause come out, right, when you attach that emotional thing to the behavior that you're going for, that really kind of socially invests your audience into those things.
And it generates that culture, it generates that mindset from a different perspective than I just had to point and click on a thing and play solitaire while I had this training video on, you know what I mean? Right, so when you commit to that and that the security and the protections that we are putting in place are not just the digital assets. We want to protect the human asset on that side of it, right? Because at the end of the day, the paycheck that they are counting on to come home so they can put food on the table, I mean, you have, and people think I'm insane, but I got a call late this past Friday from a smaller firm that got ransomware, had nothing in place, had no cyber, and the ransom was more than their annual budget. Right? So we call those extinction level events. And people think I'm nuts, but it is happening more and more and more and more. So building that culture is very, very important. Right?
Justin Beals: I think this is intriguing to me because by teaching them about cybersecurity was probably something they're very intrinsically motivated around. I mean, we have to be fair that like, this seems like something that's changing about your job when we talk about security training in the company space, but we're intrinsically motivated to protect our family. And now you're pulling that back, as you say, I back in the door. Yeah.
Bryant Tow: Yeah. Yeah. So, yeah. So find, find that idea in one of these frameworks, right? That's not there, right? Because it's not, as I say, it's about half a bubble off, off plum, I guess. But, you know, I do events, you know, typically in October, cybersecurity awareness month. So everybody does their stuff around, around that time, but we do something called a cyberpalooza.
I literally have a crime tape from the FBI and I'll mark off a cube and put a red light in it and put five or six security violations in the cube and then have people guess on it and then draw a thing to win a gift, to win some kind of a prize or something like that, right? Make a game out of it. And then just relish in the people that are in the break room cheating.
Did you get that one? Did I get that? I didn't get that one. Man, I need to do it, right? Which is awesome. I love that. I love the conversation. I love the interaction. I love the whole thing around all of that. So, when you attach that emotion to it, when you make it social and you make it more inclusive and all of that, then you're going to get a lot more thought process.
A lot of that too, coming back to the home cyber training, when people take a test or they take a training and then maybe it has a quiz or a test or something after it, that's going to teach you the what. Don't do this. This is what a phishing email is. This is what that is. That's what that is. And very, very few of these trainings ever actually get to the why. Why is this actually important to the organization? , What is the actual risk? What could happen if you click down on that thing and launched a wiper or some kind of malware or rant, whatever, what could the, and most of these cyber trainings don't get into the, the reason we are doing this is because this is a significant risk in the organization. A lot of them will throw a bunch of statistics, right?
Sales 101: facts tell and stories sell. So they'll start, 75 % of this and 90 % of that and all that and it goes right by them. But when they start, I'll come back to the thing when you start talking about your kids or when you start talking about the potential loss in the business. mean, this could potentially be your job.
You know, not because you clicked it and got fired, but because now we're sitting on $5 million with no cyber insurance, so we have no data left and our reputation's been damaged and we have to close the doors. Right? It may seem a touch dramatic, but you know, I don't know how else to explain it.
Justin Beals: The stakes are high. And I think we've got to be self-aware about that as a team too. One of the things I've found that helped us with our security culture is transparency around responsibility. So like everybody knows what everybody's supposed to do. And in that transparency, it kind of creates this culture of expectation that like I do some security and you do some security. And that's helped too, to your point about it being a social construct that we need to work with.
Bryant Tow: Yeah, and so we use the Know Before product, not to particularly promote a product, but whether, you know, lot of learning management systems have cyber training in them, and the bulk of them do pretty well. But, dot, dot, dot, right? That application, that program, regardless of which one it is, cannot know what your incident response plan is.
It cannot know what your social media policy is. It cannot know where to get information on your policies. Right, go down the list. It is teaching you the what's. So, for all of our VCSO, the Virtual Chief Security Officer clients, where we do fractional CSO services, all of our VCSO clients, we do supplemental training to the know before.
So you're gonna get 30 minutes of know before, whatever, some clients have compliance targets, HIPAA's obviously different, whatever. But we also do the training on if something like this happens, right? So we go back to the incident response plan and we look at your level and say, okay, if this happens, this is what you do, right? A standard box training program can't do that.
And that's really where it becomes effective is when it becomes personal enough within the organization that if it's this, you need to contact your supervisor. If it's this, you need to go straight to HR and not contact your supervisor, right? And we can kind of imply what those incidents might be, right? So, yeah.
Justin Beals: I, you know, it's interesting. I feel a little like a Luddite saying this, but we went back and we have our security leader do an annual security training with our team. And for that point, like I'd rather him spend an hour constructing what, what are our methods and processes and expectations? What type of data do we deal with? Like a lot of people only have one perspective of the data that we manage and not understand what the other data elements are.
And why they're valuable and what the risks are around them, that is specific to us.
Bryant Tow: Well, it is. I'm going say, yes, it is individualized and specific, but it is, to me, one of the most common things that is missed. Because if you don't have a business impact analysis, that's really where the core of all of this starts. And the more of these things that we do for clients, you realize people just really genuinely don't know, A, the value of their data.
So, I mean, if you get into a ransomware attack, are you going to wait until then to determine the valuation of your data, determine whether or not you're a payer? You know, one of the first ones, gosh, four or five years ago, ransomware that hit a major household name healthcare company, I was in San Antonio coming back to Nashville, and I had to redirect my flight. Because on Good Friday, they got hit. And, you know, what are we going to do?
And the CEO comes off with well, we don't negotiate with terrorists. So all right, I love that stance. That's great. And they had they they bragged about their IT spin to the market how little It was and how you know, they're they're they're patient-focused and they're all these kind of things, right? So turns out they have no business impact analysis. They have no back; somebody used the word bluebird all lowercase for their password on their administrative remote access for their backups. So the backups got burst and then the encryption, right? Okay, so cut forward, and well, you have a homegrown HR system. We have reverse engineers as best as we can. It's gonna take somewhere between five and six, maybe seven engineers, upwards of four months to get this rebuilt in such a way, and you're 10 days away from cutting payroll checks.
So are we a payer or are we not? Nothing, nothing like that at all. No consideration for this is a homegrown HR system, we might need to have some immutable backup somewhere and an ability to at least restore that, right, so there was no consideration for impact analysis, no consideration for incident response, business continuity, disaster recovery, throw all of the words out there, right? And you don't want to wait until your hair is on fire and you're running down the street to have to make what was potentially millions of dollars in business decisions.
Justin Beals: Yeah. Bryant, I read in your background that you served on the Department of Homeland Security Sector Coordinating Council.
Bryant Tow: Yeah, that's right.
Justin Beals: Tell me a little bit about what your role was there and the purpose of that group. And I have some questions about the impact.
Bryant Tow: Yeah, there are a couple different models. So you have the ITISACs, the Information Sharing and Analysis Centers, that at that point had been stood up. Pete Aller was one of the original founders, I believe, of all that, and worked with those guys. And then DHS decided they wanted to do an information sharing analysis center type model around federal. And that's where the sector coordinating councils kind of got born.
So basically there's 17 critical infrastructures, I think at that time. The number seems to change from time to time based on administrations and what critical priorities are. But however many critical infrastructures that there were considered and then each sector within that area. So if you are, know, SCADA systems on bridges or transportation and that kind of thing, right.
So we learned working with the truckers' associations and that kind of thing in transportation. We learned, I live in Nashville, Tennessee. We learned that something like, I shouldn't throw a number because somebody's gonna go look it up. But like 80 % of the toxic waste drives right down I-40 through Nashville. So there's things like that that we needed to consider. Across all of the different sectors, being the IT guy, I was obviously involved in the IT sector coordinating council, which was really unique in its position because we touched a lot of the different sectors.
Because IT, being IT, you can't make carpet in a manufacturing warehouse now without having a significant IT function, mean, McDonald's has as many programmers as some consulting companies, right? Because they ask you if you're going to order with the app when you pull up.
So we touched a lot of those. But the mission was not just around information sharing, it was around setting best practices based on threats. So being able to have some really good threat modelling, really good visibility into tools and technology as it's coming up and just really kind of become the center point for all of those things with some really, really smart people.
Justin Beals: And so with this group, did you work on the NIST cybersecurity framework, the CSF work broadly and use for multiple marketplaces?
Bryant Tow: Yeah, this was pre-CFS, yeah, part of the work was developing a consistent structure. We had NIST in the room, of course, so a lot of the things that came out of the 800 series would have come out of that room very much so. Everybody spouts off 53, right, but the 800-61, right, that you don't hear a lot about, the incident response portion of that, those types of documents would have heavily been influenced by that council.
Justin Beals: Yeah. What do you think about the proliferation of compliance frameworks broadly? Has it been helpful to have a lot of them, Catch-22? Maybe it's better to view it in an increasingly threatened world where we need more more precision. I don't know.
Bryant Tow: Yeah, yeah, and I'm gonna give you again, you know, half a bubble, but I'm gonna give you two completely juxtaposed opinions on this same exact topic, okay? Yeah, so the first one is we love our frameworks because it gives, it brings a commonality, which there's another tangential spectrum too, because commonality means a single way to attack because we know what people that are using this framework are doing. But it also brings that way that everybody's able to do something. So frameworks give an organization a good place to start. So, people that are maybe more new in the industry, it gives them a place, it gives them a series of checklists and things that they can do.
Right? And from a compliance perspective, or maybe if you're a pilot, we love our checklists, right? We go down everything and make sure everything's exactly the way it so that you try to keep us safe. So we love our frameworks from that perspective.
On the other side of it, there is no framework that fits every single organization. Right? So I feel like some people lean too heavily on the framework and they think that if I'm in this framework and I have gone through all those check boxes that I'm okay. And fact of the matter is that you are absolutely not. Coming back to the ring of security that we talked about at the very first part of that conversation, I can go through any of the standards. I can go through any of those with you and literally do a crosswalk across what we do as best practice in the ring of security and I can take a great big highlighter and can show you where those gaps are.
Because not every framework considers that, right? So just like CIS, there's no business impact analysis in the CIS. And if you don't have that information, if you don't have your proper incident response plan, and I'll give you another thing too. In those, so we talk about business continuity and disaster recovery, we talk about, well we mentioned cloud, right? So uptime, okay?
We're good, right? We're going to keep you up to five nines. And that's what the technology business continuity disaster recovery person is going to stand on. They're going to stand on we're good to five nines. Well, that's technology continuity. That is not business continuity. So that system can be up and running. But if I have a force majeure event, right? Something where I don't have the people, know, a snowmageddon or who knows whatever those kinds of things are. You know, when you run, I've run exercises like this globally for many, many years, but when you have to move 300 call center agents from Chennai to Bangalore, the technology part of that is very easy, right? We change the NX record, and the calls go up there, but I've got 15 empty seats because pet care.
People can't go because they don't have somebody to watch their dog. Where's the blinky light that solves that problem? So I promise I'm gonna bring all this back to frameworks. But the framework in and of itself, wonderful place to start, horrible place to finish. Don't rely on them too much.
But really consider your business internally and what all of that actually looks like from a business perspective, and that's a whole different conversation about, you know, talking more like the businesses and so forth and actually knowing what that is, and it's very often not, you know. That's a different conversation. But so there's two completely different opinions on frameworks for you.
Justin Beals: Yeah, one thing that does deeply resonate with me is I don't think enough people read the actual frameworks when they get into them because when I read them, I'm like, yeah, that fits what I do. Like we do it this way. It's slightly different than than other companies. It's the process by which we do it or who owns that particular role is a little different. And I have to say that most of people that write these frameworks take that into account, they give you room to design your own business the way you need. Yeah.
Bryant Tow: Well, it's designed to be that way. It's a framework. It's not an architecture. Right. And most people, when they're looking for it, I would love to get into the Google Analytics of this, but I would argue that most people, when they're looking for the framework, they're not looking for the framework document. They're looking for the spreadsheet. They're looking for the item so they can score it or check the box.
They're not looking for the actual document that provides the context around the checkbox. Right, because you can have a score of one to 10, or in some cases one to five, and what you're missing from that score is the impact and the weight of that particular control. Right, well, that's a little bit deeper down, not to get into GRC and audit and a bunch of those kinds of things.
But just that, just that simple little checkbox spreadsheet. And I would really love to know what the numbers are behind that between people that are looking for the actual standards themselves or something that they can look for that's a shortcut to operationalize and actually be able to check a box and do something with it right away. You know what I mean?
Justin Beals: Yeah, yeah, certainly. I think when I first started having to meet compliance outcomes as a CTO, right off the bat it was like, give me the template, give me the checklist. You know, I just want to take care of this. And I think taking one step back and being a little bit more strategic and planful, which I like your ring of security. It kind of gives you a model with which to approach the organization, you know? Yeah. But how do you?
Bryant Tow: Right. Well, if nothing else, I just want people, for somebody to take away, I just want people to take away that this is not just a technology problem.
Justin Beals: Right. Well.
Bryant Tow: This is an organizational problem that we use technology as a tool to solve a good portion of, right? But it's not just a technology problem.
Justin Beals: And we may pat ourselves on the back too strongly by thinking that this is all automated or it comes out of the box, you know, configured the right way. And that, you know, that is never the case. I've had to manage the, you know, identity and access settings on every server I've ever stood up, from screwing it into the rack to provisioning it on AWS. Very dangerous to think that the technology solves a problem. It creates more, I think, than it solves at the end of the day. Yeah.
How do you, you've worked with a lot of customers as a security advisor, a vCISO, you know, this security expert in the room. You know, what advice, let's say you're, I'm interested in you engaging with the group that hasn't planned ahead, but they're thinking that maybe they should.
So we're catching them before a breach happens. It's a good time to bring in some expertise. How do you assess them and how do you want them to assess themselves, perceive where they're at?
Bryant Tow: Ugh, gosh.
Well, depending on what level, if we're talking at the executive and the board level, that's a completely different conversation, right? So if we're talking at that level, then what I want them to understand is, and I typically do it through a series of questions, if you were to get hit today and the ransom was this much money, what would you do? Do we know? Right? The questions are not designed to get an answer.
They're designed to provoke a thought. Right? So, what is the most important part of the business? Right? So when you look at your accounts receivables, and where's the bulk of that money coming from, and what is our attack surface, what is our protection plan, our systems architecture, is that design commensurate with how we're running the business? Right? Because, you know, Bruce Schneier once said, you know, something is properly protected when you spend more money to protect it than it's worth. Right? Which, you know, which is still kind of funny to say.
But I was speaking at a conference in Dallas this past weekend with four others, five of us total, brilliant technologists. And the question was asked at the end: What keeps you up at night? It's always the way people like to end these panel discussions. And once again, doing things a little bit differently. What keeps me up at night is that this room is not completely full. We had about half of the conference in the room.
This room is not completely full. What that tells me is there is not a universal understanding of the actual risk that's involved. For the things that we are talking about right now and the problems that we are trying to help you solve, that this room is not full. That bothers me. More than whether or not it's Scattered Spider or some group that's doing this or doing that or whatever the latest threat is. Yeah, because those things come and go.
But just getting, just having that board, coming back to your question, having that board, having the awareness of the criticality of the actual threat. You'll put on a helmet if you get on a motorcycle, or you put a seatbelt on on your way home, because that's your tendency now. 30 years ago we didn't do that.
30 years ago, we were not as aware of the potential threats as we are now. So there's a direct correlation between traffic safety and internet security. I can literally look, and I've had a couple of people suggest that I write that, but you can literally look at the evolution of traffic safety from making the roads safer, making the vehicles safer, and then changing the culture of the user.
You can look at how those things evolved and how the internet use did, right? So, making the devices, the cars, making our workstations safer, making the infrastructure safer, and then changing the perspective on security and how we address the drivers or the users, right? But there's a direct parallel.
Justin Beals: Yeah, absolutely. But the pace of change feels like it's continuing to speed up. I mean, I've been paid to work on computers for a long time, and I feel like it is. What are you seeing from a change perspective that, I guess I won't use the exact same phrase, but keeps your eyes peeled?
Bryant Tow: Yeah, so we can't do any of these without saying AI, right? So here it comes.
Justin Beals: I'm so sorry. No, thank goodness. No, I'm glad we're here. Can I just say, Bryant, that for me, I like the machine learning data science terminology a lot better. Yeah.
Bryant Tow: Yeah, yeah, exactly. So when you talk about speed of change. So one of the things that many of our customers are coming to us and asking is, what do we need to be doing to be properly prepared for AI? So we've developed an AI readiness assessment that talks about the data itself, of course, the governance that goes around that, proper licensing for whatever. So there's four or five categories in there, and helping them get it right, because to your point of the speed of change, you know, getting properly prepared.
But interestingly enough, going through the 42,000 standard that's out right now for AI and the governance, when you really get down into that, when we're doing our readiness assessment, there's fundamentally no monumental difference between being properly prepared for AI and having a good solid governance program, good solid IT, all those kinds of things, that prepares you.
So it's been really, really interesting. So we're using AI preparation very much in a way to say that you're not ready for AI until you're on our full security stack, for many of those things.
There are a few exceptions, and I'm kind of speaking in generalities. One of which, again, the things in the frameworks that don't exist, that aren't actually there until you get into it and then you become a practitioner of doing it. One of the things that they'll tell you very much is they'll start with data classification. Very, very important, right? We want to know what's critical, what's not, that kind of thing.
Right, and things that we want to plug into large language models, we want to preserve for data classification. Okay, that's where they tell you to start.
But that's not practical. That's not really where it starts, because when you actually get in and start doing it, nobody ever moved across the country without having a yard sale. Right? So maybe we need to start at the 0.5 instead of the one. Maybe we need to consider our data retention policies and what that actually looks like first. Purging the things that are outside of our policy. Let's go back one notch. Thank you, Mr. Standard. Thank you, Mr. Framework. Appreciate that. Back into the real world when we're actually dealing with our actual data.
I'm suggesting, and what I've seen from client to client to client when they come in and say, okay, classification, we're gonna be doing this. And when I started asking about retention, we found in one client's data that had been sitting there, near-line data, completely accessible, over 20 years old.
So, how about we go through a retention policy, because chances are, if you've used that template, you've used that framework, you have a retention policy in there somewhere. Are you actually using it? Well, let's come back to the governance thing now, to what we were talking about before, and all that seems to be somewhat circular. I don't know, maybe a ring of security. Right? So going back into data retention, executing those things, getting that cleaned up first.
Now let's classify it, and now let's get it plugged in in whatever way that we intend to use that data, right? So that's kind of a culmination of two or three things, talking about frameworks, talking about governance, talking about speed of change and data and kind of where some of those things hit and miss.
Justin Beals: I think what you and I probably deeply agree on is that you need this strategic approach to your security before you can really even adopt a framework. Because if you just don't have an internal muscle for managing, same word as governance, governing, how these operational characteristics are gonna work, then you're not gonna really have a successful compliance outcome and a lasting impact from it.
Bryant Tow: Strategy drives governance. Governance drives operation.
Justin Beals: Where does risk fit in that for you? Does that happen through the governance process?
Bryant Tow: Well, it does. Okay, so risk will have a different label and it will have a different meaning at each of the layers of the pyramid. What I just described to you is the ERM, the enterprise risk management pyramid. That's not new. I didn't come up with it. It's been around for 20 years, but strategy is at the top of that pyramid.
Risk at that strategy level goes across the organization, right? I mean, where we typically draw the line is like interest rate fluctuations, right? We don't get into that part of it because they have a lot of great analysts, and you get into compliance and that kind of thing in the banking world; those are two different things. But when we look at risk overall, at the strategic level, we're looking at risk in valuations, right? We're looking at risk in loss of sales, loss of shareholder value, and that's where you hear, especially now with the SEC stuff.
You're really starting to hear, thank God, and we're going in the right direction, but you're starting to hear the word materiality come out of a security person's mouth, and that is wonderful, right? Because what that is forcing is that is forcing the security guy to look through that lens of business and even understand what materiality is. Right? Because, and then, so the common definition of materiality by the SEC's definition is when a decision can, if a decision on a stock price, on a buy or sell, could be made based on that topic, then it's material, right? So as a security person, we have to look through that lens of business, on, well, okay, we have this security event, and we're talking about a million dollars at a multi-billion dollar company. Is that material? Well, the ransom might be a million, but we also have reputational damage.
We've got breach notification. We've got all these other different things and costs that could end up being, right. So a lot of questions that we have to answer. So, coming back to your question about risk, it's different at each level.
Justin Beals: Yeah.
Bryant Tow: Right, so materiality being at that top part of the triangle, and then you get into operational, now we have risks that are a little bit different. We have risks in compliance errors or non-compliance. Now we've got fines and things like that that could be, would that rise to the level of materiality? Eh, maybe, maybe not, but it would be a different way to think about it. All right, and then risks down at the operational level, people clicking on this and opening up that.
Now you're talking about the bits and bytes and what those risks would be and could they potentially bubble up? Always bubble up, never bubble down.
Justin Beals: Yeah, it's a hard discussion because everyone can think about what they most fear. It's usually existential and they don't have control over it. But then you start getting a team into a weird loop about a risk that doesn't, isn't really anything they have any control over, because they're thinking strategically for the whole business or what's happening in the country outside of them. And I think being able to winnow them in to be like, we're only looking at risks on this layer of what we're doing. Yeah.
Well, Bryant, we have blown through our time together. I really enjoyed the conversation, deeply appreciate your expertise. I've always learned a ton in these conversations. So thanks so much for joining us today on SecureTalk.
Bryant Tow: Absolutely, glad to be here.
About our guest
Bryant Tow is the Chief Security Officer at Leapfrog. He and his team assist clients with complete security programs that include strategy, governance, and operations, focusing on managing risk within Leapfrog’s Ring of Security methodology.
He has more than 25 years of experience leading teams focused on technology, cyber risk management, and physical risk management. He has held responsibilities as an entrepreneur and senior executive in all aspects of risk management, including thought leadership in the area of cybersecurity, award-winning development of security solutions, and management within large global enterprises. He has also held executive leadership positions in multinational consulting firms and been involved in several startups. Recently, he was the Chief Security Officer for CSC’s Financial Services Group and was responsible for securing 143 applications in 52 countries.
Bryant’s leadership positions across the security industry include the Department of Homeland Security Sector Coordinating Council, ISSA, ISACA, and as a board member and vice president of InfraGard National Members Alliance.
He has also published several books and articles on cybersecurity topics and has received several awards, including the Governor's Office of Homeland Security Award for Exceptional Contribution in Recognition of Outstanding Support of Tennessee's Counter Terrorism Program.
Justin Beals is a serial entrepreneur with expertise in AI, cybersecurity, and governance who is passionate about making arcane cybersecurity standards plain and simple to achieve. He founded Strike Graph in 2020 to eliminate confusion surrounding cybersecurity audit and certification processes by offering an innovative, right-sized solution at a fraction of the time and cost of traditional methods.
Now, as Strike Graph CEO, Justin drives strategic innovation within the company. Based in Seattle, he previously served as the CTO of NextStep and Koru, which won the 2018 Most Impactful Startup award from Wharton People Analytics.
Justin is a board member for the Ada Developers Academy, VALID8 Financial, and Edify Software Consulting. He is the creator of the patented Training, Tracking & Placement System and the author of “Aligning curriculum and evidencing learning effectiveness using semantic mapping of learning assets,” which was published in the International Journal of Emerging Technologies in Learning (iJet). Justin earned a BA from Fort Lewis College.