Chris Krebs: Cybersecurity Risks and Controls

February 21, 2022 00:39:46
Ayna Insights

Show Notes

Chris Krebs, a renowned expert in cybersecurity, shares his thoughts on the current issues facing cybersecurity around the world, including the current situation in Ukraine, the 2020 election, the Colonial Pipeline hack, and other attacks on critical infrastructure. He also discusses how organizations can anticipate, prevent, and recover from these types of attacks in the future.  

Mr. Krebs is a former Director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). He recently founded a cyber consulting firm named Krebs Stamos Group with his partner Alex Stamos where their first assignment was the SolarWinds hack.

How big is the threat of cyber attacks in today’s world? How can companies become more security minded? Tune in for the conversation with Chris Krebs to learn more.

Discussion Points:

Ayna Insights is brought to you by Ayna, the premier advisory firm in the industrial technology space that provides transformation and consulting services to its clients. The host of this episode, Nick Santhanam, is the CEO of Fernweh.

This episode is part of Disruption 2.0 series where the focus is how a new wave of technology is disrupting multiple sectors.

For more information:

Christopher Krebs LinkedIn

Krebs Stamos Group Website

Ayna

Nick Santhanam LinkedIn

Episode Transcript

[00:00:03] Speaker A: Welcome to Fernweh Insights, where prominent leaders and influencers shaping the industrial and industrial tech sector discuss topics that are critical for executives, boards and investors. Fernweh Insights is brought to you by Fernweh Group, a firm focused on working with industrial companies to make them unrivaled segment-of-one leaders. To learn more about Fernweh Group, please visit our [email protected] dot.

[00:00:38] Speaker B: This is Nick Santhanam, CEO of Fernweh Group. As a part of our Fernweh Insights podcast series, we are delighted to host Chris Krebs, founding partner at Krebs Stamos Group, a cyber consulting firm. Chris served as the first director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, CISA. As director, he oversaw CISA's effort to defend civilian networks, manage systemic risk to national critical functions, and work with stakeholders to raise the security baseline of our country's cyber and physical infrastructure. Prior to that role, Krebs served in various Department of Homeland Security roles responsible for a range of cybersecurity, critical infrastructure and national resilience issues, all very important topics for us and very pertinent today. Prior to his time at DHS, he directed US cybersecurity policy for Microsoft and advised industry and government clients on complex cybersecurity and business risk matters. He holds a bachelor's degree in environmental sciences from the University of Virginia and a GED from the Antonin Scalia Law School at George Mason University. With that, welcome, Chris. Welcome to the podcast. Very delighted and excited to have you today.

[00:01:59] Speaker C: Hey Nick, thanks for having me on. Great to see you again.

[00:02:02] Speaker B: Thank you. So, Chris, let's just jump straight into it.
We've heard a lot about cyber attacks and ransomware recently, including the one we have been talking about, or the news media has been talking about the Russian-Ukrainian situation and potential for cyber attacks there. For our audience, that includes executives, board members, investors, fund managers, and founders, all with grave and serious responsibilities for their institutions. Tell us, what's the severity of the threat out there? How worried should we be?

[00:02:32] Speaker C: Last year, 2021, was a blockbuster year for high profile cyber events. Think to your point and your question, it certainly seemed like the threat actors, the government act, the nation state actors, the cybercriminals, they really took off and took advantage of the installed technology that we all depend upon. In 21 was a breakthrough year. But what's I think most interesting is that the difference of 21 and the years prior to was that really more than anything, they hit the kind of the capital centers of the economy. They hit the political centers, right? Colonial Pipeline. I live in the DC area. I've told this story before. I live in the DC area. I couldn't get gas in my car for four or five days. I haven't made that jump to electric vehicles yet. So still putting 87 octane in there. But it was a real disruptive factor. And that catches the, the news. The news is attention. That catches the political attention. But again, these things have been going on for quite some time. 2017 and 18 were real breakthrough years for ransomware, and specific in general. 2017, though, was the year of the big NotPetya attack, which took place in Ukraine. It's been attributed to the Russian GRU, which is the military intelligence unit of the Russian government. And what they did was they compromised a piece of software that companies operating in Ukraine have to use, or at least highly recommended to use in accounting software.
We all use third party systems and software services to get through the business day. And the Russians identified that dependency. They were able to find a vulnerability in that system. They inserted what looked to be ransomware, but was, in fact, malware, or destructive malware at that, and that spread globally. And so the last half decade, I'd say, are really significantly transformative in terms of our awareness of the threat. The good news, though, again, about 21, is that by hitting those capital centers, by getting such significant attention at the leadership levels in the government as well as in the boardroom and across the executive cadre, we're seeing a lot of discussion and time spent in board meetings, in the weekly agenda of a CEO and COO. So we're seeing investments in cybersecurity. So that's a good thing. But as we look forward, we're only going to plug more things in. We're only going to incur more technological dependencies, whether it's software, hardware, firmware, whatever. And so we're not making our jobs that much easier until we really bake in security, not just of our own corporate networks, but of the products we ship or we host for our customers. Security has to become one of those core first principles of every organization that plays in the technology domain. And that's not just next year. That's not just for the next five years. I got to say it, Nick, it's like this is humanity for the rest of our existence. We're only going to be more technologically dependent, and there are always going to be bad people out there that seek to exploit vulnerabilities, misconfigurations for money, for political purposes. And unfortunately, some people are just like the Joker and Batman. They just. They just want to watch the world burn. So you got to account for a number of different actors out there.

[00:06:31] Speaker B: So, Chris, you sort of then get me to the very next question. Right. So we have to live with it. Right.
There's always a joker, and there's always going to be the Batman movies with a series of that. What's the level of current capacity, capability and preparedness of organizations to deal with this threat? I mean, you talked about not having gas. I mean, not having gas is an issue, but this can be much worse. Right. So where are we on?

[00:06:54] Speaker C: You kind of break it down into, typically into people, processes and technology. From the people perspective, there is absolutely a shortfall in available technical talent to build out IT teams and IT security teams. And so we need to do a lot better job at the federal level as well as in the private sector to support more opportunities through the educational system. And we can't over spec job requisitions as we tend to do. I need a four year college degree. I need all these certifications. I need someone with ten years of experience in a language, a coding language that's only been around for four years. We literally see those position descriptions still. So we need to think more about what our actual requirements are and then match it up with the talent. But more importantly, on the people side, in individual organizations, leaders have to look down into the organization and understand that security really starts at the top. So no CISO or IT security lead is going to be successful if the chief operating officer and the CEO and the chief legal officer and the board don't care. If the investors don't care and they skimp on security, you're not going to have a competent program, an effective program. So when I think about the six attributes of a successful security program, number one is leadership. It's got to start at the top. The second aspect there of the more strategic side is that everybody's got to be on the team. So it's not just the CEO, it's not just the IT security director.
It goes from the top to the bottom, to the interns, to the executive assistant, to the people distributing the mail. If we still have the mail sorting room, everybody's got to be a part of the team. But at the same time, we have to make it easier for them to be successful and to compute securely and do business operation activities securely. So it's about giving them the tools and the resources and not trying to trap them through, like, phishing tests and things like that. You need those every now and then. You need good training, but it's really about making it easy so that they can make mistakes that are not, and they're not catastrophic for the organization. And you hand over the keys to the bad guys and there are absolutely strategies to limit blast radius effectively of someone clicking on the wrong email or attachment, really containing it to a single device. The third piece of a competent security program is you got to know who's working on your network, who's in it, who should be in it, which sort of access. This is really all about just identity management and getting beyond just multifactor authentication. First off, if you're still using passwords, I'll say a prayer for you tonight, but you've got to get to that security posture where you're using a second and sometimes even a third factor for authenticating into your accounts. But again, you should only allow people to go where they should go, and you got to keep tabs on them, because when they move from position to position, where they should go changes. Fourth element here quickly, just to wrap it up, fourth element is knowing what's on your network, what devices should you be, should be operating within your network, what's their health? Are they patched? How quickly are you patching them? Keeping tabs on the topography and the things that operate within your network and how they can be accessed from the outside, from the inside, from third parties.
And then the last two bits here have an incident response plan. And that's really key. And you and I have talked about that before, but everyone has bad days. It's inevitable. It is. No one's perfect. You're going to have a bad day. Can you respond effectively? Do you make decisions that are informed by experience and understanding of what your priorities are, and can you communicate them effectively? And last one again, people have bad days. Can you recover? Ransomware specifically, it's not going anywhere. But if you have a ransomware event, you get locked up, as bad as that seems. Can you get back up and running without affecting your core business operations and delivering a product or a service to your customer? How quickly can you get that back up and running?

[00:11:32] Speaker B: Fascinating. Chris. Let's talk about the source of the problem. What's the spectrum of bad guys, from individual actors to organized groups, syndicates? And what are their motivations? I mean, let me ask a politically blunt question. Who are these guys and what are you most worried about?

[00:11:48] Speaker C: Every single country on the face of this earth is right now developing, at a minimum, intelligence collection capabilities, using technology, using cybersecurity capabilities. They are using those for foreign collection and many governments are actually also developing these tools and capabilities for domestic surveillance purposes. And that's a significant concern. And we need to make sure that those don't proliferate globally because they've absolutely been used, and you've seen that with some of the NSO Group issues. The second is they're developing their factions in almost every country on the earth. They're developing criminal infrastructure so that they can, as I mentioned earlier, monetize vulnerabilities and monetize misconfigurations.
In fact, the entire country of North Korea is effectively a cyber criminal state where they go out and they're able to conduct operations, business email compromise, some ransomware activities to fund the operations of the North Korean regime. And then lastly, what we're seeing, and I think what really concerns me the most is countries are developing disruptive and destructive capabilities so they understand that cyber is just one more tool in the toolkit of projecting force, projecting power. I think, as you mentioned in the opener, what's happening right now in the Russia-Ukraine crisis, I would absolutely expect if, in fact, Russia does roll into Ukraine, I would expect to see a cyber enabled campaign that does three things. First is gives Russia the intelligence collection capabilities to understand what the Ukrainian government is thinking and what their next moves might be. And so that's that intelligence piece. I'd also expect to see destructive capabilities that would align with military objectives. So you'll see cutting out the power, cutting out the communications and command and control capabilities for the military. So they don't know where their tanks are, they don't know where, what kind of airstrikes and what's up and what's down. And then the third kind of rolls into that, domestic surveillance. But also a broader concern with disinformation. I would fully expect Russian actors and potentially third party belligerents, including countries maybe like Belarus, get into the disinformation game and create chaos across the population. That's really one of the tactics of the Russians, is it's not just technical attacks for military objectives, but it's psychological attacks to create chaos and undermine confidence of the governed in their confidence in the governing authorities. And the Russians are quite good at that, and they've honed their skills for decades.

[00:14:52] Speaker B: Wow.
You're basically telling this is going from an interesting topic to a very important critical topic. It's becoming a mainstream narrative, maybe. Now, Chris, I love to switch gears and talk about your journey, right? I mean, you've got a fascinating background. You spent a lot of time on this topic before it became the front page of Wall Street Journal. How does an environmental engineer end up directing US Cybersecurity and Infrastructure Security Agency?

[00:15:22] Speaker C: I did an interview with Politico here in Washington, DC. I think it was about 2019 and the run up to the 2020 election. And I just kind of, in an offhand remark, called myself the accidental director. When I was in college, I went to University of Virginia and Environmental Science. A little embarrassing story here. My plan for the first year or so after college was to go down to the Bahamas in divemaster, teach scuba. And I got down there for a couple of weeks. I was like, this is boring. Good for me. First world problems, to be able to hang out in the Bahamas for a couple of weeks and say this isn't for me. And then I moved up to Washington, DC. And I had always been interested in the national security community, broader risk management issues, even going back to as a kid, everybody loves the Tom Clancy books and it's kind of captivated with some of the covert and subterfuge. So I ended up in Washington and worked for a couple different contractors that were in the national security space. And then 9/11 happened and I was involved in some of the efforts to stand up the original, you know, the first couple years of the Department of Homeland Security, I went to law school. And, you know, within about a week or two of law school, it became pretty apparent to me that I wasn't, I wasn't cut out for big law. So I wasn't, you know, I wasn't going to be a K Street lawyer.
I was really taken by policy issues and sorting out the decision making process for how governments operate, particularly again, at the time, at least within a homeland security construct, but with a real focus on critical infrastructure. So those key elements, right, of the nation's economy, what keeps us moving forward, which I still think to this day, critical infrastructure as a risk management space, at least in the national security community, is still, I think fully is underappreciated. We significantly invest in our defense and intelligence collection community, but still say, hey, private sector's got, private sector's got the critical infrastructure piece. That's their problem. They need to sort it out. And I think what we've seen over a decade or so is that critical infrastructure absolutely is national security. So critical infrastructure security is national security. And then cybersecurity is a big piece of that. And so worked in the Bush administration, worked in consulting, worked at Microsoft, and then at the beginning of the Trump administration, knew a couple of the folks at the Department of Homeland Security that were standing up the new team came in and just from, again, accidental director from a series of decisions other people made. There was a position opening, and I was in an acting role as the first secretary. John Kelly went up to the White House and there was a position open and vacant. I filled it in acting capacity. And I just remember a conversation I had with someone that said, hey, we need to figure out what the, who's going to be the Senate confirmed or Senate nominated and confirmed director for CISA or the predecessor organization. And I kind of looked at it. I was like, I've been acting in this job for about six months now, and I think I've done a pretty damn good job. So until you say that I'm not qualified, I'm going to keep saying I should be the director. 
And I ended up passing the test, I guess, and got nominated and was in that job either in an acting capacity or Senate confirmed. Actually, Senate confirmed two years plus one day, but in the acting capacity for about three and a half years. And I think back to that time, just how fast paced it was. I tend to operate in a heightened state in moments of crisis, and, and I feel like that three and a half years was one crisis after the other, whether it was hurricanes, cyber attacks, prepping for elections, and it was really a highlight of my career. I'm not sure I'll ever have anything quite as meaningful and loved the team and really respect the team and the leadership folks that are in there right now. But I took my shot. I think it worked out. All right.

[00:19:38] Speaker B: Chris, I think you're being a little too humble. I think you played a big role in a lot of the stuff over the last four years, but obviously the big one was the 2020 presidential election. I think people can just Google and see your name show up in multiple things on the 2020 presidential election. Of the cyber topic, what are the real biggest cyber threats you anticipated and you were prepared for?

[00:20:00] Speaker C: Well, we went through a process in preparation for the 2020 election, about three years of what I call threat modeling or red teaming, but really spending a significant amount of time thinking through all the bad things that could happen. We had developed scenario after scenario, dozens of scenarios of technical things that could happen, disinformation campaigns, and we would continue to work through a problem of, if this happened, what would our response be? But more importantly, how can we take that avenue, how can we take that opening off the table now? I firmly believe that in the run up to the 2020 election, we controlled the battle space. We in the US government controlled the battle space. Until the bad thing happened, we were the masters of our own domain.
So let's take advantage of that and make the changes, the improvements, the upgrades. That's one of those, those lessons or leadership lessons I have from my time in government is you always have to be holding two different mindsets. One is today. We have to be managing today's problem because something's going to break tomorrow. And so you have to keep grinding through the day to day. But if you're always grinding through the day to day, you'll never be able to look around that corner. So you have to commit, dedicate resources to both problems, the today and the tomorrow. And so we actually, that was the motto of CISA. It was defend today, secure tomorrow. And it was really trying to push a mindset across a reactive organization into being both proactive and react. The more proactive anticipate you can be, the easier it makes. Those things that break because you've probably thought about it or anticipated. The things that we were most worried about in the end were ransomware attacks on voter registration systems. Voter registration systems tend to be, have some aspect of Internet connectivity so that you and I can look up our voter registration. Are we registered? Where am I supposed to go vote? California, you can go do vote centers, but in Virginia you've got to go to a specific precinct, precinct, which in my case happens to be a school, an elementary school down the road. So you've got it. There has to be some degree of Internet connectivity. Now, the database itself is not accessible and can be protected. But look, any way you cut it, a bad guy coming in, cutting off that ability to look up the lookup tools or somehow figuring out how to burn down a voter registration database would be not fatal to an election, but chaotic. It would be catastrophically chaotic, in fact, and would create a lot of confusion and undermine confidence in the process in the advance of an election. So that was number one. Number two was also about election night reporting.
So unfortunately, I think the majority of Americans think that you show up on election day and you cast your vote and you wait for CNN or Fox or whatever to tell you who won the election. And that's just not how it works. But still, that kind of emotional dependency on media and exit polls creates a massive vulnerability, psychological vulnerability in the population. So we were worried that, we've seen actors do this in the past, but that someone could hack into the ticker across the bottom of a news station and change numbers, change outcomes. Look, the unofficial results are screwed up all the time, but an intentional disruption could be really chaotic. And so that then kind of shifts me over to not the technical attacks we were worried about, but ultimately, we were pretty confident in our understanding of what the bad guys were thinking and what they might do and the resilience of the system of the voting process. But it's really hard to account for psychological attacks, disinformation attacks. I think if I had one, kind of, I'd like to rerun the election, but if I could go back and change one thing, we should have done a lot more public engagement, lower level public service announcements and things like that, educating people on how the vote process works and the security controls and verification measures in place along the way, because, again, fraud, claims of fraud have cropped up all over the place, and it just doesn't happen on any kind of meaningful scale. And so I think next time around, I think that's something that election officials should do a lot more about, is educating, kind of shining some light and demystifying the election process.

[00:25:06] Speaker B: So you would say, Chris, I mean, you were obviously in the hot seat, but so you would say with a very high level of comfort that there was no voter fraud or there was no fraud that happened in 2020.

[00:25:18] Speaker C: Yeah, absolutely. I mean, and I've been consistent on that.
And there is still to this day, nothing that's come up. In fact, all the evidence and in the continued audits and things like that across the country validate our position. But look, it's not just me standing up there at the podium. Our confidence was based on three or four things. First is the improvements made in the voting process. And I suspect everyone that's watching probably voted somehow had a piece of paper associated with your vote, whether it's voting at home, absentee, or you go into the vote center voting precinct, you either fill in a bubble or you push a button on a, on a touchscreen that spits out your ballot that you then feed into another machine. We went from below 80% of votes cast with a paper ballot in 2016 to about 95% in 2020. That's a remarkable resilience improvement. That was where everything in Georgia and Pennsylvania, in fact, hinged on those paper ballots that were involved in the voting process. In 2016, those states had what was known as DREs, direct recording equipment, machines where you just go in, you push a button, and it's saved down on removable media. That's really hard to audit. And so we really pushed for the auditability of elections. And Georgia counted their votes three times, consistent throughout. And the other two parts of why we were so confident it was, again, the hard work of the intelligence community and the Department of Defense to understand what the bad guys were doing and destabilizing them. And then third is that relationship we had with state and local election officials where they were reporting to us any sort of activity they would see. And we were able to investigate it. And again, this thing was, for all the claims of fraud and manipulation, this was the most scrutinized, the most audited, the most paper election we've had.

[00:27:22] Speaker B: So, Chris, let's talk about the future. We'd love to talk about the Krebs Stamos Group, which has been recently formed.
Tell us a little bit about you and your co-founder Alex's motivation behind this company. Why did you set it up and tell us more.

[00:27:34] Speaker C: We're a little over a year old now. So it's January of 2021, rather, is our birth month. Our first client was a company that most folks should know. It's called SolarWinds. They were targeted by the Russian intelligence agency, the SVR, that was discovered in December of 2020. And what happened was the incoming CEO. So he accepted the job. Sudhakar Ramakrishna accepted the job in November timeframe. He was going to start in late January, something like that, in the middle of December. And it came out that the Russians had compromised one of their products and he didn't have to show up. But he did. In fact, he showed up early. He said that he's a man of his word, and if you're afraid of a challenge like this, you're probably in the wrong business. He jumped in with both feet and he called me. He reached out and said, look, I'm coming in. I'm probably getting into a bit more than I can chew and would like some help to make sure that we're doing the right things as a company. And in the course of the introductory conversation with Sudhakar, he repeated our business proposition, our value proposition back to us. We didn't even open our mouths. He said, I think executives, CEOs need strategic advice on how to manage cybersecurity risk that can fold together incident response insights, legal insights, and input from the board. We need someone that has been in the mix, that can put all these things together, that is focused on the company, the customers and shareholders. And we came in, helped them out. Right now, I think they've weathered the last year quite well. So really what our basic concept is cybersecurity is a core value. We're seeing a shift from stakeholder accountability and shareholder accountability, rather into stakeholder accountability. So really company standing up and becoming security minded corporate citizens.
In the last year, we've grown, we're about 25 folks right now, about a dozen or so clients, and we try to work in the industries of tomorrow, advanced information technology, automation and robotics, aerospace, as well as with the private equity community to help them kind of understand where they've made bets and where their investments are. And we work from the high strategic geopolitical building and geopolitical considerations into global operations, down to technical assessments of a company that might be only a couple of years old, that's got significant valuation, but might also be a high target of Chinese intelligence operations and help them get their security game up to match. And so it's been a lot of fun really. I said the CISA job was probably the best job I'll ever have. This one's pretty close. It's a lot of fun.

[00:30:41] Speaker B: Interesting, Chris. As you know, Fernweh Group, we are obviously focused on the industrial space, the industrial tech space, and a lot of the industrial companies have a global manufacturing footprint with a great amount of focus on Asia, China. What would your advice be? And we talk to CEOs all the time, and this is obviously a topic coming more and more because it's on the front page of newspapers that they start thinking about it. How should these companies be thinking about cybersecurity? How should they be thinking about their cyber strategy?

[00:31:10] Speaker C: So cybersecurity cannot just be considered in isolation. You have to factor in broader geopolitical and broader geoeconomic factors into your security risk management approach.
And as I, you know, when I see a company that has a chief information security officer, that rolls up to a chief risk officer, that also has global security operations and enterprise risk management and some of the supply chain considerations all under that umbrella, that gives me a degree of confidence and hope that they're able to consider a degree of a variety of factors to manage the risk, both of their products being exploited. But as the products go downstream, specifically with the industrial sector, one of the things that we're seeing is historically, there tends to be a mindset of ship it and forget it. It's almost the Ronco oven of hardware, where it's really hard to manage and update products and solutions once they go out into the field, particularly considering downtime is such a driver, avoiding downtime as much as possible. Plus some of the really inhospitable environments which industrial products are deployed. What we're seeing is a bit of a shift in customer safety mindset. Yes, that product may be out there in the field, and that customer tends to update only 5% of the time. Of everything we've shipped over the last ten years, they've only applied five updates. Historically, you may see product security folks go, eh, can't do anything about it. I think a shift's happening. How do we invest on the softer side of engaging customers? Our field reps. How do we get our field reps more attuned and adept in security configuration from the beginning, in constant contact and engagement with customers to ensure that they have the guidance they need to make sure that their products are safe. Really what you're doing, and this is a mindset that I think, again, in the industrial sector, that I think folks need to keep in mind, is you're shipping targets. You are shipping targets for foreign intelligence agencies, for foreign military operations to potentially target and exploit for their gains.
And the last thing you want is your name splashed all over the headlines because your thing blew up in the middle of a pipeline or whatever, because it wasn't patched and it was exploited. So you really have to be thinking through managing across your risk registry, reputation, customer product, things like that. This is what you need to be considering in the Ukraine-Russia context. Not everyone has operations in Ukraine. But if this thing goes south and if we do see actual kinetic activity in a military incursion, there will be cyber activities. I'm convinced of that in Russia. And a lot of it's going to target hard infrastructure. You have to think about, are we deployed? How do we manage that risk? How do we protect our employees? And the last thing I think I'd be thinking about is across your supply chain for your products. How do you understand what the security posture is at some of your facilities that may be in a state or a country that requires access to your networks or requires you to use a joint venture? Do you really trust effectively the security hygiene of your manufacturing facility in any specific country? And what are the risk management strategies that you can develop from both your personnel security strategies? An insider threat. If you've got that facility in that country, and 90% of your employees there are indigenous, and those are things you have to work through. None of this is bad, right? Necessarily bad, at least. It's just you have to be aware of the risks that you're taking on with a global distribution. And kind of, to steal a phrase from Game of Thrones, but the night is dark and full of terrors. You have to have a very risk aware mentality when you operate globally. It's not the good old days, whenever the good old days were, I don't know when those were anymore. But right now, there is absolutely geopolitical tensions. That technology is now becoming one of those chief battlefields.
And in the automation and industrial sector specifically, it's at the very tip top of the Chinese made in 2025 plan. The Chinese government, those are the strategic sectors that they want to win globally. Okay, you may be on the target list.

[00:36:16] Speaker B: Chris, I have to say this is fascinating, but also scary at the time. So I know we are coming to the top of the hour. So closing off, I want to ask you, since you started Krebs Stamos Group, without obviously revealing confidentiality, tell us some stories of the work you've been doing with companies on the threat of cybersecurity, which I think is interesting, but also for the audience to say, wow, I should think about that.

[00:36:39] Speaker C: Well, I think, again, we can pivot back around to Ukraine and Russia. If you look at how the software development industry globally has developed over the last several years, there's a lot of really good software engineering talent in Eastern Europe, including in Ukraine, in countries up and down the former Soviet bloc. And that's a great thing. It's really good talent, it's cost effective. But one of the concerns you have to think about is not just the fact that Russia may roll in and you've got a war zone, but what does the longer term stability of Ukraine look like if an objective of the Russian government is a regime change, where you may have a different set of laws in place, you may have a different security service in place, that may not make it as hospitable to using software services out of a country like that. So I would really be thinking through, and this is what we work with right now. Again, from that geopolitical consideration is really be thinking about your third party services and your dependencies, both where you're getting it in the outsourcing piece. But also, even if a product or service or offering is in a traditionally safe country or geography, those can also be exploited by sophisticated actors.
Cloud services right now is that's what got everybody through that shift to work from home and the digital transformation due to Covid. But the cloud is not necessarily inherently more secure. It has a different set of security considerations and risks you have to be thinking about. So again, I would work very diligently through what your third party risk is. And I think 2022 and 2023 are probably going to be the year of third party risk. The quote I like to apply to this conversation is Willie Sutton, the famous bank robber. When he was asked why he would rob banks and he said, that's where the money is. Hey, cloud and third party services, cloud supported services, why do the bad guys go after those access? There's, that's where the access is. That's where the data is, that's where your crown jewels are. So really be thinking about where your crown jewels are, who's hosting them, who has access, and how you need to best protect them and get them back up and running if you lose them.

[00:39:11] Speaker B: That is amazing and fascinating. With that, Chris, love to conclude our podcast. Thank you. Thanks for your time. Very interesting and very helpful.

[00:39:18] Speaker C: Hey, thanks so much, Nick.

[00:39:25] Speaker A: Thanks for listening to Fernway Insights. Please visit fernway.com for more podcasts, publications, and events on developments shaping the industrial and industrial tech sector.
