1
00:00:00,000 --> 00:00:05,200
One of the biggest problems in many organizations in the world today is the lack of automation.

2
00:00:05,200 --> 00:00:08,800
How do you create a culture of cyber security?

3
00:00:08,800 --> 00:00:10,000
How do you educate the human?

4
00:00:10,000 --> 00:00:16,560
In cyber, unless you wholeheartedly believe that you are vulnerable.

5
00:00:16,560 --> 00:00:19,440
You can't do the NIST prepare response.

6
00:00:19,440 --> 00:00:26,640
You need to be able to determine one key factor, which is can my staff identify a malicious

7
00:00:26,640 --> 00:00:30,400
content. And if you can do that, I think you are ahead of the game because you can then stand

8
00:00:30,400 --> 00:00:35,600
up and say, hello, 75% of my staff are able to clearly identify malicious.

9
00:00:35,600 --> 00:00:44,800
Welcome to the Executive Connect podcast, where we will explore cutting-edge intersection between

10
00:00:44,800 --> 00:00:53,120
AI and cyber security. Omar will discuss how AI transforms our defense against complex cyber

11
00:00:53,120 --> 00:00:59,520
attacks. Whether you're enhancing your company's cyber security measures or keen on the latest

12
00:00:59,520 --> 00:01:06,160
digital safety, Omar's insights are your guide to navigating today's dynamic cyber security

13
00:01:06,160 --> 00:01:12,320
threat landscape. Welcome Omar. Greetings everybody, Melissa. Thank you for having me here.

14
00:01:12,320 --> 00:01:21,200
We're so excited to have you here. I read recently on a Google study that 63% of security

15
00:01:21,200 --> 00:01:28,240
professionals believe AI will improve corporate security from your perspective. How can

16
00:01:28,240 --> 00:01:35,200
organizations integrate AI in a way that complements their cyber security team strengths?

17
00:01:35,200 --> 00:01:40,720
Wow, we could be here for several hours. So I'm going to give you soundbites.

18
00:01:40,720 --> 00:01:50,000
Even if we keep the age of AI to one side, one of the biggest problems in many organizations

19
00:01:50,000 --> 00:01:58,480
even today, Melissa is the lack of automation. Now, I say it's not lack of automation, I say it's the

20
00:01:58,480 --> 00:02:10,560
belief in automation, the fear of automation. Right? So AI, I think, is already offering quite a lot,

21
00:02:10,560 --> 00:02:18,400
has a lot more to offer, but what may be the biggest roadblock to implementing AI for the benefit

22
00:02:18,400 --> 00:02:29,120
of security? Maybe the fear of what AI may do. And to summarize that, the best way to summarize it,

23
00:02:29,120 --> 00:02:35,040
the fear of interrupting business, right? If you're an e-commerce business, if you're high transaction,

24
00:02:35,040 --> 00:02:40,960
business, if you're a critical national infrastructure business, right? You don't want AI switching

25
00:02:40,960 --> 00:02:51,120
off the nuclear reactor just because it's seen something. So I think there are loads of benefits of AI,

26
00:02:51,120 --> 00:02:56,400
and we're going to discuss many other challenges and opportunities, but in summary, I think

27
00:02:56,400 --> 00:03:08,400
organizations need to embrace AI, but that fear of disruption and interruption by AI is going to

28
00:03:08,400 --> 00:03:16,560
be a massive roadblock. Yeah, absolutely. I think you touched on it. So just jump in right into the

29
00:03:16,560 --> 00:03:23,520
risks of AI. So from your perspective, are there any, I know there's a lot of risks we hear that

30
00:03:23,520 --> 00:03:29,600
is going on right now in the world of cybersecurity, but from your perspective, and AI, are there

31
00:03:29,600 --> 00:03:36,960
kind of the top potential risks? And how can companies prepare for some of those risks with using AI

32
00:03:36,960 --> 00:03:45,600
tools? Ready to lead smarter and invest wiser? On the Executive Connect podcast, we unpack executive

33
00:03:45,600 --> 00:03:52,160
strategies for wealth and influence. Hit the subscribe button now. Don't just watch, act.

34
00:03:52,160 --> 00:03:59,520
Yeah, so I think one of the threats to AI, and this may be a general statement, if I may, I think,

35
00:03:59,520 --> 00:04:09,120
but especially in cyber and IT, one of the threats to AI is the lack of available data,

36
00:04:09,120 --> 00:04:16,000
am I making sense? So, you know, ChatGPT and Bard and Copilot, all brilliant, because they have

37
00:04:16,000 --> 00:04:21,280
access to a lot of data that they are learning from. But now imagine a large organization or a

38
00:04:21,280 --> 00:04:30,400
medium-sized organization brings in AI, but they're only monitoring 25% of what they can monitor,

39
00:04:30,400 --> 00:04:38,720
if you see what I mean. So, you now have the situation where 75% of their data is not being monitored.

40
00:04:38,720 --> 00:04:44,560
And then you add to the recipe, the complication of privacy, maintaining that privacy of an

41
00:04:44,560 --> 00:04:54,880
individual of staff members of clients, you add additional pressure on AI, not accidentally exposing

42
00:04:54,880 --> 00:05:00,960
something, which it might very well do, because we are still quite, you know, relatively early days of AI.

43
00:05:00,960 --> 00:05:08,240
Am I being saying, so the risk of privacy, the risk of not having sufficient learning data of an

44
00:05:08,240 --> 00:05:17,680
organization, because it costs a lot to gather the data and store the data, and then you got the cost of

45
00:05:17,680 --> 00:05:26,800
AI where you need unlimited CPU, you know, to constantly keep learning. I hope I kind of captured

46
00:05:26,800 --> 00:05:35,200
some key risks there. Yeah, no, no, you make a good point. I talk often about education. I think a lot of

47
00:05:35,200 --> 00:05:42,880
times in cyber security, a lot of the IT teams I deal with, their job responsibilities used to be

48
00:05:42,880 --> 00:05:48,240
very clear, you know, set up computers, put the ink in the printer, set up the desktops, keep the

49
00:05:48,240 --> 00:05:55,600
infrastructure up. And I think as cyber security becomes front and center in the world today, AI,

50
00:05:55,600 --> 00:06:02,240
you know, layering in AI tools, I think a lot of times, you know, it's easy to say, well, this, you know,

51
00:06:02,240 --> 00:06:08,080
we had a ransomware attack, it's this administrative assistance fault, or it's this other marketing

52
00:06:08,080 --> 00:06:14,800
person's fault, but I do, you touched a little bit on it, education, it's such an important part,

53
00:06:14,800 --> 00:06:22,800
your employees are your first line of defense, they're the first way in. How do you create a

54
00:06:22,800 --> 00:06:29,920
security-centric culture where everybody in the organization, whether you're proficient and

55
00:06:29,920 --> 00:06:35,520
understand AI tools and cyber security, or whether you're an HR in marketing and cyber security is

56
00:06:35,520 --> 00:06:44,000
not your forte, how do you create a culture of cyber security? Are you a high-income professional

57
00:06:44,000 --> 00:06:48,960
looking for smarter ways to protect your wealth? The Texas Freedom Fund gives you the opportunity

58
00:06:48,960 --> 00:06:55,120
to invest in energy assets leveraging proven fracking technology and prime access to global markets.

59
00:06:55,120 --> 00:07:00,720
With strategic oil and gas investments, you can build real wealth while benefiting from tax advantages

60
00:07:00,720 --> 00:07:06,080
under laws dating back to the Reagan era. Take control of your financial future. Visit

61
00:07:06,080 --> 00:07:12,240
Texas Freedom Fund.executiveconnectpodcast.com. How do you educate the human?

62
00:07:12,240 --> 00:07:19,680
It's a big a question to me, you know, and I think some organizations do it better, but it's also a

63
00:07:19,680 --> 00:07:28,320
human problem if I may, what I mean by that is your staff member has to meet you halfway, so

64
00:07:28,320 --> 00:07:35,360
you know, they've got to be entrusted in learning, but one of the key mantras that I give people

65
00:07:35,360 --> 00:07:42,800
is one of the key KPIs that performance, if I may, is can your staff identify something malicious?

66
00:07:42,800 --> 00:07:49,120
Am I making sense, right? Yeah. Phishing, you know, we can be three years from now and phishing will still

67
00:07:49,120 --> 00:07:56,320
most likely be the biggest entry vector for criminals. So, so I think education is absolutely key.

68
00:07:56,320 --> 00:08:06,160
It's changing the interaction, the ability to automate the gaming, etc. I think different cultures

69
00:08:06,160 --> 00:08:12,400
have different challenges, organizational cultures, but unless you can determine

70
00:08:13,440 --> 00:08:22,080
after all of that education is my staff actually educated, right? You need to be able to determine

71
00:08:22,080 --> 00:08:32,640
one key factor, which is can my staff identify a malicious content, right? And and if you can do that,

72
00:08:32,640 --> 00:08:37,920
I think you're ahead of the game because you can then stand up and say hello 75% of my staff are

73
00:08:37,920 --> 00:08:44,080
able to clearly identify malicious content. Yeah, absolutely. I think there's great

74
00:08:44,080 --> 00:08:48,000
cybersecurity learning tools and I know from my perspective, I used to get

75
00:08:48,000 --> 00:08:53,840
phishing emails where it was abundantly clear that they're phishing emails. Maybe Microsoft was spelled

76
00:08:53,840 --> 00:08:59,920
wrong or the logos were wrong or it wasn't a complete sentence, you know, fast forward to all these

77
00:08:59,920 --> 00:09:06,000
fantastic AI tools that are out there. Now people that, you know, English is not their first language,

78
00:09:06,000 --> 00:09:13,200
they can create a phishing email that is harder to spot. I know I've received one recently that looked

79
00:09:13,200 --> 00:09:20,720
exactly like me and how I communicate. They had basically taken something I posted on social media,

80
00:09:20,720 --> 00:09:28,720
reworded it and sent it over to me. And even I working in cybersecurity regularly, I was shocked at how

81
00:09:28,720 --> 00:09:36,800
good it looked and how easy, you know, my first instinct was to think it was real.

82
00:09:36,800 --> 00:09:47,680
And and and if I may build on that, I think where AI today can add a lot of value is in these kind of

83
00:09:47,680 --> 00:09:54,400
not just for the spammers, if I may, but for for us because AI is adding tremendous value as you

84
00:09:54,400 --> 00:10:02,640
highlight Melissa for the the the average spammer who has to create really good email, they are now

85
00:10:02,640 --> 00:10:08,720
I'm absolutely as you identified, I've seen emails that are absolutely brilliant, right?

86
00:10:08,720 --> 00:10:16,240
In in terms of the phishing, you know, approach and trying to trick people. But I think on the other

87
00:10:16,240 --> 00:10:24,320
side of the fence, organizations should start embracing AI to combat the AI coming in

88
00:10:24,320 --> 00:10:30,800
from the other side of that makes sense. And and that that's where you would get tremendous value,

89
00:10:30,800 --> 00:10:38,320
but I repeat, we speak to different types of clients, the fear of AI, you know, taking over

90
00:10:38,320 --> 00:10:47,760
the day I say the Terminator Skynet fear, which may be true five years from now, etc, but right now

91
00:10:47,760 --> 00:10:53,600
that that that fear is keeping people away from what AI can absolutely do.

92
00:10:54,080 --> 00:10:59,920
Yeah, absolutely, and I think you know, we talked a little about education and kind of pivoting a

93
00:10:59,920 --> 00:11:08,480
little bit, you know, AI is just a tool, right? People are using the tool and it takes people to use

94
00:11:08,480 --> 00:11:13,840
the tool to make them work just like cyber security tools, people have to run tools,

95
00:11:13,840 --> 00:11:20,720
to scan environments. And so I think it, you know, I look at it as just another tool for my toolbox

96
00:11:20,720 --> 00:11:27,040
and not something to be fearful of because people need to use the tools that are in their toolbox

97
00:11:27,040 --> 00:11:33,520
and tell the tools what to do. I think also just, you know, kind of switching gears a little bit

98
00:11:33,520 --> 00:11:41,360
and talking about third party. Like I'm also fearful from other third parties now and how third party

99
00:11:41,360 --> 00:11:48,160
risk management is really crucial in organizations now. So managing their vendors as well. So it,

100
00:11:48,160 --> 00:11:54,240
you could have a great, you know, cyber security team, you could have great tools, your people can

101
00:11:54,240 --> 00:11:59,120
be trained, but now there's third parties that you're letting into your environment. Can you address

102
00:11:59,120 --> 00:12:08,640
a little bit about third party management? Wow, that's that's a full day. I think the third party risk

103
00:12:08,640 --> 00:12:16,160
is going to be probably has always been and will be and you know is the biggest Achilles heel if I may,

104
00:12:16,160 --> 00:12:26,640
right, of any organization. And part of that again comes to lack of trust in organizations saying,

105
00:12:26,640 --> 00:12:34,160
okay, here are the documents you want. Don't worry, everything's fine. And, you know, sadly,

106
00:12:34,160 --> 00:12:40,400
the few things that you can do with third parties are contractual clauses, right? Now,

107
00:12:40,960 --> 00:12:48,640
in the EU and UK when the GDPR became very popular in the initial days, there was one very

108
00:12:48,640 --> 00:12:55,440
interesting clause that was called right to audit that many people managed to put into their new

109
00:12:55,440 --> 00:13:01,920
contracts. You know, I would say you should add right to on-site audit. So if you're dealing with a

110
00:13:01,920 --> 00:13:09,200
massive third party supplier who manages your IT, for example, not just right to audit, but I think

111
00:13:09,200 --> 00:13:18,240
you should visit their site to get a feel of who is working there. You know, I think this opens a

112
00:13:18,240 --> 00:13:24,160
massive Pandora's box because because of working from anywhere after the pandemic. Many third parties are

113
00:13:24,160 --> 00:13:29,760
now have allowed their staff members to work from countries that may not be hostile. Sorry, that may,

114
00:13:29,760 --> 00:13:35,200
that may be hostile, you know, to the West. And they themselves don't know because, you know,

115
00:13:35,200 --> 00:13:41,760
employee now works from Asia, but now moved to a different country in Asia. How do they track

116
00:13:41,760 --> 00:13:50,160
that risk of staff working from hostile countries? So if you add, if you add all of that and then

117
00:13:50,160 --> 00:13:59,600
you rely on the third party coding your application, supporting your AI, you know, data, I think it

118
00:13:59,600 --> 00:14:10,160
opens a bigger box to manage than as I would exist. Yeah, and I, great point, GDPR is one of the,

119
00:14:10,160 --> 00:14:15,120
you know, a frame, another framework. There's lots of them in cyber. We've gotten this. We have

120
00:14:15,120 --> 00:14:21,040
CMMC now that's come out. We've got new PCI standards. There's a plethora of frameworks to

121
00:14:21,040 --> 00:14:26,560
comply with. And if you're in, you know, healthcare, you have HIPAA compliance and other, there's

122
00:14:26,560 --> 00:14:32,240
other banking compliances. And so I think it's just a lot now for organizations to say, okay, well,

123
00:14:32,240 --> 00:14:39,200
we might adopt this framework, but we also have to pay attention to, like you mentioned, GDPR

124
00:14:39,200 --> 00:14:48,000
or HIPAA compliance. And so I think it's becoming more tricky to navigate and, you know, layering on

125
00:14:48,000 --> 00:14:57,040
again, IoT, Internet of Things, you know, how can companies effectively implement strategies for,

126
00:14:57,040 --> 00:15:06,240
you know, shifting innovation at IoT AI? How can they, you know, maybe the better question is,

127
00:15:06,240 --> 00:15:14,480
how can they manage that when you layer technology with organizations that may be on-prem and never

128
00:15:14,480 --> 00:15:25,200
use the IoT devices? Again, a brilliant question. And I think if you look at it from the digital

129
00:15:25,200 --> 00:15:33,760
innovation side, you know, embracing IoT, embracing technology is brilliant. But what most people

130
00:15:33,760 --> 00:15:39,920
don't understand, and this may be a problem where many people who are driving digital transformation

131
00:15:39,920 --> 00:15:47,600
don't necessarily understand digital, right? They just want digital, right? You know, and I think

132
00:15:47,600 --> 00:15:52,320
COVID did a good thing in a way. It forced a lot of digital transformation. If that's one of the

133
00:15:52,320 --> 00:16:00,160
good things that did, but right now I think if you want to embrace IoT, you've got to ask yourself,

134
00:16:00,160 --> 00:16:06,480
how will IoT destroy my business? In my big sense, right? So that's the same kind of strategy we use

135
00:16:06,480 --> 00:16:11,520
when we do tabletop exercises with clients or whatever, how do you destroy your business? If you can

136
00:16:11,520 --> 00:16:18,960
figure that out and then you can work backwards to try to mitigate those risks. So if you're embracing

137
00:16:18,960 --> 00:16:24,640
IoT for whatever reason, that's brilliant. If it's going to help you increase your profits, all of

138
00:16:24,640 --> 00:16:30,400
that's brilliant, but you've also at the same time as a risk assessment, say, what's the worst case scenario,

139
00:16:32,080 --> 00:16:39,520
will it have a devastating impact in my business, on my business, and then try to mitigate that risk

140
00:16:39,520 --> 00:16:44,880
to make sure that you can still IoT, but at least you mitigate those risks.

141
00:16:44,880 --> 00:16:51,760
Yeah, absolutely. It made me, when you said that, it kind of made me chuckle a bit because I know

142
00:16:51,760 --> 00:16:56,800
in industries that I work a lot of times, the marketing departments, which I love marketing,

143
00:16:56,800 --> 00:17:04,480
and I love marketing departments, but they'll have grandiose visions of kiosks or apps or things

144
00:17:04,480 --> 00:17:10,080
they want to implement. And the IT departments are like, wait, we need to get involved before we just

145
00:17:10,080 --> 00:17:19,440
open things up for you. So I chuckle because people that are in the IT as a general germ and marketing,

146
00:17:19,440 --> 00:17:25,360
don't always see eye to eye with these, like you mentioned, what's the worst that can happen, focus

147
00:17:25,360 --> 00:17:33,120
there, and then work backwards. So I think when we look at cyber threats that are constantly evolving,

148
00:17:33,120 --> 00:17:38,560
and they're constantly changing, which would affect not only your brand, but your IoT devices,

149
00:17:38,560 --> 00:17:48,080
everything that encompasses an organization. So I think emerging threats are always on my mind.

150
00:17:48,080 --> 00:17:54,320
I'm always concerned about my own personal life and my bank accounts, my home, my things.

151
00:17:55,040 --> 00:18:02,320
So is there, how can companies develop resilience against some of these sophisticated

152
00:18:02,320 --> 00:18:10,880
cyber attacks? Yeah, operational resilience, a massive, massive topic, we are kind of specialists

153
00:18:10,880 --> 00:18:18,640
in that area. I think the best example, if I may, the biggest natural threat in Japan, I want to

154
00:18:18,640 --> 00:18:23,680
pick on Japan as a country, it's a beautiful place, but the biggest natural threat in Japan is earthquakes.

155
00:18:23,680 --> 00:18:31,280
Now imagine if you and I lived in Japan and we operated an organization there and we declined

156
00:18:31,280 --> 00:18:39,360
any preparation for earthquakes, am I making sense. I hope everyone listening in and you

157
00:18:39,360 --> 00:18:47,280
agree that that would be absolute stupidity. Living in Japan, operating in Japan, and saying,

158
00:18:47,280 --> 00:18:55,280
nah, what are the chances of an earthquake hitting us? Now, if we take that same logic, if you want to

159
00:18:55,280 --> 00:19:03,680
operate in cyberspace, you're going to be hit by earthquakes in cyberspace. If you don't acknowledge

160
00:19:03,680 --> 00:19:08,640
that fact, because we do, we do a very, very popular training called cyber incident planning and

161
00:19:08,640 --> 00:19:12,560
response, and we actually do this for clients. One of the biggest learnings, Melissa, is

162
00:19:13,200 --> 00:19:17,520
you and I can be sitting here planning for an earthquake, but if you and I and all the other participants

163
00:19:17,520 --> 00:19:22,400
don't believe that we are going to be hit by that earthquake, then the planning session is going to be

164
00:19:22,400 --> 00:19:29,440
boring and it's not going to be interactive and the participants are not going to absolutely put

165
00:19:29,440 --> 00:19:37,520
their mind to it. So whatever people are doing, if they want operational resilience in cyber,

166
00:19:37,520 --> 00:19:44,880
because people are very concerned about flooding, building, not being available, that's all where

167
00:19:44,880 --> 00:19:51,200
humans can, even non-technical humans can understand, oops, my building will not be available,

168
00:19:51,200 --> 00:19:57,520
so I better plan for that. I think when it comes to cyber, many non-technical people, and sometimes

169
00:19:57,520 --> 00:20:03,760
they say techies, are guilty of, either techies are guilty of over trusting technology, and

170
00:20:04,320 --> 00:20:09,360
non-techies are guilty of, I've given you one million dollars, why should I be attacked?

171
00:20:09,360 --> 00:20:14,800
Now, they're not going to say that in Japan, because they're going to invest that million dollars,

172
00:20:14,800 --> 00:20:20,320
but still understand that there will be an earthquake and the building might be saved,

173
00:20:20,320 --> 00:20:27,440
but they still need to prepare. If I make sense, right? But in cyber, unless you wholeheartedly

174
00:20:27,440 --> 00:20:34,880
believe that you are vulnerable, you can't do the NIST prepare response, right? Because

175
00:20:34,880 --> 00:20:40,160
you believe that nothing shall happen to me if I put enough money in it.

176
00:20:40,160 --> 00:20:44,320
Right, yeah.

177
00:20:44,320 --> 00:20:49,440
Am I making sense? Yeah, yeah, absolutely. You also made me think when you were saying that,

178
00:20:49,440 --> 00:20:53,120
I was with a friend of mine this week, and they were saying,

179
00:20:54,880 --> 00:21:01,200
I have six credit monitoring subscriptions now, because six separate companies that were just

180
00:21:01,200 --> 00:21:09,760
attacked had hit them from healthcare to their banking. So, six of them in a,

181
00:21:09,760 --> 00:21:19,360
less than 90-day period, and so I'm thinking from their perspective, they were, they sent this

182
00:21:19,360 --> 00:21:27,760
individual an email that said, "Clean up your password, that's going to fix it." And so I think of all these,

183
00:21:27,760 --> 00:21:35,360
it's a good point that you don't want to set up shop in a place that has earthquakes, has a lot

184
00:21:35,360 --> 00:21:44,000
of these challenges, but you also don't want to set up shop in a way that you're not clear,

185
00:21:44,000 --> 00:21:50,320
like you mentioned with what your goals are, right? What are, what are we trying to protect? How are we

186
00:21:50,320 --> 00:21:57,440
going to protect it? I also think about, you mentioned a little bit about GDPR, like transparency

187
00:21:57,440 --> 00:22:04,720
in people's data. So I'm kind of touching on a lot of different points here, but I think of like my

188
00:22:04,720 --> 00:22:11,200
my data with, you know, the companies that I do business with personally, and I'm concerned,

189
00:22:11,200 --> 00:22:16,080
right? I'm concerned that, yes, I've gotten great password hygiene, I've got, you know, but they have

190
00:22:16,080 --> 00:22:22,080
my data either way where I live, what my social is, when my birthday is, all my, my private data,

191
00:22:22,080 --> 00:22:29,440
no matter how great my password is, and how I'm using their mobile app, they still have my information,

192
00:22:29,440 --> 00:22:38,560
and how, how can I, as a user of these products, whether it be banking products or healthcare products,

193
00:22:38,560 --> 00:22:47,600
how can I, as an end consumer, feel safe putting in my information into these IoT mobile device

194
00:22:47,600 --> 00:22:56,960
apps or websites? How can I feel safe? So from your perspective, maybe the question is, you know,

195
00:22:56,960 --> 00:23:02,880
I always, everybody says, "Robust passwords are the way." You know, and I kind of juggle because

196
00:23:02,880 --> 00:23:10,960
this not just passwords, it's understanding where your data is going and how it's being used as

197
00:23:10,960 --> 00:23:17,280
well. So maybe I don't know if you have any thoughts, kind of following up with, kind of like

198
00:23:17,280 --> 00:23:24,400
password protection, slash security of people's information. Wow, this is a really very good,

199
00:23:24,400 --> 00:23:31,200
very good question again. I think, I think, quick takeaways, one, everybody should be using a

200
00:23:31,200 --> 00:23:38,400
password manager, right? That's, I think, a baseline, whether you're technical or not, it doesn't

201
00:23:38,400 --> 00:23:45,520
bother, in my opinion, everyone should have access to a password manager. That's number one. Number two,

202
00:23:45,520 --> 00:23:52,560
the recipe in my professional opinion is very simple recipe for passwords, easy to remember,

203
00:23:53,760 --> 00:24:03,280
difficult to guess, right? Okay, and the problem with historical password, you know, education was

204
00:24:03,280 --> 00:24:07,600
super complex password with 20 characters, ABC, one, two, three exclamation mark,

205
00:24:07,600 --> 00:24:15,760
ampersand, who is going to remember that, right? So in the end, that broke the principle where it was

206
00:24:15,760 --> 00:24:22,720
easy to guess and actually difficult to remember the other way around. So, so for everyone listening in,

207
00:24:22,720 --> 00:24:26,800
I think one, you need to get a password manager because the good news, Melissa, as you know,

208
00:24:26,800 --> 00:24:32,880
majority of password managers, these days are warning users that it's a weak password,

209
00:24:32,880 --> 00:24:43,280
that the password has been breached on, you know, this particular website, etc, etc. So that is

210
00:24:43,280 --> 00:24:49,280
making people more secure because it's in their face, you know, the password manager,

211
00:24:50,000 --> 00:24:54,720
I'm not going to name any particular brands, but majority of them are informing the user,

212
00:24:54,720 --> 00:25:04,000
don't use this password because it's too easy to guess, etc. So, so is difficult to guess,

213
00:25:04,000 --> 00:25:11,040
but very easy for someone and the best way and the best advice today is use three or four

214
00:25:11,040 --> 00:25:17,600
pass phrases, three or four words as your password. So, you know, if you like Harry Potter books,

215
00:25:17,600 --> 00:25:24,080
for example, or any book that you like to read, remember page 54, paragraph one,

216
00:25:24,080 --> 00:25:31,600
and, and take five words or three words from that paragraph one.

217
00:25:31,600 --> 00:25:37,600
Well, that's a good idea. I think I think I'll use that, Omar, it's really great,

218
00:25:37,600 --> 00:25:45,040
really great idea. Mine are long, but not that long, so I probably need to tighten them up.

219
00:25:47,040 --> 00:25:55,040
One thing I hear a lot in cybersecurity from people I work with are, it's how expensive

220
00:25:55,040 --> 00:26:01,360
cybersecurity is now in all industries and all spaces and a lot of times people will say, well,

221
00:26:01,360 --> 00:26:07,760
we're a non-revenue generating department, we're not like the marketing department that's

222
00:26:07,760 --> 00:26:13,040
doing this to the sales department that's bringing in business. We're just IT. So,

223
00:26:14,800 --> 00:26:25,120
can you help me just from an ROI perspective? What, how do you talk to your clients from an ROI

224
00:26:25,120 --> 00:26:32,000
perspective and looking at cybersecurity as an investment versus a cost?

225
00:26:32,000 --> 00:26:39,360
Very good question. I think we've got to break it down into two buckets if I may. One is

226
00:26:40,320 --> 00:26:47,280
practical security, and then as we discussed earlier, the other is about monitoring, detection,

227
00:26:47,280 --> 00:26:53,760
and response, right? So, let's look at it from the practical angle. I think there is

228
00:26:53,760 --> 00:26:59,440
the two frameworks, if I may, one of them is the UK's framework called cyber essentials.

229
00:26:59,440 --> 00:27:03,280
It's a very, very tiny framework of five controls.

230
00:27:04,960 --> 00:27:10,080
The other one I really like is the US. You must have obviously heard about it. The Center for

231
00:27:10,080 --> 00:27:16,560
Internet Security. It used to be called SANS 20, but now it's CIS, and I think they are now 18 controls.

232
00:27:16,560 --> 00:27:25,680
Now, we work with a lot of clients, and if you look at CIS 18 for the majority of those controls,

233
00:27:25,680 --> 00:27:31,600
you can do a lot of good things without significant investment. Am I making sense with that?

234
00:27:31,600 --> 00:27:37,760
Absolutely. Because one of the fallacies in techie and non-techie minds is if I throw

235
00:27:37,760 --> 00:27:44,880
enough money at cyber, we won't be hit by the earthquake, right? Which is a fallacy. So,

236
00:27:44,880 --> 00:27:52,000
if you take a step back, don't throw any money at what you have, but actually take a practical

237
00:27:52,000 --> 00:27:57,920
approach similar. And I think if I may introduce one sound bite, to me, this is probably the most

238
00:27:57,920 --> 00:28:06,960
sound bite, no access, no hack. Now, what does that mean? That means if you can control

239
00:28:06,960 --> 00:28:13,520
access, oh, access control, right? Who has access to what and who can do what?

240
00:28:13,520 --> 00:28:20,720
It may be a boring topic in the grand scheme of next generation, AI, etc, etc. However,

241
00:28:21,600 --> 00:28:30,880
majority of advanced criminals, even nation states, in most of their attacks require privileged access.

242
00:28:30,880 --> 00:28:40,400
Right? Now, yes, they require unpatched software, I agree. But if you follow a life cycle of an attack,

243
00:28:40,400 --> 00:28:46,240
or the non-technical people listening in and for the techies, if you can control access and

244
00:28:46,240 --> 00:28:55,840
limit access, you are significantly at a very low cost, increasing your protection.

245
00:28:55,840 --> 00:29:03,520
Number one, number two, everyone's heard about it, two factor authentication. Now, many people will

246
00:29:03,520 --> 00:29:08,640
say, yeah, yeah, yeah, we have switched it on, but they need to ask one question in the organization.

247
00:29:09,360 --> 00:29:18,960
If an administrator, Melissa, switched off 2FA, would they know? Seems like a very simple question,

248
00:29:18,960 --> 00:29:27,520
but and let's assume the administrator is, he or she or they are, you know, non-malicious,

249
00:29:27,520 --> 00:29:34,560
but they may accidentally switch off the two factor across the organization because they can't

250
00:29:34,560 --> 00:29:39,360
get their work done, so they may have done it accidentally. It goes back into that question,

251
00:29:39,360 --> 00:29:44,400
do you, would you know if someone switched that off? Why am I bringing these two topics here?

252
00:29:44,400 --> 00:29:52,240
Because similar to what you're saying, for an immediate ROI, right? This practical approach of

253
00:29:52,240 --> 00:30:00,160
no access, no hack, and when would you know, or would you know if someone from the administrator side,

254
00:30:00,160 --> 00:30:07,760
the system admin, the techie, switched off 2FA, two factor authentication because they wanted to

255
00:30:07,760 --> 00:30:17,120
get their job done? These two can give you, without significant investment, significant return

256
00:30:17,120 --> 00:30:24,160
because you are controlling who can do what? I love it. That's a really good piece of advice.

257
00:30:26,720 --> 00:30:38,480
I love it. That's spot on and I absolutely agree. I think, yep, yep. I think that the other thing too,

258
00:30:38,480 --> 00:30:45,520
I think low-hanging fruit is education, basic, like, what are we clicking on?

259
00:30:45,520 --> 00:30:52,160
And just, you know, companies shouldn't be sending out some of the emails that they're sending out now,

260
00:30:52,160 --> 00:30:56,000
you know, offering free Starbucks or those kind of things. If you can't control it,

261
00:30:56,720 --> 00:31:02,320
and people are clicking on everything, you need to get, like, a report card, right?

262
00:31:02,320 --> 00:31:07,920
Okay, we did a phishing exercise and when we have 100 employees and 85 of your 100 employees

263
00:31:07,920 --> 00:31:14,000
clicked on something, we have a problem, right? I had to do this, Melissa, sorry to interrupt you.

264
00:31:14,000 --> 00:31:18,080
Yeah, yeah, definitely. Here is another really interesting and important sound bite,

265
00:31:18,080 --> 00:31:24,640
because humans are humans and we are going to do what you are saying because, you know, I put my

266
00:31:24,640 --> 00:31:31,360
hands up, I'm, you know, although I am, like, yourself more paranoid, I may fall for a phishing email.

267
00:31:31,360 --> 00:31:40,480
I think the key is, can I admit to you? Can I phone the boss and say, hey, boss, I made a mistake,

268
00:31:40,480 --> 00:31:47,280
because I can only do that if I can identify, in my big sense. So, identifying and admitting is that

269
00:31:47,280 --> 00:31:53,600
sound bite, I regularly tell my customers, you need to encourage one, your staff needs to be able to

270
00:31:53,600 --> 00:32:00,880
ah, oops, I fell for this, but they also then need to be able to either hit the report button or

271
00:32:00,880 --> 00:32:07,600
admit by email or phone saying, hey, boss, you know, last Friday, I was really tired, oh, I was at

272
00:32:07,600 --> 00:32:15,200
the pub and I opened an Excel macro that rebooted my laptop. I mean, that's gold dust, you know,

273
00:32:15,200 --> 00:32:21,360
but the question is, are your staff encouraged to own up?

274
00:32:23,360 --> 00:32:31,200
That's a fantastic point because you're right. It made me chuckle again because I have done that myself

275
00:32:31,200 --> 00:32:38,000
or clicked on something or, but I think it's, it's, you make a great point is, is creating a culture

276
00:32:38,000 --> 00:32:44,640
where it's okay to make mistakes because we're all human and bringing it forward so we can fix

277
00:32:44,640 --> 00:32:49,280
the problem instead of scared and sweeping it kind of under the rug because when we do that,

278
00:32:49,280 --> 00:32:54,400
that's when the big problems happen and people get into our environment and they sit for

279
00:32:54,400 --> 00:33:00,080
for days, weeks, months and they learn what's going on in our environment, then they make decisions.

280
00:33:00,080 --> 00:33:05,680
So I think that's a really, really good point. I'm sitting here thinking like, what are the top

281
00:33:05,680 --> 00:33:13,440
things that are low-hanging fruits for companies that don't cost anything that they can do? We've just

282
00:33:13,440 --> 00:33:20,720
given a few of them, right? That they can low-hanging fruit, creating a culture where they're able to

283
00:33:20,720 --> 00:33:26,240
bring that forward or they're leveraging a managed security services company where they forward that

284
00:33:26,240 --> 00:33:32,640
over. They look at it, contain it, clean it up, make sure nobody else clicked on it and they investigate

285
00:33:32,640 --> 00:33:38,400
it. And I think the sooner that those that you can have your people feel safe, like you mentioned,

286
00:33:38,400 --> 00:33:44,480
to forward whoops, I made a mistake, the sooner your organization can fix it and get the smart people

287
00:33:44,480 --> 00:33:55,040
on the phone to figure out what happened, if anything. Absolutely. Yeah, so just a couple final things,

288
00:33:55,040 --> 00:34:00,560
I know you mentioned some really good tips and tricks. Anything else from your mind, maybe that we

289
00:34:00,560 --> 00:34:07,840
haven't discussed that companies across many different sectors can focus on, that's low-hanging

290
00:34:07,840 --> 00:34:14,000
fruit from a cyber security and AI perspective and closing thoughts. Yeah, absolutely.

291
00:34:14,000 --> 00:34:19,840
Related to access control and I know this term has been used or abused by marketing companies and

292
00:34:19,840 --> 00:34:29,040
agencies, zero trust, right? You don't, okay, and the problem is zero trust is, again, it's one of those

293
00:34:29,040 --> 00:34:33,440
things, would you challenge someone who has worked at your organization every day for 10 years?

294
00:34:34,400 --> 00:34:42,080
In the zero trust culture, you would, right? Because if that individual didn't bring his or her

295
00:34:42,080 --> 00:34:49,040
pass, they shouldn't be able to enter the organization as an example. You know, it's fairly, you don't

296
00:34:49,040 --> 00:34:58,720
need great technology, it's more of a cultural organizational, cultural and human cultural issue.

297
00:34:59,840 --> 00:35:06,000
But if you can, that's when again, and it relates to access control, isn't it? Because imagine

298
00:35:06,000 --> 00:35:11,360
me telling you, hey, Melissa, I just need access to the AD. It's a Friday evening. You go, yeah, I know

299
00:35:11,360 --> 00:35:18,240
Omar, you know, I'm going to give him access. Instead of saying, whoa, Friday, why do you need access,

300
00:35:18,240 --> 00:35:26,480
Omar? Where is the change control? Blah, blah, blah, you know, it's that if, if you can implement it,

301
00:35:27,440 --> 00:35:35,200
again, the ROI on this is because it just simply makes it really difficult to then succeed in an attack.

302
00:35:35,200 --> 00:35:42,240
I think that's one of those, this things, but yeah, the other one is look at CIS 18. I absolutely

303
00:35:42,240 --> 00:35:48,000
love that. A lot of it, a lot of what CIS 18 can be done on the cheap. It's again more of a,

304
00:35:48,000 --> 00:35:56,400
can we, are we willing to say, you know, no to someone, are we willing to tighten access control?

305
00:35:57,120 --> 00:36:03,600
Are we willing to remove unwanted apps? For example, Melissa, you know, are we willing to say for

306
00:36:03,600 --> 00:36:11,280
corporate people that they cannot install apps without their permission? It's this balance of

307
00:36:11,280 --> 00:36:16,480
everyone wants to be very digital and modern, but then again, every, you know, at the same time,

308
00:36:16,480 --> 00:36:23,280
you'll be asking them to be more, more restrictive, which, dare I say, the younger folks may find

309
00:36:23,280 --> 00:36:32,800
very irritating, but, but I think if I made this close this, the good, the benefit is if someone doesn't

310
00:36:32,800 --> 00:36:39,280
is not allowed to work, you know, CNN or BBC from their website, most people have a separate

311
00:36:39,280 --> 00:36:45,600
smartphone or tablet that they can use it on. So that again, very simple process of why do you need

312
00:36:45,600 --> 00:36:54,400
this website, go and surf it on your own phone? Yeah, and you make another really fantastic point is

313
00:36:54,400 --> 00:37:03,440
if, if you're not sure as, at the IT department and you don't know, and something seems off, ask,

314
00:37:03,440 --> 00:37:09,440
and get your employees on the phone, ask them, why are you doing this? Or why are you putting a

315
00:37:09,440 --> 00:37:17,600
USB key at 12 o'clock at night in your computer and offloading all your files? If that's happening,

316
00:37:17,600 --> 00:37:24,160
that's a problem, right? And ask the person. And maybe the person's like, hey, Omar, I'm presenting

317
00:37:24,160 --> 00:37:31,200
next tomorrow. I need to get these PowerPoints on this USB stick because they need it that way.

318
00:37:31,200 --> 00:37:37,440
And they're like, okay, make sense. Yes, right? Because it could be the other way. They could be doing

319
00:37:37,440 --> 00:37:43,840
things, not for the right reasons. And so I think you make a really good point. I always say,

320
00:37:43,840 --> 00:37:51,440
trust but verify in the industry is trust your people, but verify when things aren't up to the

321
00:37:51,440 --> 00:37:59,440
sniff test and ask. And at the end of the day, I know I, you know, I spent a lot of my time in,

322
00:37:59,440 --> 00:38:07,280
the sales marketing strategy kind of kind of role. And so I'm not a delivery person in my career. But

323
00:38:07,280 --> 00:38:11,680
a lot of times people have asked me, Hey, Melissa, what about this? And I'm like, oh, it's this. And

324
00:38:11,680 --> 00:38:18,960
but they've asked. And I've been able to explain. So I think you nailed it, you know, ask and wonder.

325
00:38:18,960 --> 00:38:24,560
On the AI front, if I may have just thought one more thing, you know, one of the challenges with AI

326
00:38:24,560 --> 00:38:30,960
right now is, and this is not an accusation at any company, but I can, I can confidently say

327
00:38:31,920 --> 00:38:41,120
everyone's now saying their product is AI, you know, right? And it may well not be AI or true AI

328
00:38:41,120 --> 00:38:46,160
like ChatGPT or Bard or Copilot, right? So this, this, this again, then creates this

329
00:38:46,160 --> 00:38:54,000
snake oil industry where as long as you say AI, your product will be sold, but the end user may not

330
00:38:54,000 --> 00:39:01,200
actually see the benefit. And that itself then, you know, reduces the trust on what could be true AI.

331
00:39:01,680 --> 00:39:10,720
Yeah, and AI is the buzzword right now. Everybody's in AI and even in cybersecurity, everybody's

332
00:39:10,720 --> 00:39:16,720
in cybersecurity in AI right now because they're the popular topics, the shiny things. And, you know,

333
00:39:16,720 --> 00:39:21,600
we, you know, if we're five years from now, we look back and there's, there's going to be a lot

334
00:39:21,600 --> 00:39:27,600
of convergence in that space and some will survive others won't. I think of it, you know, similar to

335
00:39:27,600 --> 00:39:32,640
the rise of, you know, tech companies and which ones are still standing and which ones are acquiring

336
00:39:32,640 --> 00:39:40,240
the others. And so I agree, I think it's a popular shiny thing now is we're secure and we're using

337
00:39:40,240 --> 00:39:46,480
AI. So I think everybody's kind of using that now, but companies like Microsoft, like you mentioned

338
00:39:46,480 --> 00:39:53,920
Copilot and ChatGPT, there's a lot of companies that are embedding some of these tools into their

339
00:39:53,920 --> 00:39:59,600
products. So I think it's great to use them. But yeah, you make a good point.

340
00:39:59,600 --> 00:40:10,000
Any final thoughts before we close? I really appreciate you being on Executive Connect. Anything,

341
00:40:10,000 --> 00:40:13,840
maybe top three things you want to share with the listeners before we close?

342
00:40:13,840 --> 00:40:19,680
Yeah, I mean, I can easily do that. Thank you so much for having me here. I think one, as we said

343
00:40:19,680 --> 00:40:26,560
earlier is access. You know, it's a very good return on investment and you can do a lot of it on

344
00:40:26,560 --> 00:40:34,080
the cheap who has access, restrict access. The second point I would say is you have to admit that your

345
00:40:34,080 --> 00:40:40,320
organization will be attacked. I know I don't normally say will, but you know, the likelihood is very high.

346
00:40:40,320 --> 00:40:46,960
So you've got to focus on not just protecting or building a wall, but actually how would you

347
00:40:47,840 --> 00:40:55,040
detect and respond and recover? So those are the kind of things I would say. And like I said,

348
00:40:55,040 --> 00:41:00,080
you know, certainly yourself on something like CIS-18, for example, and in, you know, very

349
00:41:00,080 --> 00:41:08,240
popular international framework and try to map and align yourself. Dare I say, and I know I'm

350
00:41:08,240 --> 00:41:15,280
going to go on record here. ISO, the standards are too onerous. I think CIS-18 is probably the best

351
00:41:15,280 --> 00:41:21,040
most and NIST obviously, but CIS-18 is a control framework. I think for many organizations is very useful.

352
00:41:21,040 --> 00:41:27,760
That's great. Thank you so much for being here today, Omar. I know you're a busy man.

353
00:41:27,760 --> 00:41:32,000
And that's the Executive Connect podcast.
