Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:02):
Igor Volovich.
Thanks for dropping in, my friend.
How are you, and how is the world of compliance and risk?
I know you're always talking about the convergence between risk and compliance, and also, for those who are just tuning in and have never met Igor before, Igor is one of the best security strategists that I've ever met and he is just full on
(00:25):
in this space of compliance and risk, and so they do a thing called Compliance Therapy.
So tell us what's new in Compliance Therapy, and I know you've got an update on SolarWinds. Let's hear it.
Speaker 2 (00:37):
All right.
Well, Josh, thanks for having me back again, and of course, I'm humbled by that great introduction.
Thank you, I try to live up to the hype.
So, well, let's get into it.
So, first of all, SolarWinds.
What is it?
What's it about, right?
The case has been out there for a while.
I've talked to other folks about it, I've put some podcast episodes out there and some articles.
In a nutshell, what happened was SolarWinds got breached. Everybody knows about that, and of course, there were second
(00:59):
order effects.
So once SolarWinds got breached, their platform was used to get into other environments, and that's where the plot gets kind of thicker.
The CISO of SolarWinds has now been charged by the SEC personally, in his own name, and the reason he was charged is because they're alleging that he participated in misleading the investors, and of course, SolarWinds is a public company.
(01:20):
They had an IPO a couple of years back, that he misled the public and the investors, particularly about the state of security controls, not only before the breach but also after the breach.
And so before we go any further, I just want to put it out there: the SEC, the government, is not penalizing SolarWinds for being breached.
The breach became the ultimate audit, and I'm very fond of
(01:43):
saying it, and it's kind of a bumper sticker I've put out there for a while: consider the breach the ultimate audit.
You can have all the audits in the world, you can have all the assessments in the world, but the breach will be the ultimate audit.
And that's exactly what happened here, and it basically exposed that alleged misrepresentation and malfeasance.
Speaker 1 (01:58):
So more about that in the middle, he was on the hook for the whole thing.
Speaker 2 (02:03):
Well, he's not on the hook for the whole thing.
So there's something that the SEC sends out called the Wells notice, and the Wells notice is basically the same thing as what the FBI calls the target letter, in a way.
Basically, they're saying you're under investigation, get your ducks in a row, get your evidence ready, because we will be sending a subpoena and you will be investigated.
So that's kind of a very nice way, in the kind of white collar crime world, where the SEC or the DOJ will let you know
(02:26):
that you are under investigation.
Stop shredding evidence, stop pulling it and run, because we're going to be after you.
And so that's where you get into what's called evidence spoliation.
But that's for the lawyers.
But so they got the Wells notice. One went out to the CFO of SolarWinds, the other one went to the CISO of SolarWinds.
The CISO is the only one who's been charged so far, so that
(02:47):
tells you something, right?
The CFO is the one who signs off on the actual control status.
Speaker 1 (02:51):
Yeah, that's kind of strange.
Speaker 2 (02:53):
Yeah, it is a little bit strange.
It is a little bit strange.
So I think what they're alleging, and if you read the complaint, which goes on for some, you know, I think it's like 50, 60 pages, if you do read it, that's what's in there, right?
There were emails, there were Slack messages, there were basically engineers that reported to us.
So we're confirming that we just lied to a customer.
The customer was asking, what's going on?
Is the platform breached? Do we need to worry?
(03:14):
And they're telling them no, no, no, we got it, right.
So and then there, in a second, they sign off the client and there's an internal Slack message saying, hey, we just lied to this client, and this happened and infinite.
Speaker 1 (03:26):
So it's like cyber security is now being treated a lot more so.
You know, if we look back to Enron as sort of the example of this, cyber security is being treated more like finance, because with the SEC rule, I mean, obviously they're looking at it as finance and they're looking at the CISO as the CFO, or, like you know, the CFO would have been the counterpart in
(03:48):
any kind of financial Ponzi scheme or any sort of financial liability, you know, that might befall a company.
Speaker 2 (03:56):
Well, it's a funny thing to say, right.
So, and this is something that, you know, a lot of folks in the cyber security arena don't necessarily understand, right, especially kind of the more technical practitioners. We don't need...
Like, there's these calls for, you know, we need a cyber Sarbanes-Oxley, right?
Enron gave us Sarbanes-Oxley, also known as SOX.
Right, and what folks talk about typically within the audit sphere, right, and I go back with this probably over 20
(04:19):
years, right, you know, I was at Microsoft when we had our first Sarbanes-Oxley 404 audit, and we had an audit firm come in, one of the Big Four, and you know, kids with clipboards fresh out of B school were running around and looking at controls and asking us a lot of questions and filling out these checklists.
And that was the first year.
The second year they were a lot better, a lot more in depth.
Folks kind of figured out how to do 404 controls
(04:40):
audits, 404 controls.
Basically these are internal general controls.
Cyber security controls are included within IT general controls, right?
So?
So we don't need a Sarbanes-Oxley for cyber, we have it.
It's called Sarbanes-Oxley, okay, but there's another section in Sarbanes-Oxley that folks don't necessarily pay attention to, and that's Section 302, and this is where the CEO and the
(05:00):
CFO, or these officers of the corporation, sign off on the state of controls.
They sign off on these compliance statements and regulatory filings.
So the personal accountability that, again, people are asking for, that's already built in, right.
What we have different now is the SEC, the FTC and the DOJ are aggressively enforcing the law.
Right, they have new rules, no doubt about that.
(05:22):
But what they're really saying is, we're going to become more strict.
We're going to deploy more scrutiny against the public statements that you make, the regulatory filings that you make and the contractual claims that you make.
So if you tell a client that you have security in place and then you get breached and, as a consequence, your client gets breached, which is the perfect example, SolarWinds, right,
that's exactly what happened,that we're going to come after
(05:44):
that's exactly what happened, then we're going to come after you.
Right, it's not the fact that you get breached, it's the fact that you lied about the state of controls.
It's the delta between what you have in hand and what you're telling people, right?
Here's where the thing gets even worse: most people don't know what they have in hand, and we can talk a little more about that. Right, right, well, that's what...
Speaker 1 (06:00):
That's what I was going to ask.
It's, you've got four days to report a material breach, right, and that's not a lot of time for a lot of people to get all their ducks in a row.
And you know, you conduct maybe a pre-audit once a year and then you do your official audit once a year, and a lot of times that's when you realize that, you know, you've got an issue.
(06:20):
It's sort of like, I hate to use this analogy, but it's sort of like the abortion issue.
It's like, if you're going to ban it at six weeks, that's before most people know that they're pregnant, so you know, if you're in a... terrible, terrible analogy, but it's what comes to mind: if you're going to enforce something that will affect somebody's life, affect their livelihood, affect
(06:41):
their job, affect their reputation, is it fair to give them only four days to report?
Speaker 2 (06:48):
Well, you know, we saw the kind of response from the industry when the charges happened against Joe Sullivan and Uber.
Right, we saw the kind of response that happened with SolarWinds.
There was a lot of big backlash against the SEC, saying, you know, this is not fair.
You know, the CISO is a scapegoat.
Well, what the SEC is alleging is actually garden variety malfeasance.
The cyber thing is just, that's a sideshow.
(07:09):
Right, the fact that his title was CISO and not CFO.
If the CFO had lied about financial statements, they would be going right after them as well, right?
So just because it happens to be cyber, and CISOs have in the past been made scapegoats, that makes no difference in my book, right?
You know, you lie about things, and these are statutory regulatory filings, sure, you can't lie, right?
(07:31):
So I mean, there's disclaimers you have to sign.
You have to sign that this is under the penalty of perjury, I am making these statements, and then you have Slack messages literally saying we just lied, right?
So that's the issue.
That's, yeah, that's fair.
This thing is a sideshow.
As far as the four-day thing, look, if you're waiting for the breach, or for the audit for that matter.
(07:52):
I already established the framing, right, the breach as the ultimate audit, right.
If you're waiting for that to figure out if your house is in order, where your controls are, you know, it's like that old commercial back in the 80s: it's 10 pm, do you know where your kids are?
It's like, yeah, it's breach o'clock.
Do you know where your controls are? Right?
And if you wait for the breach to go figure it out, spin up a crisis response...
Look, I ran incident response
(08:13):
for many years. I've created one of the first incident response plans at one of the bigger companies out there in the world, right, I get it.
I understand incident response.
The biggest thing in incident response is not the day of the breach.
80% of the work happens before the breach.
You prep, you drill, you figure out what your controls are, you figure out who you call, how do you get people engaged, how you get them spun in and spun out of the incident
(08:33):
response process.
That's the bulk of the work.
You get ready for the fight, and you train as you fight and you fight as you train, right.
You will not rise to the occasion.
You will sink to the lowest level of your best training, right.
And so that part of that preparatory mindset, the proactive mindset, it's about knowing where your controls are.
(08:54):
Guess what, if it takes you a Big Four firm or somebody like that to come in and tell you what your world is, right, tell you what time it is on the watch that you're actually wearing.
You can't tell what time it is on your own watch.
You have to give it to somebody else.
They borrow it.
Then they charge you and they tell you, oh, it's 4:15 in the afternoon. In the morning? What?
And they go, I don't know, looks about 4:15 to me.
(09:15):
And you go, what's your time belt?
You're like, I don't know, 4:15, dude, that's all I know.
Right, that's audit.
That's what we have with audit and compliance, and I'll say this and take it and move forward.
It's worth it.
I think the audit and compliance model has been broken.
I think it's been broken since day one.
We borrowed these models, and you made mention, right, the parallels between financial and cyber.
(09:35):
Yeah, we took a lot of stuff from financial and we kind of ported it over to cyber, except we forgot that cyber moves too fast, and this kind of deterrent model of, we're going to, you know, find some old fissons, we're going to do it retroactively, we're going to do it after the fact, and then we're going to go ahead and punish somebody and that'll create a deterrent effect, and then, you know, the next CISO or the next CTO or CIO, they won't
(09:57):
do it, right.
Cyber moves too fast.
We can't apply standard audit models to it.
We have to have this continuous, always running audit and compliance model.
Right.
We have the tools, we have the frameworks.
These standards were designed with all these threat models in mind.
NIST is a great organization.
I love them.
I worked with them.
I still sit on a couple of advisory boards.
I absolutely believe in the mission.
(10:19):
Right.
All the standards, all the frameworks.
They're there for a reason, and they're well designed and well thought out.
The problem is we're not applying them in real time, so we don't know what's going on.
We have the lens, but we're just not using a telescope.
That's the problem.
And so if we can flip our mind around that and say, hey, don't wait for the breach, don't wait for the audit, know where you are right now, every minute of every day, wake me up at three
(10:41):
in the morning on a Saturday and ask me, where's control X, sub-control B, in this particular framework, and show me on the system within my domain where it is.
Most people can't do that, yeah.
Speaker 1 (10:53):
They wait for the breach.
What do you think about maturity?
I'm going to plug TrustMap a little bit here, because that's who I work for and we think about this all the time.
We're always thinking about continuous improvement, and we use maturity as the measure of, you know, that's the measuring rod.
We don't use compliance, we use maturity, because we often find
(11:15):
when people rely on compliance, it's like, okay, we did it. All right, get us up next year.
But we want people to think about continually improving over time and then, maybe once a year, to satisfy the powers that be, whoever it is that you need to satisfy.
But CSOs want to be able to have a report that can be handed
(11:38):
over to their customers, their partners, their board at any given time that says, okay, here's where we were back in, you know, 2021.
And here is where we want to go, and here's how we've moved the needle over time.
Here are the trends.
Sometimes it goes down, sometimes it goes up, but, like
(11:59):
you said, it's that people don't want to be lied to.
They want to know that whatever we're telling them is the accurate state of our security posture, and if there are issues, we'll deal with it.
And so, you know, at TrustMap we kind of have the system as one source of truth, that at any point in time you can go into the system and you can see what the maturity scores are, you can
(12:21):
see how compliant you are, the percentage of compliance for all of your controls, and then be able to communicate any of those records to anybody at any given time.
So what do you think about maturity versus compliance as sort of the measuring rod for a security posture?
Speaker 2 (12:40):
I think we're talking about the same thing, my friend.
Okay, I think we're talking about...
So, from my perspective, security is what you do.
Compliance is how you prove it, if you do it right, right.
And so the problem again with traditional legacy, let's call them legacy compliance models and audit models, is that they rely on opinion, not fact.
Right, and I think you and I have talked about it at length before.
But for our audience, again, a quick reminder: when you ask the
(13:02):
question, how do I know what I believe I know about the state of my controls, the state of my security, the state of my posture, the state of my maturity, right?
These are in some ways synonymous, right?
The question to ask is, well, how do I know this?
Because somebody told me, or because I actually have evidence and telemetry and data in hand that shows me objectively what's going on, right?
And so I think, if you're looking at subjective opinions,
(13:24):
you know, just because you have a platform that somebody filled out a form in, that doesn't make it true.
Now you have built in certain models and certain mechanisms to ensure that there is trust across that system, right?
People shouldn't lie at work, right?
That's kind of a thing we rely on.
But ultimately there's very few checks and balances, because it's too complex and we're under the gun.
(13:45):
Right, we have to get these compliance reports out because we can't do business, right.
If we don't do a regulatory filing, depending on the industry, we'll literally have to stop the presses, we can't do work, and so you have to basically scream through these controls, do the best you can.
Maybe there's some level of QA, and if you're paying, you know, an external firm to come in and do it for you, which most people do, right. Maybe they have some internal QA as well.
And I have been an auditor, I'm still a certified auditor, so I
(14:07):
get the model, right, we get it.
But when you kind of ask, you know, you can get very deep in the weeds very quickly with compliance, right.
It's very complex.
But if you go macro, right, you kind of go strategically, 40, 50,000 foot view, and just ask one question: how much of our compliance report or audit report is representing opinion versus fact?
And ultimately, if you ask fact, you're asking for evidence,
(14:29):
you're asking for telemetry, you're asking for system data, not somebody's opinion of same, right?
So asking where this came from, it's an interesting eye-opener, because folks invariably go, I didn't even think about it that way.
I didn't even understand that my compliance report or my regulatory filing, that is going to be scrutinized by the SEC, the FTC, the DOJ, the DOD, depending on who you do business
(14:51):
with or which regime you fall under, it's going to be scrutinized the day after the breach.
They will ask the question: hey, you have five years of clean reports, five years of regulatory filings that say we have no material deficiencies in our critical controls.
That's the boilerplate phrase. Yeah, here you are being breached.
So what gives?
Yeah, right.
And the thing that folks don't understand is that the audit can
(15:14):
only see so much.
You know, I've been to environments where we have 4,000 line of business applications.
I'm on site for three weeks.
You think I'm going to look at 4,000 line of business apps?
No, we've got to do a sampling, right, and hopefully that's a representative sample.
Who do I ask for the information about the sample?
The client.
So my knowledge, my ability to discern any level of credibility
(15:35):
around that data is based ultimately on what they give me.
And guess what?
The first 10 pages of any compliance report is disclaimers about exactly that.
Hey, this is based on what we were told.
It's a limited scope, limited time.
There's a scope around this thing, right?
So we only see a subset of a subset of a subset of data, yet we try to approximate a risk picture for the entire enterprise.
(15:56):
It's a probabilistic model of risk management.
It's not evidence-based.
So we've evolved, and you know, forgive the lab coat, right, but we have evolved in medicine to evidence-based medicine, evidence-based treatment.
It sounds like, you know, what does that mean?
Well, it means we actually are not shooting, kind of firing off into the dark and saying, hey, hope for the best, let's see if it works.
No, we're looking at data, we're looking at clinical data,
(16:18):
we're looking at experimental data, we're going through trials, we are pulling together data to inform decisions, and yet, in cybersecurity risk, we still keep relying on audit and compliance to tell us where we are, and not to make decisions about where to invest.
And the entire thing is devoid of any meaning.
And that's my big thesis.
Speaker 1 (16:34):
Oh, well said. I have a feeling you're going to die on that hill, and it's a hill that we're dying on.
I hope I'm not going to die on this hill.
Speaker 2 (16:43):
I hope this hill gets destroyed and that we can move, evolve into something better.
Speaker 1 (16:49):
Some other hill.
Speaker 2 (16:50):
Yeah, some other hill.
Well, I mean, you know, it's a funny thing you mentioned hill.
I've had this probably for the last 10 years.
I've carried around this chart, and I've shown this chart to every client and every person I've ever talked to.
When they talk about compliance, I say, great, do you know what a false peak is?
And they go, yes, I do.
Okay, you know, you think you're climbing a peak and then you get there and it turns out, no, there's a valley and then there's another higher peak.
You've been looking at the wrong peak, and so that's
(17:12):
compliance.
Right, you can reach compliance and still be insecure.
That's where a lot of folks have found that they feel like they're being very strategic when they say this, you're going to throw this off the cuff: compliance is not security and security is not compliance.
I couldn't agree more.
Right, and I am the head of compliance strategy for cumulus, a compliance automation vendor.
Right, and I'm the first to admit compliance is not security.
But then we have to dig in why.
We have to deconstruct, we have to understand, we have to dig
(17:34):
into why it's not, and the only reason it's not is because compliance is great.
It's a wonderful measuring stick of maturity of your posture.
It tells you how well you're doing on security, if only you're applying it in real time, which means on the same time scale as security.
Security operates in real time; compliance, three-year cycles in federal. Absolutely. Right.
So you look at the time horizon in security.
(17:57):
We're looking at days, right.
Maybe, I mean sure, some stuff you want to look at, some persistent threats, you know, that might go back months or years, but ultimately we're operating in real time, and compliance is three years behind the ball.
How are you going to manage risk doing that?
Right?
So we need to converge on the time scale first.
And that's when you start asking questions about compliance automation.
You start asking questions about where does my compliance
(18:17):
data come from?
How much of that can I automate?
Can it be end to end?
And another thing to understand is most folks who say compliance automation don't actually mean it or, worse yet, don't understand the difference between compliance automation and compliance digitization.
Just because you took a paper process or a paper form and turned it into a digital form did not create more credibility in
(18:37):
the data.
It's still somebody's opinion, right?
So understanding that, figuring out if it's an opinion or fact and asking that basic question across the board, that's one of the ways to kind of rethink how compliance can be a true vehicle for risk management across the entire enterprise.
Speaker 1 (18:54):
And that's why we need CUMULAS, and that's why we need you, Igor Volovich.
We talked about SolarWinds, we talked about convergence, we talked about the SEC.
We even got some Enron references built in there.
Thank you so much for dropping by, and those who are listening and watching this, thank you for dropping in as well.
Thanks.
Speaker 2 (19:13):
Thanks for having me, Josh, always a pleasure.
Speaker 1 (19:15):
All right. Okay.