Security OperationsCybersecurity Risk & StrategySecurity Transformation
Video
•
219
views
•
39:52
•

August 13, 2020

TEC37 E10: A Holistic Approach to Cybersecurity

Business and technology executives are challenged with aligning business goals, increased dependence on technology and the responsibility to secure the organizations most important assets. As any breach report can attest, this is a complicated task that requires a balance of understanding the business risks and goals, managing technology tied into the responsibility to secure the organization and its assets. That is why it is critical that organizations stop being focused on specific solutions and start looking at their organization holistically. How can organizations holistically be secure? In this episode, we will discuss the elements that make up an enterprise wide security program and how this program impact every aspect of the organization. We will also discuss traditional cyber operations and compare it to how some organizations are being more proactive with how they approach holistic cyber security, and we will outline how business executives are managing their cyber risk.

Please view transcript below:

 

Robb Boyd:                   Something that is holistic would be characterized as interconnected, such that the parts can only be explained by reference to the whole or the entire thing. So what does it mean to be holistically secure?

                                    Welcome to TEC37, the podcast covering technology, education and collaboration from World Wide Technology. My name is Robb Boyd. Today's topic addresses security as a whole, specifically cybersecurity, as our panel of experts is here to provide ideas and guidance for things like the balance between security and business, or the value of best practices. How about asking for help? And a whole lot more.

                                    Business and technology are certainly intertwined like never before. Long-term success requires acknowledgment of the risk involved and the security foundation upon which you build everything. Well, all right, guys, we have a fantastic looking panel. Thank you so much for joining us today. I tell you what, I want to go around the horn and let you guys introduce yourselves, just to make sure I don't have too much of a chance to mispronounce names or titles. Let's start immediately to my side here. Shena, I believe is the right way to pronounce that? Shena, can you give us your full name, your title, what you're involved with? Why are you here? That type of thing.

Shena Seneca Th...:       Yes. Shena Seneca Tharnish. I lead the Cybersecurity Product Management team for Comcast business. I'm here to talk about security business enablement today.

Robb Boyd:                   There's an ongoing complex conversation we're going to about to get a lot deeper on, which is where do these two things intersect? Well, thank you so much. Good to have you with us. And Warren, what are you responsible for? And what's your full name and title?

Warren Perils:               Thanks Robb. So, thanks for being here. Warren Perils. I'm based out of Atlanta, Georgia. I manage the Security Practice within Global Service Provider here at World Wide Technology, and really that's responsible for the overall strategy of security and cybersecurity across our service provider business and helping our major customers like Comcast here. Shena, thank you for joining us today and be part of this conversation.

Robb Boyd:                   Yeah. I like the fact, you guys, everyone here represents a different angle for ways for which to tackle this conversation. And especially, Geoff, I had the joy of meeting you as we were starting to plan out this topic and I'm still just getting bits and pieces of all the different things that you're involved in. But for the sake of this and keeping it simple, what's your full name? What are you responsible for? And, yeah, thanks for joining us.

Geoff Hancock:             Sure. So, Geoff Hancock. Thank you for joining, everybody. Director of Engineering and Operations for World Wide Technologies. Have about 20 plus people who particularly help support organizations across the board like Shena's organization regarding security operations, architecture design and how all of that filters into and supports business operations.

Robb Boyd:                   Well, Geoff, I'll start with you. This topic where we talk about the intersection of business and security and making this a topic that for some is way too simple, because I don't think they're recognizing everything. And I think for others, it's something that also can appear way too complex and maybe someone doesn't know always where to start. But I wonder if you could set the stage for us in terms of what's important to be covered today, and how do you want to approach this conversation?

Geoff Hancock:             Yeah, absolutely. Thank you. As you guys know, the world has changed a bit in the last five, six months. The use of technology has grown significantly. Organizations are trying to justify and understand the impact of technology on current business operations, how it affects IT infrastructure purchases, things such like old legacy systems, cloud security, new systems, 5G, things of that nature. And cybersecurity is impacting all of that. And CISO and security experts stand in the middle, they definitely stand in the middle, in between, on one hand helping organizations understand the business ramifications of good security, but yet also on the other hand, looking at traditional IT infrastructure and new technology infrastructure and how to secure that, and balancing all the spinning plates. So it's definitely a challenge today. It's always going to be a challenge, but I think with every six months, 12 months, something new happens in the world and it makes security a bit more important. It makes business enablement more important. It makes understanding IT more important.

Robb Boyd:                   Yeah. In fact, I wanted to ask you, and you use... What's the right term when you say an acronym out loud, there's one that comes up a lot and will happen again in this conversation around CISO. I think at least that's how I pronounce it. C-I-S-O. Do you mind breaking down that acronym? Make sure we're all on the same page?

Geoff Hancock:             Sure. Chief Information Security Officer.

Robb Boyd:                   All right. So this would be the most senior executive for security in an organization, if an organization is maybe big enough to have that definition, because I think we're still at an age where a lot of people don't have dedicated individuals just solely practicing security, correct?

Geoff Hancock:             Yeah, yeah. Though the first CISO was 1994, very long time ago. And then hit miss the last 20 plus years. But in the last 10 years, the title and role has definitely expanded. You get people from all over taking on those types of positions, but your point is well-made. Not everybody can afford one, not everybody can find one, because they are few and far between nowadays and it's a challenge. So, thee conversation, when I mean CISO in this conversation, it's really not just for a Chief Information Security Officer, but it could be a CIO who's got specific cybersecurity responsibilities, or it could be a security director. I think the point is really going to be, how those things impact the business.

Robb Boyd:                   Let me ask you, Shena, I want you to weigh in on this. You work with a lot of different customers of many different sizes. You are responsible, as I understand it, and correct me if I'm wrong, for really starting and building out the security practice, I hope I'm saying this correctly, for Comcast business. But I know you interact in and you're responsible for a team of people that are providing a lot of services to customers of different sizes. What are you seeing in terms of IT specialization versus an in-depth security specialization versus someone that's just... Where do those things hit? At different size businesses or different models, perhaps even across industries.

Shena Seneca Th...:       I think in the large organizations, the Fortune 1000, you're going to see the CISO role, for sure. You're going to see that head person that has responsibility for all security operations, but probably when you get downmarket, the smaller businesses, you'll find a security practitioner of some sort that could be wearing multiple hats. Not only are they the security person, they're the IT person, they're the desktop person, or the installer, right? So it really varies greatly from small to large.

Robb Boyd:                   Yeah, no, very much so. And that's part of the need for certain things to be more simple, certain practices to be more repetitive, perhaps. But also, just while we're here at the top of the show, I want to make sure that we've also defined, because we're going to just say security in a lot of situations, specifically we mean cybersecurity, and I want to make sure, as opposed to say physical security, there are certainly some overlaps in terms of practices that make their way in the digital realm versus the physical realm that are important to understand and will come into play. But I think for the most purposes we are talking about the digital side when we say cybersecurity, correct, Geoff?

Geoff Hancock:             Absolutely. That's a good clarification to make. Yep.

Robb Boyd:                   So, let me throw this out for the group in terms of understanding where those differences are, IT versus cyber, I don't know. Geoff, will you kick this off? And then, Warren, I want you to jump in because I'm not exactly... I know you've got opinions on this, but IT versus cyber, what's important to understand how that stuff fits together?

Geoff Hancock:             So I think, back to your point, so cybersecurity is securing digital assets, essentially, at the end of the day. Data, hardware, software, a variety of things, right? It's a tool to secure those digital assets. IT is traditional. If you go back 30 years ago, IT tech, IT was really designed to support business operations. So it's just email and servers and infrastructure where security was in that mix, but at a very small level. Maybe a firewall, maybe antivirus, maybe passwords, maybe not. That's very minimal level. But as the industries have grown, IT has accelerated past what would be considered a traditional IT operations and grown into cloud. 12, 13 years ago, the term cloud security kind of kicked off and it's really taken obviously storm, but that IT infrastructure has gone outside of your own business office and has become your work on somebody else's computer essentially, is what cloud security is.

                                    So the use of cloud and IT services, security around that has just increased tremendously, obviously, in many different forms and fashions. As businesses grow security has to attack on not only to the human side of it and how humans interact with IT, but to strictly the IT side of it and how IT systems are built, how applications are developed, securely, how in-systems become integrated. So the concept of security has expanded exponentially, whereas IT has grown in multiples. So it's a different concept.

Robb Boyd:                   What are the... Go ahead, Warren.

Warren Perils:               I was just going to expand on that a little bit and if you want to fill buzzwords out there, digital transformation, right? So as we evolve now, as companies, especially like service providers evolve and transform their networks and their services they offer to their customers, Shena knows a lot about this, we have to tie security into that. Think about 5G, IoT, AgE computing, all of these wonderful things that are opening up new opportunities to the world, they just add more problems now. The attack surfaces increase. There's more inherent problems built into this architecture. Some of them are not even open systems, they're virtual. So there's a lot of complexity built into them.

                                    Even though they are wonderful, they enable a lot of businesses and the world to... As we enable our customers to perform better. You think about medical, think about manufacturing, IoT going over. We think about COVID now, what's happening and our IoT can enable the medical field. So all of those things are wonderful, but it also opens up a lot of attack surface, and there's a lot of danger in that. So how do we tie security into that transformation? How do we tie security back into that?

Robb Boyd:                   Well, in our efforts to do that is, when we think about the traditional goals of an IT group, maybe, are those differences? If I am an IT person and I really care about networking connectivity, are my goals going to clash or work in concert with maybe what a security practitioner wants to achieve? Because it feels like, obviously, these are two things that need to work very well together, but I don't know that they always do. Maybe either because of the way the organization is set up or is it just a fact of life? And if we want those two to clash a bit so that something good maybe comes out of that clash at the end? And any comment on that?

Shena Seneca Th...:       I think that often happens because the groups talk too late. If you bring in all of the constituents early on, you'll end up with a better outcome. And so the clash often happens after the fact, right? Maybe a business strategy is developed and it's nearly executed, and then you discover all these issues that have to be addressed from a security hygiene perspective, and it causes a lot of rework and financial implications and complexities, and maybe doesn't feel as agile. But if you will have the right partners in the beginning and you do it mindfully, the outcome will be so much better and probably allow you to be much faster than your other competitors, because you've thought through the next step and the next step and prepared yourself as a business.

Robb Boyd:                   I think that's a great point. Yeah, go ahead, Warren.

Warren Perils:               I was just going say to that point, security is often seen as a barrier, right? Traditionally it's seen as a barrier. It has to, like Shena said, over the years, so security can be bolted onto a solution and you have to work backwards. Instead, now, we actually see a lot of organizations starting to bolt security into it. They're starting to learn that and it's just accelerated then, accelerate them immensely. And then also, if you think about from the customer point of view, it's actually enabled them to be viewed better from a customer point of view. They spare more trust. More trust can lead to a better market brand as well.

Robb Boyd:                   Completely agree. I'm reminded, and I think we talked about this earlier, but I'm reminded of this thing that had come to mind with this notion of, no one brags about the brakes on their fast car when they're bragging about their car, but I guarantee you that if you did not have good brakes on that fast car, we're just assuming it's faster than normal, but any car could do this, you're not going to drive it much at all, perhaps. And so, to Shena's point, the idea of baking in security from the get-go is all about being more nimble, because first it's a mindset of not thinking about security as the just say no department like purchasing perhaps, but this is the group that should be enabling if they're all on the right page.

                                    So, for the next part of this conversation then, let's assume that our customer is on board. They are pro security in the general sense, but then, Geoff, I feel like the next step becomes a little bit more difficult if we're starting this fictitious company here from scratch. I want to do security right, I want the right marriage of cybersecurity operations, so to speak. What kind of things should I be looking at to make that happen?

Geoff Hancock:             I mean, honestly, as a new company, right, many of the attention immediately goes to regulation and compliance, because assuming that this company is going to be managing personal data or some kind of information, either customer information or IP data. So part of that fiduciary responsibility is, what requirements and regulations they have to be compliant with. Unfortunately, a lot of companies stop there. They think, "Okay, if I'm compliant with this standard or that standard, then we're good. Right? All done." And then, here comes the IT folks saying, "Hey, we can do all these great things. We can start this new business. We can expand your business here. We can do this, that, and the other, develop applications and all manner of things," which are great. But then they have to bump that up against compliance and say, "Wait a second, is this compliant aspect or not?"

                                    But in doing that process, many organizations miss what you just said earlier, was the operationalization, cyber operations, security operations, what's that look like. Because security operations is not a one and done. It's not a-

Robb Boyd:                   That's a great point.

Geoff Hancock:             ... checkbox compliance. It's an operation. You've got to make sure applications are developed a certain way, and as they're used by the user, they maintain security. New updates, new interactions with their technologies. From a strictly business perspective, just your supply chain, making sure your supply chain is secure, which is both very business centric, but then also very technical centric and cybersecurity. So, multiple spinning plates there when you start talking about this.

Robb Boyd:                   Yeah. And that's where I think sometimes the head begins to hurt because there is so many different places you can go. And it's interesting, when you talk about regulations, I do think that that is indeed where some people get forced into doing something they should have been doing all along. I think in a perfect world, we'd love for the regulation requirements to be met through tweaks, or just acknowledgement of a process or set of systems that you've already got in place. And you mentioned the difference between checking a box and saying, "Okay, I've achieved all these things," which we generally have to do at certain points in time, but it all should be a moment in time of a process that's already been in place, I guess. Yeah?

Geoff Hancock:             Yeah, yup. Absolutely. There's actually 27 different cybersecurity policies in the world-

Robb Boyd:                   That's right.

Geoff Hancock:             ... or regulations in the world. Right? Yeah, I know, that's all right. These are standards and bodies like HIPAA or PCI. The challenge is many companies, let's say they implement PCI. PCI is only appliable to a certain part of your business, not to the other parts of your business. So you can only be PCI compliant so far. It's only going to help you so much. And many companies don't understand the holistic nature of cybersecurity and security operations and what needs to happen when you make it holistic across the company.

Robb Boyd:                   All right, let me run this past you. I feel like good security, because it's a function of risk, is the way I've always looked at it, and it's degrees of risk. And it always felt important, at least it was a turning point in my own head, was the nature of understanding that you're never going to be finished. Security's not an initiative that you're going to... Could mean a project and then be done with it at some point. Let me direct this to Warren. Do you agree that it's about reducing risk, which implies that you understand where that risk is to be found? And what are you seeing... Because you work a lot with service providers, I believe, on the security side, many of whom, perhaps Shena included, have varying degrees of security practices where they're either doing stuff for themselves so they're providing a good product, or they're actually providing security products themselves. Where do you see that balance of risk and such hitting with your customer base and what they're doing?

Warren Perils:               Yeah. I think there's two things when it comes to the risk that's important. It's your exposure, so what's your risk exposure? A good example is visibility. Service providers have these vast expensive networks that are highly complex and visibility is a major issue. And that's across cybersecurity at all. It's just varies from size of organization, of course. The other piece with these, how do you measure that risk? How do you measure that risk to reduce it?

Robb Boyd:                   Oh, yeah.

Warren Perils:               That's very important. So, risk quantification is very important nowadays. It also comes back to the business component, how you tie that back into a language that non-security folk can understand? And that you have to tie that back to a quantification, whether it be monetary, whether it be a score, or whatever that might be.

Robb Boyd:                   Yeah. How does someone begin to go about quantifying risk? I mean, maybe not in the physical sense, but it feels like it becomes necessary to know... I need to know what's most at risk so I know what's justifiable in terms of spending to manage that risk or decrease that risk. Any comments from anyone on the panel from that perspective?

Shena Seneca Th...:       I think every business... You are in business because you have some intellectual property that's of value, right? And so starting with those crown jewels of what you're selling, what you're offering, how you're generating growth and revenue for your organization, that's where you should focus first because that's absolutely the greatest risk. That's how you're thriving as a business, and then working out from there of how to make sure that that is done securely. And to the point of your suppliers that help you to do that, ensuring those connections are secure. So I think it's like, you start in the middle and grow out and the farther you get, those things may not be as risky because there's no way to get back into your crown jewels.

Robb Boyd:                   Right.

Shena Seneca Th...:       Yep.

Robb Boyd:                   And those become good... Go ahead. Yeah.

Geoff Hancock:             So one of the examples that we like to use, it's like throwing a rock into a pond and you get the concentric circles that come out that you see, but that innermost circle that wraps around the rock, it's closest, is what we say is your most important data, how you're securing that, who has access to that. How it's to be utilized. Answer those three questions and you're able to manage that most important information. And then as Shena said, as you go out, you're like, "Okay, do I really need to manage this? Is this that secure?" And the furthest most ring could be your guest wireless network in your lobby of your office building. It's on a separate network, it doesn't touch any data, it's on a server in a closet and is monitored and manage, but doesn't touch anything else. That's important [crosstalk]

Robb Boyd:                   Assuming you built it that way, though. [crosstalk] Because it comes back into Shena's point about building in from the get-go. If you didn't design it to be on a separate network with no ability to jump a layer or three connection or something over, then, yeah, you probably do have the ability to worry about that a bit less. But if you didn't get to that point, then you better start worrying about it now because that's another port on your network, I guess. Yeah. Sorry, I just-

Geoff Hancock:             Exactly.

Robb Boyd:                   Felt passionate about that one. [crosstalk]

Geoff Hancock:             Exactly.

Robb Boyd:                   Because have you seen people that haven't-

Geoff Hancock:             Personal experience.

Robb Boyd:                   ... that haven't done that? Yeah. Well, and I think we've seen a lot of companies, they don't get talked about for very long and unfortunately security events only make the news when they're uniquely different or bigger, when in reality there's all kinds of things, ongoing. I've joked, if you're in security, it's the gift that keeps on giving, because security always is happening, but it only gets public attention or media attention when something is really unique and really different, unfortunately. But it doesn't stop.

                                    And there are some companies, because they didn't realize, to Shena's point, exactly what their most valuable assets were that made up the intellectual property or their ability to deliver value to their own customers, that when that was affected, maybe it was a ransomware situation where everything was encrypted internally and they couldn't or didn't pay for the keys to get that out, because I think that's always a horrible position to be in, well, suddenly the company ceases to exist because it just cannot function because it doesn't have access to its data. So, to what you're saying there, Shena, the idea is, those are where you probably should start protecting first, I think is what you're saying?

Shena Seneca Th...:       Yes, yes, absolutely.

Robb Boyd:                   Spend the most money proportionally in that direction? Well, let me ask you then, is there such a thing as a best practices that apply in a widespread fashion to anybody that could potentially be in the audience watching us talk about this? Is there somewhere to start, at least at a basis? Because I imagine it gets custom the further down the ladder you go.

Geoff Hancock:             Yeah, absolutely.

Robb Boyd:                   What kind of best practices could potentially be shared, Geoff, or not? How does that work?

Geoff Hancock:             Yeah, sure, absolutely. There's one that I go back to when people ask that question, is where do we start or what should we go back to? Really, it's most of the question. Where do we miss it along the way? And one of the standards is, and it's not like an official requirement standard, it's been around since 2007. It used to be called the Consensus Audit Guidelines. It was changed into the Center for... Its most recent incarnation is Center For Internet Security, 20 critical security controls.

Robb Boyd:                   Sounds good.

Geoff Hancock:             People can find it at cisecurity.org. What's unique about this is, it was originally developed in 2007 for the express purposes of how to respond when bad guys attack your network. So it's not designed to be data security or other compliance information security. It's designed to the best way to protect your network from how bad guys attack. [crosstalk 00:23:18].

Robb Boyd:                   But it sounds, [crosstalk] if I may interrupt, it sounds reactive though, is it?

Geoff Hancock:             Ah, it's not, actually.

Robb Boyd:                   Okay.

Geoff Hancock:             It's very proactive, right? There's 20 control sets. There's 100 subcontrols, but it forces you to look at your network and do things like, know what's on your network. Map and track. Have a list of everything that's on your network, software and hardware. Make sure those things are updated. That's not sexy, but it's not like the MITRE ATT&CK Framework. It's basic bread and butter, right? But people miss that.

Robb Boyd:                   It's where stuff keeps happening. Yeah.

Geoff Hancock:             Exactly. That's exactly your point. That's a perfect [crosstalk 00:00:23:52].

Robb Boyd:                   A sequel attack.

Geoff Hancock:             It's where... Exactly, it's where stuff happens. If I'm a bad guy, that's where I head first, right? To get in there and get lateral movement. So they're very basic, 20 controls, but they're very popular. There was a report done and a research done five years ago from the Department of Homeland Security, where they looked at all of the attacks over an 18-month period and then applied various different security controls to the attacks to say, "Okay, if somebody had applied this, what would it have done to this attack?"

Robb Boyd:                   Oh, I like that comparison. Okay.

Geoff Hancock:             Yeah, it was great. And what they found was 87.2% of all breaches that they found would have either been delayed or not happened if they'd implemented just the five of the 20 critical security controls. So, I watched that happen. I watched that play out and I was like, "Wow, okay." I've been involved using the controls on and off with different SOCKS that I've built over the years, and it works extremely well from just like a basic thing, but it gets you so much further as an organizational perspective goes.

Robb Boyd:                   I think that's a great point for starting off, because I'm a big fan of plagiarizing other people's work to get started on stuff because there's plenty of room to get creative and individualistic as you move forward. But it's like, why not stand on the shoulders of those who came before us? And really, in this thing... But I want to make sure... A couple of different things I want to make sure of. For one, we're definitely talking about cybersecurity, but I feel like one important part of cybersecurity is, and use a different term if I'm not doing this correctly, but I feel like security culture in an organization that really has to do with the people and how they view security.

                                    For example, when I was working for Cisco, I'm embarrassed that I got hit by this because I generally thought that I was pretty good at this, but Cisco's IT security group started sending out specially crafted phishing emails, but they were designed by the security group to lead you into... And if you were unfortunate enough to have clicked on this, then it led you into some mandatory training that you had to take. And the whole idea, because I thought that was pretty genius in the sense of... Because it hits on one of the loosest security vectors we have, which is our people, because we ultimately have to trust people that are on the network. They have certain rights and abilities on the network. Let's hope that those are restricted to least privilege, but generally they're going to have to have some level of privilege.

                                    It's probably over and above what they do on a regular basis, and so it's really easy for someone to say, "Well, a social engineering type attack could lead to..." Which I consider phishing to be, "Could lead to someone giving access because they thought they were doing something legitimate," perhaps, based on the way it was crafted and these things come out. So where does culture come into a plan? You mentioned the 20 things, Geoff, on that. I think most of those were infrastructure-related, but I could be wrong. What suggestions do you have in terms of culture and getting people straight?

Geoff Hancock:             Sure, sure. I think... Yeah, I'd be interested in what the other panelists think. I think that culturally and I think it was almost touched on an earlier part of the conversation, when you have business attacking or approaching cybersecurity and you have technologists approaching cybersecurity, they're two very different perspectives in that, two different cultures, two different philosophies, two different understandings. When that boils down to the staff in the organization, some people are religious about changing their password every 30 days. Other people, their password is the same thing it's been for 20 years. And there's actually a company that goes on the back-

Robb Boyd:                   There's a key on the back of the keyboard for handy use.

Geoff Hancock:             There you go. Right.

Robb Boyd:                   There's nothing there, though. Just so you know. Yeah.

Geoff Hancock:             So many stories about that, right? There's a company that's been tracking password usage for 12 years, and the last 10 years it's been this... The number... They have a list of top 10 most used passwords. The number one has not changed in 10 years.

Robb Boyd:                   Wait, let's see if we guess. Warren, what do you think it is?

Geoff Hancock:             Can I guess?

Warren Perils:               [inaudible] password.

Robb Boyd:                   Just password? You think password?

Warren Perils:               Password.

Robb Boyd:                   I was going to get password as well.

Geoff Hancock:             I think it's third or fourth this year. It's actually one, two, three, four, five, six, seven, eight, nine.

Robb Boyd:                   Ugh.

Geoff Hancock:             And they go and look at all the breaches and all the data, all the information, the published data that's been... Of companies that have been attacked, and you can see all this information. So they do every year, they troll through all this stuff and get the research. But that proves the point, right? There is a behavioral situation that people like us on the call, I mean, Shena, I'm... Your responsibilities can be very clear. You can have all the money you need. You can really run your practice, your business, really, really well as a business owner, support your executives, but then the administrative assistant to your CEO, who, if I was a bad guy, I would target first, keeps all of her passwords on her screen and four of them are the same and she doesn't change them.

                                    So I'm going to target her or him to be able to get into your network, and I'm going to go sideways. And it's going to make all the energy that you have spent in your career... It's going to make it harder for you to do your jobs, is what I'm saying. And I think that cultural awareness, both as a CEO, understanding that one person can make things go sideways if you're not careful. And as a CISO or a CIO, understanding that not only one person could make it go sideways, but one person in an organization like your supply chain, which you don't have direct authority over, can make your organization go sideways.

                                    That existential risk is multiplied. You're like, "Oh, crap. Why am I a CISO? Why am I in this business?" Because it gets really complicated all of a sudden. You've got to be able to develop controls in place that at least alert you to things like that happening. They might not be able to stop you, but at least alert you to things like that happening. But then you've got to be able to work with your business partners to build that culture.

Robb Boyd:                   Warren.

Warren Perils:               You can also draw a direct correlation between cyber culture and awareness to the ease of use of security. So if you want to able your employees, why make it difficult? That's why we have a shadow IT, because it's just simply hard for users to store things on a secure server versus their own personal one drive. So I think we have, as cyber practitioners, a responsibility to make that as easy as possible. Think about working from home now, right? I mean, who wants to go in and change their password 20 times, and then do this and jump through 50 hoops to do something? But I think there's been a definite shift in terms of ease of use, how we work with our tools as employees, whether it be biometrics or to sign on, single sign on, just making it easier but secure at the same time. So I think there's a direct correlation between those two aspects.

Robb Boyd:                   Shena, let me ask you a question. How do most people arrive at wanting to spend more money on security? Because, for instance, as I understand it, Comcast business of course provides network connectivity-type services as a provider. And then your team is responsible for something that they're going to have to pay a premium for when they engage with you, guys. So there's a level of security value that you're constantly selling, which inherently I like the idea of, because I like the idea of it being handled for me, at least to a certain degree. Do you find people approaching your team and looking for more help in a proactive or a reactive basis?

Shena Seneca Th...:       It depends on the size of the business, really. The large organizations, the enterprise organizations, they have security operation centers, they have network operation center, they have large IT staff, and they know security is important. So that's more proactive learning about what Comcast business can provide to them versus the smaller businesses, they may have a jack-of-all-trades, they have very limited budget, and their focus is on just growing their business. And security is sometimes an afterthought. So that's more reactive. It's not until the partner business down the street had a breach or some sort of ransomware, or they hear of something happening to a business like them that makes them think, "Oh, I need this." Otherwise, they actually are impacted by something and then forced to go ahead and purchase.

Warren Perils:               I think also, Robb, just, we talk about partners like Comcast being a part of their customers and WWT as well. We can actually... No one can do security by themselves, we think about our customers. They need a partnership. Partners around that can actually accelerate their endeavors to make them more effective and have a larger impact on themselves and their organizations. I think partner ecosystem is being important. You can use those strengths out there, whether it be WWT and Comcast, we bring a lot to the table for our customers.

Robb Boyd:                   Well, let's hit the ground on the last couple of minutes here in terms of, and I want to make sure we're clear on some ideas for where people could take ideas that we kind of talked about here, but where could they go with next steps? And I feel like, even people that are on top of security or at least would pride themselves on trying to stay up with it, because I can usually tell people who are the best at security are generally the ones who don't think they're that great because they're just... Because I think the more you know, the more you realize-

Geoff Hancock:             Yeah, what you don't know.

Robb Boyd:                   ... yeah, you don't know. Exactly.

Geoff Hancock:             Yeah. Oh, yeah.

Robb Boyd:                   I would assume, though, if I think I'm pretty good with my company at it, can I come to a World Wide Technology and ask, "Do you guys have a service to say..." I always think of old days of penetration testing, but I think it's more than just that. "Do you have ways of potentially helping evaluate my security on a regular basis as part of just wanting to make sure a third set of eyes or a second..." you know, whatever, "Is able to tell me where I need to work harder?" Geoff. Sorry, I'll leave you-

Geoff Hancock:             Absolutely. That's okay. Yeah, absolutely, I mean, everything from a basic set of a compliance risk assessment based on whatever standard, but then how that standard's applied to the company, all the way over to using the MITRE ATT&CK Framework in a customized database engine that we have that tests how companies' security stands up against that type of framework, from a very technical side. So, the organization works hard because we work with so many different companies and so many different customers. We're kind of in a, honestly, in a sweet spot in that we learn a lot from what everyone else is doing. We help so many people, so we're kind of at an unusual spot that way.

Robb Boyd:                   I feel like everybody should be... And, Warren, what's your perspective on this? Because I get this from my conversation with Shena in thinking that, "You know what? I think everybody, most, any company that's in business has some relationship already with a provider like a Comcast business," whether it's them or not, but I feel like any provider that you're working with, and usually these are multiple relationships, I feel like you should be aware of what services that they provide and that it's always a good question to ask because I could see people mistakenly taking on things that maybe even are better delivered via a service provided by someone else with less tax on their network, less type of things to manage and stuff. Warren, are you seeing that with your... You work across multiple service providers, I believe. Do most of them have security services to offer that maybe their customers aren't even aware of?

Warren Perils:               Yeah. That's a huge thing now, and think about cloud and cloud delivered services instead of sending out a technician or a truck to their house to install those services. So, Shena can talk extensively about this. So I'll give her a chance to talk what Comcast is doing specifically.

Robb Boyd:                   Well, let's do that then. Before we close it out, Shena, can you give us an elevator pitch on the kind of things that you guys are handling for your customers right now, and where you're most proud of?

Geoff Hancock:             And what your recommendations are, right-

Robb Boyd:                   Thank you.

Geoff Hancock:             ... for people [crosstalk] who are listening. What do you think people need to do?

Shena Seneca Th...:       I think, from a Comcast business perspective, we're a cable company at heart, and I do think a lot of customers don't realize what we can bring and offer them in cybersecurity. If you think about it, Comcast is one of the largest ISPs, internet service providers, in the world. So we have to know security at scale for ourselves to protect ourselves and protect our customers. So, denial of service attacks is one area that we have a product that offers a DDoS mitigation for our customers that have high-speed internet connectivity. A lot of customers or businesses don't realize or think of Comcast in that way, but we have to do it for ourselves every day, we can do it on our customer's behalf as well. So that's an example of-

Robb Boyd:                   I think that's a great example, because if anyone looks at how a DDoS attack happens, and DDoS is a distributed denial-of-service, it means basically a bunch of computers have probably been zombied in some fashion and they're sending spurious traffic that's trying to open connections against maybe your website or your key e-commerce type of entrance. And the problem is, you can't solve that kind of problem at all, if not easily. You can't blackhole the traffic on your own. You really need that handled more upstream with a provider like with what Shena's talking about. I think that's a fantastic example because a DDoS is designed to overwhelm. It's designed to just create so much traffic that things just fall over and services quit working. So I like that quite a bit.

                                    Well, I'll tell you what, as we finish up, Geoff, resources, I know you're working on an article that's about to come out, but there's a whole lot of different initiatives. You teach an MBA program on security at George Washington, I believe. And you've got your fingers on other things that must keep you up at night as well. What do you recommend his next steps? Maybe resources at wwt.com or anything else?

Geoff Hancock:             Sure, yeah, absolutely. If people go to wwt.com, there are labs, customer facing, public facing labs on a variety of technologies that people can look at. There's articles on technical articles to business and cybersecurity articles that are written not only by our staff, but then also our partners as well. And the goal of those is to really just share the wealth, spread information data. Here's what I've learned, it might help you. Here's what you've learned, might help me. That kind of thing. And then going to different places like, as I mentioned, cisecurity.org is a great place to go because of the wide variety of tool sets that they've got there that people could learn from. But there's a lot, there's a lot out there.

                                    It's important to understand what your risks are, as we talked in this conversation, what your risks are, qualifying those risks and then taking a step back saying, "Where are all the resources that would apply to me specifically?" And again, as Warren points out, Warren represents part of a larger practice that works with a lot of different industries, from industrial control systems to energy, to healthcare, to a typical normal enterprise. And again, at the WWT site, there's a ton of information for people to be able to log in and take a look at.

Robb Boyd:                   This is great. I can't believe none of us said, "Go buy a firewall," or anything like that. We didn't say there was a whole bunch of products you need to go buy or anything like that, because-

Shena Seneca Th...:       I like what you're selling.

Robb Boyd:                   Yeah, no, I know. And that's the thing, is I was really worried about how we're going to keep this conversation in a certain area at any given moment, because I could easily pick up 18 more conversations that we could have on multiple things that we're going through the center of this conversation here. But we're out of time. I apologize for that. But to our audience, thank you, guys, for joining us.

                                    Please check out wwt.com for more resources. We should have in the notes links to the article that we refer to that's going to be fresh as this podcast comes out. But there's also many more services and stuff I'm not even aware of that World Wide Technology is doing, and I've learned a whole lot more about Comcast business. Working with smart people like you, guys, I really appreciate it. Shena, thank you. Warren, Geoff, so appreciate you, guys. We'll see you guys on the next one.

Geoff Hancock:             Thank you.