Anika Gupta (12:50)

Well, I think what we can see is that over the past 10 years as people have gone from being predominantly in data centers to adopting a lot More Cloud and SaaS applications within their infrastructure story that what this has meant is that the number of services that they're using, the number of applications and where all of the data that they have within their organization, whether it's their own internal data or their customers data, is living in so many different places. An average organization uses over 100 SaaS applications. They might be leveraging multiple public clouds, they likely have multiple data centers if they they have any on premise footprint. And so when you put all of that together, trying to understand the lay of the land and even knowing and having visibility into what where are your applications and where is your data becomes an overwhelming challenge for most organizations.

Dave Bittner (13:46)

Well, can we dig into that some, I mean what are some of the specific perils that you see organizations facing when it comes to this?

Anika Gupta (13:54)

Yeah, I mean certainly from a cyber risk and cybersecurity standpoint, one big challenge is that you have so much data and you have so many applications living in so many different places. And when you're looking at the risk to your organization of an attacker getting to your valuable assets, getting to your tier zero, tier one applications, a big question is well, how do I even know where's my sensitive data? How do I even know what are all the components that make up a Tier 0 or Tier 1 application and that the answers to those questions are actually very, very difficult to answer. Often what organizations are doing is they're looking for their have like an internal essentially program manager going to a bunch of different business leaders and saying, hey, what is your most important application? And then trying to reverse engineer. Well, okay, does that application have data sensitive data in it? What are all the components that are building up that application? And that's, you know, that's just a really challenging situation. What we can see is as a result, organizations are making or having a lot of challenges managing cyber attacks and breaches. In a recent report we did, and research we did, we found that one third of companies have been forced to make leadership changes as a result of cyber attacks and breaches. And at the same time they've increased their security spending by 40%. So people are spending more and yet getting breached more often. And a lot of this is having to do with hey, I can't manage this infrastructure that I now have across my organization that and manage the data that sits within that and understanding what's sensitive and what's super high priority.

Dave Bittner (15:38)

I guess, I mean it's fair to say that nobody sets out to lose control of this, right? Everybody has, everybody has best intentions. And then is it typically a matter of the team waking up one day and saying, hey gang, we've got a problem here?

Anika Gupta (15:53)

I don't think it's a one day you wake up and say, hey, I think I have a problem. I think it's just the result of running a business. The reality is, is that businesses have to grow, they have to make money, they have to innovate. And when you have multiple business leaders and multiple R and D organizations and your IT organization, everyone tried to innovate. They're trying to use best of breed solutions and breast of breed tools and applications in order to move faster and deliver business results. So it's just the fact of doing business. And I think security teams for a long time have recognized well and have been anxious about the fact that they're giving up control and that they don't know what's going on in their environments. And as people move to the cloud, you have developers that are just sometimes just spinning up instances without using a golden image or doing a ton of things that are not best practices because they're trying to move fast and people aren't trying to be malicious, they're just trying to do their jobs faster and faster. And AI is only going to exacerbate that even further where people are using AI because It's a great productivity boost. So people are trying to find the best tools, the best mechanisms to do their work better and to deliver those business results. And that's just meaning that over time the tools for visibility and just haven't been able to keep up with the amount of innovation and sprawl that's happening within organizations.

Dave Bittner (17:13)

Are there common mistakes that you see people making as they try to get this under control?

Anika Gupta (17:19)

Yeah, I mean, I think one is just say like, and I wouldn't say this is like necessarily super common because I think every, every security leader is trying to do something, but I think some people are also feeling like, well, you know, is this my highest priority thing? Is, is it getting visibility across my applications and data? Is that my highest priority issue or is it just trying to mitigate the active attacks that are happening to me right now? And I think that's a real trade off that some organizations have to make based on resources, both people resources, as well as technology, budget, etc. So I think there are some, some organizations that are not saying, hey, how do I lay the foundation? Which starts with visibility and understanding your applications, understanding where does your sensitive data live, and being able to classify that so you can protect your most valuable crown jewels and not have to worry about every single alert that's, that's emerging and trying to mitigate that, especially if it's against something that isn't super important to your organization. I mean, you still have to go do all of that work too. But I think a lot of teams get caught in the reactive mode and not enough in the, hey, what can I do proactively to give myself more visibility so I can be better prepared for the future? And where, where do I lack visibility? People lack visibility all over the place. So how do you decide what you invest in first to like give you the visibility that you need in your organization? And I would argue that having visibility into your sensitive data and your sensitive applications is a super, super important building block. It's also really hard to do. So often folks don't invest enough in it because it just is a, it's a big initiative to, to go after.

Dave Bittner (19:00)

Well, when you say visibility, how do you specifically define that?

Anika Gupta (19:05)

I think like, understanding. For instance, if you're a, let's say you're a financial institution, understanding in the course of your business, what is the most, what are your most important applications that you just cannot afford to be down because it would actually just completely break your organization or cause you massive regulatory issues? That's one. And then Being able to understand well for my organization what is the data that is most important and most sensitive and confidential. Again, maybe because it's related to your customers or because of regulatory issues that may emerge if that data is breached or lost in some way. And if you can understand both of those things of hey, I know what my applications look like that are my most important. So for banking it's probably the core banking application. It's the core way that they manage money transfers across accounts and in and out of the bank. Like those are the things that are going to be the absolute critical applications. And then the data might be like their customers personal information and their customers financial information that might be their most critical asset because that's the thing that if it gets breached or lost, like they're in a massive, it's a massive, massive risk to the organization. So I think like leaders have to take this approach of for my organization, where does my highest risk lay both in terms of the applications themselves and the data and then how do I get visibility into this on an ongoing basis of how do I identify these critical applications and then how do I identify where does critical customer data live so that you can on ongoing basis monitor that, making sure that critical customer data isn't going into a dev instance or isn't getting exposed to public IPs on the Internet, things like that that are very critical to manage in order to ensure that you protect those cred.

Dave Bittner (21:00)

For someone who's ready to go down this path, what sort of advice do you have for them specifically in terms of how disruptive this is going to be or not as they begin the process?

Anika Gupta (21:16)

So I think as with any change, you have to think about both as a leader, you have to think about both the people, the process and the technology that's going to be involved in making this change. So from a people perspective, like who are you going to allocate to making this successful? How are you going to make sure that the key business leaders are brought along with this? Because it's not like it or security can go do this effort in a vacuum. They need the cooperation of the business leaders across the organization. They need to figure out how can like why are they doing this effort? How do they articulate the why? How do they articulate the risk to the organization and how they're trying to mitigate those risks by going down and doing these efforts. And I think from a process perspective, really like you can't boil the ocean in this. Like you have to figure out where do I get started and Maybe you get started with one application, one type of data and really get a good handle on what is it going to take to not only just create this like kind of catalog once, but how are you going to do this on an ongoing basis and maintain it for one, you know, a subset of use cases within your organization and then you expand that over time and you get coverage of more applications, more types of data, more footprints so that you're able to continuously get better because it really is going to be a journey and then from a technology perspective, really looking at what are solutions that can serve your organization best, knowing that most organizations again have applications and data sitting across on prem cloud and SaaS. So can you buy a technology that's not just a product point solution for one type of application in your organization or one type of use case? But, but, but buy something that's going to take you on that, that's going to be on that journey with you, that's going to give you centralized management and visibility no matter where your applications are, where your data is. And making those technology choices and the right technology choices early is really going to help be an accelerant for both the people and process.

Dave Bittner (23:18)

That's Anika Gupta from Rubrik. And finally, in what could be described as the FDA's leap into the future or a fast forward stumble, the agency has rolled out elsa, a generative AI tool built to make government work more high tech and ideally less glacial. Heralded as the dawn of a new AI era, ELSA is supposed to help everyone from scientific reviewers to inspectors whip through data and spot health risks faster than a caffeine fueled intern. But according to FDA insiders, ELSA might be better suited to writing office memos than evaluating life saving drugs. The system, based on anthropics clawed and developed by Deloitte to the tune of $28.5 million, has already been caught spouting inaccuracies and offering partial truths, which to be fair, is kind of on brand for Washington. Staff have labeled it rushed, buggy and more hype than help. Still, the FDA insists it's secure and promising. Just maybe keep ELSA away from clinical decisions for now. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of summer. There's a link in the show notes. Please take a minute and check it out. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilby is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Hey, everybody. Dave here. I've talked about Delete Me before, and I'm still using it because it still works. It's been a few months now, and I'm just as impressed today as I was when I signed up. Deleteme keeps finding and removing my personal information from data broker sites. And they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved. Knowing my privacy isn't something I have to worry about every day. The Delete Me team handles everything. It's the set it and forget it peace of mind. And it's not just for individuals. Deleteme also offers solutions for businesses, helping companies protect their employees personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal. 20% off your delete me plan. Just go to JoinDeleteMe.com N2K and use promo code N2K at checkout. That's JoinDeleteMe.com N2k. Code N2K.