B (12:28)

Well, it's interesting, the Hybrid Identity Protection Conference. It was conceived as a vendor agnostic technical conference designed by identity people for identity people to help them wade through all the complexities and rapid changes that happen in the modern world of hybrid identity. More complicated than ever. Our founder of the conference and our CEO Mickey Bresman was really the driving force behind it. Even when Cempras was very small, just a few dozen people, and he recruited several veterans with experience in a predecessor conference, such as Gil Kirkpatrick and myself, to help get the conference off the ground. That was back in 2017. So it's been nine years since then through Covid and everything else and then, which is pretty great. And not to brag, but I guess I'm bragging is that we really get, we get rave reviews about the conference. Many people have told me personally and actually just last week, it's the best conference they've ever been to. So it doesn't get much better than that.

A (13:38)

No, no. Well, hats off to you and your colleagues there. What sort of growth have you seen over the years?

B (13:44)

Well, originally the first one was in World Trade Center 7 in 2017 and probably had 30 people in it, something like that. And this year we are in the low Hundreds, less than 500, but more than about 300. I'm not exactly sure what the number is, so quite a bit. And the professionalism and the organ of our teams and all that is just grown by leaps and bounds. I'm actually going to be recording podcasts on Monday before the conference of individuals presenting at the conference for my HIP podcast as well, which is paired with the conference.

A (14:24)

Well, I know one of the key elements of the conference are these Operation Blind Spot tabletop exercises. Could you explain what that's all about?

B (14:35)

Sure. Blind Spot Tabletop are disaster recovery, crisis management tabletops, and we hold them throughout the year. And the point of course behind them is that they expose the blind spots that can hinder efficient cyber response. I actually led the red team at the previous blind spot exercise at Black Hat in August. In addition to the blind spot exercises we're doing in HIP this week, we're organizing an upcoming event at Govware in Singapore on October 21st and at Microsoft Ignite in San Francisco on November 19th.

A (15:11)

Well, in your estimation, if a random organization got hit by a cyber attack, how prepared would they be? If they had a well tested cyber crisis preparedness plan, would they be prepared or would they still find themselves scrambling a bit?

B (15:27)

Well, we've actually published some research on this earlier this year. And what the research has told us is that somewhat surprisingly is that more than 95% of organizations have a cyber crisis plan, but also 90% report that roadblocks hamper efficient response because of the gaps in communications across most organizations. And this jives very well with what I hear from incident response professionals. In our research, we found that these communication gaps between the key stakeholders lead to slower responses. And as I said, in talking to cyber response technical individuals, they find that they often have had to sit on their hands while communication issues are resolved and leadership order and who makes decisions for what are figured out. So it's very much people, process and technology, with oftentimes people being the thing that is slower than anything else. The report that we published earlier this year, you can find it on our website if you search for state of enterprise cyber crisis readiness.

A (16:47)

Well, in your estimation, from your experience, how realistic should these tabletop exercises be for defenders? I mean, should they be disruptive?

B (16:59)

Well, so much of, as I go back to people's, the people part of people process and technologies, so much of these exercises, it's human nature that you don't want to fail in an exercise, especially when management is probably watching. But the whole point of a good tabletop is to expose weak points in your response plan, to expose potential failures. So they should be more than routine. They should be more than just check the box exercises. They don't check the box exercises don't provide little value. And in my estimation, they can be dangerous because the participants walk away thinking that their organization is more prepared than it really is. So the exercise should show messy realities, expose them like incomplete communication chains. Oh, we can't get a hold of Jim Bob because he's on vacation and he's the only person that has access to these plans. Or unclear decision authority where your leadership of your organization ends up being political infighting to make very important, very potentially disruptive decisions and make them as quickly as possible. Or the one that we all think about technical gaps instead, what happens with polished and safe tabletops where you follow the happy paths and the happy path and you make assumption that a lot of things are working in your infrastructure and reinforces the illusion that we've got this oh, I think we're pretty good. These polished tabletops often discourage adaptive thinking, which in my conversations again with incident response people, on my podcast last week I did a recording. My guest was the top incident response person for cohesity, Jonathan Mayer, and he specifically called out adaptive thinking as an important trait in incident response. Because in a real incident things are chaotic, they're confusing and oftentimes things have happened that have never happened before because remember, you've got real human beings on the other side and they do this. A they're not dumb. B they do this sort of thing all the time and you do it only every once in a while. Maybe they will make moves and counter moves that you probably haven't thought of and probably haven't seen before. So that's what you have to practice for. If a tabletop's overly structured or sanitized, it doesn't force either the leaders or the responders to think on their feet, adapt to incomplete information or make decisions when you have uncertainty all around you. Instead, they just play along with the script and so they can check it off, but they haven't necessarily improved their defenses or their response at all.

A (20:01)

You touched on the potential for failure. I mean, is there value in going full Kobayashi Maru, full Star Trek on some of these folks where there is no way to succeed?

B (20:15)

Well, it's interesting. We did a at the tabletop that we did at the operation we did in Black Hat. We actually, as I said, I was leading the red team and I had an ace in the hole. I had Marcus Hutchins, who is a famous cybersecurity figure on my team and we ended up not quite Kobayashi Maru, but a standoff between the blue team and the red team. But it made for some pretty hair raising moments as we sparred back and forth aggressively. So yes, sometimes, yeah, sometimes that's how you learn. You learn by failure and then seeing doing what you can and if you can't fix it, then at least you're aware that that is a weak point. I won't burden you with any quotes from Sun Tzu, but that's that's absolutely what this is all about.

A (21:19)

Well, going back to the HIP conference, I understand that you had world renowned cyberpsychologist Professor Mary Icahn was your keynote speaker yesterday at the conference. What was the talk about?

B (21:32)

I thought that this was very interesting because first off, she's a great speaker, but she spoke about something fairly unique in my experience, which is how it's, it's the intersection of technology and human behavior. So she is a world expert in what's called cyberpsychology. And what she talked about was hybrid identity environments, where technology fits, where human behavior fits. So we think about the technology all the time, but the human dimension, how users perceive authentication systems, how they trust them and how they interact with them, remains the most exploited and least understood aspect of cyber defense. I mean, we've all been through phishing exercises and we know how well those succeed or don't succeed. And yet responses or studies show again and again that it doesn't affect the click through rate on phishing attacks very much because there's all of this human aspect to it that is not fully understood. So in her keynote she examined the cyberpsychological challenges of securing hybrid identity and the complexities of it coming on in this world of AI driven threats. So you have nation state actors and cybercriminals increasingly using AI and machine learning to deliver hyper focused, hyper personalized phishing and advanced social engineering attacks. And they succeed not just because they're technically sophisticated. They succeed also because they exploit human frailty within identity workflows to trick us into doing things we otherwise know better than to do. As identity professionals, we talk about something called anti patterns where you have seen some kind of a dialogue pop up so many times you just end up clicking up. Yeah, okay, okay, okay, okay. We say, I had a friend that described it as spouse mode. Answers. Okay, okay. Yes. Yes. Okay, okay. It's like dealing with a toddler. Right, Right, exactly. And you may have just clicked through an officing because you're so used to those workflows.

A (24:00)

Yeah.

B (24:01)

So Mary delved into that more deeply.

A (24:05)

Well, I understand. Also coming up you've got Jenny Easterly and Chris Inglis. Can you give us a little preview of what you're expecting from them?

B (24:14)

Yeah, I'm very much looking forward to both of these keynotes. I've not met Jenn Easterly and I look forward to meeting her in person. Her keynote is set up as a fireside chat and it's about cyber resilience and lessons she's learned in her career and the challenges ahead. The title of it is Cyber Resilience. Yesterday's Lessons, Tomorrow's Challenges. She's planning, as I understand it, to discuss the toughest cyber incident she dealt with as CISA director and how leaders can avoid fatigue and motivate their teams where the biggest threats will be coming over the next five years and the role that AI once again will play in both cyber threats and defense. Now, Chris, Chris Inglis, who's former U.S. national cyber director, he's keynoting on Thursday also, and he's keynoting on Thursday morning. And the title of his keynote is the Evolving Cyber Resilience in the Age of Innovation. It's about how the global reliance on a distributed digital infrastructure, it's what we all rely on now, has created both unprecedented opportunities and dangerous vulnerabilities as traditional forces that controlled the way we do things lose their power. And transformative technologies like AI and nationalism and fragmented regulation change the world almost on a daily basis. He says that success requires adaptation and a leading in resilience mindset to thrive in the middle of all this ongoing instability and accelerating change. I've been fortunate enough to spend a little time with Chris, and he's absolutely someone that if he's talking, I'm going out of my way to make sure that I'm listening.

A (26:12)

Yeah, no, it's quite a lineup that you all have here for the conference. Before I let you go, I'd be remiss to not ask you about AI. Can we talk a little bit about AI and velocity? You know, how. How do organizations need to evolve, faced with these challenges of AI is my guess is the pace we used to operate at is insufficient and as if.

B (26:38)

The pace that we were operating at wasn't hairy enough as it is.

A (26:42)

Right, that's right. That's right.

B (26:44)

Yeah. More, more, faster all the time. And more sophisticated through AI. I mean, look, we're using it for good right now, and the threat actors are equally using it. If you think about our use of AI and how it's changing, have you, six months ago, had you ever heard of the term vibe coding before? No. And now it's sort of becoming part of the vernacular. At least in our industry, it's becoming part of the vernacular. Yeah. I don't have a solid answer for you on this. I have to tell you because I don't think it's easy to tell what we have in front of us, because I'm not sure anyone knows what's in front of us. We can make predictions, but at this rate of change. Who knows what next week is going to bring us? Certainly if you follow the news feeds, as you do as a professional, you're seeing more and rapid, more rapid changes all the time in ways that you had never thought about before. What was one that just came about? Oh, so threat actors. This is not specifically related to AI, but as things continue to change, threat actors are now targeting H VAC systems in hospitals. Because if you hit the H vac systems, they can't operate. So that's turned out to be a critical piece that the bad guys have found. And then of course, if you look back on it and you go, well, of course. But a year ago, who thought about that in terms of health care, in terms of healthcare attacks?

A (28:20)

Yeah. Well, Sean, thank you for taking the time for us here today and good luck with the rest of the HIP conference. I hope it all goes well for you.

B (28:29)

Thank you. It'll be a very busy week to be sure.

A (28:33)

That's Sean Duke, the principal technologist with Sempras. The holidays have arrived at the Home Depot and we're here to help bring the excitement with decor for every part of your home. Check out our wide assortment of easy to assemble pre lit trees so you can spend less time setting up and more time celebrating. And bring your holiday spirit outdoors with unique decor like one of our Santa inflatables. Whatever your style, find the right pieces at the right prices this holiday season at the Home Depot. Ford BlueCruise Hands Free highway driving takes the work out of being behind the wheels, allowing you to relax and reconnect while also staying in control. Enjoy the drive in BlueCruise enabled vehicles like the F150 Explorer and Mustang Mach E. Available feature on equipped vehicles. Terms apply. Does not replace safe driving. See Ford.com BlueCruise for more details. And finally, a Danish software engineer named Joachim built a simple website one weekend in August and accidentally gave the European Union a migraine. His creation Fight Chat control lets visitors fire off pre written protest emails to lawmakers opposing an EU bill meant to combat child sexual abuse material online. Privacy advocates call the measure a threat to encryption. Politicians now just call it that thing flooding my inbox. More than 2.5 million people have visited the site, reportedly triggering millions of emails and paralyzing inboxes across Brussels. Diplomats complain it's not a dialogue, while Joachim insists it's democracy, just faster and louder. The campaign has stirred national debates, clogged parliamentary servers and made one thing clear in Europe, even a lone coder can jam the machinery of policy with enough public outrage and a send button. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com a quick note before we wrap up. Today is the last day to vote in the Sans Difference Maker Award in the Media Creator of the Year category, which I have been inexplicably nominated for. I'm honored to be recognized and would appreciate your support. You'll find a link to vote in our show Notes. And like I said, voting is open through the end of today. Thanks for listening and being part of the N2K CyberWire community. N2K senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our Executive Producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Cyber Innovation Day is the premier event for cyber startups, researchers and top VC firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's technology. In the afternoon, the 8th annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration and funding. The Innovation Expo runs all day, connecting founders, investors and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, D.C. discover the startups building the future of cyber. Learn more@cid.datatribe.com.