David Moulton (11:22)

New adversary tactics and emerging tech to meet these threats is developing all the time. On Threat Vector, we keep you a step ahead. We dig deep into the threats that matter and the strategies that work. How do they help that customer know that what they just created is safe?

Nigel Hedges (11:38)

The future is now and our expectations are wrong.

David Moulton (11:42)

Join me David Moulton, Senior Director of thought leadership for Unit 42 at Palo Alto Networks and our guests who live this work every day.

Marcus Hutchins (11:50)

We're not just talking about some encryption and paying multimillion dollar ransom.

Nigel Hedges (11:55)

We're talking about fundamentally being unable to.

Dave Bittner (11:58)

Operate automated eradication and containment. So being able to very rapidly ID what's going on in an IT and contain that immediately.

Marcus Hutchins (12:09)

They're hiding in plain sight.

David Moulton (12:14)

So if you're looking to sharpen your strategy and stay ahead of what's next, tune in and listen to Threat Vector, your front line for security insights.

Marty Momjian (12:29)

CISOs and CIOs know machine identities now outnumber humans by more than 80 to 1. And without securing them, trust uptime, outages and compliance are at risk. Cyber Arc is leading the way with the only unified platform purpose built to secure every machine identity, certificates, secrets and workloads across all environments, all clouds and all AI agents. Designed for scale, automation and quantum readiness, Cyber Ark helps modern enterprises secure their machine future. Visit cyberark.com machines to see how compliance regulations, third party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots and all those manual processes, you're right. GRC can be so much easier and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key compliance, internal and third party risk, and even customer trust so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive that's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta GRC Just imagine how much easier trust can be. Visit vanta.com cyber to sign up today for a free demo. That's v a n-t a.com cyber Marty Momjian is general manager of Ready One by Sempris. I caught up with him to find out more about Operation Blindspot, a tabletop exercise taking place this week at Black Hat.

Marcus Hutchins (15:12)

Yeah, so something we do yearly is a community tabletop exercise and a simulation that we get just a bunch of members of the cyber community together, local law enforcement, sometimes we have the FBI attend as well and just cyber law enforcement. And we pretty much get everybody together in a room and do a tabletop exercise that's generally open to the media. And our focus is based around what is really currently happening out there in the cyber industry. Right. What are the high value targets? Critical infrastructure, Healthcare, gas and oil, airlines. This year we're focusing on critical infrastructure, a water treatment facility.

Marty Momjian (15:55)

Well, let's dig into that. I mean, what made you have a water treatment facility be the subject of this year's exercise?

Marcus Hutchins (16:03)

There were a few incidents that occurred late last year and early this year. Some made it to the media and some did not of just state nation sponsored adversaries targeting critical infrastructure in the United States. Right. And in Europe and certain parts of the world. And we decided instead of doing the traditional tabletop exercise, let's do something that would actually have direct impact to the public from what we know is going on out there.

Marty Momjian (16:31)

So for someone who's going to attend, what can they expect to see?

Marcus Hutchins (16:35)

Generally we try to make it a little bit of fun and a little bit serious at the same time. What we do is step through cyber incident response framework and crisis management framework. We will assign the teams randomly assign certain individuals to certain teams and go through about a two hour tabletop exercise that we take turns on the red team and blue team and stepping through an actual incident that has occurred in the past, but also reproducing it with the attendees.

Marty Momjian (17:07)

So my understanding is this year you've got, I guess a bit of a cyber celebrity is fair to label your special guest this year.

Marcus Hutchins (17:16)

Yes, we got Marcus, Go on. Probably the best known cyber security practitioners out there and researchers.

Marty Momjian (17:26)

Marcus Hutchins.

Marcus Hutchins (17:28)

Yep. Marcus Hutchins, one of my favorites. So I would say to me is more than a celebrity.

Marty Momjian (17:33)

Right.

Marcus Hutchins (17:34)

Some knowing somebody like him in the industry who's an actual hands on practitioner, not just somebody who speaks about it, but he actually practices true red teaming in the industry and shares his wealth of knowledge. So we're going to have him in attendance as well, more than likely signed to the red team because that's what Marcus is good at. Of course.

Marty Momjian (17:53)

Is there an educational component to this as well? I mean, is this something that someone who's looking to learn more about these sorts of tabletop exercises, would they be able to get something out of it?

Marcus Hutchins (18:04)

Yeah, yeah, absolutely. One thing that we do is we try to stay away from the theoretical. So there's a lot of tabletops that occur that's kind of a make believe theoretical. What if this happens? What if that happens? We do our due diligence that we actually step through, de identified and not sharing any personal information or identifiable information whatsoever about the incident, but actually stepping through the real time tactics of threat actors and adversaries for these incidents and the real time tactics that the good guys, the blue team, would use. Right. So we try to make it a mix of consultative approach plus very, very tactical when it comes to the red and blue team as well, to make everybody participate as much as they can and absorb as much knowledge as they can for us as well. And we try to have it be as engageful as possible.

Marty Momjian (18:52)

What do you hope that people get out of this? What do you hope they walk away with?

Marcus Hutchins (18:56)

Mainly awareness. And the attendees are a mix of different industries. So we have attendees from all different types of industries from around the world. What I generally look to get out of it. And the attendees is learning from each other. What are different organizations doing, different industries doing in of handling cyber threats that are out there and how they really put their incident response plans together. Because there's a lot that we can learn from each other.

Marty Momjian (19:23)

That's Marty Momjian, general manager of Ready One by Sempras on this week's Threat Vector segment. And David Moulton speaks with Nigel Hedges from Sigma healthcare about how CISOs can shift cybersecurity from a technical problem to a business priority.

David Moulton (19:52)

Hi, I'm David Moulton, host of the Threat Vector podcast where we break down cybersecurity threats, resilience and the industry trends that matter most. Right now we're facing a perfect storm of sophisticated attacks. Chinese state actors exploiting SharePoint flaws to deploy ransomware, affecting over 4,600 compromise attempts on more than 300 organizations worldwide. New shade bios techniques that run malware in places where no security software can reach And AI generated malicious packages that are stealing cryptocurrency from thousands of users. CISOs need more than technical expertise. They need to be storytellers who can translate these complex threats into language that boards understand and act upon. What you're about to hear is a snapshot from my conversation with Nigel Hedges, Executive General Manager of Cyber and Risk at Chemist Warehouse, about this challenge. If you like this short segment, you'll love the full episode. The link is in the show notes. Nigel Hedges, welcome to Threat Vector. I am so excited to have you here today.

Nigel Hedges (21:05)

Let's do it. Yeah.

David Moulton (21:06)

You've held CISO roles at major Australian enterprises. What does it take to elevate cybersecurity from just an IT issue to a business issue in these types of environments?

Nigel Hedges (21:17)

Yeah, it's a good question because I have more and more described cyber to anyone who will listen that it's not a technology risk, it's a technology enabled business risk, just like any other business risk. So that's the start of that conversation. But I typically try to address it in my first hundred days of any new role, which is making a conscious effort to spend equal time on trying to understand the environment and the cyber risks that I'm inheriting, as well as going and meeting with key stakeholders from the business units. And that way having the dialogue explaining the philosophy around my approach to cyber, you know, with the gems of marketing, sales, supply chain, whatever it might be, but actually just starting with the question, how can I help you? And so that's the way that I try to elevate cybersecurity is by getting in there and right from the get go appearing like somebody who wants to help in their domain.

David Moulton (22:29)

So, Nigel, you've worked across retail, higher ed, professional services, a lot of different domains. How do the conversations around cyber risk shift across these sectors? At the executive level?

Nigel Hedges (22:42)

Yeah, so I think that at the executive level, for me, at least in my experience, that it hasn't been as different as one might think. The industry is different. Different complexities, of course, but I found the types of concerns and questions are the same. I think the only difference I would probably point to is culture. And take retail for example. It's high stakes, quick to market, try to get things done really quickly. So therefore your approach to inserting cyber into those conversations level needs to be done in a certain way. With professional services, higher education, there's a little bit more regulation and compliance in there, so there's a little bit of a slowdown to speed up type of thing. And so again, that's kind of just going with the flow with what are the carrots and the sticks that you have available to work with the executives.

David Moulton (23:45)

Now, Joe, I like the idea that there are unifying documents out that help coach an important group like your board on how to have a conversation with you. And I think maybe it helps you understand the types of questions you should answer. And I suppose when I say you, not just you specifically, but security leaders in general. I'm curious though, when you're preparing for those board level presentations, how do you decide what to include and what to leave out?

Nigel Hedges (24:18)

Yeah, so for me, I always try to go in with that materiality perspective again. So I am thinking about the types of incidents that have occurred possibly in that period. I'm looking at things that have happened in the market that are of interest and I will put them into my presentation and sometimes going into a very busy audit risk committee type of environment where I think that they've probably going to be spending about four hours together talking about all sorts of things. So I try to think of it like I've got 10 minutes to talk and in fact, out of that 10 minutes I've got five minutes to talk and five minutes for questions. The reality is, even with that perspective, I've typically gone into audit risk committee and come out 45 minutes later or longer. But I've basically tried to apply that approach because when I look at my material I suddenly say to myself that there's no way I can cover these eight or nine things in five minutes. So what can I. What should I cut out? You have to just be brutal and go back to that material sort of thing. They've got a fiduciary duty of care at the board level, especially to protect the organisation and the organization's interests. So what connects to that? And that's helped me.

David Moulton (25:39)

And Agile. Talk to me about your experience. What are the keys of making cybersecurity spending a priority in annual budgets?

Nigel Hedges (25:48)

Yeah, so that is a good one. And I think it goes back to starting in the first 100 days. So I typically will look at the annual reports and I will try to connect business strategy and typically technology strategy, but definitely business strategy and connect that back to cyber priorities. So if I find that I'm proposing something that really doesn't very clearly resonate with a business strategy and how it's supporting that, that's probably something that I can't prioritize. It might be still something I do in BAU or enhancement, but it'd probably be best effort. So I'LL put things in that map to the business strategy. That's something I kind of learned from the Sherwood Applied Business Security Architecture or sabhsa. You know, when I first made the transition out of sales engineering, I went into a security engineering role and SABSA was really helpful in connecting what we do from a security perspective to the business. And that stuck with me. And then if that's clearly in there, then there's some of that kind of hive mind perspective. Like are we spending 10% of technology budgets versus everything else that we spend on? So out of the technology budget, are we spending 10% on cyber? These are some of the sort of statistics you might pull from industry research like Gartner. And then from there kind of just map out plus or minus how that stacks up to current spend in available resources. Because we're all dealing with scarcity of resources. So you can only do what you can do. And the best thing you can actually present is that with this spend, I will not be able to do this. And then when you do that, what I found is sometimes folks in the board and the executives will say, well, I'm not actually really prepared to accept that I actually want to do that thing over there you said you can't do. Well, thanks you know Sarah Madame, but that's going to cost a little extra and this is what will bring you so if this is what you want me to deliver, this is what we have to do.

David Moulton (28:17)

If this got your attention, don't wait. Listen to the full episode now in your Threat Vector podcast Feedback. It's called Speaking Security in Board Language and it's live now. You don't want to miss Nigel's game changing approach to making cybersecurity a business conversation when it matters most.

Marty Momjian (28:40)

And be sure to check out the complete episode of Threat Vector wherever you get your favorite podcasts.

Dave Bittner (28:57)

Abercrombie Denim is everything right now. Denim should feel like this. Confident, easy, like your butt has never looked better. If you didn't know Abercrombie's Curve Love Denim went viral in 2019 for eliminating waist gap, and it's still a game changer. Between that and their classic fits with a straighter line from waist to hip, the perfect denim does exist. Shop Abercrombie Denim in the app, online and in store on WhatsApp, no one can see or hear your personal messages. Whether it's a voice call message or sending a password to WhatsApp, it's all just this. So whether you're sharing the streaming password in the family chat or trading those late night voice messages that could basically become a podcast. Your personal messages stay between you, your friends and your family. No one else, not even us. WhatsApp message privately with everyone.

Marty Momjian (30:01)

And finally, in a breach of both privacy and packaging standards, a major Thai hospital has been fined about $37,000 after patients medical records were found moonlighting as snack bags. The saga began when sharp eyed social media users noticed their chips came wrapped with X rays and lab results. A snack and a health check in one. Turns out the hospital had outsourced document destruction to a small family run business that thought recycling meant reusing literally over 1,000 records, including sensitive personal data, skipped the shredder and instead entered snack circulation. The contractor took the files home, skipped protocol and never mentioned the paper trail. While the hospital received the brunt of the fine, the mom and pop operation was hit with a modest $500 bill and possibly a crash course in data privacy. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of August this year. There's a link in the show notes. Please take a minute and check it out. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ivan. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

Marcus Hutchins (32:02)

Sa.