Zscaler Representative (12:26)

And now a word from our sponsor, KnowBe4. It's all connected and we're not talking conspiracy theories when it comes to infosec tools, Effective integrations can make or break your security stack. The same should be true for security awareness training. KnowBeFor, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. KnowBeFor's security coach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike and Cisco. 35. Vendor integrations and Counting Security Coach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real time coaching campaigns targeting risky users based on those events from your network, endpoint, identity or web security vendors. Then coach your users at the moment the risky behavior occurs, with contextual security tips delivered via Microsoft Teams, Slack or email. Learn more@knowbe4.com SecurityCoach that's knowbe4.com SecurityCoach and we thank knowbe4 for sponsoring our show.

Chris Pearson (13:59)

Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default deny approach can keep your company safe and compliant. It is always my pleasure to welcome to the show Dr. Christopher Pearson. He is the CEO and founder of Black Cloak. Chris, welcome back.

Dave Bittner (14:52)

Hey, it's great to be here, Dave.

Chris Pearson (14:53)

I know you know a lot of us have responded and seen the terrible news of the killing of the United Healthcare CEO. And I wanted to check in with you on that because obviously you and your colleagues at Black Cloak are in the middle of protecting executives. I wanted to get your insights. Like, after that event happened, what were the phone calls you were getting? Was there a mandate coming to you from CEOs and boards saying, find us better protection for ourselves? Yeah.

Dave Bittner (15:32)

So, I mean, you know, unfortunately, massively tragic events. But I mean, what this has really shown is, is that, you know, the risks have changed. What people wanted to talk about, both chief information security officers and chief security officers, after that point in time, what they really wanted to focus on is how can we go ahead and mitigate some of the risks to our executives, board members, and their families? How can we mitigate the digital breadcrumbs that are out there that lead folks to where they might be in terms of their location, in terms of their presence, in terms of their residences, even in terms of their personal private email addresses and phone numbers? And what types of steps can we security professionals on the inside of the company do to kind of reduce this inherent risk to an acceptable level of risk? And it went beyond, you know, your traditional physical security review of the home alarms, professional drivers into an area which is, hey, what types of threat intelligence is out there? How can we go ahead and assess the privacy better? How can we go ahead and help reduce that attack surface? So it really has become something that huge amount of incoming from boards of directors, from executives, and from both CISOs and CSOs. And, you know, we're obviously happy to field the call, but, you know, it does seem like a lot of those risks and the risk appetite in this area has dramatically changed.

Chris Pearson (17:03)

Have things settled down from the initial, Is it fair to say, emotional response to this?

Dave Bittner (17:11)

Not so much. Not so much at all. I think that this is one of those things that, you know, are our kind of take on things has always been that the home is the next battleground, the home is the new battleground. And so what this has done is just like Covid, opened up people's eyes to the fact that the home network is an actual attack vector for cybercriminals in nation states, into corporate devices that are being used at home and then into the network. This has also opened up people's eyes to the fact that the personal lives of the executives and their family members is something that needs to be safeguarded. You're not safeguarding Jennifer the CEO, or Bob the cfo, or Larry, who's The cto, you're not, you know, safeguarding them per se. You're safeguarding the role in the position that they have. And that's what the boards care about. That's what the executives and the protection teams care about. I think eventually what's going to happen is that's what the SEC is going to care about. Are you taking care of those things? And so I think this is going to usher in a new era of executive protection for those persons.

Chris Pearson (18:20)

So perhaps these things become table stakes.

Dave Bittner (18:24)

Absolutely. I think that this is just going to become number one. It's going to become a corporate mandate. First of all, boards of directors, corporations, the enter the enterprise risk management committees, these are all going to be asking questions about what are we doing? What are we doing to protect our executives? What are we doing to protect those people that are kind of on the About Us, the leadership page of our website. But also I have a feeling that what we're going to do is just like public reporting documents. How are you compensating folks? What are you doing that are the key level officers of the company? It's going to be a how are you protecting not just the company from a cybersecurity or personal protection perspective, but how are you actually going ahead and mitigating those risks and protecting them that fall 24 7, how do you counsel.

Chris Pearson (19:09)

People on when they've crossed that threshold? I'm thinking specifically of physical security here. At what point do I need someone to come with me to my kid's baseball game?

Dave Bittner (19:24)

I mean, a lot of it can be gleaned from an executive threat assessment. So literally a risk profile on that individual and their family. It also can and should include the kids. And that's really a conversation that needs to be had between the security folks, that security professionals that are on the inside of the company and that executive. But there's some things that are just going to be table stakes and mandated as a result of you being the CEO cfo. We will have a driver for you, you will have an armed driver in other countries. We will have kidnap and ransom, you will have the Mayo Clinic executive physicals. Right once a year type of thing. And that's really where digital executive protection is headed. You will have personal protection, cyber protection for you and your family as a result of your role. And that really is something that I think is going to be baked in more and more. But that executive threat assessment is a great first step and it's a great first step at awareness. And also the key to this is you Want a willing participant. You want the executive to understand and to participate in their protection because you're going to have greater success.

Chris Pearson (20:34)

This is a sunk cost for most companies. You don't make money off of your executive protection. What's the budgeting component here? How do you dial it in to make it make sense?

Dave Bittner (20:46)

Well, I mean in some cases I think it was reported in prior years. It's like Facebook spends $17 million a year on Mark Zuckerberg's personal privacy detail for him and his family and all the rest because they're just big, big targets. The fact of is that the costs of digital executive protection for those persons is going to be dwarfed by the legal costs, remediation costs, incident response costs, investor relation costs, filing costs for SEC stuff. So it's the harm there and the amount of money being spent there. On the latter end, it just absolutely, absolutely towers over the costs of getting in protection to mitigate. Right. Nothing's going to be 100% but to mitigate those risks on the front end.

Chris Pearson (21:31)

Are there common blind spots that folks have when you meet with people to talk about this sort of thing, what are the things that come up where they'll say I never thought of that.

Dave Bittner (21:42)

Yeah, that's a great, great question. The first thing I would say is the extent to which their home network and home devices play in a lot of cases, the things that actually gave them better security. So hey, we have cameras all around the house that are professionally installed or you have a professionally installed managed firewall system. A lot of those things that were for good security purposes have actually introduced more holes and vulnerabilities into their systems. So that's always an interesting takeaway. The second is going to be the role that the other persons in the home, especially the kids, play in this. We actually just had one CEO have their teenage son poke a hole in through their corporate firewall that was at home and literally open up a port so they could have and host a gaming server at the home. Which of course I know we both are chuckling Dave.

Chris Pearson (22:36)

No, well, I mean to make this about me, when my wife and I were bringing up our two boys, we agreed that we may be able to outsmart our kids, but there's no way we're gonna outsmart our kids and all of our kids friends, right?

Dave Bittner (22:52)

Well that's right. But I mean it's one of those stories where the home security was great, spared no expense. And then you have the, well, the K are at least home, they're gaming. So this is a Positive attribute. They're not down by the river doing something else. But all of a sudden you have a hole in the firewall that the corporate laptop comes into each night. And then third, the exposure of the personal accounts. So the personal Gmail, Yahoo, whatever it is that they're using, they do a great job at work.

Chris Pearson (23:21)

Yep.

Dave Bittner (23:22)

I've got dual factor authentication, I've got the Yubikey, I've got the authenticator. But then they say I got nothing interesting on my Gmail. Well, you got all your personal financial communications, banking communications, legal communications, where you're actually traveling because a lot of those airline reservations come back to the centralized email. It exposes a lot of information. So it's always interesting when we're, when the team is meeting with people after the fact of being onboarded in terms of what we're able to find the exposures and then obviously needs a solution for.

Chris Pearson (23:53)

I suppose there's a certain amount of letting go that they have to do when it comes to trade offs with privacy. Right. Like if you've got a team of people keeping an eye on your stuff, that's a trusted relationship.

Dave Bittner (24:08)

You gotta, it starts all with a trusted relationship. All always. The nice thing is, you know, you know, speaking, you know, for us and our platform is that since it's built from the ground up, it's built with privacy in mind. And Dave, as you know, I mean, you know, former chief privacy officer, you gotta instill that in the company and the people, the value, the product, all the rest and build it with privacy, you know, in there by design. I think overall what we've seen on the corporate side is corporate executives, board members have had trusted relationships with their professional drivers, the private jets, with the folks that are in charge of kidnapping, ransom or medical and all the rest. And even financial. I mean sometimes corporations have financial and tax experts that are hired by the company to help and assist those executives so they don't have to worry as much about that personal side of things. And so what we've seen is those relationships grow over time. I think it's a trend that's going to continue especially as those are value enhancing for the executive, but also provide real value and real mitigation into the company.

Chris Pearson (25:18)

Dr. Christopher Pearson is CEO and founder of Black Cloak. Chris, thanks so much for joining us.

Dave Bittner (25:23)

Hey, thank you.

Chris Pearson (25:39)

Do you know the status of your compliance controls right now? Like right now we know that real time visibility is critical for security, but when it comes to our GRC programs we rely on point in time checks. But get this more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the Vanta brings automation to evidence collection across 30 frameworks like SoC2 and ISO 27001. They also centralize key workflows like policies, access, reviews and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com cyber that's vanta.com cyber for $1,000 off.

Melanie Fontes Rainer (26:44)

This episode is brought to you by Indeed. We're driven by the search for better. But when it comes to hiring, the best way to search for a candidate isn't to search at all. Don't search match with Indeed. Use Indeed for scheduling, screening and messaging so you can connect with candidates faster. Listeners of this show will get a $75 sponsored job credit to get your jobs more visibility@ Indeed.com SBO terms and conditions apply.

Chris Pearson (27:18)

And finally, federal regulators are giving the healthcare sector a friendly nudge or maybe a firm shove to ensure that AI and other tech marvels don't accidentally play favorites or worse, discriminate. In a letter, HHS Office for Civil Rights Director Melanie Fontes Rainer reminded providers and insurers to align their AI use with Section 1557 of the ACA, which prohibits discrimination based on race, age, sex, disability and other factors. This isn't just a polite suggestion. The law's affirmative requirements kick in May 1st of this year, compelling healthcare entities to proactively root out potential biases in their AI tools. That's easier said than done. Many organizations rely on third party AI systems with complex, opaque algorithms, making it tricky to peek under the hood and spot issues. Experts recommend auditing AI systems and ensuring diverse data sets during training, but even that's a tall order when the tech feels like a black box. And don't forget HIPAA. Fontes Rainier stressed that safeguarding patient privacy while navigating AI's complexities is non negotiable. Adding to the mix, HHS rolled out a 200 page strategic AI plan aiming to improve healthcare efficiency, equity and safety while addressing AI driven cybersecurity risks. Whether this ambitious vision survives a pending leadership change remains to be seen. For now, healthcare providers are urged to plan ahead because ignoring AI compliance isn't just legally risky, it might also hurt patients. After all, the ultimate goal is tech that heals, not harms. And that's the cyberwire for links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com this episode was produced by Liz Stokes. Our mixer is Trey Hester, with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Ivan. Our executive editor is Brandon Karp. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.