Sponsor (11:46)

Compliance regulations, third party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you've ever found yourself drowning in spreadsheets, chasing down screenshots or wrangling manual processes just to keep your GRC program on track, you're not alone. But let's be clear, there is a better way. Banta's trust management platform takes the headache out of governance, risk and compliance. It automates the essentials from internal and third party risk to consumer trust, making your security posture stronger, yes, even helping to drive revenue. And this isn't just nice to have. According to a recent analysis from IDC, teams using Vanta saw a 129% boost in productivity. That's not a typo, that's real impact. So if you're ready to trade in chaos for clarity, check out Vanta and bring some serious efficiency to your GRC game. Vanta GRC how much easier trust can be? Get started@vanta.com Cyber.

Dave Bittner (13:04)

Worried about cyber attacks? Cybercare from Storm Guidance is a comprehensive cyber incident response and resilience service that helps you stay prepared and protected. A unique onboarding process integrates your team with industry leading experts so if an incident occurs, your response is optimal. Get priority access to deeply experienced responders, digital investigators, legal and crisis PR experts, ransom negotiators, trauma counselors, and much more. The best part? 100% of unused response time can be repurposed for a range of proactive resilience activities. Find out more at Cyber Care Cyberwire. Ian Tien is CEO at Mattermost. I caught up with him on the show floor of the RSAC 2025 conference. In today's sponsored Industry Insights segment, he shares insights on enhancing cybersecurity through effective.

Ian Tien (14:14)

Collaboration and I am pleased to be joined here at RSAC 2025 with Ian Tien. He is the CEO of Mattermost. Welcome. Thanks for joining us here today.

Ian Tien (14:26)

Thank you so much.

Ian Tien (14:27)

Well, before we dig into our topic here, what is your impression of the show so far? Hasn't been open very long, but there's certainly a Lot of energy here on the show floor.

Ian Tien (14:37)

Yeah, it's fantastic. So seeing a lot of old friends, making new friends. Just love the energy of show. Love the, it's, everyone's got, you know, the late night events and the sort of early morning coffee. So everyone's, everyone's being a champ here. It's excellent.

Ian Tien (14:49)

So for folks who aren't familiar with the company, can you give us a brief description what you all do at Mattermost?

Ian Tien (14:54)

Excellent. So Mattermost is a secure communications and workflow solution for critical infrastructure. So think about anything you need in daily life. You need energy, you need security, you need defense, you need manufacturing. All those critical infrastructure industries need a different type of workflow and collaboration. And that's what we provide.

Ian Tien (15:12)

Well, let's talk about collaboration. Why is that so critical to the folks that you're helping out?

Ian Tien (15:17)

So if you have a mission critical situation, you have to run if the power is out, you have to run if the Internet is out, if you go down then, or if you're breached or you have an outage, then there's follow on effects for other systems and for society in general. So you know, if something has to work it's got to be built in a certain way where you can communicate even in sort of unforeseen circumstances.

Ian Tien (15:38)

Well help me understand how that plays out in the real world. Can you give us an example of how that collaborative network would apply in the real world?

Ian Tien (15:48)

Yeah, absolutely. So a lot of things right now are very interconnected, right. We've kind of moved to a software as a service and sort of international view and saying hey we're going to work with all of all these different SaaS providers and it's great because it's more efficient and you have like bigger security teams in these systems. But what happens is there can be outages of those systems and there's is downstream everyone's affected one if one system goes down, you know, all these other sort of like topple as well, then it becomes a real issue. And if you're mission critical you can't take that risk. I think everyone remembers the crowdstrike outage, you know last year which dot down airlines and you know all these display systems and communication systems. So, so that's an example. If you take critical infrastructure and if it stops working, you know like people can't move, you know, first responders can't act. So mission critical systems need a separate architecture. Very often on premise or managed by a partner that says hey this is if this main system goes down or is Breached, I can still operate and I can still respond to that emergency.

Ian Tien (16:48)

Well, I mean, speaking of which is, we're recording here today, just yesterday, major power outage in Spain and Portugal. Turns out it was not a cyber attack, but the downstream effects of something like that were really clear. There was telecommunications and travel and all those sorts of things. When you look at an event like that, what are your thoughts?

Ian Tien (17:09)

Yeah, absolutely. So we serve the energy space and very often you'll have electric utilities that have, you know, they'll use a prime, a general collaboration solution to like, oh, coordinate and hear some PowerPoint presentations and that's all fine. When there's a critical incident, it's the frontline workers, it's the senior managers and even the C suite that get real time updates that can marshal, marshal resources across the enterprise to really respond to that outage. And you can't do that if your primary system is running on the electric grid that has the outage. So you know, there's going to be the primary and then there's going to be these emergency alternate contingency systems. And that's part of a mature critical infrastructure organization is going to have that across the world. Here in the US domestically as well as international.

Ian Tien (17:55)

Are there common misconceptions or shortcomings that you run into when you're working with people? Is it fair to call them blind spots?

Ian Tien (18:04)

Yeah, so some folks, it's really about strategic, strategic foresight. It's like until you're in an emergency, like very often you can't foresee it. Right. So there's this concept of tabletopping your security procedures. You're saying, okay, here's a, here's a table. We're going to imagine what happens if certain things come to pass. And now you have to tabletop. Well, what happens if our primary communication system is breached or it has an intrusion? And what typically happens is you go on WhatsApp or you go on signal and you're like, okay, we have to respond. We can't use the primary system there. It has a potential intrusion. Let's take screenshots of our logs. Let's go use these systems to chat and communicate and get on calls. And what happens is, you know, you, you hopefully solve the solution. But you've gone, you've gone outside the main system for security, but now you've got all this information floating around on people's devices. If they leave your organization, there it goes. You might be secure, maybe it's got end in encryption, but it's not compliant because you have the data that's going to move around no longer under enterprise control. So those are kind of the blind spots and people and they're saying, okay, they don't see it until it actually happens. They don't see it until the primary system is compromised. And now they've got, they've got, you know, an emergency situation and there's had, they have a to do list of like, okay, we need to not do that in future, we need a secondary system, we need an emergency comms. And that's where, that's how this, this kind of space evolves. It's like, you know the, the saying is it's really the battle so scars that you have that really shape a lot of the critical destruction in the world.

Ian Tien (19:30)

Right, right, right. What's that old saying about calm seas don't make good sailors? Have you heard that one?

Ian Tien (19:36)

Yeah.

Ian Tien (19:37)

Well, and for you all, collaboration is not just the tools that you're providing for people. I mean you all collaborate with some of the biggest, most well known names in cyber.

Ian Tien (19:47)

Yeah, absolutely. So a lot of, we don't talk very, we work with a lot of nationalists to security and critical infrastructure. So a lot of the organizations that respond to critical incidents, that set policies that are really, it's really important for them to always be running. And also another aspect is to have complete privacy on their information. So we absolutely work with some of the largest, most important organizations in the world and it's so important for them to be able to operate and have full control of their communications and data and workflow.

Ian Tien (20:18)

Is there a part for things like open source software to play in this equation?

Ian Tien (20:23)

Yeah, absolutely. So open source is so important what we do because of its ability to adapt to any situation as well as be resilient and independent. So right now it's April 2025 and there's tabletopping right now happening around the world. I came from Tokyo, I came from Singapore, I'm in DC and there's table topping of world. What happens if we have supply chain disruption in our digital services? What if there's some ruling, you know, whether it's, you know, in different regulations that say hey, we actually have to be sovereign, how could we be sovereign? How do we have a supply chain that we operate that's going to be resilient for us? So matter most being open source and being in control, having our customers in control, they can see all our source code. They can, they can scan everything and understand hey, this is going to work, work for us no matter what is critically important. A lot. There's sort of this. The pendulum has kind of swung to more sovereignty and there's a mix. There's always going to be interdependence and SaaS services, but there's got to be a portion that you have full control over.

Ian Tien (21:22)

Right, right. And that visibility that you provide them with gives, I suppose, gives them a level of confidence they can trust. But verify.

Ian Tien (21:32)

Yes, and verify. To trust.

Ian Tien (21:36)

Yeah, yeah. What are your recommendations for people who are beginning this journey? They know this is something they need to pay more attention to. Maybe it's a little intimidating. What's the best place to begin?

Ian Tien (21:48)

Yeah, I think really, you know, it's table topping. Mattermost is open source. We've got our documentation fully open. We can show you reference architectures. You might use a reference architecture, you might use some other product, that's totally fine. Our biggest concern, competitor is actually custom built systems for defense and government, you know, for specific nations. And what we do is say you can build it yourself or you can use our platform, which is open source, which is highly configurable and maintained. We'll stand behind it. We're doing CVEs, we're doing catching and we have a roadmap that constantly delivers value. But the reference architecture and how you lay out your system for critical infrastructure can be used by anyone. So you can check out Mattermost, you can check out our open source code, you can decide if you want to buy or if you want to build.

Ian Tien (22:29)

Okay. All right, well, I think I have everything I need for our story here. Is there anything I missed, anything I haven't asked you that you think it's important to share?

Ian Tien (22:38)

Yeah, thanks. I think one realization that we've seen with our communities around the world is that all software is on premise and the cloud is a social construct created to trust operations and data to someone else's infrastructure. Okay, so the world is kind of realizing that and you're saying, okay, well, how do I think about, you know, the portion of my world which is outsourced in SaaS, which is fine, but everyone needs that portion that they have full control over. So I'll leave you with that idea is that, you know, this is the way that the world is going and I don't know if we're ever going to fully go back to 100% trust in outsourcing the complete systems for critical infrastructure structure.

Dave Bittner (23:19)

Oh, interesting.

Ian Tien (23:20)

All right, well Ian, thank you so much for taking the time for us today.

Dave Bittner (23:23)

Yeah, thank you so much.

Ian Tien (23:23)

It's a pleasure.

Dave Bittner (23:25)

That's Ian Tien, CEO at Mattermost and finally at pwn to own Berlin 2025 Cybersecurity talent took center stage with over $1 million awarded to ethical hackers who uncovered 28 zero day vulnerabilities across a broad spectrum of technologies. Hosted by Trend Micro's Zero Day initiative, the event celebrated the skills of white hat researchers who earned $1,078,750 for exploits targeting systems from AI platforms to virtualization software. Making history STAR Labs SG scored the competition's largest single payout for the first ever VMware ESXi hack. They ultimately walked away with $320,000 and the win AI was featured for the first time with $140,000 awarded for hacks on tools like Nvidia's Triton inference server. Mozilla responded swiftly to $50,000 worth of Firefox vulnerabilities, issuing patches the same day. The event was a powerful reminder of the value and necessity of ethical hacking in today's digital world. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show every week. You can find Grumpy Old Geeks, where all the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. Were mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Ivan. Peter Kilby is our publisher and I'm Dave Buettner. Thanks for listening. We'll see you back here tomorrow. Hey everybody, Dave here. I've talked about Delete Me before and I'm still using it because it still works. It's been a few months now, and I'm just as impressed today as I was when I signed up. Deleteme keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved, knowing my privacy isn't something I have to worry about every day. The Deleteme team handles everything. It's the set it and forget it peace of mind. And it's not just for individuals. Deleteme also offers solutions for businesses, helping companies protect their employees, personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal. 20% off your delete me plan. Just go to JoinDeleteMe.com N2K and use promo code N2K at checkout. That's JoinDeleteMe.com N2k code N2K.