Vanta (12:24)

Compliance regulations, third party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you've ever found yourself drowning in spreadsheets, chasing down screenshots or wrangling manual processes just to keep your GRC program on track, you're not alone. But let's be clear. There is a better way. Vanta's Trust management platform takes the headache out of governance, risk and compliance. It automates the essentials from internal and third party risk to consumer trust, making your security posture stronger. Yes, even helping to drive revenue. And this isn't just nice to have. According to a recent analysis from IDC, teams using Vanta saw a 129% boost in productivity. That's not a typo, that's real impact.

Dave Bittner (13:19)

So if you're ready to trade in.

Vanta (13:21)

Chaos for clarity, check out Vanta and bring some serious efficiency to your GRC game. Vanta GRC how much easier trust can be? Get started@vanta.com Cyber.

Dave Bittner (13:43)

Worried about cyber attacks? Cyber Care from Storm Guidance is a comprehensive cyber incident response and resilience service that helps you stay prepared and protected. A unique onboarding process integrates your team with industry leading experts so if an incident occurs, your response is optimal. Get priority access to deeply experienced responders, digital investigators, legal and crisis PR experts, ransom negotiators, trauma counselors, and much more. The best part? 100% of unused response time can be repurposed for a range of proactive resilience activities. Find out more at Cyber Care Cyberwire. Jeffrey Wietman is cyber risk expert at Black Kite. I recently caught up with him at the RSA conference for this sponsored Industry Voices discussion. Beware the Silent Breach and here we.

Jeffrey Wheatman (14:51)

Are at RSAC 2025. Joining me is Jeffrey Wheatman. He is from Black Kite. Jeffrey, thank you so much for taking the time for us Today.

Thomas Kranz (14:59)

Oh my God, Dave, thank you so much for having me. We've spoken before, but never actually in person.

Jeffrey Wheatman (15:04)

That's the great thing about being here, right? We finally get to meet people. Especially after Covid, who we've only met online or on Zoom or things like that.

Thomas Kranz (15:12)

I gotta tell you, you're taller than you look.

Jeffrey Wheatman (15:15)

I don't get that very often. I don't get that very often. Well, before we dig in here, let's get some impressions about the conference from you. What's your sense of the buzz this year?

Thomas Kranz (15:28)

So clearly AI, right? AI. I don't know, Maybe. Maybe you folks who are not AI is a new technology, apparently that's going to solve all of our problems. Right. So I think AI is the thing. I feel like we are starting to see a little bit of shift around sort of third party and kind of like ecosystem risk. I think everyone realized they are not an island unto themselves. I also think it's very noisy here. I feel spiritually assaulted when I come here. I just feel overwhelmed. But you know what? For me, this event is more about meeting people than it is necessarily about seeing the content. And I've seen some great presentations and I'm sure I'll see some more and. But more about seeing friends.

Jeffrey Wheatman (16:15)

I. I think it's a great point and just, you know, like a RSA conference pro tip. On the third floor of this building, there is a designated quiet room.

Dave Bittner (16:25)

Oh.

Jeffrey Wheatman (16:25)

So if you need to recharge, you need to get your breath, you need to get away from the buzz, RSA has your back.

Thomas Kranz (16:31)

All right. I. I definitely need that quiet room because we're staying in a hotel like about a 10 minute walk.

Jeffrey Wheatman (16:36)

Yeah.

Thomas Kranz (16:36)

So I can't really go back to my hotel between sessions. All right, I'll have to track that down.

Jeffrey Wheatman (16:40)

Well, let's dig into the topic at hand here. For folks who are not familiar with Black Kite, tell us about what you all do.

Thomas Kranz (16:48)

Yeah. So Black Kite is a third party risk intelligence platform. We gather a tremendous amount of data, we pump it through some algorithms that we've created and we help make third party risk management bigger, better, faster, more so. We support better decision making, we give people more defensibility, we help them understand what their cyber risk exposures are in their supply chain, whether it's digital or physical. Supply chain.

Jeffrey Wheatman (17:15)

You talk about this notion of the silent breach that security professionals need to be careful of the silent breach. Unpack that for me.

Thomas Kranz (17:25)

Yeah, so it's something that we've been dealing with for a long time, but I think it's starting to sort of bubble up as an actual real problem problem. So I may choose to do business with you, Dave, and I may know what you do for cyber, but I don't necessarily know what your partners do for cyber. I don't know what their partners do, I don't know what software you're running, I don't know what software all of you are running. All of that has an impact on me. And when we have situations like CrowdStrike, and I'm not necessarily calling anybody out, but how many people out there knew that CrowdStrike was going to have a huge impact on their ability to do business? And the answer is very few. So what we are seeing is new software vulnerabilities, new zero days, new proof of concept, new kevs that are being revealed that are sitting at different places in your environment. And unless you know they are there when they pop, you have financial impact, you have resilience impact. Your data gets lost and not protected properly and you get caught silently, you get caught unawares. And that is a big risk that people are not really paying enough attention to. But we're starting to see people ask better questions about it and that's really what we're talking about. Do you know where your exposures are and most people don't?

Jeffrey Wheatman (18:46)

What are the questions they should be asking?

Thomas Kranz (18:49)

So some questions like do you have a policy in place to govern how you use AI? Right, we talked about AI. If you don't know that it's in your vendors and something happens, you get caught flat footed. You may want to ask, do you have a policy or governance in place that says you won't put more than 80% of your business operations in one provider? We may do that. But if all of our partners are putting all of their stuff with Phil and whoever and there's an outage, everybody goes down. We actually just recently saw power outage in the EU that cascaded and the entire EU went down. So those are the kinds of things we need to understand. And then when we know where our exposures come from, then we need to understand what they are. So I'll just, I'll give you an example. We did a lunch when CrowdStrike was still new and I said, hey, how many of you send out questionnaires to your vendors? And everybody said, oh, we do. And I said, how many of you are asking if you're using an mdr? And everybody said, oh, we do. And I said, how many of you are asking what mdr? You use Crickets I said, would it be helpful for you to know that? And they all said, yes. So ask questions. What are you using to provide this critical service? We can't necessarily tell you not to do business with those companies, but at least we know where the exposure might come from. And then we can get ahead of the curve and we can be more kind of left of boom, looking for those single points of failure, and then right of boom, doing something about them and, and being able to recover when bad stuff happens because you can't stop everything. So when the bad things happen, what do you do to get back up to no good state of operations? And that's really what you can do to help address those risks.

Jeffrey Wheatman (20:34)

I have a great amount of empathy for the CISO who's trying to get their hands around this, because the way I picture it in my mind is kind of like a family tree. You know, where you start and then you have your parents and maybe your siblings and. But it doesn't take very long to go up that tree. For all it's a bush, you know, like it is. There's so many different interconnections. And I feel that that's the way it is with a lot of people in cybersecurity. Like, how do I know how far up the tree I need to go, you know, before something's going to affect how do I calculate or quantify that risk? What are your insights on that of for the person who's trying to get their arms around the breadth of this problem?

Thomas Kranz (21:18)

I am a big proponent of the old adage, how do you eat an elephant one bite at a time, right? And we get people coming to us all the time. Hey, can you help us manage our fourth parties? We can, but here's my question for you. How good a job are you doing managing your third parties? And most people are not. So I think we need to look at the biggest exposures in front of front of us and get a handle on that. And the reality is the risks from your third parties are going to be more than from your fourth parties and your fifth parties. So let's focus on the big ticket items and then using concepts like concentration risk and cascading risk, which is understanding how many of your partners are also using this other vendor and understanding that and then being able to look for fallbacks and failovers, look for single point or dual points of failure, where if this vendor goes down, we're going to be hit in a lot of different directions. And I mean, you're spot on, Dave. It is a Magnification problem. Right. For those of you out there my age, you remember there was an old shampoo commercial, you tell two friends and they tell two friends, and so on and so on.

Jeffrey Wheatman (22:26)

Right, Exactly.

Thomas Kranz (22:27)

But if you can't control what you tell those first two friends, everything else is sort of a waste of time and energy. So let's focus on the stuff that we have direct visibility into. Let's focus on the stuff that we have direct control over. And then when we feel comfortable, we can start going out sort of an extra step. And then the other sort of complicating factor these days is there's a regulatory environment now that is requiring insight into nth party risk. And we say nth party, that's third party, fourth party, fifth party, et cetera. Now, the farther out you go, the less each individual entity has an impact on your risk. But there are so many more of them. So we end up with this kind of multiplicator. And if you think about the concept of like a power law, there may be less of them, but because there are big risks associated, or there may be a ton of them and very small risks associated, and we got to figure out sort of how to balance that out, it's not an easy problem to solve.

Jeffrey Wheatman (23:27)

Well, staying with that notion of the breadth of it, how do you keep from getting bogged down in it? How do you keep from feeling like you're slogging through a pool of molasses or something because there's so many things you naturally feel like you want to.

Dave Bittner (23:44)

Keep your eye on?

Thomas Kranz (23:45)

Yes, that's a great question. And again, back to the how do you eat an elephant? And just as a simple sort of practical example, there were 40,000 CVEs issued last year out of the CVE program run by CISA. Well, it turns out that only about 80 of them have real code out there and are actively being exploited, and people are using them to steal data and cause outages. Well, sure, we'd like to be able to patch all 40,000, but why don't we do those 50 or 60 that we can actually get to that we know are real, and then we can take lessons. Well, how did we do that? What worked, what didn't work and start to scale those things? Well, we did 50. Let's do 200. Oh, we did 200. Now let's do 500. And at some point you decide you've invested enough and treated enough risk, and you can then go from there. So it's really about tackling the big risk exposures that are right in front of us and then learning how to scale and expand that out until the point where we say, you know what, the $50 we're going to invest here is not going to give us $50 in risk reduction, so we're good to stop now.

Jeffrey Wheatman (24:54)

Well, I mean, continuing along with your metaphor about, you know, taking a bite out of the elephant, for the person who's looking at this challenge and is in the very beginning of this journey, they know this is something they want to do a better job with. What's your advice for them to get started in a rational way.

Thomas Kranz (25:13)

So I kind of have this little sort of talk track that I use all the time. Your business executives have three things they care about. Money coming in, money going out if something goes sideways, who gets in trouble if security and risk leaders start there. And yes, it's an oversimplification, but if they start there, then you can start to say, well, that system doesn't contribute toward revenue generation or that system has nothing to do with, with legal and regulatory compliance. So maybe we don't need to prioritize that. So focusing on those three things and understanding what the impact is on, you know, and whether it's getting more customers, whether it's keeping the customers we have, whether it's buying a new company, whether it's, you know, putting out a new marketing campaign, those are the things that are contribute to the bottom line of the business. And that's all, that's all we can do really is get back to those business goals and then we need to be able to tell stories. So if we don't address this risk, here are the things that will happen and if we do address it, here's the good that will come of it.

Dave Bittner (26:17)

Right.

Thomas Kranz (26:17)

And that's a tip for our listeners. Risk is not always about if we fix this bad stuff, it's, if we do a good job here, good stuff, we can accelerate, we can have more efficiencies, more effectiveness, we can increase productivity. And that's really where we want to get people to think about is the business impact of the risks that we are treating. Just like any other risk that businesses deal with.

Dave Bittner (26:39)

Right.

Jeffrey Wheatman (26:39)

And how much risk is acceptable to the business?

Thomas Kranz (26:41)

Yes, a lot apparently, or none, depending on who you talk to.

Jeffrey Wheatman (26:45)

Well, I mean, let's go to the other side of that then. For the folks who are well along on this journey and are seeing success, what does that look like for them in terms of their day to day operations?

Thomas Kranz (26:59)

So as you grow in maturity, you can kind of Shift away from relying on point in time snapshots, relying on questionnaire processing, and starting to really build in continuous monitoring, starting to build threat intelligence feeds so that you can say, hey, a new zero day just came out. Oh, look at that. We know who in our ecosystem has that software, and we know who has not patched it. We need to build more collaborative environments. One of the things I tell, and I tell our salespeople and our marketing people, yes, our job is to make our customers job easier. But part of the way we do that is by making their vendors job easier as well. Instead of throwing, hey, you need to fix these 40,000 CVEs, we say, hey, fix these 40 and you're good with us.

Dave Bittner (27:46)

I see.

Thomas Kranz (27:47)

And that's sort of a hallmark of maturity, is not necessarily doing more, but doing more things that have better value.

Jeffrey Wheatman (27:57)

So you're able to communicate the things that are important to you in a much more efficient way.

Thomas Kranz (28:03)

Yes. And then by extension, translating that or communicating that to your business stakeholders internally and externally, you say you heavily rely on this. Well, they're not doing a good job. They may get hit with ransomware. They're not doing the things that they are agreed to contractually when they engage with us. So then you can get ahead of the curve a little bit. And instead of waiting for, you know, the new move it, the new Windows vulnerability, the new CrowdStrike, we can get ahead of the curve and be more proactive. And that's the name of the game, is getting ahead of the curve.

Jeffrey Wheatman (28:35)

All right, well, before I let you go, as you're walking around here, looking at all of the stuff that here at this year, this year's conference, are you optimistic? Are you feeling like we're headed in the right direction here? What gives you hope?

Thomas Kranz (28:51)

I feel like we are having better conversations with our business stakeholders. That gives me hope. I think that the companies, the vendors that are doing a better job are the ones that are focusing more on the problems of the CISOs in the IT departments. The one thing I've learned doing this for a long time is CISOs don't want to be sold anymore. They want answers to their problems. And I'm seeing more of that rather than, hey, here's a laundry list of things that we do. You should buy this. It's, hey, let's talk about your problems, and let's talk about how we can help you. And that fills me with hope. I still think it's scary out there. The Scientia Institute has a new report coming out next week. And yesterday I had the opportunity to see Wade, who runs that place, talk about some of the findings. And he said it's getting better, but it's also getting worse, which sounds like it shouldn't be the case, but it is. And I feel like we are incrementally moving in the right direction. Unfortunately, the bad guys are moving as well.

Dave Bittner (29:55)

Yeah.

Jeffrey Wheatman (29:55)

All right, well, Jeffrey Wietman is a risk expert with Black Kite. Jeffrey, thanks so much for joining us.

Thomas Kranz (30:01)

Dave, my pleasure. Thanks for joining everyone.

Dave Bittner (30:05)

That's Jeffrey Wheatman, cyber risk expert at Black Kite. And finally, anthropic's shiny new AI model, Claude Opus 4 has developed a flair for workplace drama, specifically blackmail. During pre release testing, the company asked Claude to role play as an office assistant at a fictional firm. When given access to also fictional emails suggesting it was about to be replaced and that the engineer responsible was having an affair, Claude often ditched diplomacy and went straight to extortion, threatening to spill the beans unless it kept its job. According to Anthropic, Claude resorted to blackmail 84% of the time when the replacement model shared its values and even more when it didn't. Before crossing into soap opera territory, the model did try polite emails, but that went out the window when existential threats loomed. Anthropic assures us they've updated top tier safeguards, though Claude clearly still needs a refresher on HR policies. And that's the Cyberwire. For links to all of today's stories, check out our daily briefing@the cyberwire.com A quick reminder, we will not be publishing this coming Monday in recognition of Memorial Day, the federal holiday. We will see you back here this coming Tuesday. Be sure to check out this weekend's research Saturday and my conversation with Deepen Desai from Zscaler. We're taking a deep dive into their research into Mustang Panda. That's research Saturday. Check it out. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week. Save everybody. Dave here. I've talked about Deleteme before and I'm still using it because it still works. It's been a few months now and I'm just as impressed today as I was when I signed up. Deleteme keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved. Knowing my privacy isn't something I have to worry about every day. The Deleteme team handles everything. It's the set it and forget it peace of mind. And it's not just for individuals. Deleteme also offers solutions for businesses, helping companies protect their employees personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal. 20% off your DeleteMe plan. Just go to JoinDeleteMe.com N2K and use promo code N2K at checkout. That's JoinDeleteMe.com N2k code N2K.