A (5:04)

Yes.

C (5:04)

So they have to review them and they have to make sure they're accurate. So that step, that last mile of review and validation and verification is so important. Now, will we come to a point where there's a governance agent governing the other agents? Right. Because this is all going agentic. Right. And how, what level of autonomy will we give these agents? Full autonomy or maybe, you know, partial autonomy. I think we're going to have humans involved with AI for, you know, the next five years or so until we work through the kinks. Some industries will probably adopt it sooner. Warehouse applications and things where, you know, the risk is low. And then some, like healthcare, will adopt it, you know, a lot slower in a lot more deliberate and practical. Does that, does that help? John, I know it's a great question you asked. It's just such a. It does.

B (6:03)

But, but, but you're making me scared now, right?

C (6:05)

Like, like you should be scared.

B (6:07)

This ambient listening thing, right. Like, like if there's an engagement going on, like.

C (6:13)

Yeah.

B (6:14)

How, how do you differentiate then like sarcasm and just like facial expressions, like.

C (6:20)

There'S a lot of communication. That's right. That's, that's why, you know, you go slow with the adoption. You recognize like for example, templates like what, you know, every doctor has a different approach to putting the data into the ehr, into the notes. I want it in my template. I want my language being used. I want my, you know, my inflection, you know, I want to understand the sarcasm from the actual diagnosis. Right, yeah. Those are all tunings that have to happen throughout that process as you get it. Right?

A (6:53)

Sarcasm. John, who has sarcasm and doctor conversations?

C (6:57)

Come on, sarcasm is human. You're not going to see sarcastic robots anytime soon. Thank you.

B (7:03)

I mean, who knows what they're asking?

C (7:07)

It's Soylent Green, John. It's people.

B (7:10)

Exactly. So how do we tie all this together? Right? Like, like we have all of these different security things. We've talked about AI and everything else. This all needs to end up in your overall enterprise risk framework and process. How do we pull it together? What are the risks and what happens if we fail to do that?

C (7:32)

Yeah, the biggest. And again, this is pan industry, right? So, but, but healthcare in particular, because that's, that's what we're, that's what sense and IFO focus on. You know, it has to be transformative. We can't approach the risk process landscape with the same assumptions that we did a decade ago. Right? So a decade ago or longer, systems changed three, four times a year, max. So this point in time risk process was necessary and sufficient. Today, a SoC2, by the time it's published, it's not a date, Right? Because it's a process of 140 controls and you've got to have evidence. And as you're doing that again, your system is changing. And so by the time it gets published, what you looked at and what the controls you looked at may have been affected based on the change, the scope of risk changes. What we've looked at risk, we've had the luxury of looking at risk. A decade ago, in that point in time frame, we could do a high trust audit, we could do a NIST CSF audit one time, we could do. And we could, every couple years we could reassess somebody, right? Because the state of change and the rate of change was manageable. Now that all bets are off, right? So you still need those certificates, you still need those processes and audits, right? But that becomes evidence into your overall program and posture. Necessary but not sufficient. And so we try to stress to individuals that are on this journey, on this path is a. You really have to look at this through a transformative lens. You have to take not just the technology. And if you just are looking for a tool to solve all your ills, you're never going to get there, especially in risk management. Risk is hard, it's difficult, it's complex. Right. It's people. But so then you have to think about it holistically across that trinity of tech, people, process technology. Right? You have to harmonize those three things as you're adopting new technology and new approaches. If you're just taking our tool, for example, and I tell my customers all the time, if you're taking my tool to solve a problem and you have certain outcomes that you're assuming and you're not looking at your people and you're not looking at your processes, you're not going to get the outcomes you desire. Because this is transformative. We're changing the way you think about risk. In the past, one and done. Now we're looking at it across the life cycle, from cradle to grave and every point in between. And I adopt a product out of the box, I know what the risk profile is, but then I bring it in and I configure it and I integrate it changes the scope and the profile. And then maybe two years down the road, I didn't have PHI Protected Health Info or PCI involved in that application. And then the usage change, and now it's in there. My risk profile needs to be updated. I need a business associate agreement now with that vendor, because they've added PHI Protect the Health Information in there, which is a specific class regulated under hipaa. Right. So there's so many opportunities for this to change, which means the way we approach risk has to change as well.

A (10:58)

Asking maybe a tangential question here, because it makes me. And I know this is a topic that comes up from time to time in terms of, let's say a cyber security or risk scorecard. Right? So when you. It would be a rating, right, that you would have kind of like food. You know, it always thought I lived in New York sidebar for like 15 years, and when Chick Fil a came, they had like a C rating on the restaurant, which is not good, but nobody cared. That line for chicken was around the block. But you know what I mean? It's an interesting way to kind of gauge. I'm willing to roll the dice for Chick Fil A, maybe not so much for this, this other vendor, but, you know, is that where we're going, we need to go. Or you know, what's even the viability of some kind of system like that? And I'd just be interested in your perspective.

C (11:47)

Sure, yeah. So there are, there are approaches, there are technologies or vendors out there that provide, let's call it a, let's call it a credit score for risk. Right. So I get this credit score, you know, 800. What does it tell me? Really?

A (12:05)

Right.

C (12:05)

It tells me at the point of time I scored an 800. Right. But just like credit scores, they change all the time. Right. So this notion of life cycle continuous monitoring is really important. Also they're looking at those types of security scanning score, scorecard applications. Right. They're looking at the organizational risk profile from the outside in. What can I see on the dark web? What can I see from the systems that they're representing to the outside world? Right. And then I create some type of risk profile and score and that gives me one dimension of risk. But I'm not, I'm not taking the organization and putting it into my health system and using it. I'm taking their product or products. So I really need to understand the product risk. And so that's a different type of risk that requires a different approach to risk management. You need both. Right. Necessary. But what's sufficient to get a real understanding of that risk over time?

A (13:14)

Yeah, it would be a tricky one. I mean given, right. The landscape and scope of risk, it's different for everyone and your appetite for risk is different. And it would be difficult to have like a universal system. But I just think it's an interesting thing.

C (13:29)

It's very complex and people have looked for the equivalent of a UL rating. Right. Which, okay, great. I would love to have a UL rating, but it's a plug with well understood standards that don't change. Could you imagine having a UL rating and all of a sudden you got AI coming in, all bets are off on your UL rating.

A (13:52)

It sounds preposterous. Yes.

C (13:55)

I think, I don't think it's possible, quite frankly. And I've been spending a lot of time thinking about it. I think there's certain things that you can certify as indicators, but I don't think you're going to get a real true risk profile because things change so dramatically. I mean, every two weeks we have this flywheel where we work with our customers. They help us identify opportunities to consolidate on the platform. And every two weeks we push out features. They might be fixes to existing features, but mostly they're new things. That we hadn't thought about initially. But now we have this customer interaction and they're feeding us. And so this. Every two weeks, they're getting new things. Right. Can you imagine trying to manage risk for that? Like, it's hard, right? And so if I do a SoC2 and we're in the middle of doing a SoC2, so, I mean, we have to do it because, okay, we'll do it. It's a good thing to do. It's good hygiene. But like I said, by the time that thing is published, we've already gone through probably another 10, 15 releases on the product. So I think those things are good to do. It also shows the discipline in the organization and the organization's ability to do those things, which is, again, is a good indicator of what their security profile looks like. But don't be fooled by simple numbers. And I remember when I first started this journey, one of the customers I was working with says, oh, we just ran your. Your risk. We did a security scan on. On your company. And you came back and. And you got an A. You're great. You check. I'm like, what? And I'm like, what? Can I see that? And I read it and I went through the document. I'm looking. And now we. Of course. Cause we're a risk company. We pro. We knew. I knew what my risk was, and it wasn't good. Cause I was a new company, and we were just building on our risk program and our security program, and we represented that to customers. I didn't want to give them a false. Hey, look, we're. We're an F here, but we're, but we're going to fix it.

A (15:59)

Right? Right.

C (15:59)

So. But we're going to give you that transparency always. So you know what you're getting. Because if I lie to you, it's never going. It's not going to help anybody in the long run. And I found early in my career, if you're honest with customers and you tell them, some of them will say, you know what? We'll come back to us. But most of them will say, wow, thank you. We'll work with you. You know, we'll make sure we hold. We'll hold you accountable to what you're telling us, but we'll work with you. And, And I just laugh at that rating because it's like, we're not an A. Like, I know I'm not an A. And that's what I started thinking about this whole. This whole question about certificates and audits and how realistically Are these, you know, how effective are these longer term?

B (16:41)

So how does this stuff fit in to. With, you know, we. Your the generally accepted principles for cybersecurity. Is there a connection here on, on trying to fill in the expectations here of cybersecurity?

C (16:58)

Yeah, that's a great question. So I write articles for the Forbes Tech Council and I'm always thinking about things that could make life better for security analysts and risk analysts and things. And first and foremost, I think risk and security should be a board level topic and at board level responsibility, actually. Just like you have a finance committee and you have an audit committee and you have a comp committee committee, you should have a cyber committee and you should hire board members that have cyber experience.

A (17:30)

Yes.

C (17:30)

And you shouldn't delegate that down, quite frankly, to the teams to come and present because A, there's always an impedance mismatch between the ciso's world and the world of the board. Right. And sometimes you get, you know, you get really great CISOs that figure it out and understand how to communicate, but most often there tends to be that friction and that struggle between, what are you telling me? What's mfa? What am I doing? So I think if we made it more mandatory, then we would make strides in understanding at the board level, which would help it with investments, would help it looking at gaps, it would help it look at where, benchmarking where we are from our program relative to peers. So we could say, hey, we're spending too little in this area. All of our peers are spending, you know, 4%, we're spending 1%. Right. So let's have a conversation now about resources and the business risk through the lens of the business. That's why this whole point about business process and critical function mapping is so important because boards understand those things well. Right. So as it relates to gap cities, I had a conversation with a CISO from an insurance agent from an insurance organization, a payer God, three, four years ago and we were having sushi together and we were talking about this idea and having a framework. If I want to look at an organization that's public today, I can go to Edgar, I can go to their investor portal and I can pull down their 10q to 10ks, I can pull down their 8aks, I can pull down all of these different forms and filings to make a decision about the organization's financial posture or risk. Right. When I do an S1 for a public offering, there's a huge risk section. Right. And, and usually cyber security is in there as a as a line item gets spared. But there's all these other risks, right, that help me really understand whether or not this is a good investment long term or not. Right. Wouldn't it be nice if we had a standard way to communicate risk and a standard way to drive the accounting, if you will, of risk and cybersecurity across all industries? That's what GAPC is about.

A (19:58)

It's interesting.

B (20:01)

I like where you're going with this. And how do you then, like, how do you pull in like the outputs of like a SOC audit and everything else to get it to the level that needs to be disclosed. Right? Because right now, like to your point, like you look at the filings and you don't get that data companies don't necessarily want to give out their SOC 2 reports other than, hey, look, we, we passed, right? Like what do you envision that output being? Like, what level of detail?

C (20:33)

Yeah, it's a great point. I mean, I think that that's the journey, right? We'd have to go, we'd have to get together, we'd have to run it through a process to get to a level of understanding and reliability and predictability. Right. And repeatability across the industry and that, you know, that takes time. So it doesn't really matter what I think, it matters like what's possible. But the areas that I identified in the article, you know, they're all the standard areas that we talk about. Identity and access, management, threat detection, incident response, recovery. And I think there's a way to again represent some level of detail that gives you an idea of where that organization is and understanding the processes, procedures, protocols, people, right, that are involved in the back, you know, in the back office, if you will, doing the jobs, right? So you could have, you could have a credit like score for all those different categories and that would be an indicator of, wow, everything is 600 where it should be 750 or 800. Now we understand the detail behind that. It's just not an arbitrarily number. So all of that has to be published. The algorithms, the approach to getting the score, what the score means, right. All of that has to be transparent. And with that transparency then we have understanding and then we get repeatability and then you get GAAP and you get non gaap, right? So even in finance and treatments of finance and auditing and how you reconcile revenue and how you treat expenses, right, you have a gap number and then you have a non GAAP number. You could have a non gaps, the cybersecurity view of the world. Too.

A (22:28)

Right.

C (22:29)

So, but I think, you know, Gap C took time to get to. I'm sorry, GAP took time to, to get to where it is today. It wasn't just out of the box. We learned a lot, we made some changes. Right. It was a journey, but it was backed by a process and a set of procedures and a third party approach, if you will, that managed the overall framework and the requirements to support it. Which is why you get non gaap, because people like, well, we want to treat it differently. Okay, great, you can treat it differently, but you have to, you have to report it as non GAAP accounting. Right. And I think that's a good way to think about it because then you get the best of both worlds. But there's a lot of upfront work and I'm sure, you know, you get two cecils in a room, you're going to have, you're going to have agreements, you're going to have disagreements, you're going to have arguments about things that are important, not important, et cetera. Which is, you know, which is why I love, I love this space so much. It's so rapidly evolving, changing. There's so much opportunity to, to make a difference today. And wouldn't it be great in, in five years if we had a GAPSI that we could report on and every public company reported on it? I love it. Amazing. And then, and then you, you did your regular updates on it too, just like you do with your quarterly reports. You have your financial section, you have your gap C section. I could look at the cybersecurity reports. So anyway, that's the vision.

A (23:53)

I love it. Kind of thinking all these changes too. When you talk about evolving, kind of coming back to leadership, it's always an interesting conversation. It's not if it's when an accountable leadership. And now we're seeing boards of directors having fiduciary responsibility if something happens. I mean, as you look kind of ahead at leadership roles evolving and certain skill sets being required and how do we need to be thinking about these leaders and particularly those who can drive in this world of so many unknowns, but where security is just so critical and so many cracks in the system, it'd be very difficult to navigate, I think as a business leader or a board of directors. What are your thoughts on that ahead in terms of, of that evolving?

C (24:45)

Yeah. Wow. Was that one question or like five?

A (24:48)

I think it was like five. Yeah.

C (24:55)

Yeah. You know, someone recently, on this topic of transformation, someone, someone recently said transformation requires leadership.

A (25:03)

Yes.

C (25:03)

Right. And so, and leadership is Hard, right? There's books and, you know, consultants and you got McKinsey and all these different consultants that, that are always thinking about leadership and always writing about leadership. And, and so, you know, the first step is to acknowledge the problem, right? So you can't recover unless you acknowledge as an issue, right? And so the first thing is, and you know, it's like anything, you know, there's so many things that boards and directors have to manage today. The last thing they want to do is take on more, right? So there's this natural friction between doing the right thing long term for the business and industry and then doing what we can do based on those things that are in front of us. So it does take this forward looking approach in leadership to really drive change. And you know, I just think things would be more transparent. We might actually start to level off the trend line of breaches and ransomware events and other events over time if we collectively collaborated in a way that we could truly be stronger together. But that takes leadership, right? And so no individual is going to say, oh, pick me up, right? So the government has a role there. The government through regulation can drive that change, which is good. We're in a, you know, we're in, we've just changed administrations, right? And this administration is anti regulation. So there was a change underfoot to modernize the HIPAA rule to include a lot of these things that we've been working on collectively through the private and public partnerships of HHS and CISA and others. And I've been part of that with other leaders at different health systems. And we were getting close to making a pretty significant change. And then the administration changed and you know, we're sort of delayed, right? So we're on hold. Which again, just to change even a regulation like HIPAA is like moving a mountain. It really is and it exists, right? So, so imagine trying to take that same level of accountability and drive change at the board level or at the senior leadership or executive level. Really hard to do. And no one. You know, I used to say this early on when I first got into cyber security. One of the learnings is nobody wants to be the most secure. It's unfortunate, but nobody really, they're going to do enough to check the box and to do what they need to do to get back. Because it's human nature, right? It's like there's some of us that are dreamers and some of us, but. But then there's everybody else, right? Everyone else is gonna go like, I got so many other things I Gotta do, let me just get through this. And, and, and so that, that notion of checking the box is so critical because you could have a great idea, but the market says yeah, that's a great idea, but I don't need that to solve this problem. I just need to check the box. Right, right. So I mean, would be, wouldn't be a great idea if we put security controls around data. Right. That would be great. Right. I did that, you know, back in 2002, 2004 and then SOC, the, the, the, the, the Sarbanes Oxley and the California CASB law came out around data protection back in, I think it was 2022 or 2023, July of that year. And I thought, oh wow, this could be great, great driver for my business. And then it's like, yeah, checkbox is full disk encryption. That's how we're going to solve it. Doesn't really solve it, but it checks the box.

A (29:00)

Right, exactly.

C (29:01)

Yeah. So these things aren't always aligned. Right. So I don't know, I think that the problem is big enough though and I think that people are trying to solve the problem to their advantage through their lens. Right. The UL label is one good example of that. Right. There's a whole people believe that they can just, you know, create a certificate or a UL rating or something that's going to solve, Sorry folks, it's not going to work. Risk is too porous. It's just not, it's not as binary, it's going to change. So that'll be a checkbox and you won't solve the problem.

A (29:41)

Right.

C (29:41)

And so if you look at the data, the data is still up and to the right with breaches and attacks and everything else. And now with AI and I, I've been saying this, I'll say it again, it's been eerily quiet on the western front, if you will, of, of data breaches and attacks. Now we're, we're seeing some interesting things. We just saw the end the npm, the, the packaging vulnerability that just hit. And so, you know, we're going to see things like that at the supply chain level. But I think this is what I posit, I think the bad folks that have been organizing over the last five years or so, that's been the big change there. Hackers were independent, some were kids, some were, you know, a little more nefarious. The last five years they've organized, they become organized criminals, they become mafioso, if you will, electronically. That changed the paradigm, that changed the attack surface, that changed the way that they, they hit folks, they changed, they, they became microservices, if you will.

A (30:49)

Right.

C (30:49)

I'll create the worm, I'll go collect the money, the bitcoin. I'll do this, I'll do that versus one person doing all things. So now you get scale. Okay. The other thing that's changed is AI. So to the point, quiet, what's going on, there's going to be something big I think because it's been too quiet and the level of change, technology technologically is such that you would expect more attacks right now you're not seeing it. So that, that, that says there might be some organization, organized organization going on here and you know, they're getting ready and at some point it's going to be bigger than we've ever seen. So we'll see. Hopefully I'm wrong. I, I hope, I hope I'm wrong.

B (31:34)

Do you have a theory on what that risk is like? Like, I'm concerned about embedded things in some of these AI models being trained where we can't see it. And you don't know what are the things that are keeping you up at night.

C (31:49)

I, I think the risks that hit, hit so like a Change Healthcare hit 80% of the health, health industry. And, and the big. And it was interesting because there's this, there's this software bill of materials concept where I've got software and I have a bunch of supporting elements, libraries and such that come from third parties. And that's risky. And we've seen events happen at that level. Log 4J is an example of that. Right. And that affects many, you know, that's a one to many effect. That's a nice blast surface for the bad, the bad guys. Then you've got the vendor bill of materials, which is a concept that, that me and another mother guy at dinner created where it's like a software bill of materials, but it's about the vendor and the vendor's concentration of products and technologies. And so the example of change is oh wow, we just saw that change got hit and we don't use that product, so we're good. And then two days later, oh damn, we do use that product. They acquired it. We didn't know that it's part of change. We're in trouble. And then like a day later, and this is the big aha. We only have so much money on the balance sheet. We only have so much working capital. We only have so much money to keep operations going for a couple of weeks, not months. Right. So you know, you talk about that safety, you know, money that you have as an individual, you want a couple months of money in case something bad happens. Like many of these health systems had weeks of capital to operate and that becomes a big wake up call. So that blast hit a lot of people quickly. Now we reconciled, it recovered fast, which is good. But, you know, I don't know, I mean, I think about the infrastructure, I think all of the different infrastructures, there's like, I think 16 of them. Like, you know, you got the, you got the water supply, you have the energy infrastructure. Those are the things I worry about. And if it hits it in a way that, I mean, healthcare is bad. If you, if a hospital gets hit, that's bad. If it can recover quickly, great. But if it can't recover quickly, or worse, you're in the ambulance on the way to the hospital and they shut down. And now you're diverted, but you're diverted. You're having a heart attack and your diversion is like 70 miles, 80 miles out. You're not, it's not good. Right. And those things have happened. That's part of the survey that we ran. We saw that diversion was affected, care was affected, labs were affected. Right. So but it's, but it's that one hospital. If it's from a, from a ransomware perspective, it's a multi hospital attack and shuts down multiple hospitals. That's bad. Right. So those are the things I worry about. And I know that they got to be organizing, right? They got to be doing something. And it's just, I mean, have you noticed how quiet, I mean, things happening? But it's been pretty quiet, hasn't it? Given this, given the technology that's out there and available now.

B (35:03)

Eerily quiet.

C (35:06)

Yeah. Yeah. So not to scare anybody.

B (35:09)

So, you know, we're already scared.

C (35:13)

I think that, I think the costume this year for Halloween will be the AI robot. I think that'll be the, the scary thing. Oh, no, it's AI Give it the candy and get out of here. Sorry.

A (35:25)

No, no, it's so true.

C (35:27)

Yeah, it won't, it won't be the politician mask. It'll be this ro. Oh, no, it's a robot. No. Get out of your AI. Yeah. Oh, here's the Reese's peanut butter cup. Yeah, I know, it's always my favorite. It's like those are the houses you want to go to or the houses that gave you the full big bar, like the big Snickers bar. Not the little mini. Oh, those are the greatest ones.

A (35:48)

Yeah, the houses with fruit. No, thanks.

C (35:50)

Oh, my gosh. Fruit. Yeah. Or the toothbrush. They would be. Try to be sarcastic.

A (35:57)

Exactly, Exactly.

C (35:59)

Get rid of this toothbrush.

A (36:01)

Ed, thank you so much for joining us today. I love this conversation. This has been a lot of fun, but also incredibly insightful because, I mean, these are really, really critical themes that need to be discussed, explored, and particularly around healthcare. I think, as we talked about earlier, and I'm just so glad that we're able to have folks like you on the podcast to. To be able to drive these conversations and get people thinking and also aware of what's out there and available and charting a path forward. So thank you. Appreciate it.

C (36:33)

You're welcome. Thanks for having me.

B (36:34)

Yeah, thanks, Ed.

A (36:35)

And John, you know what I'm going to say next to all of our listeners out there, be sure you smash that subscribe button.

C (36:46)

Subscribe, subscribe, smash it.

A (36:51)

And you get a fresh episode every single Tuesday. So until next time, everybody stay secure. Thanks for joining us on the to the Point Cybersecurity podcast, brought to you by forcepoint. For more information and show notes from today's episode, please visit forcepoint.com podcast and don't forget to subscribe and leave a review on Apple Podcasts or your favorite listening platform.