[00:00] Introduction
Jeff: Hey, hello, and thanks for joining us.
In late 2022, Ivanti fielded a survey of over 6500 global executives, office workers and security professionals to uncover the state of security preparedness and what is keeping these security leaders up at night. More than half of those professionals labeled phishing, ransomware, and other software vulnerabilities as either high or critical threats. And more than half of those respondents likewise rated themselves as very well prepared, ready to deal with the threats.
So it's a rosy picture, right? Well, not exactly. We also asked those same security leaders what they'd be willing to wager on the strength of their security protections. And it turns out one in five wouldn't even beat a candy bar on their protection.
Hello, I'm Jeff Abbott, and you're listening to Executive Summary, a podcast where we unpack the most interesting research in IT, security, and everywhere work, and what it means for your business strategy.
I'm happy today to be joined by Joel Fulton, co-founder of Lucidum and Silicon Valley CISO Investments, which is a leading group of chief information security officers that actually operate as startup investors in the security solutions space. Welcome aboard, Joel.
Joel: Thank you. Really glad to be here. Thanks for having me on.
Jeff: Yeah, glad to have you.
So, look, today Joel and I are going to be digging into this interesting paradox. Why would respondents tell us they are well prepared to address these threats, but then at the same time display such a low degree of overall confidence in their security programs? Really interesting.
So, Joel, when you and I were preparing for this discussion and you had a look at the findings from this report, you immediately kind of triggered in on this laundry list of threat vectors. And you had a really interesting take that I think gets into the heart of the anxiety we're seeing here. So why don't we start there for a second?
[02:18] Security preparedness: mall-front karate studio edition
Joel: So what I thought the most interesting piece of this was that page in the press report, because I'm stating all of these things that could possibly go wrong in the environment. And that is not the way security people should - ought to - look at their environments.
And this was kind of the argument that I opened in our conversation, and that is, this reminds me of the mall-front karate studio where you ask of the student, "Now I'm going to punch you in this way, and you learn this block or parry or evasion. Now I'm going to kick you in this way and you learn this." And you are gauging and preparing yourself for this catalog of incoming threats.
But that's not the way a grownup deals with physical threats. A grownup deals with physical threats by understanding what's important, by protecting what's important, by being able to respond when that protection has something happen to it, and then getting things back to normal. And whether the thing that causes you a problem is a flat tire or a mugger or an overdue bill, I don't need a list of all the bad things that could happen in order for me to be a diligent security practitioner.
And so that's what I thought was very interesting about this. And I think may be why people wouldn't bet a candy bar on the confidence of their statement.
Jeff: And I think one of the things I like your take - flip this chart on its head. Focus on the basics rather than getting caught up in specific tactics.
Joel: If you build your foundation, you don't have to go chase those threats.
So let's pick an evil puppy from this list of security threats.
So as you mentioned, the highest one here is phishing. So phishing exploits my lack of endpoint protection, phishing exploits my lack of identity management, phishing exploits my lack of security training, which then is kind of commensurate to the controls around my role.
And so if I can deal with role-based control, which interestingly also helps me with ransomware, which is number two on the list, and it also helps me with software vulnerability, lateral movement, propagation, if I can deal with endpoint protection, well, as I look at the list - and for those of you listening, get the report, this is on page 13. If I get my systems protected, well then that also helps with the phishing and it certainly helps ransomware. Okay, so if I get my identities figured out well that I'm not worried about.
And so if you if you retreat back to, what is what I'm really here to do? I'm not here to stop phishing. I'm here to get us healthy. I'm not here to stop ransomware. I'm here to make us prudent. That changes the game.
Jeff: Yeah, I agree. And I think your point is spot on. Look, you know, you have talent in your organizations - you better these days, right - in security, and if you give them the proper tools and technical infrastructure, etc., you can adequately prepare for these, you know, threat vectors at the top.
[05:45] Should you focus on inverted threats?
Jeff: What's more interesting, Joel, if we home in on - and again, you mentioned the chart, I'm looking at it as well - some of these at the bottom right where, you know, what we see these as is inverted threats, those where the preparedness is far lower than the criticality of the threat. Ransomware, software vulnerabilities, API-related, supply chain, right? Let's talk about those for a moment now.
Help me put those inverted threats in context. Does it help security teams to focus their resources there, if they can identify those specific preparedness gaps and work to close them? What do you think?
Joel: Yeah. So one of the things, one of the reasons I wanted to do this podcast with you, is Ivanti comes from a background of solid IT management. And I have come, so I've come from a background of passion about security. And we two should be mortal enemies because you're constantly trying to make things work, and I'm constantly trying to stop it from working, right? That's kind of the security operations paradox.
But what I love about this and your, Ivanti's background is, if you do the things that IT management demand that you do: what are the key characteristics of SLA and uptime, and operational management, and change control? If you do those things, you're giving me on the security side Christmas presents because those things make my life better.
And so now, with that as context, we've got these, these backward pawns. So I've got ransomware, where the inverted threat, for the listeners, means I perceive my threat is higher than my preparedness. I've got a gap here. And so that is ransomware, software vulnerabilities, API-related vulnerabilities, and supply chain.
Why am I backwards in all of these areas? I would suggest that the reason is, I don't know where these things are.
Like the basics of what I do in security, there's only five things. I identify, protect, detect, respond and recover. That's all that I do. All that's my plan, do, check, act cycle.
And if I fail at identify, ransomware is going to catch me by surprise. Ransomware gets in on unpatched, unprotected systems. I'm not lazy or negligent at my job as a CISO. But if I don't know where to be a CISO, I can't protect it. So I've got a backwards relationship with ransomware.
Software vulnerabilities. I've got scanners. I've got vulnerability identification software. But you know what I can't identify? Who owns that system? What's on that system that I can convey to that owner so they're motivated enough to fix it? So it's the same problem, identify, only now I've got a different angle on that same problem.
API-related vulns, you've got shadow IT, people connecting things. I don't know where my...
So you can see, the problem isn't that I don't know how to do it. The problem is I don't know where to do it.
Jeff: Yeah. Yeah. And well look from our customers at Ivanti, we hear that challenge all the time. And we also hear the point you're making about the convergence of IT and security. And it's seen as, you know, a must, right? These two, you've got a CIO and a CISO, and are they working together and aligned? One would hope so, right? And I think the threat vectors are now forcing them into a very tight relationship, both from a responsibility perspective and a tools perspective.
[09:24] The persistent challenge of asset visibility
Jeff: Interestingly, in the report, Joel, one of the kind of the key stats is only 52% of the respondents reported, to your point, high visibility into users, apps and devices across their network. So only half have confidence they even understand the realm or the scope of the challenge are facing.
Now, you compare that with the most mature organizations. We're talking most mature, right? Those that are four or five star organizations, it jumps up to 83%. But that's still a gap from 100% from, you know, having complete visibility of the problem, to your point.
Joel: Yeah. Yeah. So if you're listening or watching, the most mature have 83% confidence that they have high visibility.
So if - so I'm working from home, because every human in the United States is. If I asked you, Jeff, to close your eyes and tell me how many ways in and out of your house there were, you'd be able to tell me. And one of the reasons that's helpful is if there's a stranger in your house, you know that it's a stranger because you don't live in a mall where strangers are, right?
So enterprises at the highest level of maturity, 83% of them say, yeah, we have high confidence I can count all my doors. And that's a large problem. And that's why you've got those inverted threats, because the foundation - identify, protect, detect, respond, recover.
And there's this trite euphemism that says you can't protect what you can't see. It's not really true. You can protect what you can't see. You just can't do it cost efficiently. Yeah, you can, right, peanut butter your controls on everything. But, you know, your budget cuts are hitting. And, you know, this year it's a 3% cut. And, you know, you gotta have connections to the CIO, and the SRE and the DevOps team, they need tools. So you got a moment where you could overspend, but now that moment's passed. So that visibility, that identification yields a lot. It's the biggest problem.
Jeff: No doubt. I think about the point you're making in, you know, counting the doors. Yeah, I could do it.
But oh, my gosh. You talk about one of the more stark statistics CISOs and CIOs are facing. Look, would you and I have ever dreamed that we'd be doing part of our job with a watch that connects to the network, with a, you know, with a phone, with a tablet?
I mean, it used to be just how many desktops do we have? And are they patched up, right?
Now with everywhere work, and with what they call these digital nomads, people who want to work literally all over the place. And that means one country to the next, one state to the next and so on, changing the devices they're using and expecting a seamless experience on and off the network and access to their tools and so on. It just can't be underestimated, the challenge this is. And that it's not going away. Right? It's going to continue to accelerate.
Joel: The upcoming generation of workers, they have that expectation a little further. They expect to bring their own devices. It's not just any device that you issue, but they don't expect that you're going to issue them a corporate phone. I've got a phone.
And so now the breadth of that, it's here to stay. And that relationship between IT and security, it's got to become Butch Cassidy and the Sundance Kid instead of Spy Versus Spy.
Jeff: No doubt. No doubt. Not only do they expect to use their own device, again, they expect it to be a seamless experience to use it. Right. I mean, organizations are now measuring the digital experience because this new generation is asking, hey, what can I expect from a network and an IT support perspective? Right? So just a whole different set of challenges.
Joel: And what a fun, what a fun battle, though. What a great. Because you want to be an attractive workplace. I want the best, the fastest, the smartest, the most eager, the most ambitious. I want those people.
And so our job in tech is not to say, “Yeah, get off my lawn. Around here, we ride horses, right?” We gotta be ahead, so that when they say, "I'd like to," we go, "We know. We knew you'd like to, and here it is. Secure, managed, accessible, uniform, seamless. You got it." That's really what it is.
Jeff: It is. It is.
[13:45] How to force a condor moment
Jeff: Well, look, we've covered a lot of ground in this conversation, but let's close it out, Joel, by kind of going back to the fundamentals of the challenges that our CISOs and CIOs and their security and IT teams are dealing with in this, again, this preparedness gap that we're seeing. Let's talk for a second: if we had a CISO and a CIO in the room and we had to give them, hey, here's, you know, five things you should think about right now, let's talk about what those would be.
Joel: Yeah. Okay. All right. Excellent. So let's start with a little guy. Let's start with the small-medium business. And so that CISO/CIO, the title is probably director of IT, and she's running both things in that size of an environment. I would also suppose in that size of an environment, you're doing everything from manual helpdesk to fixing the printer, and you've probably got a little bit of outsource consulting help to handle it. So every day has a high tactical rhythm of putting out fires every single day.
The best advice I got, if that's your situation, came from a friend of mine who was ex-Special Forces in England. And he said, when we jumped out of the plane, and immediately there was incoming fire, our whole plan had gone to pot. Everyone's job is to return fire except my job. My job was to have what he called a condor moment. That is like a condor above the scene. Figure out, okay, what's happening? How can we get back on target?
And I took that and applied it to myself. And I would suggest, if day in day out is a tactical firefight, you don't have enough people, you don't have enough budget, and every day is a checklist that leaves you feeling exhausted: force a condor moment. The fire's still going to be there.
For me, it tended to be Friday at four. Take time to yourself with no phone and lay out, what's the one strategic thing I can accomplish this week? Start fighting for that space to make a long-term change. And when you look at that long-term change, think: identify, protect, detect, respond, recover.
And often in the beginning, in that firefighting, the number one thing to give you breathing room is to improve the phase change between detect and respond. If you can fix detect-respond phase change, now you buy a little time.
So now let's go a little bigger, like an enterprise environment. That condor moment is very, very important. You've got teams of directors and VPs that work for you, who then are assigning people to tasks that make their lives firefights every day. Your job doing this, in my opinion, is vastly improved by understanding, what is the service that we're really providing? What are we really here to do?
Old saying is, without a vision, the people perish. So your job as the CISO in a large org is to say: We're going this direction. We're going this direction for this period of time. Everything you do needs to line up to this direction. You give them what the military calls commander's intent so they can make decisions at tactical and operational levels that they know line up with you.
And if this direction is, we're partnering with IT to roll out a digital experience that will change our numbers, improve our hire rates, give better employee satisfaction, and raise our share price, that's a vision. Set that vision and everyone's load will get lighter because they know that you know where you're going. Those would be two examples that I give you.
Jeff: Yeah, I like that. I think - and maybe going back to the study itself, in your opening remarks - you know, take the threat vectors, evaluate your readiness, evaluate your solution sets and your tech stack to address and maybe do your own kind of internal survey amongst the team on preparedness, similar to the study itself, and from that create a set of priorities to address it.
So to your point about setting that condor moment and establishing a vision, then get really tactical and start to think specifically about where your preparedness may be lacking and needs to be addressed sooner versus later, I think. Good practical advice, Joel. Yeah. Excellent.
[18:12] Outro
Jeff: Well, Joel, thanks very much for joining me today on Executive Summary. It was a pleasure to speak to you and thanks for all the really practical and, I can tell, heartfelt advice. You can tell you've been in the trenches a while.
Joel: Still a little bleeding of the heart. But thank you, Jeff. This was really delightful.
Jeff: Very good. Well, listen, if you liked what you heard today - I hope you did - be sure to subscribe and even better, share the podcast with a friend. We drop the fourth Wednesday of every month a new episode, and we'd be glad to have you come back.
Check out the show notes for links to the research we talked about today, and you can find out more about Ivanti and our solutions at ivanti.com. Or follow us on social media @GoIvanti.
I'm your host Jeff Abbott. I hope to see you next time on Executive Summary. Thank you.