Why should identity threat detection and response (ITDR) take center stage in your organization’s disaster recovery plan? How can an identity-first security strategy help CISOs balance risk while prioritizing operational and cyber resilience?
“When somebody comes at you … you have the means by which you can understand what’s happening, you can respond to that, you can recover from that. That’s resilience.”
Chris Inglis
In this video, Semperis CISO James Doggett talks with Chris Inglis, who previously served as the United States’ first National Cyber Director and as Deputy Director of the National Security Agency and is a current Strategic Advisor to Semperis.
“Companies or governments who leave on the proverbial Friday night…but leave their systems on and assume those systems are perfect and safe and will be in the same condition on Monday morning are always surprised…. That lack of vigilance across that weekend…or night off is an opportunity for a transgressor who knows no time off.”
Chris Inglis
Chris and Jim discuss:
- The prevalence of cyberattacks that target Active Directory
- Why protecting the identity infrastructure is such a vital part of managing risk and boosting cyber resilience
- Why continuous, automated Active Directory protection is an integral part of an effective ITDR solution
When you’re on the kind of ragged edge of a problem that must be solved and the government has the authority and the wherewithal to do so on behalf of its citizens, that’s a pretty special place. I spent twenty eight years at the National Security Agency. It’s a large bureaucracy to be sure. Across those twenty eight years, I only met one or two people that truly had kind of bad intentions, kind of were truly working for their own ends alone. But everyone else, I would say, at the end of the day, they were trying to do the right thing. That’s true. And it was important for me to try to meet them more than halfway. Teams always beat kind of individual efforts, and coalitions kind of they amplify the effect of teams. We need to figure out in a world which is greatly challenged, but within which we still have the human, right, you know, population that aspires to do great things. How do we bring all those resources together in a way that the team can prevail or coalition can prevail where individuals will necessarily fail? First and foremost, I think, we need to recognize that what I call cyberspace, what others might call the Internet plus, what might be sometimes described technically as digital infrastructure has insinuated itself into our lives in a way that we’re now fundamentally, almost existentially dependent on it. And for those that think that technology is a bolt on to our lives, that essentially we can just push it off to the side, treat it as a commodity. We can get it right by essentially just giving it some perhaps crisp borders. That’s really not the nature of the case because it’s so, kinda intertwined in our lives that our choices about how we use it and the relationships or the roles and responsibilities that we have about who’s accountable for creating resilience, sustaining resilience. Yep. Defending resilience. That’s so complicated that we have to focus as much or more on that as on the technology alone.
So having said that, I think that we have spent the last fifty years developing an Internet where innovation and market efficiency have been the principal drivers. But safety has always been the third child. It’s always been that aspect of it that we’d say, we’ll get back to that. But the technology moves on, we don’t get back to putting resilience in the technology at the moment. We’re not putting technology into the next iteration, the next generation of that. And so we then have to worry about who’s actually gonna take care of the resilience and robustness that our lives depend on. I think that’s where we are at the moment. And how they use it and the fact that it starts at the very beginning and it’s the ripple effect, I guess, that once someone gets compromised, then it goes to the next step to the next. But in the end, if all of us had the tools and the knowledge to protect it right up front, we wouldn’t face a lot of the problems we’re doing today probably. Yeah. That’s true. You don’t need to be a cyber expert to know that cyber is an issue. Right? To know that there’s something amiss in kind of our use of digital infrastructure, whether it’s reading about ransomware attacks or being the victim of a ransomware attack. Eighty five percent of what goes wrong in cyberspace is attributable to the failure to assign responsibilities, meaning everybody assumes somebody else is actually defending that piece of the digital infrastructure. Or a human error, somebody that clicks on a link or somebody that essentially fails to patch their system when they know they shouldn’t, but they’re busy. They’ll get around to it later. Eighty five percent. So technology matters, and technology can make a huge difference. But it’s mostly about the people issues. If you get those right, then technology can follow. Because there’s a lot we can do to actually make ourselves harder targets. There’s a lot we can do to make ourselves inherently resilient. 
There’s a lot we can do to make it such that they can’t touch us. Right? The aggressors can’t we’re just too hard a target for them to kind of affect. If we were kind of putting children in cars at the age of sixteen, which we do, we’d spend a lot of time trying to teach them how do you actually drive defensively? How do you actually use this car that was built to make it such that you could safely get from place A to place B? We teach them a lot about putting their hands at the ten and two o’clock position. A lot about the use of seat belts. A lot about the risk of drinking and driving, texting while driving. We don’t do enough of that in cyberspace so that people wind up thinking that someone else is going to attend to their security when they alone are on the frontline at that moment for their own security. So that complacency is, I think, perhaps job one. Once that’s done, there will still be transgressors on the field, whether they are criminals that are trying to extract some financial, kind of revenue from you, whether they are nation states living in cyberspace to impose their will on others, whether it’s hacktivists or ideologues or kind of abusing your privacy. All of that still will be on the field, but we’ll have the means by which to deal with that because we’ve dealt with those things before in the physical world. We can just extend those remedies into the cyber world. The sort of the intersection, I guess, of the public. What can the government do for us and what can we do for ourselves? That’s a really good question. I think first and foremost, we need to realize who innovates, builds, deploys, sustains, defends cyberspace. For the most part, that’s the private sector. Correct. Even critical infrastructure and delivery of electricity, the creation of kind of the weapons of war that are used by the US military, the deployment of services like elections.
So that’s all done largely by the private sector, sometimes under the authority of the government. So the private sector is on the front lines and the government needs to realize that. The government needs to deploy its resources and its authorities therefore in support of the private sector. And that’s a somewhat different situation than we’ve experienced over the first two hundred and fifty years of this republic where most of the tools for national security were in the hands of government. Whether that’s armies or kind of legal remedies or financial sanctions or diplomacy. The reverse is now true. Most of the tools to deal with this are in the hands of the private sector. So, how does the government get into a place where it uses its tools, its authorities, its liability relief, its imposition of accountability, its kind of the negotiation with other nations of interest. How does it use that to essentially enable and empower the private sector? I agree with you. I know when I was at a large healthcare organization, we debated when to bring in the FBI. Are they gonna be our friend? Are they gonna you know, or are they gonna then turn it on us and use it against us? And in this case, this healthcare entity, the state had become, I would call it a bit of a negative force for us because they punished anytime we disclosed. I think we’ve made progress with that with some of the ISACs. I’ve had dear friends in the private sector say something even more direct to me that we’re worried that when we call you, it will show up to find and stab the wounded. Right? That you’re not here to help us in our moment of extreme need. Put better than I did. Yeah.
The government, and that’s government at all levels, whether that’s federal government, state government, local government, or governments plural across the national kind of boundaries, needs to understand that when they show up at the scene of one of these incidents, a cyber incident, that their first response should be, how do I actually kind of assist the victims? We’ll sort out later who’s accountable for what, but let’s first figure out how to assist the victims. Or better still, if we can see this threat coming, how do we interdict that threat before it arrives on that scene so that we actually problem solved before the problem actually becomes one. That would be a beautiful world, at least in my private sector side, if that had happened. Having said that, there will be moments when you’ve shown up and you’ve assisted the victims and gotten them back on their feet and kind of on their way. You realize that there is some accountability incumbent upon, but I would like to treat this like an automobile accident. When you show up, if a tree fell on that, if a lightning kind of struck that, if a tire blew out through no fault of the owner, you make that person whole and you address the material conditions underneath that or the true aggressors, whether it’s nature or some individual. You don’t then find fault with the driver. Now, if that person was driving drunk or failed to take the necessary responsibility, you then impose some consequence on them, but let the consequence kind of fit the action and not presume upfront that you have to actually impose some penalty on them simply because they were in the wrong place at the wrong time. I have seen over the last decade that more people are sharing information more freely. I can certainly call and talk at more liberty without worrying that, oh, it’s gonna get out. I think that we are making progress there.
And what I hope you’re seeing on the private sector side is the government is sharing more of its information. So if it’s a one way flow and all the actors are on the private sector side, then all that actionable information given to the government is of no consequence. Alright? So it needs to work both ways. I would agree with that. So hopefully that’s and it’s nice to see that we are, at least in my mind, we are making progress in that space. I think what I have learned over time is that people often overestimate, you know, what the government holds, underestimate what the private sector knows and holds, and ignore at their peril what they can only know together. And so how do we actually cause some degree of collaboration, not a division of effort between the two, but a collaboration where the two can get together, private sector, public sector, to discover things and deal with things together that no one of them could have done alone. Recently, you’ve joined as a strategic board advisor to Semperis. And I’d love to get your thoughts on why did you choose us? Why did you choose this area of Active Directory? And Yeah. Well, there’s, like most people are given an opportunity to do something. You’re asking a couple of questions. And in my case, the three questions are, is this a substantive effort that makes a positive difference in the world? Clearly, it does. Ninety percent of cyber events that go wrong involve some degree of exploitation of something called Active Directory, you know, kind of exploiting the identities of kind of personas, kind of entities within a network of interest. And if you can figure out how to actually bring some value to the proposition you can defend that, then that’s materially valuable. Substantively valuable too. I take a look at the people that are kind of engaged in that work and there are subject matter experts and people that I would describe as patriots without any particular affiliation.
Doesn’t matter what nation. They’re actually just trying to do something good for their citizens. And I love the people of Semperis. I’ve known some of them for many, many years and the ones that I recently met make me feel like I’m back in public service again. Right? You know, while there’s kind of a revenue target kind of in this case as opposed to the government, I mean, it feels a lot like public service. And the third is that I then look at, you know, is this actually something that will lead to either experience or practice or contribution that is kind of better by the month, better by the quarter, better by the year? Is it worth making that kind of investment or is this played out? And this clearly is that kind of at its inflection point and heading to a good place. Yeah. What you described to me is what I’ve been trying to get across to my fellow CISOs for a long time, which is everything’s about risk management. You can’t fix everything. And you’re describing to a degree, at least it sounds like that you’re focused on the things that can hurt you the most. And that’s ultimately why I joined Semperis, for that reason, is I felt I could make a bigger contribution to helping all companies out there. I think that’s well said. I think that’s very well said. You cannot defend yourself against all peril all the time. Right? You have to make choices about, you know, where perhaps you can concentrate, where you can get some leverage kind of in addressing the issues of the moment. And you can’t create perfect security. You cannot create systems that are perfectly resilient or that defend themselves. And so you have to figure out where am I gonna put my finger to perhaps achieve the highest possible leverage. Active Directory today, I would agree with you. And that’s, it’s just it seems like you said ninety percent of most attacks involve that and makes sense because that’s where the crown jewels tend to be at least anyway.
Talk a little bit maybe about, and again, you’ve mentioned a couple times in our discussion already the word resiliency, which for a security person, historically, we didn’t use that term. We defend. We did all kinds of things, but keeping things operational historically really wasn’t our deal. That was IT’s deal to keep things running. But now it seems all of a sudden, at least I have a strong belief that if a cyber event caused an outage, that’s on me now. The outage is not on others that are out there, you know, in the IT world. Any thoughts there? Yeah. So it is an overused word, especially in my kind of lexicon, but I like the word. Because I think what it does is gets away from the notion that we’re gonna make perfect systems or perfectly secure systems and actually just create an ability to be a hard target, that we’ve actually made it such that if you’re a transgressor, it’s gonna be harder for you to take advantage of me than it might otherwise be if I’d not taken that action. Yep. And therefore, I’m gonna avoid some of these perils simply because the transgressor says, you know, you’re too hard. I’ll move on. I’ll do something else. But even when, right, somebody comes at you, right, in cyberspace especially, you have the means by which you can understand what’s happening. You can respond to that. You can recover from that. That’s resilience. Now, you can describe that in hours long discussions but essentially, the NIST security model does a pretty good job of that. Have you kind of understood upfront what’s really important to you and what your dependencies are? Have you prioritized those, to your earlier point, because you can’t defend all things against all perils. Correct. Have you taken some reasonable measures to actually kind of protect that? Have you made it such that you’ve got some built in protection?
Kind of maybe in the physical world, do you have an armor plate or do you have some degree of redundancy, some degree of, you know, they’re gonna have to work harder to take advantage of you because you’ve actually taken some time and attention. Can you understand that somebody’s actually attempting to do that or succeeded in kind of getting into the fabric of that, can you then respond in time and then recover such that you can prevail, you can kinda fight through whatever deficiencies you had. All of that kind of like lives under the rubric of resilience. And it’s really a human kind of discussion as opposed to a technology discussion. Absolutely. That’s I view it much like my house in a way. I do. You have locks, you have alarms, you have all these things and they’re just there to reduce the chance that you’re gonna be attacked or someone’s gonna break in. But if someone invariably breaks in, that’s why you have to have insurance too or you’ve got a plan in your house. But to your point, the locks and doors are merely the predicate. That’s just the setup. You have to then kinda have some degree of vigilance. You have to be aware of what’s happening because if you don’t know what’s happening, some life force is gonna course across the system and kind of take advantage of you at a moment when you’re distracted or looking away. Individuals or companies or for that matter, governments who leave on the proverbial Friday night kind of just close the door, but leave their systems on. And assume those systems are perfect and safe and will be in the same condition on Monday morning are always surprised. Why? Because that lack of vigilance across that weekend, whether it’s a holiday or weekend or just a night off, is an opportunity for a transgressor who knows no time off, who knows no boundaries in terms of their workday to find you at that weakest possible moment. Maybe a little bit more about some of the nation states.
I think a lot of people are still wondering with what’s all going on in the political world today, do we need to worry more about nation states and cyber attacks, or are we better prepared for that now? What are your thoughts there? Oh, yes and no. Right? So I’d kinda like come at this both ways. And say that if you looked at the numerical kinda lineup, you’d find that nation states are typically associated with about fifteen percent, slightly less than fifteen percent of the attacks that kind of show up as being notorious enough that more than the victim kinda says. Yeah. I’m interested in that. That means about eighty five percent, is kind of attributable to criminal attacks. And maybe a one percent or so are ideologues, hacktivist, that crowd. But the fifteen percent can be quite consequential, very impactful. Think of the year two thousand seventeen when in the spring, the North Korean nation state mounted something called WannaCry, did a lot of damage particularly to kind of widespread networks that had not patched. Kind of there was a particular threat, knew how to actually take advantage of an unpatched system, and the national health system in the United Kingdom had not patched any of their systems. And they all went down hard. And there was a moment when you couldn’t actually understand which doctor was gonna see which patient, what hospital room was aligned with what. That was a nation state that did that, had a huge consequence perhaps elevated far more than what some criminal attacks that very day might have been. Later that year in the summer, there was something called NotPetya, which was mounted by the Russian nation state. It was intended to be an attack on the Ukrainian infrastructure, but it wasn’t well designed. It got away from them and that that wormed its way across Europe and the rest of the world. 
And it brought institutions like Maersk, the shipping lines down hard, kind of portions of an institution, FedEx, and the logistics system in Europe down hard. And I think we all stood back and said, wow, nation states are only fifteen percent of the whole. It’s pretty impactful, and you don’t need to be the target to be the victim. Right? And so those two things lined up to say, maybe we should put them at front and center and bring the full resources of governments and the private sector to bear to figure out how do we actually deter them, how do we kind of interdict them when they’re kind of engaged in that, how do we actually box them and evict them in the kind of shortest possible order? It’s been a lot of work from two thousand eighteen forward to do just that. That’s fantastic. It makes me feel good, but it also my assumption too is the bad guys, the nation states are growing and learning too. Of course they are. You know, we’ve talked about several large incidents that have happened. Let’s go back to NotPetya and sort of how it impacted some companies. I think we talked specifically about Maersk in this case. So maybe let’s go into a little more detail about the impact it actually had on these companies and from your perspective, at least anyway. Yeah. That’s a really good example, particularly since we were talking earlier about the role of Active Directory. Maersk is a very sophisticated company, knows the shipping business kinda like no one else. Is kind of geographically widespread at any moment in time. Many ships at sea, many customers across many continents. It’s a very complex arrangement of, you know, not simply where the packages and the ships are, but who has what privileges on that system to essentially order a ship to go to a different place or to perhaps kind of designate what the package kind of should do in terms of its arrival. And so it’s really important to get the identities right in that system.
It’s very important to understand privileges in that system because the physical world is essentially directed by the virtual world. And in the NotPetya attack, what happened was that that particular threat kind of eviscerated all the Active Directories across that system, such that those identities and the privileges associated with those were gone. And Maersk was very fortunate that at that moment in time, one of their outstations, I believe it was in Africa, described kind of in an article, I think, titled Sandworm. But one of their outstations was offline at the time, had reserved a copy, a single copy of the Active Directory. And they were able, after they kind of created some degree of resilience in the larger system, to restore that. So that once again, we could understand what all the identities in that system were, what the privileges of that system were, right? The system can come up and running again. Imagine if that had not been online and they lost all their Active Directories. They would have spent months simply freezing those ships in place at the local ports and going package by package through the system to rebuild that from the ground up physically. That would have been insanely hard. And so now I think it’s clear we need to defend those Active Directories because they’re the virtual representation of the privileges and the identities that exist in a real world. Right. And even with the fact that they got, I’ll call it lucky and were able to recover, the impact to the company was still massive. I mean, pushing a billion dollars worth of damage. So and I get that they got back, but still, and again, as a CISO, the last thing I want is the better part of a billion dollars of responsibility on me. I said it’s still hugely expensive and what CISO or what company or what customer of a company wants to rely on luck. Yeah. Right? You know, as the way out of some debacle in the future. Yeah.
Then that’s, hopefully, and I do think a lot of people now have taken it seriously and they are starting to think of identity as that perimeter and all that kind of talk. And I think that is the right direction to go in, but we still got a ways to go though. I think there are. There’s progress and I think that we can be optimistic about the future, but there are still three challenges. There’s still a degree of complacency where there are any number of people who have a role to play who think that it’s somebody else’s job. Yep. They’ll get, this is a problem, but I think somebody else should solve it because I have no idea what I should do. Which leads to the second problem is that people don’t know what the points of influence are. What would I affect? What would I touch? What would I defend in order to make a meaningful difference? You cannot defend all things against all perils. And so we have to actually add some very plain spoken discussions about these are the things that are most valuable in your system. Active Directory is one of those. And then the third is that we need to actually provide useful tools that are efficient, that don’t actually increase the workload, they actually reduce it. Right? So I don’t wanna provide a company with data. I wanna provide them with insight. I wanna provide them with leverage. I wanna provide them with something that defends their business, not merely defends their digital infrastructure. Yeah. It doesn’t just pour more information on them. That’s right. That’s right. Because we don’t actually have digital infrastructure for its own sake. It’s like that old question about why do race cars have bigger brakes so they can go faster. Yeah. Why do we have digital infrastructure? Why do we have cyberspace? So that we can do stuff.
If we understand then in the doing of that stuff, whether it’s a shipping line, whether it’s an individual attempting to use his or her social media, if we understand why that’s important, we understand its dependence on the underlying digital infrastructure, we understand what’s critical in that, then we know what to defend. We know why. Fantastic. Called ITDR or Identity Threat Detection and Response. It’s a new Gartner category. As I go around from the CISO world and talking to people, more and more people are bringing this up about their identity systems and that that’s sort of the core. Some even saying that it’s the new perimeter. I don’t know exactly what that means, but I do understand that there’s a whole lot of people really concerned about if their identity system is compromised, it opens up the door for their entire business operations almost to get to be compromised as well. So I guess on the public sector side, are you seeing the same things there? We live in the same world on the public sector side. We’re not trying to solve similar problems. We’re actually trying to solve the same problem. Ah. Which argues for public private collaboration. But your point is, what about the role of identity systems? And I would say that it’s increasingly true. There was a moment in time when you could say, I think this action is clearly being taken by that person because you could see them. They were in your organization. You knew what they were up to. And therefore, the abstraction of that into a piece of software, pretty straight line. And we could actually map those two physically, you know, that person’s in the workplace. They’re therefore authorized to take this action. Well, these systems now are massively interconnected. There really aren’t any perimeters. You might imagine one in terms of what you pay for and what therefore your jurisdiction is, but they’re perimeterless, which means to your point, identity then does become a new perimeter.
And the abstraction that we’ve achieved, much to our satisfaction, is that we’ve allowed applications to work on our behalf. And to do that, we have to give them our privilege. And if an application working with your privilege shouldn’t be working with your privilege, you’ve not given that authorization, then you have the worst of what I would describe as insider threats. It’s not a literal insider that’s gone rogue, but it’s an application that acts with privilege that is essentially doing things that the owner, that person who owns that privilege, would not want. So we should focus on what is the role of the mapping of identity to kind of software. How important is that? Very. How do we then make that, to your earlier point, resilient? And how do we defend that across all the conditions of its lifespan? Right? Because we’re not gonna live in a perfect world where you understand with a hundred percent certainty, are we allowed to actually have access to your system? Are there behaviors gonna be things that, you know, are perfectly kind of consistent with the local security doctrine? And so you need to account for the surprises that are gonna occur somewhere across the life of that process. And that, I think, parallels a lot to the, I guess, this whole thing of ransomware, which the last probably three or four years, that’s been, I would, at least from my perspective, it’s the most impactful of all of the attacks that have been out there. My assumption is it’s all driven around the fact that you’re out of business, as opposed to information’s been stolen, money’s been stolen, whatever it is. This actually shuts down an actual business, which you’ve listed a couple examples already that probably has happened. So how do we start to address that though? I mean, how do we reduce that risk? That’s a really good question. I think first we need to kinda like decompose that in human understandable terms. Okay. So what at its core is ransomware doing?
The transgressor criminal, let’s say, in this case, is first trying to find a piece of kind of digital resource that’s valuable enough to you that if they were to abscond with it or if they were to lock it down, you’d pay money to get it back. And how do they do that? They do that by kind of achieving some degree of your privilege and then doing something to that resource, maybe encrypting it, maybe stealing it, maybe kind of, you know, taking the primary copy. Right. Offering us, but they use your privilege, right, to essentially take some action against that, such that only you could have done it, but because they act with your authority, they have done it. And then what they do is to say, I can actually restore that back to you if you pay me some money. That’s the deal. It’s a very simple proposition, but that middle piece of how did they achieve your privilege in the first place? There are a number of ways they can do that. They can find your credentials out there in the open world somewhere. That happens. They can perhaps kind of crack on some piece of vulnerable software in your system and kind of take that in the moment. They can attack your Active Directory and kind of have that kind of privilege, according to them. But at some point in time, the identity becomes the attack surface. Your privilege is the goal. And once they take that, they can then act like you. They can do whatever they want with that resource and then later, having done it in an irreversible way, say, I will make you whole because I kept a copy or I’ll make you whole because I know the key to unencrypt that. It’s a pretty simple proposition. There’s a pretty simple point of leverage in the middle of that, which is your identity. Yeah. Right? Your privilege. And if you can defend that, then you actually make it really hard for a transgressor to have its way with you. Yeah.
It’s, typically, at least in my experience, I’ve seen where the initial attack is rarely actually Active Directory. They use old tried and true techniques just to get in and take someone’s account. Right. Then they go after Active Directory because it holds the keys to the kingdom. If you own that, then you have your choice of what to do. And that’s why I think more and more people, at least from my perspective, have got to think in terms of that, of is my Active Directory safe? And as a CISO at the three large companies I’ve been at, I didn’t focus on it much. I really I just assumed it was there. Right. The paradox of this is if we’re very successful in getting people to just kind of engage in the basic foundational kind of solid skills of an Internet journeyman. Don’t use the same password on multiple systems, change your password frequently enough, patch your systems. If you just do those basics, then the Active Directory becomes the more lucrative target. Right. You removed all those easy ways in. But the Active Directory, which is essential for your efficient operation of the system. Yep. You have to be able to understand in a very diverse and complex environment who has what privileges to do some variegated things in that system. The Active Directory becomes then the principal target right on the transgressor. And the good news is that it’s easy to defend an Active Directory, but you have to give it the priority necessary. Right. You have to deploy the technology that’s available, and you have to make sure that you’re understanding across the life of that system. Has that been maintained? Has that been sustained? You have to be vigilant. But it can be done, and there are companies who do it extremely well. I think awareness is getting there in the Active Directory space or in this whole space. What I don’t think though is, I, the awareness is there, but I think a whole lot of folks are still thinking in terms of we don’t have a big problem there.
And what I typically go to is I tell them to run one of the free tools that are out there and just scan your environment. And if you do that, I think you’re gonna be unpleasantly surprised in this case that there are vulnerabilities you ought to be thinking about. And don’t assume that your Active Directory team over there in IT is actually taking care of all this. Yeah. I think that’s a really good point. I think that the threats in this space and the kind of actions that are attendant to those threats are so diffused in time and space that there are quite a few people that think they’re either immortal, right? Or they’re young again. Yep. Or that it will never happen to them. This can’t find them, but they need to think in a slightly different way, which is, do they enjoy that vulnerability? Do they enjoy that weakness? And if they do, the distance between kind of having that weakness and somebody exploiting that weakness is measured in microseconds. When somebody turns their unblinking eye towards you and says, oh, serendipity has allowed me to find you in this vast universe of cyberspace. And in the next three microseconds, I’m gonna take advantage of you. It’s too late to actually do something about that. Then you’re forced to go to the resiliency piece of recovering, which is always the last thing we wanna do. Right. There’s a popular advertisement here for literally roofs that says, the best time to fix a roof is when the sun is shining. You cannot recover, right, an Active Directory after it’s been violated, and you can’t defend it or make it resilient at the moment it’s being violated. You have to do that at a moment in time when you have some degree of an opportunity to install that, kind of understand how to properly manage that, and get it right before the transgressor shows up. And to me, the CISOs of today have a different role than they probably did decades ago. It used to be a technical job.
You just secure it, tell people what to do when they did it. But today, with all the risks that are out there, all of the balancing you have to do of, well, do you slow down the business or do you protect the business? How do you meet the right medium? Quite frankly, I think CISOs today are far less technical and they’re far more of a leader, a business person, a risk person. So I’d love to get your take on how can you be successful today as a CISO. First, I love the premise of your question. I think CISOs are the sweet spot. That’s where all the disciplines that are required to create digital infrastructure, make it resilient, use it for its intended purposes, defend it. That’s where they all come to bear, which is more than the technology disciplines. The CISO oftentimes is the quarterback or the van master, pick your metaphor, but they’re the ones that are essentially kind of arranging all of those diverse disciplines to pull off the miracle of how do we extend and defend the business using digital infrastructure. The second thing I would say is to your point about leadership. What I’ve always loved about kind of leadership as opposed to management is that the role of leaders is to redefine what’s believed to be possible and appropriate. And this is a moment when we need to rethink and redefine what’s the role of a CISO. Right? Now there are still some CISOs, very few, who think that their job is to build and defend digital infrastructure. But I think increasingly I’ve been impressed by CISOs. It’s a no, no, no. The job of CISO is actually to extend the business, the aspirations of the business using digital infrastructure. It’s a fundamentally different play. And to the point where those CISOs can then help the board understand that’s why we use digital infrastructure. That’s the role of the CISO. It actually creates a join between the boards and the CISOs that’s very beneficial. Right? Where increasingly the CISO can say, I’m running the business plan.
This is how we extend that business plan using digital infrastructure, makes the board’s hearts sing. It creates this very beneficial kind of virtuous circle in terms of how then do we actually feed resource to it, if not authority to it, so that the CISO can lead as they’re expected to do, reframing what’s believed to be possible in the market. Managers can then take over to actually execute that well formed plan. But we need to actually get CISOs to a different place in terms of the mind’s eye of the leadership of the company. Yeah. I look at it almost identically from the corporate side, at least from my perspective. And that’s that as a CISO, I have to enable the business to do what they all want to do in a safe way. That’s the only thing I typically add on the end of it. I try to make sure they can do it without things going wrong from a security perspective. When you think about it, most of the decisions made by CISOs are for the business. It’s to make the business more profitable. It’s to keep them in business. A CISO has yet to generate one dollar of revenue that I’ve known in any company. It’s just not what they do. So what your goal is, and again, I know the public sector is a little different from the perspective that you’re not there to generate money, but you’re there to do a lot of other things to protect the country and all other things. We’re here to make money though in the end. But I think to your point, the CISO could say, but if you deploy digital infrastructure in this way, it will generate revenue for the company. Yeah. Or it will generate market share for the company. Then we can use digital infrastructure to advance the interest of the company. If we silo this, which too often I’m seeing that, where there are entities, people within a company that say, I’m in charge of actually advancing the business proposition or I’m in charge of operations.
And you, kind of, you’re in the IT silo, you’re responsible for defending digital infrastructure, what you’ll find is that the former group is taking risks using digital infrastructure. The latter group is expected to discover and mitigate those risks. It’s an impossible proposition. Alright. That second group playing whack-a-mole can never keep up. Let’s take me to task. You know, I said that I think the private sector is properly on the front lines of cyber defense. So given your private sector experience is contrasted with most of mine in the public sector, what would you offer as perhaps the lessons that you’ve learned in that experience? And maybe put kind of the Active Directory or Semperis in the middle of that in terms of why then that’s so important. I’ve actually spent the last probably ten to twelve years thinking exactly about that because I’ve been trying to mentor CISOs that some come from a very technical background, some come from a I’m in a silo and leave me alone. Just let me do my thing. So to me, the biggest lessons that I’ve learned, I’ll call it in recent decades at least anyway, is that number one, a security officer is an officer. They’re not a technician. They spend their time figuring out how to help the business, enable the business to achieve what they need to do. We’ve talked about this I know already, but that is a huge part of it and it changes your behavior all of a sudden. You’re not there to say yes or no. I mean, a lot of CISOs love that binary on off. As I’ve told one CISO that I’ve mentored heavily, I have to teach you gray. Everything’s not black and white. You have to risk-base things, which is, I think, the second point that I would make from a learning. When you go out to do security, you can’t fix everything. You have to prioritize what can cause the greatest harm to your company. And to do that, you have to understand the company. What drives the revenue of the company?
What are the goals of that company going forward? If you don’t know that, how can you possibly help protect where they’re going and what’s gonna be happening? So and pick the priority of I wanna fix this versus this. I love that. It’s almost as if you’d say that the best CISOs in a digital world have an analog mind. Exactly. No. It’s about context. It’s about nuance. It is that level of detail and I think that is a massive. And then the third is CISOs in my mind are a very, it’s a political role to a degree. You spend a lot of your time having to sell what, at least in your mind and your team’s mind, is the most important. Once you’ve determined that the highest risk is x, how do you sell that to the board, to the senior officers, even to the business leaders who are gonna have to spend the money to actually implement whatever you wanna do? Correct. And to me, that’s where you have to be a much more well rounded person. And we have to ensure that in addition to giving them the tools, we give them that voice because their advocacy is essential. Yeah. And I agree with you very much on the voice part because, again, some boards get it, some senior execs get it, some don’t. So how do you get to the place where you are? And to watch the companies, at least there’s a handful of companies you can go out there and see that where they have that support, the security environment is better. That’s well true. So all boards are struggling to get it. Some do, some don’t. And the CISO can be the essential component of helping them get the role of digital infrastructure. Yeah. If they lead. Right. That is a big key to it. Well, they’re getting a lot of assistance to get that knowledge. I think the recent SEC rule for public boards made it very clear that cyber can be a material issue. Now that’s always been true, but now we’ve shown a bright light on it and said, but it is absolutely true in this day and age.
And so you can see a very significant uptick in boards, at least public boards, but by extension private boards saying, I think I have to get this. I’m looking for some help. To your earlier point, the CISOs can be a huge component of them understanding why digital infrastructure matters, not for its own sake, but rather from the benefit, the welfare of the company. And boards who stood into this have found that it’s actually possible. Right? You can actually get your hands in it. You can have human based language discussions or whatever the language of choice might be, but you can talk about it as human beings as opposed to technologists. That’s new thinking in a way. Because historically thinking IT is removed from the business, if you will, day to day, and then security is a sub component typically of that, which is even further removed. So keep them locked up in their cupboard, and you’re actually a proponent of just the opposite of that. I agree. So I’ve used this anecdote before, but I think it is useful at this moment. Imagine you’re in a boardroom and a CISO walks in and says, I need five million dollars to do two factor authentication to prevent cross site scripting. Does anyone have any questions? I can guarantee it won’t be a single question. No. Except for the possibility of does that door still work? Can I get out of here? If that same person walked in and actually started in a different place, started where the board is, started where the company is, which is I’ve read the business plan. I know we wanna do business in some dodgy places, maybe in cyberspace places, dodgy places, where it’s important to know who you’re dealing with. But people pretend to be what they’re not. And then in the lack of good identity solutions, they can actually succeed in that. It’s important to know that they have the resources that they say they have.
If you give me some money, I will guarantee that you’re dealing with who you think you are, that they actually have resources behind them. For every dollar you give me, I’ll give you two dollars in revenue. Now that’s a conversation that makes the board’s heart sing. It’s the same conversation. You’re enabling. That’s right. It’s the same conversation, but it starts from a premise of, I think I understand what it is we do together as opposed to what it is I do in my silo. It would be interesting to have a survey of CISOs of major companies and how many of them think that way versus the other way of I need money or the sky’s gonna fall. There’s some really good ones out there and the best of them are actually stepping into that role. Absolutely. Helping the board have a conversation kind of as essentially a group of equals saying, we all have a vested interest in digital infrastructure, not just you, where I’m kind of absolved from that, but all of us have a role to play in this.