That it's time for the last session here in our room, a pretty much new format. It is called and named, ask Me Anything. And as mentioned earlier, we would love if we talk about IT, security and IT stuff. That's the preferred topic. So you have really the option people here onsite ask any question you want, ever have an answer from Martin Kuppinger or from me. And same for the online attendees. Just feel free to use the chat function, the question tab on the Casey Life platform. So currently we don't have any question, so maybe Martin it's time for a short introduction.
Yeah, so very short. I'm Martin Kuppinger, principal Analyst at Kuppinger called analysts, one of the founders. And my role today is, or these days, is that I work on research supporting advisory to talks and all the things bring up hopefully some new ideas. And in my presentations, this is my role here and supporting our and advisory team.
Yeah, and maybe also few words about me for those who joined just for this session. I'm Christopher Schutze, I'm responds before Practice Cybersecurity, mainly focused in doing advisory, working together with customers, working in projects, and on the other hand very strong focus on information security. On the one hand I'm responsible for our own information security was copy a call and for sure also advising potential customers or customers from our end on that level. Yeah, so again, if you have any question
Why, why, why? There's maybe no, why we are waiting and the people are try of asking questions still. Maybe, maybe let me bring up one of the points and I think during this event we had a lot of talk about supply chain risk, third party risk, et cetera. And so what I found interesting and I'm curious on how you see that is that, and that fits to to results of a survey we did for one of our customers and which also talked about some of the results that one of the major challenges is that there's little standard and little sort of homogeneity in how these audits and assessments are performed. Which results a bit to what I see in organizations frequently having to to respond to whatever, 10, 15 or 100 different questionnaires. Some with 30 questions, some with 200 questions all mixed. Is it also what you see and what you see as a challenge when looking at the subject?
Yeah, this survey is a good example and that's exactly on topic. So on the one hand you have tools that give you some kind of scoring and analyze of a potential supplier you, you might be using. They give you insights into which certifications they have, whether it's an SOC two certificate, ISO certificate tex or whatever. But nevertheless, internal organizations tend to have their own processes, usually not a single process. They have multiple processes. Some companies have some kind of word templates prepared or excellence prepared with their internal questionnaires from IT security fund, operational security, depending a little bit on, on the type of vendor. And I, I haven't seen a really good and mature level here in organizations to do it efficiently. Yeah,
I think that that is becomes latest clear when you said excellent word because doing that in Excel or Word, it's very contradictory to doing it in an efficient manner. To my, my my perspective. I think we, we need to really to go to more automation. Absolutely more standardization. Here's the question,
Open again. So based on your customer, so your the customer get you advice and what do you see as a trends? So right now we see US strengths, the supply chain security or zero cross before the works. Cloudification or digital transition, digital confirmation. What do you see as a cranking future in know, three to five years I think is relatively good timeline to, to define some cranks.
Do you wanna start you leading the cyber security advisory,
You
Not only cybersecurity, I again of we see the work is becoming kinger and kinger. You see a difference between developers and the system in Craig now with cloud and thingss like infrastructure CO is becoming line is becoming kinger and kinger. So it can be even IT not only related to cybersecurity. So it's,
I mean at the end everything comes together at a single point. And this is absolutely something we see Mike shared in his presentation, the security fabric or cybersecurity fabric, which is our concept more or less to structure your organization, your IT security, your organizational IT stuff and bring it in in some kind of order structure, know what you have, where you have it, how to identify, how to protect it and all this stuff. Also integrating in, that's the topic we had yesterday in the C panel also starting from, from the risk perspective a little bit. So all the existing standards that are there, creating awareness, identifying gaps, accepting risk or make it as complex or expensive as possible for attackers to get access to your system data or install some kind of ransomware. This is absolutely something we see in our advisory project. Nevertheless, when you work with customers, you very often have something, what I mentioned word Excel based processes still alive, which are taking months or even years to bring into a more digitalized approach. Maybe something when we come back to supply chain management or supply supplier management at the end here, that also the suppliers are not willing to answer 10 thousands of these questionnaires by multiple organizations with almost, with similar questions but maybe differently phrased, which would it make also difficult to add some more level of automation on their end here. Yeah, that's really tricky.
Yeah, so, so maybe look looking at what we see as major trends also in a introspective, so we touched the need for, for supplier third party or anterior risk management and the entire supply chain risk. That also when we take supply chain, this also involves the software supply chain, which is something where we also see a lot of, a lot of new vendors starting up that that support in, in different stages of the software supply chain and, and secure promising to secure that from identifying code vulnerabilities to ensuring that what has been coded is also what is in the software IDM when it's compiled, et cetera. So this is securing the entire DevOps tools chain. This is surely one of these areas where we see some very interesting innovation and which is also I think a hot topic for, for our companies. Zero trust, no doubt.
I think zero trust has a huge advantage. It is a term that is not necessarily understood but but known to the, to the upper management, which helps in, in driving initiatives. And zero trust I think has evolved as a concept that is really good starting point and a good paradigm. So it's not really a technical concept. Three more paradigm for, for how to do security, right? Layer security as continuous verification and, and things like that. So this is looking at trends. Surely one more of these when we take a bit of another broader perspective, dealing with all types of identities, huge sync for many organizations we see happening. So it's not just workforce, it is the partners, the contractors, the suppliers, the customers, but also the syncs, the machines, all that stuff and making this this manageable and, and modernizing your identity management. So that can deal with different types of identities. That is some, some of this is something we see in many organizations also really this modernization of, of what has been done in the past to make it ready for, for future requirements, which is really one of the things that is concerning many organizations we are talking with. So these are, these are some of the things, modern authentication we could add to that as an important aspect.
The all, everything around. When we go a bit further away, everything around decentralized technology, so be it decentralized identity, which is increasingly mature or be it something like web three, which is just a combination of different types of decentralized technologies. Be it if it ever comes made averse, be it a a public standard made or or proprietary metaverse, I think we may see both of it, which is in some way the standards based one would be in some way an application of web three in some way based on standards, based on decentralized technologies. And the point is truly how does this impact security, how do you secure it, et cetera. This is something which is starting up as a discussion, I would say, but definitely will, will become increasingly more relevant. So these are some of the points we see here as merging. When you ask about what are the trends,
How would you define the Metaverse
York ask, how would you define the metaverse?
So the metaverse in fact is an environment where digital representations of
Whatever, whoever factually interacts in potentially a wide range of scenarios. This is by the way, what I would say where this term digital twin really applies, which is currently mainly used for some, some very technical stuff in in, in the, the iot world. I, I think this is where, where you would really should really think about the digital twin or maybe some would call it avatar. I don't like that term that much because it's also overloaded and, but, but in some way it is what you see. This is by the way very interesting from an identity relationship perspective because it means that you have these relationships between the, the real human or silicon identities that already exist, enter presentations in a, in a separate space for, for different types. As I've said of interactions.
I, I think it'll be very interesting to see where this end, so we had in some way we had a metaverse two ago with second life, which was a bit, when you take the, the more permanently discussed metaverse idea, then it was probably a bit that type of a metaverse will this happen or not? Very hard to predict. I think we will see more things like extending gaming environments for, for the people that are into gaming where, where you in some way are not that far away from, from a made, but I think we will also see fully, fully different applications which are more about augmenting. And this is I think the, the most appealing thing for me, which is not saying there's the metaverse and there's the real world, but saying there is the real world and there's an extension of it and which is made not to help Mark Zuckerberg from further losing money, but it really made to augment people which truly would require a, a more a public standard based open universe where you, where you can integrate information into what you're doing at at any space based on to definitely a certain extent on decentralized technologies.
But I also think we should not be too fundamentalist fundamentalistic about decentralized as as the thing that makes it work. I think in many areas this absolutely helps and will provide a huge benefit, but at the end of the day, what, what what counts most standards? Interoperability and acceptance. Hmm, governance and governance, yes. So who, who governs it? And I think there, there are two extremes of more or less un governed, decentralized open initiatives, which not always are that un governed because when we look at most open source initiatives, then there's, or most successful and large ones, then there's, there are few players driving that and there's not really a governance in the sense of who, who decides about that. These are the ones that are driving it. It's just happening. And we have on the other hand is GAFA world.
And, and maybe the best thing is to be, be more in between with something that is, you know, when you look at today's protocols, then there are standard bodies, there are a lot of organizations involved, sometimes the first still frequently annoying technology to, to communicate. So I've been still have been bared with mailing lists not that long ago when it comes to standards. But at the end it's a, it's a, a rather collaborative and consent focused or, or consensus requiring process. So there, there, there are a couple of things this will be very interesting, interesting to see. And I think it's also interesting that context that with the, the, the take over the acquisition of Twitter by, by Elon Musk mask that some other initiatives, like I think it's master don become popular and become discussed as something, as an alternative to, to sharing sort of small micro information. Honestly, I'm, I don't think that is yet there because what you need at the end is a smart app that works. So it's, it's a bit more from the tech side maybe, but seeing that that we, we we we we have a demand for for more yeah. Open, decentralized democratic solutions there. Popping up in such a situation I think is also a signal
Martin question. What would you say are the biggest threats regarding to metaverse?
Maybe one, one step before your question. I recently read an interesting definition of what versus it says it simply is a place where a flat screen is a $1 app. So in way looking at it innovation wise, it would be the next big thing after the smartphone, you know, you have notebook, smartphone mades where we have more things digitalized, more things out there in space. So it's, it's, it's giving all the challenges we have today, cybersecurity wise, identity wise, just another dimension. But they remain, they increase. And what you said with digital twins, I think is, is an extremely interesting view on which challenges there might be added in future time.
Yeah, I think in some way with twins you'd duplicate challenges. Yeah. So to speak in, in some way. So, so you have, or, or even even you multiply, so you have to, to have twice a sense of, so instead of 1000 challenges, you have one of 1 million connections. I think that's an interesting question to think about what, what it really means. On the other hand, I, I recently had a conversation with a group of Caesars and also a bit about made worse and web three security and, and what to do today and what you can to do, do today. Because in large organizations you sometimes have the situation that someone comes from whatever the, the digital department goes to the CEO and says, oh, we need to do something the made worse, otherwise we will be out of business in six months. So start an initiative on, on metaverse and then the seizure has to look at it from a security perspective. And this is not, not not really easy, but I think when we look at it, and this goes to your question, but to your question I believe as well, sorry,
I didn't go
To interrupt. I think the interesting point on that is how do we, how do we deal with new complex security challenges? My approach on that is deconstruct, solve, construct, so to speak. So when we look at the metaverse, then the metaverse is an application of web three. Rep three is a set of decentralized technologies. So if we in the first step go down and say, okay, which of these technologies can be secure? In which way decentralized identities relatively mature and NFTs a bit less mature, et cetera, then we will be able to, to easier figure out solutions for the small problem. And then we say, okay, and how does this all come together? So what is the governance level across all of that? What is where we need to, can reuse certain types of, of security and how can we then build the bigger thing?
Because then we, we will inevitably fail when we say, okay, we want to find a solution for, for, for web three and security. This is a two big problem, but all of the small problems can be solved and they can come together into an integrated approach and then, then we are done. So, and interestingly, I believe that putting it together again is not that difficult. So, so I don't bring up the, I bring it up the picture of the first thing would be sizing the elephant, but we are then, then creating a new elephant out of the pieces. In that case it works in reality, it doesn't work that well. So back to your
Question. Okay. But, but back to my question. So let's take as an example, any kind of company that where the digital office or one of the digital team says we need to go into the metaverse, let's take the Facebook one, whatever. So they decide to build some virtual store in the metaverse, create digital products, which could be anything like a bottle of water is a good example here that can you, that can be bought for 99 cent, $1, whatever. What is the difference here compared to I can buy on an NFT platform the image of someone hitting the ball in the basketball in the game? What is the challenge? What is the difference here in the metaverse?
Is the,
Is the
Question that would be the interesting question. Is it, you know, sometimes it really helps to, to, so I think something which is very generic, generically applicable to, to security and many other challenges. So what I frequently ss see and and I've seen is there's an issue and then you start saying, okay, that's the case one and the case two and three and so et cetera. So there's, well, we have tech entities, we have workforce and partners and maybe contractors are a bit different and customers are not exactly consumers. So consumers or customers, a subset of consumers or whatever. And over then there are just different whatever devices and things and so on and so on. So you have a ton of solutions and the tendencies then to also implement a ton of identity management services. On the other hand, you could step back and say, okay, there, there's an identity.
So the, the challenge to solve is that someone or something with an identity can have controlled, secure but seamless access to whichever resources needed. And then you have gone from a sort of an infinite list of sometimes this list is really infinite because you say, oh, there's this case as well and this is a bit different or a long list of different problems to one problem. And if you can solve how an identity comes to a resource in a generic manner, then you can apply it to everything. And I think this is important for many of these, these things that are popping up these these new challenges. So what, what is the fundamental issue we needed to solve? And I think I had this discussion yesterday evening, I was a bit of radical thinking, so why do we boler with all these things like network segmentation, et cetera.
So I'm currently making a lot of enemies here in, but, but why do we bo survey this is it, isn't it at the end of the day that we say there is someone with a device accessing a service and shouldn't we in that thinking trust abstract and say every service that we have in it, we understand as a, so to speak, assess service as a servicing also the stuff we do in our, our internal it. And so someone, if you take the workforce accesses this regardless of where it runs, it's the same when you access the old mainframe by whichever interfaith, then when you access O 365 and if you don't protect this, then you have a lot of then have sort of unified problem, which is easier to solve radical thinking, not, not easy to to do, but I think worse to think about isn't that sometimes the better way to do it? And I think it helps when, when, when you are faced, we started with the made worst thing. When you are faced with new complex challenges, not to try to solve every verion of the problem in a specific manner, but to, to go down to the sort of the, the core challenge and use case.
Yeah. I got a question around ownership. So I think a lot of organizations sometimes struggle with ownership, whether it's assets, applications, whatever. And I'm not sure if you see this when you consult, but what is your advice for organizations to get this right? Because that's like a basic fundamental, if you wanna start improving your security posture,
I
Leave it to
Go about doing. Absolutely.
Thank you.
Yeah, asset management where the tech surface management is really an important topic. I mentioned this this morning at in my presentation about vulnerability management that one of the biggest challenges is to have a proper asset management to know the owners or at least have a deputy for the owners. If you know the group of assets, you can derive or calculate something, but it's really very common to see not on how to phrase this carefully, a 100% level of maturity in such asset management from organization. And here again, there are multiple solutions. I mean on the one hand, asset management is a boring stuff. It's not an s but it's a tool where you can put in your assets, you can add ownerships lifecycle in the best case, which is honestly for many organizations at the end of the road having such a life cycle, you have it and you have it till someone deletes it, no matter whether it's used in the last 10 years or not.
That's a typical topic. But you also have to cover this topic from the, from the other end with a tech surface. Tools like scanning your internal environment, scanning in the cloud, it's difficult, but taking care of cloud applications, at least within your aws, Azure, whatever instances to ensure that there is no automatism for new services, tools, whatever popping up on the one hand without permission, that's the attack service part. And on the other hand, knowing that there isn't potential threat because coming back to that it be vulnerability management or what Philippe mentioned about how they can be explored or use zero days and all that stuff, you need to be aware what you need to fix and protect before you can start anything else. And this starts with a really boring but essential topic like asset management and the maturity level is really
Which maturity level.
Yeah, sometimes it's excellent.
Yeah, no, I think we have a huge issue here and that's very fully Christopher and like he said, I always tend to say you can't protect what you don't know. And that, that applies to, to physical assets. We hold in the asset management to, to software solutions, but also for instance, to data. I did some, some leadership component, other research around data catalogs, metadata management, data governance, et cetera. It's the same thing here. Also data needs ownership and we are definitely not very good in, in doing that. And we are, I think this adds to that problem. We are not good in in, in maintaining ownership. So one of the, the things I'm, I'm pushing for way more than decade is to integrate us with our mover and leave a processes, but particularly, so if someone gets a different chop, then all ownership and not only, so the first thing would be this privileged access management ownership for, so every, every functional, every non individual account must have an owner that must, must transfer when someone is moving or leaving.
But it's also for data ownership. I've never ever have seen a solution that integrates that, that that would be a, by the way, an interesting topic to, to elaborate. So, so really identity management integration to all that data space. How do you define data ownership? How do you transfer data ownership? What does it mean for a modern identity management? It must become integrated, no one does it. And we can continue that with all the other entities we have down to machinery and all the other stuff. It must be, and I think this, this would define a, a very different way, bigger role even for identity management in organizations. If we, we follow that thought, which just crossed my mind a few seconds ago. I think that's first to elaborate this and to think more about that.
Sorry, just to add to that, I mean, I mean ownership is one thing and I think often I've seen he this corporate salute, you know, oh, he's dealing with it and he's dealing with it and actually no one's dealing with the, with the asset or, or the data or what. And I think from my perspective, I think like responsibilities and accountabilities are I model of some sort is is vitally important Yeah.
At the,
To understand what their role is and what they need to be taken care of. I mean we, like we always said, you know, you can protect what you don't know and but then you, if you know something, who do you go to? And that's the big question is there needs to be a person that is responsible, accountable to ensure that the whatever is identified is managed appropriately.
So, so a single person is depending on the size of, of the organization, not sufficient. And I don't think that it's possible to do this manually. 100%
No. But, but I think the point behind it is I think every asset from physical to data to whatever must have an owner and we must have the processes for handling the ownership. You're take a note and remind me about that thought that they can follow up on that please. Because I think this, this is something which is really, really important that we, we have a huge field here which we, we need to address because that also helps us then if we do that better, these processes, then then we will know whom to approach regarding that ownership.
That, that's exactly what I mentioned in my first statement in my presentation about vulnerability management. That you have responsible persons over a group of assets. Like for instance, all software as a service application, all endpoint computers, all mobile devices. He is the one who should at the end know who is responsible for that specific Samsung device, mobile device, this iPhone, whatever. And if not, he is responsible in finding and assigning the right one or
She,
But they need to able to take responsibility for that and and acknowledge that that is their role and that sometimes is not the case.
Exactly. So Excel is always the wrong place to do something like that. There are multiple tools, let it be ITSM tool or whatever where you can assign people to something like that. You have something like in a half a year or twice, once a year or twice a year process to have validating all that stuff. But nevertheless, this is a manual process and if someone is moving, coming back to Martin's statement, moving the department going from, from endpoint to mobile is not responsible anymore. This is nothing they know and it is not maintained and maybe he leaves the company afterwards and then there is no update. The challenge, what Martin mentioned is this is 100% right to build something like the, what is I saw in English, I don't, there's a special German word for for solution that does anything and
Everything.
A tool that does everything. Exactly. The challenge here is I know look at today's enterprises, they even don't have 100% of the applications in their identity and access management or in their access management or in the IGA solution. Then we want to have an asset management, the owner related workflows, different workflows, different types of tools, maybe standardized different workflows for these tools. And then many consultants are happy about that. But this does not solve 100% the problem. So I think automatism and proper approach is much honestly today better
If, if if any organization really had a hundred percent CRI of that or if everyone they align, we wouldn't talk about shadow IT anymore to, to be clear on that, so, so the fact that we do talk about shadow, it means we have a lack of control. And I can't remember any identity management IGA project I've been involved, which didn't include one of the exercise at the beginning, which was about which applications do we need to look at, which ended up always with there are way more applications than diverse nightmare dreams the people had before always. I think that's already in Axiom because it's always true.
That's absolutely true. I just can agree. Usually when you start an IGA project and which applications do be assign and manage? Yes. Or do we have a list? Yes. And then it starts to get strange. Yes. Yeah. And then you start to prioritize with active directory, Azure, sap, whatever, SAP is the next topic, which instances production and test development as well.
Then while I find that this is done, the easy part, so even Excel helps honestly if, if you have to list, I always say, you know, first thing is you create a list of these applications, then you have one column which says how many identities are in there. If you're able to do that, he might even have one, how many changes you have per year. And then you have one about a risk rating and you have one that is about the a a few highly high level defined types of interfaces. So is this, whatever EL up, is this trust rest APIs, is it trust command line? But keep it really simple, maybe six or eight or 10 patterns, not 50 something I've seen at one customer a couple of years ago. And then you can relatively easily identify where to start and what to where will you fail. So the things where you say low risk, few users, horrible, outdated interfaces are truly the things you don't put at the top of your list. The most interesting ones are the ones with high risk and in existing or totally strange proprietary interfaces. These are the few users, high risk, etc. These are the ones where you need to think most about. But at the end of the day, if it's few users, you still can do a good well governed manual processs in worst case.
Yeah, I mean I think applications are probably the easiest. I think the complexity comes when you have microservices and, and then you have different teams dealing with
Oh, nice thought. Yes. How do we extend the ownership thing to the entire software? So the entire DevOps world and the software supply chain. Yes. Also a smart thing. Yes.
On responsible for AWS s Yeah. But windows, whatever
The easiest thing would be if it were aws, but AWS is a beast. And then you look at code and modules of code and the different elements in, in the two DevOps tools chain. And then you have again a number of different ownership challenges and again, the need for transfer of ownership. Yeah. Any, any other,
And who's responsible for the container that is published for two minutes, five minutes to be able to deal with the peak and is not, has not installed the latest vulnerabilities because some others,
Any more scary ideas
Around it? Oh yes, for sure.
Yeah, I think, I think surely when you extend this to, to other areas, and I think this is, you know, what I sort of trust a bit during the discussion about is, so there's, there's the other area which is things and connected things and things that form some sort of device or, or even more so a vehicle is not one thing, it's a huge number of interconnected things with partially different ownerships with changing ownerships and all the other stuff. And we, we recently had had had a discussion with a, with a customer that was about also standards that, that come to deploy certificates to things. And unfortunately these standards are very limited to basically a, so to speak, a China process while things like mover or you know, that some device has been stolen, how do you sort of deactivate, how do you, do you do you the certificate and stuff.
It's not, not not even covered in the standard. So I honestly, I I would probably throw that standard into the draft folder. Draft folder is the friendly term. Yes, yes, exactly. Into the bin. No, I I think trash bin, I think, I think we, we have, we have definitely a, a number of, of interesting and, and huge challenges also with all the relationship things. So vehicle is the example. Everything can, everyone can easily understand. So vehicle is, even when you're not very technical, it means you're aware that there's an engine in that are breaks in and that there's a multimedia system in and a few other components also black box for instance, for in the case of a, an accident, the black box for instance, they are depending on the scenario, different parties that can do different things with the black box. So the police can't go just to you and say, I have want to have access to the black box in under normal conditions.
Maybe in some countries they can do that makes things even more complex. But in the case of an accident, it starts looking different. And so who can do what, who can change what, how can components interact? In which scenario we get a even that for the single vehicle or how does the vehicle communicate with other WI vehicles in a connected world and the communication systems in between and the control systems for auto autonomous driving and what about insurance company and the, the people working at the insurance company and the garage and the people in the garage. And so you end up with a super complex thing and what is, if someone else is driving change of ownership. So we have a complex system of relations, ownerships access and, and, and other challenges even in that relatively limited example. So transferred to the metaverse where all the things are in and it gets even more likely or interesting depending on the perspective you take. Okay. Further questions only to Chris, I've talked enough,
So I have one more question. You mentioned the concept of digital twins applied, which up to now had been used to, to test run complex systems like autonomous vehicles without creating, creating damage. And your idea is to apply this to humans, human digital twins, if I understand you right, what could be use cases for digital human twins in cybersecurity?
So what, what would be, would it mean to cybersecurity
The idea behind, maybe if I get more precise, that would be great. Is it, is it possible to use human digital twins to apply that concept on the characteristic of the bad guys and try to move from reactive position into a proactive position?
I, I, I think you know, the point is you could equip, and this is an interesting, very interesting thought. You could equip your, your digital twin that acts in which whichever works with sort of rules or policies or some learnings. I'm bit careful with terms like AI and ML here, but you could sort of make it more autonomously acting on your security by, by identifying things, by understanding things, by, by reacting. Because that could react better and consume more data and more information to react to understanding things or to alert you just to alert you and say, Hey, there's something going on. Which is scary, which is strange. So we, we should
Before it happens.
Yeah. And, and so, so we could sort of surely make that twin act on our behalf for the security, security in the digital world. So that could be, could that's definitely an interesting thought.
Is it then more on the level on the human error or do you mean do this on from anus perspective for both.
I, I, I think surely you can bad bad people could, could create bad twins, no doubt about that. But I think there's the other side of it, which is, you know, we, we all all are challenged by security aspect, by threats when we do something digital, all of us. Because even when you are very experienced and very much then, then you might look at other things, you might look at which processes are running on your computer, but you're challenged by that at another level you're maybe more challenged by, by by uncertainty because you feel that something is strange, but you know, don't know how to, to look into the detail and surely and, and sort of well equipped digital twin could do way more powered by technology in identifying what is going on and what is going wrong. So
Isn't this then security automation?
It it is I think some sort of individual security automation, Mike,
Because we, we had a really interesting panel this morning or this afternoon about security automation and all that stuff. We also started to talk about Skynet and, and artificial intelligence that may maybe decides that all users are evil and just locked them out. So company closed. Mike, sorry.
Well, so I was going to go onto something completely different and it was this morning I listened to the talk by Sarb Sebe and he was went through a litany of control sets, all of which had the maximum number of controls based on prevention. I then went to a workshop on malicious media or malign stuff. And it was quite clear from that workshop that preventing the external stuff was difficult. It's also clear that in today's world of cyber threat and growth that I think, and, and I'd be interested in your opinion, is the balance of how the C I S O has to respond changing from prevention to effective response.
When you ask me my answer would be the thing shifting to recovery and business impact and business continuity. So not saying we don't need protection and detection and response, but my perspective is the most important duty of a CISO is to keep the business or the organization life. And assuming that you are under attack and that some attacks will work some time, then the ability to get back to operations as fast as possible seems to me being the essential thing. That means you need to understand the business impact. And when I look at some of the stuff we, we did, so, so one interesting conversation I recently had with the customer in the context of business impact analysis was about the, what is the English term forge. So, so, so where, where all the parts are stored big shelf for pellets in an automated sort of shelves where, where you not even know what is where because it's just, it is done automatically and it's put where, where it fits in, where, where it goes fast. If that system is attacked and doesn't operate anymore, it's extremely hard to do it manually. And you're lucky the data is still correct. So,
Well I I worked for an organization that had one of those and it failed. Yeah. And basically the, the response was they said you had to equip people like the SAS and they were all sent, they disconnected the power and they sent the people in to go and find what they could and bring it out. It was an absolute total disaster. Yes. And that's,
That's, that's, that's what I think that's what you need to understand. So when you do a business impact, you might end up with that the, the highest shelfs blah blah, blah thing. If high bay racking, high bay racking thing is, is one of your most critical elements, which means you need to ensure that the data is correct. So, so first step is you need to know that, that your data about what is stored, where remains unaltered by an attacker because that would at least allow people to manually pick stuff. You should avoid that the system can go down. So then you would talk about redundancy and, and, and, and fault tolerance for, for something like that, which is a totally boring topic. But at the end it would be the thing where the C may say, Hey, from a, from a business impact perspective, this is the, one of the most important things
So to do in the case that I'm talking about, the business benefit was that you dramatically reduced the storage space that people were not physically able to pick the stuff and you didn't know where it was. It depended upon this data model. Yeah. So effectively at the moment you made that choice. You, you, you were, you were stuffed from a point of view of when it went wrong.
Yeah. But, but, but I think the interesting thing is it's, it's, it's a, it's a risk management done, not done or done wrong thing for, for that. So they only looked at, oh, how can we reduce costs and, and automate processes and for, for, for, for the the shes et cetera, but not what hap what can go wrong. And and surely in that case over time the the risk has fundamentally changed. And I think it's another learning is, is with all the trust and time logistics stuff. Yeah. Where, where we, where the point always was, okay, lesser capital cost, lesser space needed. And so they, they come on with the drug and we directly build it in somewhere. Unfortunately with every strike, with every ship blocking the sewers canal with every pandemic cetera, we learned, we learned it halfway the last three years that the risks were calculated fundamentally, fundamentally wrong in that area. And I think that is what we, what is also a huge CSO task and challenge these days is to reassess such risks and to understand what we need to do. And I, I believe, I fear that we need to go in many areas down to the basics and resync established models that are not it that much, that are really standard supply chain to make things for running out of time a little. Are we
Cool? Two minutes left or three minutes left. Any famous final question from one of
The audience take famous last birth.
That's what I had in my mind first.
Yes. So
If not may, maybe a few words again to what Mike mentioned about what is the role of the Cecil here and identifying the, the impact of something that happens. Tuesday we had a workshop about business resilience management and the tool that you use there is the business impact analysis and we did it together with the audience and the outcome was pretty simple. Here are IT people and we talk, we ask IT people about their most relevant business processes within the organization that we didn't get in single process that was not IT related. And I think taking care of the high
High bay wrecking, that's a good example. He, he the cso, the modern one needs to revalidate, ree, evaluate and also raises the awareness of something like that because the risk changes over time. And if you don't know a business impact analysis is really a simple tool. Take your C levels and maybe level beyond with the most relevant business processes and look how long you can live without them and then you can break it down or not. And if you identify we cannot live without this tool or with the shelf for 10 minutes, I don't want to repeat it, I will not learn this today, then it's a critical thing and then you need to do
Something. Trust hbs.
Can I just say that I think the business, this is really what Martin I think has been saying. Yeah. The business and IT are becoming increasingly inseparable. There is a major supermarket in the UK currently is suffering from major supply problems because they are going through conversion of their e r P system to a major super
Trust. Recently when I was up by cross retailers Yeah that was papers hanging around saying, oh, the data about the price and the reduced prices is not correct because we were victim to VER attack. I think we, we ended with that.
Yeah. Thank you very much for participating. Thank you very much for asking your questions. Thank you very much Martin for answering questions, for raising questions. It was a great discussion. It was great for having you all here. Thank you.
