The Great Security Debate crew recorded a live episode at the GTS Security Summit in Detroit, Michigan with special guest, Zah Gonzalvo, SVP of Financial, Climate, and Operational Risk at Banco Popular. Tune in for a great discussion on risk, risk mitigation, risk prioritisation, and risk in context. Yep, it's all about risk!

Takeaways:

• The evolution of security has shifted from a binary perspective to a more nuanced understanding of risk management, acknowledging the need for flexibility in addressing diverse security challenges.
• In contemporary discussions, it is increasingly evident that security must be integrated into business strategy, highlighting the imperative for security professionals to communicate effectively with stakeholders.
• The role of the Chief Information Security Officer (CISO) has transcended traditional technological boundaries, necessitating a comprehensive grasp of business risk and operational efficiency.
• Effective risk management within organizations requires a shared responsibility model, where every employee contributes to the overall security posture, thus reinforcing the concept that security is a collective endeavor.
• Scenario analysis is a potent tool in risk management, enabling organizations to anticipate potential threats and understand the implications of various risk scenarios on their operations.
• Engaging with business units to contextualize security risks in terms of operational impact and financial implications is vital for securing necessary budgets and resources for security initiatives.

Welcome to the great security debate.

This show has experts taking sides to help broaden understanding of a topic.

Therefore, it's safe to say that the views expressed are not necessarily those of the people we work with or for.

Heck, they may not even represent our own views as we take a position for the sake of the debate.

Our website is greatsecuritydebate.net and you can contact us via email at feedbackreatsecuritydebate.net or on Twitter, Twitter ecuritydebate.

Now let's join the debate already in progress.

Security has needed to morph.

It's about technology.

It's rooted in technology, but there's so much of it that's not about technology anymore.

And I think the one specific piece is around the background.

And So over the 30 years it's changed a lot.

And it started out with this idea that we were binary.

If it was secure, it was good.

If it wasn't fully secure, you had failed.

And that's evolved into a much more risk minded mindset.

And so the comment I made to Za was I'm so frustrated with counterparts with security, counterparts who can't think outside the edges.

And I want to help more people figure out that there's a middle ground, that there is shades of gray.

And oh, by the way, the businesses that we serve, we're not here just to be binary.

We're here to start helping them get to, yes, helping them get to the answers that help the business.

Because you know what the best kind, sorry, the most secure company is one that has no computers completely locked in the closet, no network like no data, et cetera, perfectly secure, not all that useful.

And so you know, Za's been working on, working on coming out of technology Risk.

I'll let you introduce yourself a little more yourself, but now has spent more time in business Risk.

And you know the argument that I put out there is that security isn't tech anymore, it contains tech, but security is business.

Hi everyone.

So yeah, a little bit of my background right now.

I've spent I don't know how many years but around 15, 20 years in banking.

Sure.

One out, literally one hour.

But yes, in terms of the risk and how you transition.

Right.

The role of the ciso, for example, is no longer anymore technology alone and I've had this argument with a lot of people that says, no, you need to have networking experience, engineering experience to become a ciso.

And let me tell you, I was a CISO in my prior role, and a lot of it was a risk management activity.

And what is risk?

The risk is really what kind of events are going to be hitting you that are going to cause you to lose money.

And you have to think of that premise to sell the technology.

Especially a lot of you that are partners here that are selling services to companies and to CISOs.

When I was a CISO, I had a problem, right?

How would I.

I knew that there was a potential risk that my company could be, you know, compromised.

How do I get the money to buy those services?

I had to explain that in Greece terminology to my management.

I had to go talk to the business side, talk to my CFO, to my CEO, and tell them, this could happen to you perhaps 30 years ago.

The attacks were different and they didn't understand.

That's why there was a premise that security was technology.

But.

Or you can go scare them.

Your uncertainty account solves everything, doesn't it?

Yeah.

Once you go through an event, they open that checkbook, right?

There is no other.

I can tell you that, you know, it only takes one time and they're going to be opening the checkbook.

They're saying, create security.

That's what I heard.

I didn't say that.

Don't tell my.

Link to the podcast here.

So I totally agree with where you're going with that on the evolution of the CSO becoming a business leader, actually one of the favorite phrases.

So I was sitting in a talk.

So anybody who knows John Bacon, he was the former CSO for Delphi and Whirlpool before that and Whirlpool before that.

And he was giving a talk.

It was actually.

It was a Fireside chat downtown and talking about how he leads his team.

And one of the comments he made that he is the chief storyteller.

And that's so true.

So fast forward, I'm sitting on a panel, gosh, last week, two weeks ago, over in Grand Rapids, and we were talking about the whole premise of the panel was better together.

Together we're talking about tools and the interoperability of them.

And I made the comment that understanding not just the technology, but how it's infused and how it changes the lives of those within the business is critical.

Critical to being able to sell it.

Because as CISOs, if we continue to be the.

I think, damn, what's it Propeller Heads.

Yes.

Just looking at the ones and zeros in technology that CISOs for the longest time have pushed.

We need to be at the table.

We need to be at the table.

We're at the table.

But continue to focus on technology.

And if we continue to focus on just the technology, going to be relegated back to the Fisher price table.

Yeah, we're at the table.

We can't bring our hot dogs from the kids table.

We gotta eat grown up meals.

We gotta.

Yep.

So adding to that.

Right.

So backing up a little bit.

When you look at the evolution of security, Right.

And when you say becoming part of the business, and you said this the other day.

No, no.

The idea of the business as a distinct item from information security.

I think this was something.

We talked about this at this gathering last year.

That's a misnomer.

Right.

But what I'm saying is, so because everyone says become part of the business, understand the business, learn what the business does.

Right.

How does the company make money?

What's important to, I think is where you were going.

What's important.

Right.

You were talking about risk earlier.

Zah.

Like now in your position, seeing risk, it's not just security risk, it's.

You said liquidity.

Right.

We have tariffs, et cetera.

When you look at, when I say traditional business, right.

We make something, we sell something, we make money.

Right.

What's our biggest risk?

We look at operational efficiencies, we look at supply chain, not in software, but supply chain of our finished goods.

Right.

You look at some of the largest automotive companies.

And again, for reference, I go to automotive a lot.

What?

Yeah.

And food, don't forget about food.

But the idea that the second something happens critical to one of your biggest suppliers, and you had only that one supplier, Right.

One fail point.

And that supplier, say, provided a airbag weight sensor.

And now that plant caught on fire, you didn't have any backup, you didn't have a secondary.

That's why they always had two sources for every product they make.

We had only one and everything was just in time.

I thought we figured that out now.

And that mindset has prevailed across everything, including security.

Yeah.

No 100% prevailed and then diminished and then prevailed and then diminished.

Where Eric and I were having conversations like it used to be, like there was the IT team and there was a security team.

And then over the last five, 10 years, it became like a Venn diagram and there was a little bit of overlap.

Today when you get the chance to look down, it literally mirrors over the top and you're seeing network and security work closer together.

Right.

Like we had the conversation about post quantum, right?

Yeah.

If you're not starting to think about those things, right, when this team's going to do renewals on hardware, this team's going to do that.

What's going to impact the business long term, not just security, everything you do.

And then it becomes a cross functional team.

Business, technology, risk, compliance, all working together.

Legal, right.

And you know, in banking there is a concept of the three lines of defense and that is the regulatory framework where the regulators are saying everyone in a company is responsible for risk.

I don't care what you do, I don't care if you're the teller in the branch or you are the CEO.

You're all responsible to manage risk.

And I have a good analogy to remember, right.

Because even though we're all responsible to manage risk, we do it in different ways.

The first line of defense.

So there are three lines of defense.

Sometimes now people say there are four, but I'm going with the traditional three lines.

The first line is the people that are doing the day to day job in automotive, it's the people in the plant, you know, getting parts through.

You know that you have to follow procedures.

You have some controls, you know, there are safety issues that if you don't follow your procedures, you can, you can do damage, you know, to physical damage or to the products from a quality perspective.

So you have to follow your process.

That's how you manage the risk.

The second line of defense are the compliance, legal risk groups that are there to check the checker, just to check, check if you're doing your job, check if you're doing your procedures.

And the third line is internal audit.

You know, they're checking those second line of defense groups and the first line just to see their following just in case everything fails.

And my analogy is, you know, the pants, belts and suspenders, the pants is the first line, the belts are the second line and the suspenders, the third line.

They're working together for what?

To go over what to go over.

Who's the attacker of this analogy?

Who's the attacker of this analogy?

The subway seat.

Subway seat.

You know, you're wearing all of those three things to cover your ass basically.

So they're all working together to manage risk.

And I think that's how we need to think it through that what is the responsibility of everyone in the technology side as well when they're developing a product and they're putting software out.

What about the idea that if it's everybody's responsibility, it's no one's responsibility as it becomes more pervasive.

I spent a long time as a CISO fighting to make sure that I was not part of the CIO organization because I really believed in the need for parody and peer debate and discussion when it came to doing the right thing.

A thing that was about technology and service resumption was not necessarily the same driver as around data protection, around investigation and understanding root cause.

As this as risk is becoming more pervasive, as it is everybody's job, how do we keep it from becoming nobody's job?

Go ahead.

I was, I was going to challenge.

You like I always do on the what.

What would it be if we didn't challenge each other?

The CSO that has to report outside of the cio?

Because I'm going to use your own mind against you.

It depends, right?

It depends on the leadership that is in that role at the given time.

That I could point to a lot of great CIOs in this area.

There might be one sitting in front of us that understand the risk of the organization, that understand how security is a force multiplier within the IT organization and not just right.

So it really depends.

But going.

Sounds like you were going to answer Dan's question.

It also depends on that.

It also depends on the role of the CIO in the organization.

The CIOs are sometimes becoming more enterprise whole and some are trying to get toward corporate, whereas the product units or the divisions are taking on more technology.

It's changing.

So yeah, there's no single answer.

Yes.

So this is in reference to even some of the partners I talked to earlier that were like, I'm interested in today learning how to start those discussions on security.

I've got people that are really, really good at talking, whether it's ucas, ccas, circuits, telephony, et cetera.

To me, some of that's even more complicated than security because if you look at what the start of the conversation around rescue, you were mentioning pants.

You mentioned the belt.

You mentioned suspenders.

That's almost like table stakes now.

When you get to the 50s and 60s, you're that old that you now have to have all three just to cover it.

Right.

Unless you continuously keep that in shape.

Right.

So like any technology, right.

As the technology gets older, you double that car.

I'm just saying a little more cma.

But it's that starting point, right.

And I'm not picking on security in terms of 10, 20, or even the last five years.

From an introvert, extrovert standpoint, the more extrovert, the more capability in storytelling.

The more introvert, the harder it is to understand how to tell that story.

But everybody finds that, right?

At some point, good leaders bring that out, good CIOs bring that out.

And that's why it's important, right, for people to train.

Like, this is what the board wants to hear, or this is what management wants to hear.

I understand what you're asking me for, but I still don't understand the why, right?

And I go back to the again, Nazi, Nazi, Japanese.

Ask why five times.

You get to the root cause of all things automotive had P, fema, D, fema, process, filler, design, filler, everything that would go to making that good.

To understand what a return on investment is, the business understands what the risk is, right?

And reporting.

I can think of some really big companies.

We'll use Takata as an example, right?

You mentioned pants suspenders, right?

At some point, right?

To save money.

And this happens in security, we're cutting this, this happens in it, we're cutting this.

Budgets get cut.

The same thing happened in automotive.

Nissan had that same risk.

At some point it was, well, if we quit doing X number of checks, we save X amount of money per part being made.

But then one day when it hits the fan and someone comes in and audits, there's no proof that you were doing X, Y and Z.

And then when things got out of scope, right, it went to a really bad place.

And that is massive business risk.

So it's the same thing.

The starting point in those conversations, right, or where do you begin?

Is understanding how to explain the risk.

And do.

Whether it's your own internal assessment or your own internal conversation, because you're doing assessments not just on security, but across the board, of what is the risk to the entire business.

Security is just one part of it.

I think Brian just announced his run for Senate because that was a phenomenal.

Not answering the question about what is everybody's risk?

Is it nobody's risk?

I plead the fifth.

I'm joking.

All right, same question one more time.

Yeah, go ahead.

So the idea that.

The idea, as said, that managing risk exists at all levels, it exists in every role.

And we've said this about security too.

Security is everybody's responsibility.

And, and.

But when it's everybody's responsibility, when it's everybody, then is it really nobody.

When.

It comes to risk?

When it comes to risk, I guess we Gotta get it closer.

So I like the yellow one better.

No, that's fine.

When it comes to risk.

Just saying.

Just saying.

So a badger, a wolverine and a Spartan walk into a park.

True story.

So.

So when we're talking about risk, there's always a name and frame.

Always a name and frame.

Right.

So there's everybody partakes in helping out with the risk.

There's a shared ownership model, but at the end of the day, whether it goes up to the gc, whether it's owned by the ciso, the cio, the board itself, there always is a name and frame.

And my default for risks that we don't know the ownership.

I pass it.

That's what you always talk about, the relationship with your GC as one of the most critical ones.

My best friend.

That's my go to.

Yeah.

Well, thank you for answering it that way because I think you took it exactly where I wanted you to, not because I was walking you into a trap, because I agree the the idea of the idea of a name in a box.

But now coming back to Brian's comment about acceptance of risk.

Business, that is a business risk that is either accepted and understood, combined with the need for storytelling now leads us to how you paint the idea of risk in a way that the person whose name is in the box isn't just going, yeah, I'll do it, I'll take on the risk without understanding what it is, without understanding the real impacts, just to keep moving.

Yeah, I think that that's the main issue is when you explain, you need to explain what is the impact, what is the consequence, how bad can it get?

Right?

And that definition of risk, not everybody knows how to do it well, even to how to write a risk statement.

People find that very difficult because it's hard to think of the what if scenarios.

You know, you're talking about theory until the time it occurs, then it becomes an issue, it becomes an incident.

Right.

So when we're talking about risk, it's still not real.

So that is a very difficult thing to think about and put responsibility.

But at the end of the day, when you are in a crisis, when you are in an incident, it stops with the CEO at the end of the day.

And in my experience, it comes when the board asks what happened and you know, who's responsible for this.

You can keep passing the bulk around and at the end of the day, the leaders are going to come up, the true leaders are going to come up and say, you know, at the end of the day, I let this happen.

Why?

Because I didn't give you enough resources?

I didn't give you enough money to buy the technology.

I didn't approve this thing.

Of course, you know, it's our role as CISOs and rich people to explain properly what we want.

But when something happened and occur, that CEO is going to be in the hotline, right in the media trying to explain what happened 100%.

And this is where I think we can fuse together the advice that we've all given our kids at one point with the don't you nice high risk with the Japanese automotive on this that God gave you two ears and one mouth for a reason.

Less than 24 hours from having said that.

Yeah, see, there you go.

It's a daily occurrence at our house as well before kids.

But if you think about it, you start to have some of those conversations with some of the.

You're going to a plant manager or somebody who's owning operations.

Okay, what happens if the line is down?

Well, we can't get product to ship.

Okay, what happens if you can't ship?

Well, we have a ticked off customer.

What happens if you have it?

The five whys gets us to the point of a dollar value at some point.

And then manufacturing plants know how much it costs per minute per hour.

That starts to become your risk rationalization on what do we have to do about it.

Now I'm not saying go out and do the typical spend a thousand dollars to save a dollar or protect a dollar.

So we have to be cognizant of that.

But having those conversations and walking them through, it's almost hand holding to some of those leaders.

It is.

Well, it is.

It's handholding and contextualizing.

I never need a microphone.

And contextualizing in a way that they understand.

And this comes back to why we need to be business.

We need to be speaking business terms.

We are the business.

And I'll turn it around and I'll dump back to Brian in a second.

But.

So this all makes sense in a manufacturer in a concrete world, you work in a concrete world, you work in a.

There's nothing more concrete than actual dollar bills.

No, everything's out of wood.

Not concrete, truthfully.

Oh, oh, did I leak the new direction for cabinets?

Cement cabinets.

All the time.

Cement cabinets coming.

And shoes.

The.

Now I've lost my train of thought.

This is going to be really hard to edit later.

Oh, there'll be no editing the guy the idea.

Oh.

So I'm in the software world and it's a lot harder to quantify.

Lost time, lost revenue, customer sentiment, brand risk.

Like it's all the sorts of risks that are.

You can't quantify in such a way.

So it necessitates having to be a storyteller, having to walk through things and I talk about them in insurance terms.

The hundred years flood, the 500 years flood, so that the people who are running our products, the presidents of those units and their development teams and their heads of sales and operation, understand the potential impact and the likelihoods in ways that they can relate to in the regular world.

Because we would have a backlog of wood that would become cabinets that sits there for this and it costs us.

This isn't nearly as concrete.

So I'm going to challenge you on that one though, because I think the metrics are there.

You're just looking at it from the wrong direction.

Your salespeople know what the sales funnel are, they know what the, what percentage turns into actual sales and start to calculate what's the impact.

If because something happens, customer attrition, or you draw down on the number of customers that are attracted to you versus your competitors, that is quantified.

But as we learned from Google, you know, I can deliver beta software and collect revenue.

You can't collect them until you deliver a cabinet.

It's a different.

You're not wrong, you're just not completely right.

But again, so again, understanding the business, okay, yeah, if you're in the software world.

But going back to the manufacturing side, I want this very clear for any security practitioners in the room that I've ever heard or anyone that I've ever met that complains that, well, I just can't get budget.

Right.

Understood.

But maybe you didn't tell the right story, because I can think, everybody has issues getting budget.

And I can revert back to manufacturing when you put that line together, let's say for that cabinet you're putting together and saying we need a $5 million budget, right?

Or maybe your supplier, right, you put that in front of the management, management agrees, they send it to the board, and the board says, that's not 5 million, you're gonna get 2.5 million because we need to see a 20% return.

And your 5% doesn't cut it.

So figure out how to make a 2.5 million dollar line.

And then you go back and you begin to say, okay, all these automated checks that we had come out, all this camera equipment that we were gonna do, we're gonna have to do manual inspection here, right?

But then at the end of the day, you still got to go through the production control process and the audit with your customer who says, can you meet our quality requirement?

Right.

So what is your quality requirement?

That's the point.

Security.

What is our requirement?

What do we set it as?

And is there some requirement that customer has that we work with?

Right.

You got to find what it is you're going to use to make tangible to say, this is the requirement.

Tell the story to the management.

This is why we need the money.

We can probably get away with doing just this.

Right.

But then I need more bodies because I need more physical inspection.

You have to find a way to tell the story.

Yeah.

And in banking, for example, when you're thinking about, I mean, yes, dollar and cents, but not really because you're throwing digital products out the market and it's hard to quantify.

But for example, right now we're dealing with that.

Right.

We have an impasse of the last six months between our security team and the product team because of some security requirements.

And it comes down to measuring the latency and the performance of those security requirements being implemented in that digital platform.

What will be your customer experience?

How long does it take you to do a transaction?

Those are things that you could measure to quantify the cost, not only the cost of security, then you have to balance.

My risk is if I don't do those security requirements, customer data may go out or I may have a system outage due to a malware injection of some sort.

And that's going to cost the company potentially X amount versus the performance issues that a user can get through when they are going through the platform.

But you're coming off the line from the only answer is perfect security and encouraging them both to come to the middle.

Exactly.

And that's the role of risk partner.

Right?

That's my role.

My role is how to get them to the middle and how to create a framework that makes sense and that it's traceable because everything is solid.

Right.

And that we could justify getting to the middle of that discussion, discussing with legal, bringing your partners to the table and saying, what is the risk appetite?

What is the threshold where we are, okay, considering that we have cyber insurance, you have to look at maybe reputational damage that can cause.

But considering all of these things, what is our risk appetite and how far we can go in kind of making that determination and decision on what is the right level of security that you need to include?

I was going to say try to get it closer.

It's a little.

It's a yellow one.

It feels like it's dying.

It should be the best one, the.

Yellow one though I think they call it maze here.

But now let's take that and fast forward three years.

The risk you allowed or encouraged them to stay in comes true.

How what does that look and feel like in the organization and do you think about that when doing, when negotiating these middle ground risks?

What happens when it comes true?

Yes, yes.

That comes to my mind every day when I'm in the middle of these decisions.

Because I mean I lived through a couple of really bad situations.

Situations.

And I know how I can get and it's a little bit working with that risk appetite and understanding from the top of the house, what is the level of.

For example, we have a threshold on operational losses that we can absorb.

From the board of directors to our senior management team every year we go through our risk appetite statements and our key risk indicators and metrics and determine what is my threshold of possible losses that I could absorb and I'm still going to be okay.

What is my threshold of reputational risk that I could absorb.

You need to do that exercise to be able to feel comfortable accepting certain risks.

Because the reality is, like you said earlier, the only way you're not going to have any risk if you are locked up, you're not gonna make any money.

You need to make money and you have to take some risk.

Have you have the scars of your past changed your risk appetite completely?

Yes.

And it's a struggle because then you have to go back and recenter yourself and say wait a minute, I'm here to enable the business to make money and not to let what occurs, you know, be I guess a bottleneck or a resistance on it.

But it's something that we deal with it every ciso, I think ex CISO priority.

So person that has gone through a major crisis have dealt with it.

I'm the same question for Eric though.

But he's going to have to imagine because he's never had an issue.

It's all his security has been perfect.

Right.

No comment.

Plead fifth.

No.

So I was going to use an example and I'm going to butcher this one because I don't have my notes or computer in front of me where I were usually able to pull stuff.

But when you just made a statement maybe five minutes ago around software.

Right.

And a little bit different than building a tangible.

Good.

Right.

You have an application you built.

No, it's a little bit harder to.

It's a little bit harder to put your hands around and.

And to immediately I'M going to use this.

I'm going to agree with you because when I was reading this, this was somebody talking about the risk that they didn't even know they had, but they had built this really, really, really cool program and application.

And I think it was the NFL that they took it to.

This was like 15 years ago, right?

Or 10 years ago.

Whatever, whatever it was.

And they've been growing leaps and bounds in the entertainment industry and they took it on in.

And these guys were like, yes, five months in, they're all in.

This was gonna make them like the hundred million dollar company versus the 5 million they were.

And as part of it, they said, we need somebody on our team to run a test on your application.

Basically a pen test or something.

And they had the opportunity to go do a third party first, but they were so excited.

They were like, no, go ahead.

And it blew it apart.

And they were like, no, your product has way too many holes, way too many issues.

Said it put them behind three years.

What they ended up selling the company for was a quarter of what that would have been had they landed that big deal.

But we had no clue what the risk really was.

Right?

So you think about that in the context of like making a finish good even, right?

And you don't understand what the risk is.

You put it out there and then people get hurt, right?

It's like immediately now you're liable the value of your company, right?

So there's all different levels of risk.

So it just got me thinking, that was just one example, right.

That that wasn't part of the business, right.

Of deciding like, exactly.

And they were even given the opportunity to say, you can go do it with your own third party, but we need to see the report.

Right?

So they could have done it first, fix stuff, right.

Or improve stuff.

And it came back to literally blow up in their face.

Yeah, we do a lot of.

I know in risk, we're used to risk assessments.

Everyone does risk assessments.

But there is another practice that is, I think, more powerful to think about those contexts, which is scenario analysis.

And now you're taking a specific scenario and saying that what if?

What?

In a risk assessment, you're talking about plausible risk, you know, plausible likelihood, possible scenario possible, smaller type of losses that could occur in a scenario.

You're saying this is how bad it can get.

This is the end of that bell curve where we're looking at how much I can stress this to the end.

So we can see if we can actually accept that risk or not.

And we go through the exercise and within operational risk.

Now we're putting cyber scenarios to run through and it's actually very eye opening to the business when they see how bad can a loss get.

Right.

And think of how all of these things could happen at the same time.

We are in a geographical zone.

We are in Puerto Rico, which is an island hit by hurricanes every year.

So the now I'm mixing a hurricane coming through.

And at the same time, hackers know we're vulnerable.

We know that all the banks are going to experience, you know, a storm coming through and they're preparing and it's a little bit chaotic and now they're taking advantage to get through your system at the same time.

A cyber hurricane, well, it's going to be a sharknado kind of hurricane.

I love tornado, by the way.

So it's that possibility of mixing events to see how catastrophic can it get.

Which sometimes is what the insurance companies are doing too.

So when you stress and do that, that's when you realize, that's when the business realize, wow, this could actually happen.

And this is how much capital or reserves I need to have to be able to absorb in how much investment I need to make in my tool set to be able to absorb that.

All right, I'm going to challenge you here.

We're talking about the value.

Oh, he's got the microphone.

Here we go.

Value of a company.

If we go back to Target, Home Depot, do you stop buying there?

Yes, it depends.

Liar.

Only because the part I know where this is going.

So if you look at it, it's depending on the value, how we're valuing a company.

Right.

A lot of companies out there in the public space.

Space, it's market cap.

If you look at what happened to Target bounce right back.

Fickle society.

We forget where they once came.

Or I'll use your argument that the restaurant that gets shut down by the health department, that once they open back up again, that's the healthiest company or restaurant.

The best Chinese food in all of Chicago.

Okay, so to your point, and I, this is where I'll say for any vendors in the room, too careful how you throw out fudge.

Right?

Because everyone talks about the brand, reputation, etc.

Target, did they bounce right back.

What was the impact to them from a reputation standpoint?

I personally never really shopped at Target to begin with, but that's only because the stuff I bought was more Home Depot ish.

Did I stop buying at Home Depot?

No, I continue to buy at Home Depot preferably because when I spend Money at Speedway, I earn points.

Those points can be redeemed for Home Depot gift cards.

So I still spend money at Home Depot, but I try to be aware of that.

Like, who do I think I trust or don't trust?

Go ahead, Dan.

You're gonna.

Well, no, I think there's the net.

Net of it is the value of the company.

And this is what makes this discussion very hard.

Inside an organization is the stock price always bounced back and it grew.

And in six months it was back.

So who gives a crap, right?

You know, inside the organization, it's okay.

We'll have an attack.

We'll get on the news.

And the marketing people say, no marketing.

You know, no press is bad press.

And then in six months, our stock is back and everybody's forgotten about it, except the propeller heads who sit in front of rooms and talk about Home Depot's breach 10 years ago.

But I think there's another place.

There is in smaller organizations that are growing, that are.

We're in a time of acquisition.

Yeah.

We're in a time of M and A.

We're in a time of PE takeover.

We're in a time of strategic investments.

This is where it comes into play.

This is where I agree with you 100%.

And we've seen.

I've done a lot of M and A.

I'm part of a.

I'm part of a larger.

A larger software investment company and a portfolio within them.

And we do M and A.

And I'll tell you that the value of a company.

Company.

Anywhere between 10, 15% uplift for those that have good security and at least a 5 to 7% discount for those that don't.

And when you're talking billions of dollars, that is a material amount of money.

It is worth investing in it because it is, I'd say a third to a half of all diligence right now in M and A, in investment refinancing.

If you're restructuring your debt, I promise you this is part of the discussion and it will affect the rate you get when you get.

When you redo your debt.

This.

This is where it matters.

This is.

This is real strong.

Because for small businesses, all right, Especially.

And this is.

Consider your succession.

Even have to be just small.

Yeah.

But I'm gonna throw this out there, though, because succession planning.

All right, And I, we may have talked about this.

It was an article I read, and it was calling out Japan in particular, but saying, hey, get ready, because there's a tsunami coming in North America.

And what it was referring to was the age of business owners in Japan, right.

Private small businesses that didn't have a succession plan.

And because the population birth rate was so low, they didn't have kids to take over the business.

Right.

When I say that's coming as a tsunami here, the number of businesses.

So I got friends in the construction business where they used to have 30 competitors just here in Michigan when it came to large framing.

Today my buddy has nine competitors and half of them are asking to buy their company.

Why?

Because their kids went to college and don't want to do that job or they just don't have anyone to do the job.

They didn't have kids, right.

So now they have a succession plan of now I got to sell my business.

Right.

I use the example of the company in Europe, in England, I forget what it was.

Just happened recently in the last six months, months over $100 million in sales, got hit with ransomware, had no backups, nothing.

The entire business, six months later, shut down, gone.

And they had a plan of a succession plan.

But in terms of they plan to give this to their family, there's now nothing left to give to the family.

That's like the direst.

Right.

End of it.

Right?

But even over here on this end.

So let's say you were in that succession plan.

They said, okay, if you can acquire company B, you're going to be worth this much more.

And then when you go to sell your business, you're going to have all of that value and then boom, something happens.

Or while they're doing that, the investigation says while they're doing the M and A or you're about to sell or get acquired, it's like, yeah, but guys, you have problem X, Y, like the way your books everything that you've done from a tech standpoint, sorry, you're only worth this regardless of the amount of current recurring revenue you have to stand you up in this other model is going to be that much more difficult.

Those are not things that business owners typically think about.

But if you're already having these conversations with those business owners around their day to day operations when it comes to their productivity and everything else, this is why you have that conversation around security.

There's money in that banana stamp.

I mean there is.

There's money in there.

Go find it because it will add to the value of your organization.

Stock price aside, there's money in that banana stand.

Capital structure matters.

Did I answer your question, Eric, or did I swim through it again?

Capital structure matters.

But even the rating agencies, you know, you're Talking about Moody's, AM Best, etc.

Where they come to the organizations, you know, they do it in the banks all the time.

And the first thing that they want to talk is about their risk management structure, the cyber security structure, what are the controls, etc.

And they take that into consideration to grade that company, you know, to, to see if it's worth, you know, in the stock market.

So it is definitely an investment and something that, that we need to capitalize to be able to get money to invest in, in tools.

Is that capitalize or capitalize like I can.

Can I capitalize the investment?

You can.

So Daniel David meets these rules.

Give me the best example of a story you've told though, to a get a point across, whether it was for funding or to get your point across about a risk.

Right.

Well, I'm using this in the next interview I give because it's a great job interview for somebody that's a great interview question.

I get 5%.

I'll have the candidate give you 5%.

I think I talk, I like to talk about things I mentioned earlier in terms of hundred years floods, 500 years floods, things that.

Giving people quantifications about how big this risk is in terms of something that they can understand.

This is something.

This is equivalent to the 50 years flood.

We expect it to happen in some amount of time.

It'll have a moderate amount of impact and we should put money away to do it because it's almost likely, almost guaranteed gonna happen.

And then we.

Okay, sorry.

I guess I was buying time while I was thinking of an actual story.

We talk about Amazon.

So aws, at least he's being honest.

Oh, I'm never.

Not that.

So talk about putting a lot of our infrastructure into aws.

And the question often comes up, you know, what happens if AWS goes down?

And there's a whole lot of, there's a whole lot to unpack in that particular question.

Are we talking about a region, are we talking about all of aws, are we talking about our vpc, et cetera.

And so you start to dig.

So in one case, we're talking about where to put a particular product and all of its infrastructure at the request of a particular customer who wanted it in a place because it was going to then have more, less latency for communication to other services that they bought that were also in that same Amazon place.

And so the conversation that we had went a little like this.

Well, this is, you know, this is putting it all into one region we can use.

We can Use azs.

We can use availability zones to spread it out.

But why wouldn't we put it also on the west coast and just, you know, US east one?

Well, there's latency, there's this.

What happens if it goes down?

Well, if US east one goes down, I promise you we're not the biggest problem that they're going to have.

They're not going to be able to get to their Google workspace.

They're not going to be able to anything else.

We're not the ones that are going to be caught.

So we put some of that quantification and context in.

While it would have been horrific if US East 1 went down for all of us, for us especially, we took into account that we would not be the first person that they'd be calling.

And so we were willing to take on that risk in that particular case and not spread it out because we would have had to double the cost of the environment, we would have had to double the cost that we charged and hire 10 new people to support it.

So those kinds of things all went into the mix.

No, that's good.

You quantified it, right?

Yeah.

Which is good.

As one should always do with risk, right?

Well, it's a massive risk.

The, the overall.

No, that makes a lot of sense.

Eric.

Best story that you've ever told and.

Keep in mind he's had time and he does shouldn't have to.

Van I just want to.

Are you hiring him now?

Did he ask you?

It was a pretty good answer.

I like that story around what?

So I wasn't paying attention.

The best story that you've told or story that comes top of mind in terms of how to A get budget or how to B quantify some type of a risk.

Yeah.

So I'm going to take a little bit different angle on this.

So going back to being at a tier one automotive that I think we can all agree that IT people and OT people don't get along, that there's a little bit of a divide there, not the best of friends.

And we were trying to figure out how do we start to infuse some technology, some controls on the plant floor without totally alienating that group.

And as we were listening to them having conversations, one of the struggles that they had was getting telemetry off of the machinery that they were doing it some really old school ways with some JKD technology which actually gave us an inroad in technology not mentioning the provider but providing them a solution that allowed them to get the telemetry off.

Of the machinery into a cloud container where they could then take actions off of it much quicker than what they had before.

But at the same time, it had built in security on it that completely made that operational technology disappear from the rest of the network.

So essentially tunneled under everything.

So gave them exactly what they needed with intrinsic security built in.

So it was a huge win.

Win.

So you got your micro segmentation ot security, they got the ability to pull data and analytics and stuff they wanted off.

Zah.

Best story ever.

Best story ever.

I'm working through it right now.

This is a good story, but I'm not gonna talk about that one because if this is gonna be recorded, I don't want to get anyone into trouble, but I have another one.

It's outside the statute of limitations.

Yeah, yeah.

Okay.

So, yes, my prior employer.

And this is before they knew how bad it could get.

Right.

This is at the beginning of our maturity cycle on our building our security program.

Actually, the best way I was able to sell getting investments in security was that the COO at the time figured out that for that company to be able to sell our servicing business to other banks, you know, be a subservicer for other banks.

When they were doing the due diligence, the first thing they asked was, how is your security?

So then they started bringing me to the table to talk to pitch in our security program to those people to sell the services.

And I said, you want me to do that?

I need all of this.

It's like, okay, how much do you need?

What do you need?

You know?

So it was a little bit more opportunistic than risk, I would say.

It was more.

You're gonna get more.

At the end of the day, it's money quantification.

You want to sell your product and you, you know, then you have to invest to be able to sell that product.

And if you don't want me to have to tell a story to these people that you don't want me to tell to these people, let's fix it so I can tell the truth, which I would always tell, but I want the truth to be the truth that they want to buy from.

So, first of all, I want to get a huge round of applause for Zagonzalva.

Thank you for joining us.

Thank you for inviting me.

I miss.

We love having guests.

And thanks to you, Eric and Brian, or Eric and Brian.

And thanks to you, the listener, for being here today.

For we love having you.

If you want to learn more, our podcast is part of a distilling security network distillingsecurity.com you can find us on your favorite podcast app, Search for the Great Security debate and on YouTube.

YouTube.com theat sign great securitydebate.

Thanks for being here.

We'll see you again on the next Great Security Debate.

It.