Episode 19

Cybersecurity has moved beyond protecting the perimeter. Businesses need to adjust | Scott McCrady, SolCyber

SolCyber CEO Scott McCrady dives into the world of cybersecurity, discussing the challenges his customers face balancing security and privacy, and how cybersecurity fits in with data governance.

They also discuss:

  • What are Managed Security Services Providers, and what kinds of businesses do they suit?
  • The relationship between data governance and cybersecurity
  • Businesses are struggling to prioritize security and privacy measures
  • The shift from perimeter-based security to identity-based security
  • The future of cybersecurity and AI

Transcript

Anthony Woodward

Welcome to FILED, a monthly conversation for those at the convergence of data privacy, data security, data regulation, records, and governance. I'm Anthony Woodward, CEO of RecordPoint and with me today is my cohost, Kris Brown, RecordPoint's VP of product management. Hey, Kris, how are you?

Kris Brown

I am very good, mate, in the wonderful city of Calgary this week and said we're, we're bouncing around a bit at the moment.

Anthony Woodward

You know, I've never actually been to Calgary. What's Calgary like?  

Kris Brown

It's actually been really sunny this week, but the locals do tell me that I may have brought that weather with me. It's normally not so nice this time of year, but it's quite clear too. Apparently, there's some fires nearby. So, flying out this afternoon, there's a good chance that the lovely weather disappears with me.

Anthony Woodward

And we have a great guest today, Kris. I think today you're doing the intro.  

Kris Brown

I'm doing the intro today. Fantastic. Look, I can't wait for this. I've been we've had a little bit of a momentary chat before we kicked off, but look, Scott, welcome to the show. Great to have you on FILED. Look, I'd love you just to maybe do a quick introduction and sort of give us a bit of a bit of background on yourself.

Scott's actually in from SolCyber. So, maybe Scott, I won't steal your thunder too much, but if you want to take a moment to sort of jump in, let us know who you are and where you're from and maybe even give us a bit of background of sort of what SolCyber does and the problems you solve for customers.

Scott's background, and the origin story of SolCyber

Scott McCrady

Sure, Kris, Anthony, pleasure. Thanks for having me on looking forward to this. Quick background on me: I'm an engineer by trade and training. I was setting up security systems coming out of university and quickly got into this realization that you've got to do something with the data that these security systems generate.

Got pulled into a company, into the MSSP business very early in the career, helped build out the business for Symantec and then for a company called FireEye Mandiant. During those stints, I was very lucky. I got stationed in Sydney, Australia to build out Asia Pacific and Japan for Symantec. As I like to joke, it was one of those, if anybody remembers Don't Throw Me in the Briar Patch, the Br'er Rabbit story.

Now please, please don't send me to Sydney, Australia, but for the company, I'm willing to do it. So, I had a great time there, set up SOCs in Sydney, Tokyo, and India. Spent four years there, spent three years in Singapore with FireEye Mandiant, setting up their global MSSP business there, and then started SolCyber.

So, a lot of time in Asia, I love being over there. A lot of time running global businesses. And SolCyber is basically taking 20 years of MSSP lessons learned on what worked servicing the Global 1000 and applying those value-added benefits to sort of a modern take on MSSP. How do you, how do you make companies more secure in today's world from both a service and a product standpoint, knowing that there are massive gaps having done the MSSP business for 20 years. That motion is still pretty much the same and happy to talk about that in more detail, but that's my background.  

Kris Brown

And look, I've undersold you there, Scott. And so again, for our listeners, so Scott McCrady, CEO there at SolCyber and look, I think it's really, really interesting as we sort of bounce around and talk a little bit more about those security problems, it's like just even this week, a conference here in Canada, where we're talking more in the information governance space, but we're seeing more and more. And as Anthony sort of leans into that convergence. So, we're seeing a lot more of this interaction between cyber and security, the information governance side and being these complementary partners.

And I'm sure we'll talk a little bit about that about more. What do you think, Anthony?  

What is a Managed Security Services Provider (MSSP)?

Anthony Woodward

Yeah, I think the, as we said, the convergence is, is something that's really happening. I'd be interested, Scott, if you see that happening in your world as well, probably just for the listener, I wouldn't mind explaining one thing.

You said a few times an MSSP, what's an MSSP because a lot of our listeners probably haven't heard that term before.  

Scott McCrady

Yeah, it's a Managed Security Services Provider. And so, the key way to think about it is, do you want to go hire a bunch of people that have a broad set of skills, because it's very difficult to find somebody who knows how to buy technology, security technology, deploy, manage security technology, then update security technology.

And then understand when the threat changes and so they need to get different technology. And then when that technology all fires, I can get all together. So, you can actually track down something bad happening and then have the people that can actually do the response. What we find is you need about 8 or 10 different skill sets.

And it's really hard to find that like 1 or 2 people. And if you do find it, this, this person is a bit of a unicorn. And so, Managed Security Services, allows you to sort of solve that broader problem in a much more consolidated and easy to consume manner. Because as a big company, we can have all of those skills scattered through a variety of people and we can bring them to bear when needed.

Absolutely. Oh, and then on the convergence on governance and security, 100%. So, you're seeing it led out of the government side. I was actually at a great event in Washington DC about a month ago. Kevin Rudd was there. Ironically was the Prime Minister when I was living in Sydney, who's now the ambassador to the US.

There's a massive push around the Five Eyes around data security.  

Anthony Woodward

Did you say hello to Kevin07 for me?  

The evolution of cybersecurity standards

Scott McCrady

I did. I did say hi. He didn't remember me. Not surprising. But beautiful new embassy, by the way. Gorgeous embassy in DC. So, congrats to that small piece of land, that small piece of Australian land right in the middle of Washington, DC.

But we're seeing that we're seeing really pushed. So, if you think about the US government, they came out with the NIST 800-171 guidelines. Those are being promulgated through the CMMC effort for anybody touching the US government. So, we call this the defense industrial base. What we are starting to see is the desire to have that regulation be broader, more broadly adopted.

It's gonna take some time, but you're already starting to see things that are saying like PCI-PCI, GDPR-GDPR. Right? That's fine when you talk about privacy, but how do we secure organizations in a much more consistent manner? I think you're gonna see the CMMC and the NIST 800-171 standards be more broadly adopted.

I, I guarantee they're gonna end up in Australia. I guarantee you they're gonna end up in Canada. They will always put their unique twist and spin on it. Of course, they'll make it more regionally acceptable, but I wouldn't be surprised if 95 percent of what you see in those to start landing in Canada and Australia pretty quickly.

Anthony Woodward

Yeah, I mean, it's a super interesting topic. You know, the NIST Privacy Framework cross references the NIST Cyber Framework. And so, these two things now already beginning to converge within the NIST frameworks themselves. So, I think you're absolutely right. I mean, the, the privacy framework is completely voluntary today, so there's no real enforcement around it, but the security and privacy controls.

And there's been some discussion about this becoming somewhat integrated. And, and I think if you actually look globally, as you say, around the NIST security standards, the cyber standards, those are already enshrined in... Australia's actually already adopted them, so you're seeing that adoption, I think, happen across the board with the standards, and I think what's nice about NIST is it is quite pragmatic as well as, as well as covering a lot of the core bases, you know, the couple of standards out there that are less pragmatic in how they, how they do things.

Scott McCrady

I think they did a pretty good job on NIST and what's like, I mean, they really did, obviously you get into level three and stuff, but as we all know. Anything coming out of regulatory bodies can be not so practical or easily updated or timely and generally speaking, they've done a pretty good job on this one.

Anthony Woodward

Yeah, so we work a lot in large enterprise and listening to your introduction, I sense, and I'd love you to confirm this that you're doing quite a bit with SMB and that segment of the market. Give me a sense of how they're grappling with these issues. We, you know, here at RecordPoint, obviously we do a lot of work with government like New York City and a lot with some of the banks around the globe.

They have big cyber programs, lots of people to talk to. How does that happen in the SMB world?  

What exactly is the SMB market, and what challenges do SMBs face?

Scott McCrady

Yeah. I mean, you all know this SMB in the US is sort of upper mid-market, a large enterprise for a lot of the other countries. So, SMB here, we do a lot of business up into 50-20,000 seats all the way down to sort of 250 seats, you know, 300 seats with a significant amount of our business and sort of 500 to 5,000. Which again, is a little bit different than SMB, generally speaking around the world.

What we're seeing is that they're really struggling to figure out how to get the priorities squared away when it comes to both security and privacy. And so, in the SMB space, generally speaking, it's a crazy, it's a very competitive market. They're not able to get the regulatory moats that some of the large enterprises can get, and they don't have the scale.

So, it tends to be very competitive and they're always watching costs closely. And the other thing, I would say, is they're struggling around professionalization of the CISO and privacy components that you see inside of the large organizations, right? So, if you go to a large bank or a large tech company, there's a very sophisticated privacy and security apparatus built into those organizations, right?

The CISO is a very sophisticated operator. And that's both technically and business and risk, right? You don't see that too well in the mid-market. Okay. And so, we spend a lot of time in the educational process of explaining to the SMB, why an investment in your security practice will actually bleed over to a lot of other components in order to allow them to scale faster, more quickly, and give them some competitive advantage.

You can't get in the US you can't get breached if you're mid-market, the odds of going out of business after a breach are incredibly high. And so, you really need to take that sort of opposite table from a risk standpoint versus doing as minimal amount as possible, and then sort of crossing your fingers.

Kris Brown

So, Scott, like, I guess there's this, there's a dichotomy here for me. Like there's this situation where, as you say, there's this lack of sophistication, almost. It's a skill set and back to your position around the MSSP is that you're, you're, you're looking for all of these skills and the better operators will naturally make their way into the larger organizations.

I'm sure there's plenty of exceptions where, you know, there's other reasons why they work or how they work or what they're interested in doing, but how do you then manage that? Or what's the conversation that's had to start to convince them to remove... I struggle when I first read MSSP and I'm working my way through the materials, I struggle to see how you were moving almost the fear of, I'm going to hand over all of my ability to manage the security for my organization to another organization.

And I think I've got some of it from the pieces that you've talked about, but that sounds like a real challenge to have that. And you said, yeah, there's the education piece. That sounds like a real challenge. Like, is it a tough sell? Or am I making more of that? Or is it literally, as you've just said now, from a market perspective, these people are looking for answers and they can't find them in the workplace.

The three types of MSSP buyer

Scott McCrady

It's a very well-articulated question because what's happening is we sort of have three types of buyers. Let's call it the first type of buyer is I've got AV and a firewall and I'm good. I call it, you know, that's the ostrich buyer, right? They've got their head in the sand. They're going to get breached.

It's inevitable. So, separate, they learn one. We obviously move on from that.

The second buyer is this person that we say you have to build a security program. Oftentimes this buyer has built a security program in the past, and they get that security program is not a collection of tools. It's a set of tools that are continually evolving, a set of operational processes that are run with rigor, right?

So, this isn't like, oh, we're supposed to do this thing, but now I got pulled away to this other meeting, and then I didn't do the thing. Now I'm going to do the thing next week, and I don't, that doesn't happen. In a way that allows an organization to both track that over time via reporting and show, show value and also respond in real time when something bad happens.

Those people buy our solution like hotcakes because they're like, yeah, I did that once before and I had a ton of resources, a ton of money and it was still hard as heck, and I never want to do that again. And the example I use there is a decade ago I had thousands of Dell servers and I had ping, power, pipe.

I had an infrastructure management team. I built an infrastructure program, right? With the tools, the people, the processes and capabilities. I don't do that anymore, right? I'm in. I'm that guy. I'm like, that's a nightmare. I'm going to put it all up in Azure and AWS, and then I'm going to manage them. Those people buy our stuff hand over fist.

The third buyer is exactly what you talked about, Kris. They're stuck in the middle. They're like, I sort of want to build it. I haven't maybe haven't done it before. It sounds fun to build my own team. Wouldn't it be great to have my own personal little empire? And then the other side is like, but I'm also fully responsible.

So, if something goes bump in the night at two in the morning, you better know what you're doing. Otherwise, you're going to get owned. We talked to a company, 7,000 seats. They're like, ah, we sort of want to do it ourselves. Got breached. Weren't able to process mortgage payments for two months. Okay. So, you better be good.

I mean, you better know what you're doing. If you're going to be the third prospect.  

The importance of managing all your data

Kris Brown

I like that analogy there that you better be good. I said in our space that even at the larger end, there's still this real grass of not really understanding what it means to manage your data. And so, I'm taking some solace here that we literally just, we've got to make sure that we continue to educate in that space, because there's people building programs that are failing to do so that are having issues around data and privacy.

And it's actually really interesting to hear you say those things there, because it said for me, that was the piece I was flipping around and reading on this website. And I'm like, I have to ask this of Scott, because clearly, we've got a successful business, you're doing this thing, but it's that third owner, you know, replays back into, into that data governance market.  

It's, you know, I, once upon a time I've got my SharePoint, or I've got my file shares and I've got them under control. There's a program where people are checking in and checking out things and they've forgotten that they've implemented Workday and SAP and Salesforce and all these other platforms have moved to Teams or Zoom or Slack.

And now there's just data and decisions everywhere throughout the organization. And they've lost control. But it's like, when we come along, go, I can help you with that. You don't have to be that guy. As if you just played it back and, and they're like, I don't, you can't have the data,  

Scott McCrady

Kris, think about this, like AI, right?

Everyone wants to implement AI to have their own personal chat bot. Right. And all of a sudden, they're like, well, where's the data boundary because the data is everywhere, right? So, to your point, it's becoming real, real for people as they try to figure out how to get leverage that they don't have grasp on their data and where it is and what's being done with it.

Kris Brown

Yeah, it does. I take great solace in that.  

Cybersecurity is no longer just about the perimeter

Anthony Woodward

Yeah, I suppose thinking about that, though, what do you think is the fluency and the behavior we're looking for when it comes to the connection between data and cyber? So, you know, we talked before about NIST standards, and there is some convergence happening in the standards.

But the one thing I observe is, you know, is that everybody's still talking about the boundaries as opposed to the guts. So, even in the privacy world, there's a lot of conversation about, okay, at the website, when we collect a cookie, we shouldn't use a pixel and we should not have third party cookies and we should deprecate that.

And that's the privacy on the lot of conversation going on there in the cybersecurity world, people are still talking about MITRE and they're still talking about some of the standards that are still perimeter-based rather than actually what we really need to do is observe what's happening inside our operating controls and look at what's happening at the data layer, what's happening at the application layer, you know, it's really, you know, if I was to use networking technology, it's really layer four up, right.

Because all the stuff below is really, if you get out of a packet level, that's easy to watch. You can watch the packets go past. You can, you know, our technology has gotten so good we can go bad packet, good packet, bad packet, good packet. But when you come up to the observations at layer four and above, it gets a lot harder, and people don't seem to be looking there yet.

Scott McCrady

Yeah, I completely agree. We talked about this quite a bit with some of our customers. And we talked quite a bit about it with some of our partners. Where we sort of view this is, we've left the perimeter sort of behind, and we went to identity. We'll talk about privacy here in a second. So, when we built SolCyber, we said we're going to build all of our detections around identity going out versus perimeter coming in.

So, the reason for that is starting to go to where you are, which is how do we get better grasp of where the problem really sits? And the problem, generally speaking, is with the human, then the tech, then the perimeter, right? So, our view is that that's a much higher fidelity at scale that we can do when you get to data privacy to your point, right?

Layer 4 and above or 5, 6, 7 is harder to track at a MSSP level. So, we talk to customers a lot about data privacy when it comes like encryption, segmentation, roles and responsibility, you know, all these other things. And then we also talk about the fact that, listen, if you have three security people, why don't you focus them on fraud and privacy instead of on managing this widget?

And then theoretically be able to tell if somebody is hacking in because the odds are very high that they're not very good at that where it's very hard for us to drive data privacy at scale into an organization because you need a level of understanding of the underlying institution that is perfectly designed for an employee to go and help drive that conversation.

So, what we're, what we've been trying to do is free up resources to go attack this more local, more intimate relationship that you have with the company, the employee versus this broader, do you really want people running SecOps? The answer is no. Move them left, shift them left into DevSecOps, shift them left into privacy.

Shift security into the operational into the application layers instead of into this broader category of like, we're just going to start like, I'll give you an example: encryption. What do you hear all the time? I encrypt at my at my storage layer, right? Encryption is a very small piece of data privacy, but I hear this all the time.

Encryption as storage. We all know it doesn't matter. It's not worth crap. But people still will say this. And so, we tell them, why don't you go take the time to figure out where you want to do something like a data privacy framework, then apply that framework instead of processes and tooling that allow you to get to something that's actually usable.

And so that's our view and how we're sort of trying to see those two things interacting.

Anthony Woodward

No look and really well summarized. I think this conversation is a conversation we're gonna have a lot between privacy and cyber and data around what other mechanisms and where should people focus and all the other elements.

So, that makes perfect sense. I mean, and it really comes as a part of the notion of shifting left, right? Certainly, again in the data and privacy community and the cyber community, the whole notion of moving up the development stack, moving further into the design of the business itself and the products that you produce and building in security and cyber controls and privacy controls into the product.

Do you all get that far in terms of when you talk about MSSP? How integrated does that become into the business offering in your view?  

Scott McCrady

So, our goal is to provide services that we can do at scale, right? And so, where it tends to intersect is areas that we can provide a service on top of something at scale, meaning we can do it relatively repeatedly.

So, I use encryption as an example because we actually offer a service around data encryption that you can deploy at scale. So, think large telcos, large financial institutions. And so, if you want a no code or zero code encryption solution that can encrypt across all applications with a management layer that allows you to see exactly what's happening, that is a component of beginning to build out a privacy policy.

Right? Now, we then say, okay, if one of your one of the things you're trying to do around privacy is to be able to understand where your critical information is, whether that's PII or otherwise, and you want to make sure that's secure throughout the life cycle of that data, then you have to have application level security that's validated at all the points.

Well, we can do that for you because you're going to choose the applications and we can deliver that. The other components around privacy that are much more, like I said, specific to the underlying company that we can't do at scale, we tend to try to hand that off to someone. Because if I have to do it for one company one way and another company a different way, then obviously we can't help because it's impossible for us to do that.

What standards are government contractors focused on?

Kris Brown

Yeah, look, and I'm going to shift gears slightly, see what I did there. You've all been talking about shifting left there for a bit, but look, I noticed also that, again, just sort of doing a little bit of research there, Scott, that you're doing a lot of stuff helping those government contractors around CMMC or Cybersecurity Maturity Model Certification.

For our listeners, can you give me a little bit of a better understanding of what that's trying to achieve and help them to understand what that's trying to achieve both for those contractors and then also for the agencies that will then use those contractors and then what's the goal of this? So, where does this go in terms of, I see this sort of a bit of a beginning here, maybe a bit of a response to the market, trying to get ahead of, you know, DoD and these other types of contracting vehicles.

So, what are you seeing in that space?  

Scott McCrady

Yeah, love the question, because I think it's really relevant as again, we talk about the expansion of this into places like Australia and Canada. So, the very short version of this is the US government has a set of rules around anybody who operates with it and how they treat the classified unsensitive information that they use.

So, what they found was that a lot of those companies were saying they were securing their organizations, but as you can imagine, it's kind of difficult. So, they weren't. And so, this is 171 is the response to that. CMMC, the easiest way to think about it is it's sort of the teeth behind the framework. So, what CMMC is saying is if you're part of the defense industrial base and you're handling CUI, confidential, unclassified information, then you have to meet these requirements. It's not an if, it's a when. And so CMMC is the teeth behind the NIST 800-171 standard, essentially. The reason why it matters is the US government is going to mandate this. They, they're through their final, what we believe their final set of requests for comments, and we'll be implementing relatively soon.

I don't see any way that the Five Eyes aren't pulled into this framework. Again, they'll probably do it their own way. So, think of it as, hey, you're building armor for drones, and you have 400 people in your company. Guess what? You're going to have to meet these requirements. You're going to have to have proper level of security.

You're going to have to have roles and responsibilities segmentation. You're going to have to have response capabilities. You're going to have to have all of this stuff. And so, the key piece there is you might as well start getting ahead of it by putting the right security in place. And start planning for the operational components.

So, what we tell everybody is it's coming. A lot of people don't like it because it's like anything like you got to go buy your car insurance, right? It's not like we all enjoy that, but you got to go do it. It's the same way coming on CMMC, and it is going to land via that form or a slightly different form in any of the Five Eyes.

Anthony Woodward

Yeah, and we're working with some components of that in Australian government and CMMC needs to be implemented by 2025 as an FYI into Australia. So, there's a rolling implementation that began back in 2021. I think, Kris, I don't know if you have more detail on that. And, you know, obviously, there's different maturity models out there.

Do you see CMMC is really becoming the model that people like the FTC and some of the others will then start to use for, say, the banking sector and other critical infrastructure players? I think so.  

Scott McCrady

The belief, and I think it will probably be the case, is that you'll see CMMC be the foundational requirement right now again, because each regulatory body has to, has to do their special sauce, right?

So, they'll say, well, we had this special one and you know, let's prove our value that we're the FTC or whomever. But let's be honest, I think it's probably gonna be like 96, 98 percent the same, and there's not, and we're actually starting to see it at the state level. So, state governments are infamously shy about spending money on cybersecurity.

We are starting to see them say, one of the ways we can solve this gridlock around getting good security in place is to say that we're going to move ourselves to the CMMC standard. So, they, they view the adoption of that as a means to get better security in place through the machinations that it takes to state and local governments as saying, we want to get good security.

We need to get there, but we keep getting blocked. Well, what we're going to do is say, we've got to get the CMMC and then that will force us down the path now.  

Anthony Woodward

Super interesting. And it's if anybody wants a bedtime reading, and Kris tells me I'm weird, but I don't think I am. Do take a look at it.

Because again, I think as a lot of those cybersecurity regulations are quite indecipherable, but I think to be fair to CMMC, it's actually, it does read in a way that I think the layperson can make some interpretation and start to get a flavor of it. So, it's well worth taking a look at. And again, it has such a crossover at this convergence point, because ultimately all of this is about data.

And how we protect and maintain that data. It's been a fantastic conversation, Scott. I had a question for you. You obviously have a lot of knowledge and a lot of pieces. What do you do outside of the cyber world? Are there particular blogs you're listening to? Is there particular things that are driving what you do on a daily basis?

Scott's pursuits outside of security

Scott McCrady

I mean, yes, it is the answer to things outside of cyber that are interesting to me. One, I'm a pretty voracious reader and then two, I find just health and biohacking and all that fascinating for some reason. So, when it comes to spare time, it's reading things that are interesting. I'm sort of, I just started on Elon Musk's autobiography.  

And then two, biohacking and sort of the intersection between technology and sort of human progress is just mind blowing. And I think the thing that's fascinating there is that essentially there have been a ton of people that have been experimenting in this space for a decade. And all of that is coming to light due to the fact that a lot of it can be published, a lot of it can be tested.

And so, what you're seeing around longevity and health and how do you have, how do you live, not necessarily maybe longer, but how do you live better for a longer period of time, is just one of those things that I personally find, find interesting. I tell everybody I've been fasting every Monday for over a decade.

I just found I feel better and all of a sudden fasting is sort of trendy right now. Maybe it's not trendy in five years, but it is right now. So, all those little things about how do you feel good? How do you keep everything working is very fascinating to me.  

What does the future hold?

Kris Brown

So, given you've gone and talked a little bit about the future there, and we only touched on it very, very quickly and probably remiss of us not to ask the question, but...

So, we've got all of this stuff with generative AI coming in from my perspective on the data side, you know, we're now going to generate more data faster than we ever have before. That's going to lead to that ability to have, and we've sort of spoken about, you know, pushing data around and worrying about where those boundaries are and where that private information is going, and it said AI is going to consume that.

Pull the crystal ball out for me, Scott. What's your big take? What's the thing that's, you know, it might be a few years out yet, but what's the big take that, that you have in, especially in your space, what's going to happen? What's going to be the major shift? What, you know, what do you wish would happen?

What's the key thing that, you know, would be interesting to the listeners around? What do you see from your seat?  

Scott McCrady

Listen, I could scare the bejeebers off the listeners, which I'll try not to do, but maybe I should do a little bit. The thing that you have to realize is every turn of the crank on technology when it comes to cyber security allows for the adversary to be dumber and better, right?

People don't get this concept. The original hackers were very, very, very, very smart people that could target a very few number of entities and organizations. That's why when hacking started, they were like, hey, let's see if I can get into the FBI. Right. It was things like that. And we all watched the movies back in the 2000s or whatever.

As each of these technologies gets better, it allows for a larger number of people to get into the space to be much less sophisticated around how the technology works and to be much better. So, at the end of the day, breaches are going to happen faster and more quickly. We're already seeing it. There's a concept called breakout time.

CrowdStrike talks about it all the time. How fast, once somebody gets onto your machine, can they get horizontal across the network in order to do really bad things? That breakout time is going to come from an average of, I don't know, about seven minutes right now, but that's going to come down in probably minutes or seconds.

So, you have to, the time that you have to react is going to be much shorter. Again, if you're not on your A game, the chance of getting breached is going to be higher. So, long story short, it's a war out there and all of you, everybody who's listening, that's like, it's not going to happen to me. I hate to be the bearer of bad news.

It's going to happen to you because it's just going to be easier. That's all there is to it. So, then obviously what do we do about it? And there's two things that from a defensive standpoint, we're really going to up level the ability for our analysts to action data much more quickly. And so right now, if you're an analyst.

Yeah, but a lot of data coming through ML and AR already, but you still have to go piece it all together when something bad is happening. That process of piecing what's happening and making that picture so that you feel confident that you know what's going on. That is going to get shrunk significantly.

So, the ability to click a button and pull all the data from all the different sources and the context of that data. So, you know that this is a national, a foreign national that's attacking or a hacking group for money coming out of maybe Eastern Europe, you'll be able to figure that out quickly. What are the TTPs and be able to respond to that in a much more quick and aggressive in certain manner.

So, obviously the defense is always trying to keep up with the offense. The offense only has to be right once. We have to be right all the time. But that's what you want to see as this crank gets turned and it's getting turned faster and faster. We all saw the ChatGPT announcements yesterday. It's insane out there.

Wrapping up

Anthony Woodward

Oh, that's a whole other podcast, or perhaps a trilogy, Scott, around the OpenAI announcements, and we're recording the day before Google I/O as well. And there'll be a series of announcements as I understand on Gemini as well as today. So, so watch this space, but look, we could keep having these conversations.

There's so much fascination, I think, with what's happening in the cyber world and what the overlay here is and into data governance. I really appreciate your time, Scott. There's a whole bunch of topics we've covered there. It was really great to have you here on the podcast.  

Scott McCrady

Thanks for having me.

Like I said, Australia is near and dear to my heart. So, I always enjoy talking to folks that are living back in the homeland, if you will, beautiful place, and I'm happy to jump on any other time in the future.  

Anthony Woodward

No, fantastic. I will definitely get you back. Cause this was a great conversation. There's so much more depth we can get to.

Thanks for listening. I'm Anthony Woodward.  

Kris Brown

And I'm Kris Brown, and we'll see you next time on FILED.
