Skip to content
NOW AVAILABLE Feature Release! Learn About Our Enhanced Capabilities for Prioritizing Remediation Learn more >>

VIDEO

Beyond Trends: Actionable Cybersecurity Advice for 2023

In this panel our experts outline the key takeaways from another tumultuous year in the InfoSec industry, provide actionable advice to improve your organization’s security posture in the New Year, answer your pressing, hot-button cybersecurity questions, and much more.

Series: On-Demand Webinars & Highlights

Category: Thought Leadership

   BACK TO VIDEOS

Transcript

Awesome. Well, let’s go ahead and get rocking. I mean, we are a couple of minutes after the hour and got a lot of stuff to talk about, so it’s fun. So welcome, everybody. Thank you for joining us. We’re excited to share our second annual installment of our Beyond Trends webinar series that we are hosting every December where we kind of look back on things that we saw as an industry in 2022 and then what, we are going to give advice for our esteemed constituents in the industry moving forward. This is a fireside chat and excited to just have some good friends.

Adam Machinski from Red Canary and then Casey Ellis from Bug Crowd. I guess I’ll advance the slide here to just say here’s your esteemed crew for the next hour. So we really appreciate everybody joining and definitely thank you, Casey and Adam, for spending some time with us today. And then obviously can’t forget Nick, our hacker and residents here at PlexTrac. And then I’m the founder of I guess my title has changed now. Technically, I’m founder and CEO of PlexTrac, but looking forward to spending some time with everyone today. And the agenda for today is we’re going to share some of the trends and the key developments that we saw in the security industry in 2022 and really focus on collectively, what are we seeing happen? What do we see as things that are going to continue to advance into 2023 and then really try and give everybody some actionable takeaways of things that they can try to implement as we head into the new year.

And then this is definitely a Q and A fashion as well, so feel free to throw any questions that you might have throughout the hour in the Q and A portion of the webinar settings. We will try to monitor chat as well, but the best way to answer questions is to go through that Q and A function and so sit back and enjoy. Hopefully everyone’s enjoying kind of landing the plane here at the end of the year and getting into their holiday R and R mentality. So excited to join everybody, but thanks everybody, for joining and let’s dive in, I think. Let’s just talk about some of the trends that we saw in 2022. I know we’ve chatted about several before, but I’d be kind of curious. What was some of the key things that you felt were the most prominent trends from the industry? Casey, we’d love to start with you and see kind of what your thoughts have been and what you saw in the industry this year.

Yeah, it was definitely I kind of got caught by surprise when the Happy first Birthday log for Shell Tweets started dropping. Holy crap, that feels like a million years ago and yesterday all at the same time. So the start of the year, I think, in my head was really framed up by something that I think a lot of us in the industry have known for a long time. The fact that open source is kind of a shit show from a security standpoint. And the sudden kind of collective awareness of how big and how pervasive that problem is. Followed by EOS out of the White House, followed by all sorts of different things coming out of Sister and DHS and just sbomb Central. The SBOM definitely went off.

Alan Friedman, who’s a good friend of mine, who’s been, I think, the prophet in the wilderness, talking about sbomb for for about ten years or so, suddenly living his best life because everyone starts to understand, like, the role of software supply chains in cybersecurity and how fragile everything is. So that’s that’s one that continued. I feel like that trend actually didn’t get as much traction as it maybe could have. It feels like it kind of peed it out a little bit towards the back of the year, but it’s definitely still there, running in the background, and it hasn’t gone away as a security risk. So I think that’s one of them, probably the two others that I’ve got here, and maybe I’ll just drop these as points if you want to go around and get the others and we can figure out the conversation from there. We’ll do it that way. Personal accountability when it comes to cyber risk from a corporate governance standpoint.

So we saw Joe Sullivan get prosecuted basically under a federal crime that was leveled against him off the back of some of the stuff that happened at Uber back in 2016 that sent some pretty major shockwaves through the Cecil communities that I’m a part of. On top of that, the SEC bringing out regulation or bringing out proposed regulation for publicly traded boards to be able to report on the cybersecurity maturity of their board. And really what that feels like to me is that the SEC is trying to take cyber risk from this kind of weird thing that the nerds have control of to just integrating it more into a core corporate governance and risk management thing, which ultimately is a good thing. But it’s not necessarily something that those outside of security, or even those inside of security are used to. So I think that’s a trend that we’ll see continue into next year. There’s a lot of downstream impact to that one. The other is diversification of threats.

So seeing kind of nation state attackers go wholesale, seeing cyber criminals that are typically less sophisticated all of a sudden end up with a bunch of money and start to become a lot more sophisticated in how they’re conducting their work. And then kind of the return of the chaotic actor as well. Like the stuff that Lapses group did the UVA breach. Just people rocking up and making a mess for the Lulls. We haven’t really thought about that from a defensive standpoint since the time of Lull. SEC AntiSec kind of anonymous back at the late, late 2000s, early 2010s. So that to me is if that trend continues from a chaotic actor standpoint, then from a defender through the defender lens, we’ve got to be thinking about that because we, in my view, really haven’t been for a decent amount of time.

Yeah. Thank you. Fantastic topics that I think we’ll dive in on to several of those throughout the next hour. Adam, any anything from your side that you noticed? In addition to what, KC. Because I think those were fantastic, but like minute hour and all those dudes, but resisting the temptation, just like to front load every possible topic under the stunt, the first twelve minutes of this webinar. One thing that I think is important that we need to point out is like, we had like 15,000 tech workers enter unemployment land in the past handful of months, and the effects of that for people, for organizations on the industry as a whole is very interesting, for lack of a better term. And so that is kind of an overarching lens by which we think about even from a strategy perspective, we see all these companies laying off folks, and often as a side effect of that, they lay off their cybersecurity team first in line, oddly enough.

Well, what does that mean? Do they have an MDR provider that they’re just leaning on 100% now? This is something they don’t care as much about. And then back to that personal accountability piece. Just that kind of movement from a hiring and unemployment perspective has some impact. And so that’ll be just the one item I’ll say right now and cover a million things, so oh, yeah, yeah. But no, I think that’s an important I don’t think you can remove the macroeconomic situation out of the last year. Right. I mean, all the progressed throughout this year, we’re part of the trends and are going to play a big factor into what we’ll see in 2023.

I won’t throw anything else on the pile because I definitely want to get to that. But Nick, did you have anything else that you were noticing this last year that you’d like to kind of dive into as we dig in? No, very often. I think we got a lot that you are because I think we could spend an hour on every single one of those topics.

I think it’s legit. Yeah, obviously. I don’t know where you guys want to start, but I think the sbomb stuff and just the supply chain stuff that we saw, we’ve continued to see. And I would say from my experience, it’s kind of come and gone right off and on over the last several years, right. In terms of, hey, everybody knows there’s issues, even when just NPM breaks or something like that, where it’s not even like a malicious thing. It’s just like somebody writes a line of code that breaks the entire Internet and you’re like, this seems like it could go wrong and then you start to get more awareness. But yeah, how do we think that continues to progress into next year and beyond? I’ve seen one thing that I’m noticing, and maybe it’s just because I’m just noticing it now, but a lot of the folks who have leaned on automation assisting them, especially like source code analysis, vendors and products and tools, are starting to add in the ability to generate SBOM inventories based on automated.

So I think the idea is being like a lot of people are overwhelmed when you talk to these folks. They’re like, we can’t even inventory what we have if we wanted to. So I think a lot of the organizations who are trying to crack the code of how to of course automation probably is going to solve everything. But I’ve seen a lot of folks who traditionally think maybe our app SEC or API focused providers or tooling and companies are saying, we can automate that for you, which is interesting.

The other appending on that, you’re right.

You already went mute, Casey. It’s all you. But rochambo okay. Adding on that, I think the thing because I spent a decent time talking, decent amount of time talking with security startup founders and whatnot, including a bunch of people that were already in the ASP bomb space or wanting to get into it. I think a part of why this kind of ran out of steam throughout the year is that even if you’ve got the ability to do software composition analysis or real time generation of S bombs, all those different things, no one really knows what to do with that. So all of a sudden you’ve got like, okay, I’m scared because I don’t know where my shit is. Okay, now I know it is, but I’m scared because I don’t know what to do about that.

And it was a little bit of the cart coming before the horse. I think in general, that sort of revelatory moment of like, there’s a lot of stuff that goes into our software and we don’t necessarily have control over the security of all of it. That’s a good moment for the industry to have if they haven’t had that yet. But then it begs the question, what do you do now? Right. I saw that happening quite a bit in terms of how do you, as an organization, think about how you’re operationalizing the consumption of the output of these sorts of tools in peacetime, as well as the kind of very practical version of that. When it comes to the next log four, J, or log four, show, whatever that is, using it to be able to go off and patch quickly on a reactive basis if you need to. I think everyone answered that second, but no one really got the first one, if that makes sense.

It’s like, how do we operationalize this on a continuous basis? Yeah, I think that’s a good point because I think things that we’re also seeing is like, yeah, okay, there’s the notion of trying to identify what all is in your software, what all is in software that you’re using with your cloud providers. We’re seeing that built into contracts and stuff as a vendor perspective. Right. Obviously, if you’re using open source components, you have to adhere to those license agreements. But then there’s just continued I think there’s going to continue to be more scrutiny on the front end. But then how do you operationalize it as a vendor or as somebody in terms of, hey, we want to make sure that this is secure, but also as these threats come out, are we actually being proactive in being able to identify the gaps that we have related to those threats and those threat actors? I mean, I think it kind of starts to play a correlation of like, we’ll probably see more TTPs coming out related to gaps in open source components or supply chain, right. The one thing that always kind of tickles the back of my brain when it comes to the supply chain stuff, though, is, okay, let’s say we it’s perfect, right? We do everything great and everybody’s got a full accountability for all the things, right? And we know what to do with bill of materials and all that stuff.

So let’s say it all happens. Well, guess what? At the end of the day, if somebody hands your lead developer a duffel bag of money to do a thing, like, what good did any of that solve? Right? And I think that’s kind of something that’s easily forgotten as we’re talking about like the supply chain industry and, you know, reformatting, but at the end of the day, doesn’t you have an insider threat actor who’s just like, yeah, I was somebody gave me a Lamborghini to write a line of code. Done. What do you do about that? We’re always going to have supply chain sadness because at the end of the day, you got to trust somebody. And if you’re going to trust somebody that isn’t you and that person could be bribed or whatever, or for the LOLs, right? We just don’t know. And at the end of the day, they’re humans delivering the thing. And I don’t know if this is a fully technology solvable problem at its core, though.

All of this stuff is still good.

It’s not going away. Do you think we get to that point? Because I think I’ve seen this in security in my past coming from an app SEC background where it’s like, yeah, one or two lines of code can really do a lot of damage, right, or open up a lot of damage. And do you think we get to this point where we kind of become immune to the fact that, like, oh, this is, this is a really hard problem, so we just shine the light somewhere else because there’s lots of, let’s just go shopping instead.

I think there has been a trend, too, not to inject another topic, but it’s also tangentially related, looking at the different cyber insurance and where folks are leveraging the idea of cyber insurance, and then you have brokers and providers and insurance companies who are coming in and starting to offer cyber insurance. The number of folks who have hit me up on LinkedIn see the fact that I have any cyber security background. They’re like, hey, can you be an advisor on how we should set up and do cyber insurance? Not even close. No, I can’t. And if you have to ask me on LinkedIn to do that, you probably shouldn’t be doing it either. But what I’m noticing too is a lot of this, I mean, folks are also finding out that the policies that they thought they had that, you know, errors and omissions and general liability when it comes tons of policies were updated this year too. That said, there’s like a cyber rider at the bottom of it.

And by the way, if it has to do with cyber at all, you’re not covered at all. At all, at all. I think about all these, like, pen testing companies that do hacking stuff for yeah, I’m hoping that you that was another thing that happens. I think it was this year. I’m fairly sure they’re all blurring together a little bit, but let’s go with that. Lloyds of London pulling out underwriting for ransomware, I think, was France. It was where it started, but then it sort of spread out.

So they kind of got to the point where you’ve got actual people that are way better at risk management than we are, frankly, because they’re doing the math around it and trying to build a business on top of that, whereas we just try to reduce it. And that’s kind of our gear, right? So they gotten their data, done their math, and realized, you all suck at this. This is like ensuring a three pack a day smoker for lung cancer. Like we’re going to punch out. That’s a leading indicator, I think, in terms of what they think about the actual business impact of this stuff and how good we collectively as defenders are at this point in time and actually stopping it.

I think you’re absolutely right and I think this all ties together even and dovetails into the whole governance discussion. What additional restrictions or requirements are being placed by the SEC and all of these things. At the end of the day, we’re all still grappling with what are the things, how are we able to answer the right questions? How are we able to identify what the true gaps are, the progress we’re making in them? And I would say that that’s one trend that I’m also seeing as we head into next year. I think some of it’s related to the macroeconomic conditions, but like tool consolidation and really focusing on what value are we actually getting out of our program at large? Right? And that comes down to how do we address these S bomb or supply chain issues, where are our biggest risks there? And at least being able to call them out and say, hey, yeah, maybe we don’t have all the answers on how to solve this problem, but at least we’ve identified that it is a problem. Right? I guess the first not head in the sanding, not being like I’m overwhelmed if I take a nap or even being able to use that. Because to me that’s a trigger to abstract up another layer, right? It’s like okay, if you can’t solve all the technical issues then to me that’s a good time to ask the question well, why am I doing this in the first place and abstract back up a level. And it’s like yes, this is about risk management, this is about minimizing the downside for your business, allowing it to continue to operate, like frustrating the adversary as much as possible, all those different things that might feed up into it, right.

And viewing it through that lens down instead of from the technical lens up, if that makes sense. To me, this has been a trend because like Bug Bounty, with what I do, particularly with Bug Bounty, where you’re actually pricing a vulnerability, that’s one of the many things that Bug Grate does with the thing that we’re best known for. It’s where this shows up. It drives this conversation around what is a vulnerability actually worth to a business and to an adversary and brings it front of mind. So, I think at the end of every year I’ve come on to one of these things kind of wildly optimistic and said everyone’s starting to think about this more as a business issue. And at the end of every year I’ve sort of look back at what I said and feel a little bit disappointed but mostly justified in the fact that it’s a progression, not a kind of a snap and roll all of a sudden there. Because it’s to me something that we’re just not very good at as an industry yet.

Going back to what you were just talking about with the SEC, there’s now a business and a regulatory appetite that’s moving towards us at the same time that we’re trying to move towards them. To me, those are all good things like when they’ll actually produce meaningful change and impact in how we do our job. I’m not entirely sure about that. I think to your point before Dan, the illuminating recession like global conflict, all of those different things, one of the impacts that that has is really drawing a lot of attention to the question of return on investment right across the business, including us. To me, like this is actually the kind of pressure that’s increasing on companies right across the board is potentially for us, valuable to be able to tell that story better and actually see some meaningful change happen in the ways that these sorts of things get done. But, yeah, it all kind of remains to be seen, I think. And I think the aside, though, at the same time is what is it? There’s some statistic about how the average company has like, 50 cybersecurity products, and we’ve all seen the whole, like, crazy cybersecurity landscape with a thousand logos and categories.

One exercise I encourage people to do is, okay, look at that whole landscape and figure out which categories in that grid exist to consume the stuff from other categories. Right? And it’s this horrifying feedback loop. But at the end of the day, going back to that other thing we mentioned at the beginning about, well, what is the state of people’s cybersecurity teams, right? Given all the layoffs and the recession and the fact that this skill is expensive and hard to keep around, well, you have 50 tools that your ROI is maybe, but now you laid off the people who knew how to use that thing, right? So what do you do? Well, somebody said it was important, but that person’s not here anymore. Do you give it to someone else to care about or do you just shutter it or what have you? And I think all of these things are wrapped up together again from the macroeconomic perspective of people have a lot of tools that they may or may not be using, but the skill, the folks who they have there to use, it may not be there anymore because they were poached or you couldn’t afford them or whatever. And that is something looking forward into the new year is going to, I think, be an increasing pressure as people are not only looking for ROI, but also people to drive the cars they bought.

No, I think that includes the engineering teams as well.

You brought that up and immediately, like my mind and probably the mine, since everyone on the call here went to security team, layoffs and all those different things. But when you think about Twitter for all sorts of reasons, is kind of not a clean example of what we’re talking about here. But to me, it’s almost the most dramatic possible version of what could happen if you make it extreme, right? Like, you’ve got engineers, you’ve got infrastructure that’s limping along without SREs or without the tribal knowledge that’s required to keep that stuff online. And usually this is the important part. It’s that tribal knowledge that would form the interface between the security team and the actual production environment. If there’s a thing that needs to be done. Looking at that in terms of the connection points between the security team and the actual production environment itself, there’s loss happening in that side of the business as well.

So it’s like these interconnects between the security team and the folks that are actually going to action, the advisors defenders. That’s something that kicks me up at night a little bit as well at this point. Oh, yeah, there’s a certain obviously you have the notion of losing some of the talent and tribal knowledge of the security team itself, but then if you’ve lost the other connections that would have been able to draw on that tribal knowledge within the organization, it’s an issue. And I think those are things where it’s kind of like, hey, we may not see the effects to that for another six months. Right? I mean, there’s just certain things that operationally you don’t recognize. You’re going to see an immediate impact. And I think what I continue to focus on is that it’s going to continue anytime you’re in, regardless of what your industry you’re in.

But anytime there’s an economic downturn or recession, even from a personal level, you start to just focus on like, okay, where should I be careful with my spending and how am I managing my resources? To your point, Adam, I do see that there may be some loss of knowledge, but I think there’s going to be kind of a reset. And this is what I would recommend to people too, is like, take a step back and really focus on, okay, where are we at as a security program? What are the key things that we’re focused on and how are we driving value from what we know we’re doing? And being a little more proactive on truly saying these are the gaps that we have and where we need to be focused on in terms of shoring those up, the known knowns and ensuring that we continue to have that message, that we can speak up to the board and up to the executive leadership. One thing just to key off of that and to grab a thread from Casey earlier, there’s also something interesting about tool consolidation happening on the other side of the mirror, right? Because as we’re talking about this from a defender perspective, well, guess what? It’s being commoditized the adversary space, right? You have this concept of wholesale tooling for adversaries and everybody’s just buying like the same ransomware as a service tools, and it’s working. And you talk about a weird way to think about ROI as we’re all trying to figure out which of our security tooling makes sense, but what is the adversary up to? Well, they’re doing the same thing, which is kind of strange and terrifying.

It’s a useful way to think about it, though, because when you think about it, the adversary, they go home, sleep at night, put their pants on one leg at a time. They do all the things that we do in defender land. So logically, these kind of economic, the macroeconomic pressures that we’re talking about and some of the uncertainty, it affects them in the same way that it affects us. So thinking about it as almost as a competitive business in a sense, it’s like, okay, if I was a bad guy, what would I do? How would I improve my efficiency? And you’re absolutely right. Like I kind of hinted at it at the start with diversification of threats like the cybercriminal kind of apparatus in general. And this is not speaking to the fuzzy lines that exist between nation state apparatus in certain countries. Let’s leave that off to the side because that gets messy real quick.

But just thinking about it as purely like financially motivated criminals, they’ve stratified. I think they’ve taken a lot of cues from what they’ve seen work and be successful in Silicon Valley wherever, when it comes to SAS vendors and all those different things and really focused upon the part of the kill chain or the part of value delivery, like criminal value delivery, their best at. So you’ve got ransomware as a service operators. You’ve got them now working in partnership with the IABs that are doing initial access. You’ve got brokerage of like all sorts of different things and then obviously the folks that want to actually execute the campaigns and get to take at the end of the day themselves. There’s this phenomenally sophisticated ecosystem at this point in time that really I think it’s been around for a while. I first started becoming aware of it back in 2020 when a lot of it was getting deployed into Healthcare around covered.

Because that’s kind of when I got pulled into the CPI space adjacent to Bowl Discovery and the kind of stuff I do with bug crowd. And it’s really quite eye opening as a defender. Thinking about it through that lens and then thinking about what we do when we’re asked to talk about the return on investment. The problem with defense is if it works, nothing happens, right? So the board asks you, was that an effective spend last year? And you say, well, nothing happened. So yeah, it was. And they ask you, well, how can you be sure? That’s a universally difficult question to answer because of the negative feedback loop that’s kind of inherent in our job. And the funny part is the attackers don’t have that problem.

If they’re successful, then they know, right? So I think that the takeaway for that and this is something that we talked about in the Precolle is just if you’re not already doing it within your organization, like really working on tightening up what you’re reporting as a trended metric of efficiency, efficacy, success, whatever you want to refer to it as that your board is actually going to understand because the number of attacks blocked and all that fun stuff like number of spam messages identified, blah, blah, blah. Those things are good, but ultimately they’re not really reading that stuff. They want to see the overall efficiency gain that’s coming from the money that they’re investing in your team and your organization. And I think it’s on us really to articulate that and continue. To iterate, how we articulate that to make it more consumable and actually have us be more of a partner to them and how we manage the risk of the overall company.

I think that makes sense too. And the last thing I want to put on that is I think there’s also just a drive that status quo just can’t be. And for an industry of folks who are trying to stay bleeding edge either on latest detections and TTPs or on techniques for emulation, et cetera, there is a lot of just resting on laurels and status quo. I think it’s comfortable. You understand it, you have metrics on it, you have revenue projections based on it. But the idea of making sure that we’re genuinely not resting on our laurels and the status quo isn’t the name of the game, and that constant. As threats evolve, we constantly evolve is just something I know it’s not a lot of rhetoric and nonsense, but it’s got to be.

This isn’t to speak to the intelligence community at large, the government, whatnot, but I’m seeing a lot of polls from specific either combatant commands or organizations and agencies, if you will, that are wanting to get commercialized talent, commercialized capabilities that they’re seeing in the private sector. They want to bring it into intelligence communities, into cyber and kinetic warfare. They want commercialized stuff like, you guys are doing a really good job emulating threats. So let’s start taking some of the lessons we’ve learned from the commercial sector and bring it in. Would you like to be one? Yeah, that too.

It’s interesting. Well, I think that’s a good point, and I think you kind of both tied a lot of my thoughts around what I’ve been saying and also seeing a little bit this last year is speaking about our program and our security posture differently and how we’re approaching the proactive side of the house right. Is because you’re right, Casey, for ages. Hey, if it’s not if your security program is working, it’s hard to just talk about the things that didn’t happen, shifting the mindset of being more proactive. And what I’m calling what I’ve been addressing is threat informed pin testing or threat informed security testing of being able to speak to like, well, hey, we proactively assess against these types of threats and incorporate that into a continuous program so that we can actually speak to the things that say, like, well, yeah, nothing happened because we’re testing it on a regular basis. And here’s the gaps that we’ve continued to fill. Right.

And so that you’re not always having to speak to, like, a breach or an incident, but also, hey, in a proactive manner, we’ve been testing these things, and this is how we know it’s working. Right. I think that’s an important shift that we’ll continue to see as time moves forward. It’s talked about the threat informed defense capabilities, and now it’s moving into the proactive space. Yeah, definitely the two areas where we see that one is really the adoption of vulnerability disclosure programs by organizations. I think part of that there’s just kind of at this point of peer pressure that’s kicking in. There’s regulatory mandates, it’s been written into NIST, like there’s all sorts of different things that are kind of pushing the top down, but it’s such a visible thing to do as well.

And it actually speaks well of the maturity of an organization’s kind of cybersecurity mindset, if that makes sense. It’s like, okay, we’re going to be vulnerable. Let’s not try to use Ostrich risk management as a defensive strategy and actually admit the fact that bugs happen because people write code. And then let’s put ourselves in a position where we can get as much intelligence around where we might be vulnerable as we can possibly get and get into a rhythm of fixing that stuff and trying to avoid doing it again in the future. So that’s one. The other is for companies that are using basically incentivized crowdsourced security programs, be it a public bug bounty or a private program. This idea of vulnerability being something that you can extract from a group of people for a certain price.

Once that velocity starts to taper off, you can kind of argue that you’ve reached your proxy, a proxy indicator of the cost to attack your company at that point in time. So it’s like, I offered $10,000, I saw a bunch of issues come in. Now it’s basically stopped as I’ve been fixing things. So loosely speaking, you could say that basically what I’ve done is increased the difficulty to the point where that incentive is no longer enough to encourage a friendly attacker to do the things needed to create to get shell, basically. And then you bump it up to 20,000, restart the process, and off it goes again. We’ve seen a bunch of companies starting to look at some of those metrics as things they can report up to the board. Because when you think about the distillation of everything we’re doing in security when it comes to initial access, in particular, increasing that cost is really kind of why we’re here, right? It’s not about making it impossible because that’s not a real thing.

It’s about rationally increasing the cost of attack to the point where it’s economically irrational for an adversary to come after you and be successful so they move on to the next guy. So those are a couple of I know we’re trying to talk about some actionable insights that we can kind of leave behind with people, but thinking about it in that sort of way be that with Bug crowd because obviously we can partner with that or just taking that as a mental model and figuring out how else you might be able to apply it in your organization. Those are two that I’ve seen start to pop up this year. Yeah, that’s fantastic. Adam, were you going to say something? No, I just love this idea, though, that you can actually create metrics around vulnerabilities and say, like, oh, at a certain monetary threshold, we think that the level of sophistication of a threat actor has crossed, like a Rubicon or not. Right. $20,000 as a level of sophistication of a threat actor is a really kind of strange way to think about this if you’ve been doing it in a traditional sense.

And I love that as like, oh, there’s a bit of a paradigm shift here. And if you use that sort of public disclosure stuff, if you use as a metric, that’s the kind of thing that can really shift your thinking. And it’s staggering when you think of it that way. It’s like, oh, we can actually something that we couldn’t really tell how we were doing. Right. The barrier to entry of a threat actor into our environment has always been kind of fuzzy. It’s like, oh, that’s sophisticated, and that one’s not.

Okay, cool. Neat. I guess. Well, now you can put a monetary value on it and become super clear lines yeah. And demonstrate it as a trend over time as well. I think that’s the important part, right, is the money that I’m because again, thinking framing this up as a CSO to a board conversation, it’s like, okay, here’s me asking for next year’s budget, or here’s me asking to expand next year’s budget. All of a sudden, you’ve got this historical track record of that budget being deployed in a way that serves one of the primary goals of the existence of that department to begin with.

Right. Like, we’ve made it more expensive to tack the business great. Yeah. In a proactive fashion. Right. So, I mean, what you’re saying is like, hey, I want to increase my budget to show that the more I offer in a bug bounty program or something like that, that’s when I get more traction for the complex bugs. I’m just trying to think of that.

Yeah, thank you for calling that out. That’s part of it. But I’m not just talking about that. I’m actually talking about, hey, we want to invest more proactively in developer security awareness training or secure code training, or we want to get into doing what you guys do in terms of integrating Red Team and Bluetooth knowledge and actually operationalizing that within the business. It’s not just about the money that they’re spending on this particular point of vulnerable discovery. It’s actually about that being a proxy of all the other things that go on inside the business that make that hard and actually using that as a leading indicator to justify all the other things as well.

You all can pay us more money if you want to. I’m not going to argue with that. But I guess my point was more that that’s not the only thing I’m talking about. It’s actually almost the smallest thing, and that makes yes, the overall investment in the program is actually a trend to show that the more you do it, the better off you’re going to be. Right? It’s another way to reflect before we run out of too much time. I think we’ve kind of been circling around the whole notion of, like, hey, the value that you want to really show that your program is having and the activities that you’re conducting and the tool sets that you’re using. And then that’s all kind of bubbling up into the continued growth and oversight, I’ll say, like, oversight and governance, both from the political landscape, but also, I think, the social landscape as well.

You mentioned the Joe Sullivan case and what impact does that have as we move forward, as we kind of piece some of these things together? CBD I think in terms of how it plays out, the immediate impacts, it was definitely a good quarter for people doing DOI Insurance for CEOs off the back of that fine. And not to get too glib about it, because obviously some fairly hectic stuff’s gone down here, but we’re talking about the consequences of that.

I think there has been a period of time where CSOs, all of the CSOs I know, they take their job super seriously. They lose a lot of sleep at night, they always miss their Fridays, and anything becomes straight for a public holiday and all the things that happen when you’ve got that gig. But this idea of it being tied to like, personal criminal liability in particular, but then by extension, personal financial liability, I think that was really the bell that the Joe Sullivan hearing and case kind of rang. That is a thing. This is a thing that happens. It is a thing that is possible, like, it is possible to go to jail for decisions that you make in that chair. And I think just in general, that going from not being something that’s front of mind to it being very front of mind, that’s kind of a big deal.

Like how people respond to that. As I said, DOI insurance and all of those kind of personal liability protections, that’s an obvious thing. Just making sure that obviously you’re doing as best and as clean a job you can, that’s another that I know a lot of people are thinking about, but probably not talking about too much. And practically in terms of how that rolls forward, it really to me is a little bit TBD, but to people’s minds at this point in time, and it wasn’t at the beginning of this year, I think that’s pretty and the rest of the executive team of like, hey, this is why this is important, right? And that we’re all on the same team here. I think there’s all kinds of aspects that it’s opening up doors for conversations, which all on the same team and tying Joe with the SEC stuff. And what you’re saying here, we’ve been kind of the widows in the corner for quite a long time with respect to the rest of the business. They know that we’re important.

They’ve got no idea what we’re actually doing, but they understand that it’s really bad if we get it wrong. And no one wants to end up in the media for having the company breached. So there’s this sort of disconnected sense of value between the business and what we do in cybersecurity that I think we’ve just kind of coexisted with the past. To me, probably ten years prior to that, they didn’t even think we were that valuable. But the point that we’re at now is this sense of that kind of being integrated. Like these discussions, the stuff with Joe personal liability for a CISO, that raises the question of personal liability for a director, because if you’re on a board, then you have directorial liability, and there’s different versions of that that might be impacted by the decisions that are being made by the CSTO. So all of a sudden, board directors are thinking about that on the personal level.

Right. And with the SEC stuff, it’s like, okay, we’re actually being mandated now as a part of our reporting responsibilities to have our arms around this thing, and we don’t. So now what, to your point? Like a whole bunch of really productive conversations that I think are available to us now that weren’t at the beginning of this year. I think having those conversations is really the takeaway from that.

No, I’d be curious about the folks about your take when we’re thinking about actionable advice and the trend of the Beso function coming in, because I’m seeing a lot of my peers and colleagues. There was a time where old crusty hackers were like, well, I can be a Pen tester, I can be a Red teamer. Maybe I’ll be a CISO, maybe I’ll go be a Direct, whatever they end up doing, sales engineer, get into something different. But then I’m seeing a lot of my peers and colleagues go into the Beso role where they’re getting smart on the business. They’re getting focused on taking the technical acumen and their risk management backgrounds. I’m just curious because I’ve seen a lot of trends too, of folks talking about biso roles and what are your thoughts as we talk in the same vein of one team, one fight, together forever, or together togetherness.

I just can’t shake the idea of we’re always weirdos in the corner and now we’re just like, criminally liable weirdos in the corner.

I’m just frozen in that it should be a T shirt. Criminally Liable widow in the corner. I love it. One of these companies is going to have that as a T shirt in like three months. You know it is. People are probably already making the orders happen. Yeah, no, I think you’re right.

Go ahead.

I think that the trend is that there’s a lot more focus on like, hey, what can I do to actually help the business and speak in the business terms? And I think that there’s the hacker in all of us that we just love to tinker and we love to break things and just understand the tech and understand how things work. But then I think it’s drawing the conclusion back to the fact that there’s actually a purpose behind being able to do this. Right. And that really is, whether we’re in a business or an agency, you’re there to help accomplish the mission, and that does require some solid, productive conversations and being able to communicate effectively as well. Right, so, I mean, that would be my just visceral thought in terms of how people are thinking about moving into different roles and then being able to grease the skids for those conversations around, look, this is important. We need to be all on the same page as to what the mission is, because at the end of the day, if I make a mistake, I’m going to be honest about it. Right, but there’s a lot at stake here.

Right, yeah, I actually tie it a little bit. I made the joke when miso, because whenever I hear Biso, I think Miso and I feel hungry, which is what just happened. But that’s out of scope of the webinar with the rise of the bison. The other thing that’s happening that I think is kind of related is this whole concept of the field CESO where you’ve got someone particularly for technology and infrastructure vendors, who has a CSO kind of view of the world when it comes to risk management, technology, like political risk, insider risk, all those different things. But their job is effectively to interface with the customers of that technology company. And it gets poopooed a lot because it’s like, oh, that’s not a real C, so you’re not managing risk for the insides of the organization. All those different things, which is the back part of that is partly true.

But to me, we’re back at this whole thing of how do you make security relevant to the business? How do you increase the points of contact and the interface between the stuff that we’re doing that’s fundamentally quite difficult to understand if you don’t come from the places we come from with folks that are actually the reason that we exist in the first place. Right. Field CSOs to me have a tremendous opportunity to actually lead when it comes to sparking thought out there in the market around how to consume security in a more effective way and actually do a better job at taking care of users and doing all those different things. So, yeah, I feel like the CEO role, I don’t think anyone ever really quite got around to defining it when it first came out because there’s so many different versions of it that you see out there. And I think most CISOs would agree with that. It’s not a diss on them. It’s just an inherently vague and very broad set of things to have your arms around.

But this idea of like, it’s specifying down into plugging into business risk or plugging into evangelism and product development to better serve customers and better set their expectations, that to me is all kind of coming back to the same idea of making ourselves more relevant to the company itself.

I didn’t know if Adam was conditioned. I was again going back to the actual intelligence. Does this group feel that there is a trend towards solidifying the roles of CSAs? Or do we think that we’re going to continue to have these roles be fractured into things like Field, CSOs and the like? There as other roles kind of are born and take on more crystalline definitions because I still think it’s kind of up in the air a little bit as far as the trends of what that role does depending on the organization. But I don’t know, I don’t know if you all have seen that gaining traction somewhere or if it’s just being kind of fragmented into new roles.

I think it’s going to continue to evolve. And yeah, I couldn’t predict on where is going to land because you do see some of the trend of like the security is being spread out across the entire organization. Like pervasive cybersecurity to a degree of everyone knows they have a role to play. And so does that mean that the system has some kind of purview over everybody’s activities and actions beyond their awareness? So I think my gut is that that will continue to evolve, but I do see it continuing to be a little bit more dispersed across an organization. So whether that becomes like officer role, those kinds of things I think are still kind of TV in my head. But yeah, I’d agree with Dan on that. Like, you look at the trends from my perspective and if anyone has a different memory of this, feel free to jump in.

But it kind of started off with the CSO and then whenever it was probably five to seven years ago, you start to see the CISO pop in and then all of a sudden there’s a strong distinction between those two roles. And sometimes there is, sometimes there isn’t. Usually someone who wants to see so like a CISO title doesn’t like being called a CSO and vice versa because there’s very explicit pictures they’ve got of those two roles in their own, in their own mind. But to me it’s like CSO, like CISO is a subset of CSO because you’re talking specifically about the security of the information systems and the information within that organization, as opposed to you go up a level, you’re talking about security just in general.

And yeah, you’d be so like Field, CISO, Miso, Soup, eventually they all become these kind of scattered downstream applications at the same thing. To me, the question is at what point does this sort of reintegrate in with the general idea of risk management and how that kind of plays out within an organization? Is that something that happens in the future? I don’t think that’s something that we’ll see next year. But to me, the trends ultimately seeing security kind of merge with engineering in a lot of different ways. I think we’re already heading pretty quickly in that direction. So what does that mean from an.org chart and the title standpoint? Not really sure, but yeah, I’m kind of looking back to look forward a little bit on that one. Yeah, that’s interesting. And it only gets more complicated because now we have information technology and operation technology.

So do we need a chief operational technology security officer? Like, oh, man, that’s another panel. That’s a whole other panel. What’s the difference between it and OT? Well, we finally figured out that IoT doesn’t mean anything and called it extended IoT. So that’s progress. I guess we’re collapsing some categories.

Well, I think it’s clear that technology always changes, which means security always evolves. And threats, like we’ve already talked about threats evolve.

It makes it a challenging way to speak about how we’re addressing it and I think continue abstracting of like, hey, what impact does this have on our overall program? Is the key takeaway that I would push. I was going to say maybe we wrap it up and then open up for just a general Q and A session. But if there was one thing that you would kind of say like, hey, here’s what I would say, take some actionable advice away to the audience, what would you give them as hope for 2023? Adam, we’ll start with you. I’m going to play. Yeah, I think kind of taking on the theme of what we have here. I think the important thing we all do in the new year is really understanding the tools and realities of our organization like it has in their possession. This concept of oh yeah, we bought this thing and the other person who knew how to use it is gone now, or whatever is going to become increasingly problematic, especially as we talk about all these new kind of overseer roles and chiefs that are appear and liability is now held.

Well, at the end of the day, somebody’s got to know how to drive these cars we bought. Right? I think there’s often hesitation be like, well, we bought this thing, we don’t know what to do with it. Quick, everybody learned how to use that thing. That may not be true for every organization anymore. And leaning on third parties is A okay. And I think that making sure that if you have a thing, you really need that thing, the only method to get value out of it is to have someone else drive it, that’s okay too. And so just calibration inside of an organization of what is it? Do we need it and can we drive it ourselves or do we need to have somebody else do it? I think having those be questions we ask ourselves is really going to help as all these things that we talked about the last 45 minutes here kind of shake out in 2023.

So that’s mine. That’s well said, Nick, go ahead. I wasn’t sure if we were passing around or just jumping in here, but I would say that we’ve got the attention of the business now. If you’re talking about a bright note to end on, those of us that have been around for a long time know that that’s not always true. And I often spend myself, find myself spending a decent chunk of time with newcomers into this space just explaining kind of Grandpa Simpson telling the story. It wasn’t always like this, like the business coming to us and actually asking, what were you think? That’s still a relatively new phenomenon. But I think all of what we’ve talked about and all these trends and some of the stuff that we’re sort of expecting to see next year really highlights the fact that that’s true.

And that’s I don’t know about you guys, but that’s awesome from my perspective. And it’s an opportunity for us. I think there’s the whole kind of with great power comes through, great responsibility angle to wield on that one. But the fact that we’ve got the power and the opportunity in the first place, I think that’s the bright spot. And then just frankly, just going away, sitting down and working out what you’re going to do with that, that’s probably, from my perspective, the most actionable piece of insight for anyone. Like, I’m assuming there’s a broad range of people on the score regardless of who you are and what you do, sitting down and having that thought maybe over a holiday beverage or whatever it might be, I think that’s a useful thing that everyone can do.

Yeah. As a fellow nerd in the corner, our corner. And I think encouragement. And something that is encouraging to me seeing because I got hooks into all different types of businesses and consultancies and providers and enterprises and governments and all this stuff. What I am seeing is increased collaboration and to pay homage to the color of my background. That concept, regardless of the nomenclature used to describe it that collaborative nature between not just red and blue and offense and defense but the collaboration between security functions, business functions and that whole one team, one fight. I’m seeing a lot of folks seeing that the impetus is on them to make those moves, establishing those relationships, and that becoming part of the corporate culture regardless of entity type, really having those conversations.

And so an actionable advice and takeaway and encouragement is to continue to foster those. Because as the folks who are creating risk metrics, if they’re in a vacuum and they’re only using the data exposed to them. They’re not being exposed to other data sets that people have, especially with different professional capabilities and those types of things. So just continued emphasis on that better together, one team, one fight, and collaboration and relationship building. Because it’s not just making sure your smart analysts and my smart analysts, all business and cyber and technology together. Well, it’s those relationships at every leadership level. There’s just everybody’s sympathetico.

Yeah, no, I think what’s been fascinating about the last 55 minutes is that we haven’t really talked about how you used to have these things where it’s like, oh, we now see that you can attack people through a USB drive that auto run. We haven’t talked about the technical vectors that we used to as an industry, which because we’re still seeing all these things evolve. But I think what’s fun is that we’re actually discussing more of how we address this as a whole industry, of how does make an impact to the business and how do we communicate effectively and collaborate to the point where regardless of what the new threats that are going to come out, we have an approach to how to be managing those. And I think that’s my takeaway for the team, for the audience, is continue to stay proactive on how are we identifying what gaps we have in our environment and the threats and how we’re communicating those effectively and showing the trends and showing the progress, because that’s going to continue to be vital, and those are going to be the questions that are going to get asked as more regulatory oversight comes down the pike, in my opinion. So while we’ve got a few minutes, like three, are there any questions from the audience? I haven’t paid as close attention to the chat, I’ll be honest, but I don’t know if there’s been any questions that have come into the chat or if you have a question for the group here, throw it into the Q and A function window there and we’ll be happy to address it.

And if not, I’m sure that Nick can do us well. I was going to say, if not, this is I’ve been waiting my entire career for this moment to be able to do this.

The crickets, you got to use it. Mike, congrats.

This is the apex of my existence.

This has been really dope. To just be able to squeeze all the knowledge bombs out of your pores.

Well, that was gross. That was super gross. That was way too vivid.

On that note, we’ll give you some resources here. You can always stay in touch with all of our companies as we’re trying to help everyone fight the good fight and stay ahead of the curve in terms of the trends that are occurring in the industry. So definitely sign up for all of our social accounts, both at Red Canary and Bug. Crowd and PlexTrac. Definitely. Thanks so much for joining us. Adam and.

Casey really appreciate you taking some time to share your wisdom and knowledge of what’s going on in the space and what we’re going to see in the next year. And we can sign off and wish everybody a happy holidays and enjoy the time with friends and family. And hopefully we’ll all get some R and R and be back strong for a solid 2023. Thanks for having us. Thanks. Good talking here’s, y’all. Yeah.

Thanks a bunch. Thanks, everybody. Enjoy the rest of your day.