
Digital: Disrupted: The Ever-changing World of Cybersecurity

May 12, 2023

In this week’s episode, Paul sits down with Doug Barbin, the Chief Growth Officer of Schellman, for a conversation all about the changing cybersecurity landscape. Doug discusses what digital trust means to him, and what companies can be doing to better their security and compliance programs.

Digital: Disrupted is a weekly podcast sponsored by Rocket Software, in which Paul Muller dives into the unique angles of digital transformation — the human side, the industry specifics, the pros and cons, and the unknown future. Paul asks tech/business experts today’s biggest questions, from “how do you go from disrupted to disruptor?” to “how does this matter to humanity?” Subscribe to gain foresight into what’s coming and insight for how to navigate it.  

About This Week’s Guest:

Doug is the Chief Growth Officer of Schellman, a top 100 CPA firm that specializes in SOC examinations. In his role, Doug is responsible for the strategy, development, growth and delivery of Schellman’s global services portfolio. He has more than 25 years’ experience in technology-focused services.

Listen to the full episode here or check out the episode transcript below.


Episode Transcript:

Paul Muller: Today we're going to revisit the topic of cybersecurity. Now, I know we've covered this a few times, but the reality is that the adversary, the legislative environment, the tools, the techniques, all continue to change at such a pace that it's worth checking in once a quarter or so to keep up to date with the state of play in this space. And we've got a great guest to help us, to guide us through that conversation. But before we dive into it, you've probably heard me say this before, but I really would love you to check out the website of the show sponsor Rocket Software at rocketsoftware.com. They updated it a couple of months ago, actually. It looks gorgeous, so do check that out to see why over 10 million IT professionals rely on Rocket Software every day to run their most critical business applications, processes and data. And in fact, they've recently acquired a cybersecurity-oriented company. So, check out what they can do for your cybersecurity too. Hey, but before we go too much further into cybersecurity, I wanted to give you an introduction to our guest who's going to provide us with a perspective on the cybersecurity state of play. I'm joined by Doug Barbin, who's responsible for strategy, development, growth, and delivery of cyber consulting at Schellman. They're a global cybersecurity services company, but that's not all he's got in his kit bag and certainly not his first rodeo. He's got deep experience as a product manager. He spent some time as a CTO and COO at a mortgage firm and also has gotten his hands dirty with fraud and computer forensic investigation, something that I find personally fascinating. Welcome to the show, Doug.

DB: Thank you. Pleasure to be here.

PM: It's great to have you here today. Where will we find you?

DB: I am out in Sacramento, California, actually. So bright, bright and early here. I know it's in the evening for you.

PM: Going to say it's 11:00 PM here. It must be like 5:00 AM for you, is it?

DB: Yep. 6:00 AM. But all good. Used to getting up early. Especially what we were joking about before we started recording, with the global economy, the global everything and yeah, why do we have time zones, right?

PM: Why do we have 'em at all? As Ted Lasso coach said, because the sun. Hey, we're going to jump into cybersecurity. I'm really keen to get a sense of what you are seeing at the moment, especially because you do come at it from a really strong audit and compliance background. I'm curious to see what's happening there, but before we do, we have a little tradition on the show, we call the lightning round. Are you prepared to be struck by lightning?

DB: I’ll do my best. 

PM: Alright, batter up. First question, Doug, what would people say is your superpower?

DB: I think it would be vantage, ability to see multiple sides of an equation and a problem, looking at it from different perspectives relatively, relatively quickly. Just always trying to understand different people's perspectives and factors and things that go into something that may be simple. It seems simple but isn't simple. So, unpacking that.

PM: I like it, vantage. I don't think we've had that come up before. All right, next question. The most disruptive technology of all time?

DB: Of all time. Well, as I was thinking about that and at least recently, as a hobby, I do cook, so I enjoy cooking a lot and I've taken a lot of classes. I was going to joke and start that the Sous Vide is one of the most disruptive technologies at least of the last 10 years for anyone who has cooked. It was designed to solve a particular problem. Anyone that enjoys cooking has done their fair share of overcooking and undercooking just about any type of meal. So the Sous Vide was designed to address that problem and it really game changed a lot of what I was doing from not cooking for my immediate family and friends and things like that, but just overall. But that's the hobby.

PM: I'm giving you Sous Vide, we've never had it before. It's very, very cool. I think we're keeping that, is that all right?

DB: Fair enough. But you've probably had the smartphone and other types of technology.

PM: So many times, it makes my head want to fall off, but no, we've never had Sous Vide, we’re keeping that one. You are an original Doug and food nerd. I can get right behind that. Yep. All right, so that's taking a risk, that's showing leadership, which takes me to my next question. The best quality a leader can have?

DB: I think empathy is if you've got to dial down to one, but it's important to kind of define empathy. Obviously, it's care, it's kindness, but it's being direct though and it's not avoiding problems. It's caring for people that you work with and your clients and your employees just like you would children to a certain degree. You know, you need to make sure that everyone has a fair dose of tough love while knowing that you're in their corner and that you support them.

PM: One of the most thoughtful descriptions of the word empathy I think I've ever heard. All right, next one. Your advice to people starting their careers?

DB: Yeah, I've got a rising senior in high school and so of the mindset of she's trying to figure out what the next steps are for college and then grad school and then this and that. And I think the advice is just try not to overthink it too much. It seems like we have, especially people in that age range and in the beginning of their careers, they've either overthought their career or they've underthought their career. Try to tell or do what you enjoy, do what you're going to be successful at and that's going to provide you with happiness and the success will come along with that. And I think what you're driven to do, you'll do it well. So that's really it. Do what you love, try not to overthink it. Know that you can course correct, what you decide to do tomorrow isn't going to set you up for the rest of your life. One of the best security people that I've ever worked with, he was an oceanographer. So he started, I think he's got two degrees in ocean and marine science, but I mean he was an incredible cybersecurity professional. He owns a cybersecurity company, he was a CISO for the city of Seattle. Just try not to overthink it. Do what you enjoy and be ready to pivot if you need to.

PM: Yeah, I think the critical thing right, is to get into it. Yeah, don't be a passenger. That's probably the most critical thing more than anything else. As you say, don't overthink it, but just whatever you do, do it with gusto. All right, next question. The first thought that comes to mind when you think of cybersecurity, other than runaway?

DB: Just change. Change in the sense of it's evolving and I think that the organizations and people that suffer in cybersecurity are the ones that aren't taking into account change. They aren't looking at the technology landscape and the people landscape and all of the other things that go into cybersecurity because it's different than it was 2, 5, 10, 20 years ago. It reinvents itself almost every few years.

PM: Yeah, absolutely. And the show's producers made a point of getting people such as yourself back on the show regularly, as I mentioned in the opening, because it is a moving target. I remember reading, I don't know if you know who Gene Spafford is, but he wrote a book on cybersecurity back when I was in high school and back then I thought, wow, if we just do everything he says, we've got this problem licked. And here, here we are 30 years later or even longer and we're still battling with it. So yeah, couldn't agree with you more, change. Alright, I'm talking too much. If we could use technology to solve one world problem, what would it be and why?

DB: Sex trafficking, horrible problem. I mean it just is, it's a plague on our society and a tough one to solve. So if technology could help find victims, rescue them, bring them home, that yeah, to me that's a big world problem that I'm passionate about, that I support financially. We've got several groups here in the Sacramento area that have organized to combat and educate and to even rescue victims of sex trafficking. 

PM: That is probably one of the best answers I think I've heard on the show. On that note, let's wrap up. Ladies and gentlemen, thank you for joining us for this. That was fabulous. But seriously, we should get onto the topic of cybersecurity because the two are not unrelated in that organized crime is really probably the big difference between when Spafford wrote his book, as I said, must be probably 30, 35 years ago, and back then it was annoying people and the occasional nation state who got curious. Now it's mobsters, it's a business. You do have an interesting background. I do ask this question of a lot of our guests is maybe we could start though with telling us a bit about, you know, you talked about an oceanographer coming into cyber. Tell us a little bit about your journey.

DB: I started, my 18, 19 year old dream was to go into the FBI. So in college. And at that time they were looking, you know, you couldn't just get into the FBI out of being a police officer or anything like that. They were looking for accountants, they were looking for language speakers. So I double majored in college, in accounting and in criminology with that goal that I wanted to do white collar work. And so, I thought that was fascinating. I took an organized crime class, we learned about the pizza connection and mafia and all of those types of things. It was fascinating. That's what I wanted to do. I wanted to go out and go and chase mobsters through the money and then fast forward to a first job at Pricewaterhouse, I was actually able to work in a forensic accounting practice.

And then we saw the landscape evolving. It wasn't just paper-based exercises, it was going digital. So working with another gentleman out of New York, we developed the first computer forensics practice and started getting into the IT side of things. And that took me to security, which took me, took me here, just kind of understanding and adapting to the change of the internal threat. And so ultimately that led me to a startup security company which was acquired by Verisign and then sold by Verisign, which is what a lot of the technology companies did in the 2000s. And then I've been here for 13 years. It's the longest I've ever been at any company, but it was a group of focused people focused on cybersecurity with a particular angle on the assessment and the compliance side. We have a particular role in this ecosystem, but that's really how I got here. Yeah, as you mentioned, I did do a stint in mortgage banking. I was the CTO of a mortgage banking company in 2006 and 2007, which was not a good time to be in mortgage banking. So, I returned to cybersecurity to continue doing work there.

PM: Oh, it sounds like a win for the cybersecurity world. Hey, we talked a little bit about, well in fact you introduced the word change when I asked you what cybersecurity means to you. It does feel like there's been a lot of change or continues to be. I'm curious, sort of look back whether it's 6, 12, 18, 24 months, what are some of the particular thematic, systematic changes, I guess both from the adversary side but also from the side of the people trying to defend their interests, the boardroom IT practitioners, even the rank and file staff. Are there any highlights to jump out at you at the moment?

DB: Yeah, I think you've covered, I think you highlighted some of the adversary sides. You’ve got nation states, you've got corporate espionage, you've got organized crime, you've got crime and attackers that you don't even know who they are or who it is that's coming after you and why. I think that the why was probably something that people focused on maybe 10 years ago, oh, we need to protect ourselves from other competitors trying to get access to our data, then it evolved to, now you've got nation states in particular that drive programs like CMMC. But I think it's not that the why becomes less important, but you have to assume that the why may have a variety of why's and that the tactics are what need to be addressed and the methods in.

So, I think from a trending perspective, third party risk has really been highlighted at the board level and at the individual threat level. I mean that is the crux of a program like CMMC or any of these other programs which focus on supply chain security. It's not enough to just protect your own house and to build up barriers and firewalls and secure your data and deploy secure applications. You're relying on everyone else that you're doing business with. No one does business in a vacuum anymore. No one runs all their own infrastructure out of their offices or a data center. They're using multiple clouds, multiple cloud providers that have to be configured in a particular way that are sharing information across a wide range of networks. And all of this additional complexity with the third parties, and I'm not saying third party is a bad thing. Everyone uses them. They're the nature of business. Our entire firm runs on third party cloud applications. So, it's core to everyone's business, but it is something that you have to account for because the more things started to get more and more distributed, the more companies had to pay attention to them. And breaches and so forth are happening through third party providers or through misconfigurations of third party providers and things like that. And so, I think that's been the complexity of the companies and the organizations that you're doing business with, it has elevated the threat profile that's made it so that, as I mentioned, the why maybe is a little less important. It's the how that we have to understand, the risk factors and how companies or how adversaries could get into an organization. It's not as simple as hitting up a firewall or trying to exploit a SQL injection vulnerability on a website anymore. It's typically a lot more complicated than that. It's third party based and it's people and user based as well.

PM: Absolutely. I'm just sort of reflecting on my own thoughts about the last 12, 24 months and I'm just curious how this reflects your experiences. I feel as though ransomware, when I first started hearing about it 10 years ago, back when I was a software exec and we were talking about data protection. Hey, let's market to this ransomware potential problem, sell to fear. And I remember thinking at the time, ransomware, I mean it would need to be happening everywhere for this to be a valid marketing play. The number of people, number of organizations subject to ransomware at the moment just seems to be skyrocketing, at least according to the popular media. So that would be one. I think the other for me is definitely exactly what you talked about, is this supply chain risk. This, what I like to sort of say - it's easy to catch stupid in the cyber world. Your security might be great, but if someone else's, it may or may not be stupid, it just may be that they just got breached. And if you are trusting them and they're trusting you, then suddenly the bad guys are through the door. Those are probably the two things that jump out to my mind. Maybe the other one I suspect is this sort of rush to the idea that cloud related, funnily enough to third party or supply chain risk is, hey, if I'm on the cloud, I don't need to worry about security because Microsoft, Google, Amazon, insert name of company, Salesforce will be taking care of it for me, right? And I can fire not just my IT staff, but I can fire those pesky cybersecurity people who are always telling me the sky's going to fall on my head. Reflections on those thoughts?

DB: Yeah, no, I would agree. The cloud piece is something that I've personally focused on a lot over the course of the last 15 plus years at least. And you're a hundred percent right. And there are very good cloud computing providers and solutions out there. And I will say to benefit nowadays you used to hear Amazon was breached, Azure was breached, and then you click in if you can find a little bit more details. It was typically something that someone left a storage bucket open, or they left a file share unprotected or something along those lines. So I do think that people are starting and companies are starting to understand the user responsibility when they're using cloud services because to your point, it does create a little bit of that supply chain risk as well. Going to the ransomware, ironically, I've been involved in a few matters where companies have gotten hit and more often than not, their properly deployed cloud services were unaffected. So their email running on Office 365 was unaffected, but they may have had some accounting software that was running on traditional Windows servers that they were managing that had file shares and so forth that after the attacker got in through a phishing campaign, was able to hop around the network a lot easier. They weren't able to get into Office 365 into email, but they were able to get into those traditional corporate file shares. That's where third party, or at least the right third party and third party management can be an asset in a fight against something like ransomware. Because typically ransomware is going to go after, you know after you have the initial entry point, it's going to go after what it can quickly get to and quickly see. And that could be local data on your machine, it could be local file shares, things that it can easily hop or pivot to.

PM: I'm just curious, the tone at the top from the board down, do you get a sense that there's real rigor around what they're doing or is it what I'd like loosely call cybersecurity slash compliance theater? They're going through the motions because they know they need to talk to their shareholders and stakeholders and say, hey listen, we're doing the right thing. But ultimately it is really just a matter of going through the motions or for that matter, leaning on compliance. And we'll talk maybe a little bit about this, the cyber maturity model certification program that you wrote a blog about recently.

DB: Yeah, I think it's a lot better than, it's gotten a lot better than just theater. And there's definitely still work to go, but at a minimum you're starting to see companies that invest in or acquire other companies or doing cyber due diligence, they're wanting to know the current state. I think in large organizations, most large organizations do have a CISO reporting to the board on a regular basis. Is it consistent? No. Does some of it get overblown or under blown as we were talking about before, sometimes as well. But I think it's improving. And one of the other things that we've seen is that in the investment community, we're seeing venture capital, private equity companies wanting to include cybersecurity reviews as part of their due diligence if they're considering investing in a company as well as overall portfolio manager. That's something that we do for a few private equity firms is we'll go in and perform annual assessments of their portfolio companies so that they have some comfort as to the state of security for these companies.

Are they full blown NIST, PCI, ISO assessments or engagements? No, they don't have the appetite to do that necessarily across the board, the companies might. But at least at the board level, they want to know do they have a fundamental security program in place? Are there basic core levels of encryption for data? Do they have an awareness program? Do they have let's say a dozen things that are most important that could be most problematic? They're at least starting there. And then if they see something that comes up during their review, then they can peel back the layers of the onion more and have the company or organization or business unit do a more thorough review of what they're doing.

PM: And do you feel like the language barrier, that sort of technology language barrier is improving? Cause I certainly know, again, I mean not so much I use the word theater, but I do wonder sometimes whether there was even border around karaokes, like they kind of knew the words, but they weren't really sure what they meant. So, they were kind of singing along with the tune. But you kind of knew that there was not a lot of substance there and there's no fault of the board members. But I mean that you're talking about some stuff that is in many cases pretty esoteric and the language is in some cases impenetrable. People talk about DMZs and you can just imagine a board member sitting there going, I do not know what you're talking about.

DB: No, I mean I think that's fair. Karaoke, that's great by the way. Stealing that one. That's awesome. I think that if you can communicate the security posture and findings in a similar manner to a board that you would communicate even financial data, it starts with presenting it in a good visual way. When I mentioned some of the things that we've done on these portfolio company reviews, we've got say 12 areas of security that we're looking at. So, the first thing in a board presentation is going to be, here are the 12 areas, of these 12 areas, six of them are green, two of them are red, four of them are yellow. And then from there, well, why are these two red? Because they don't have a third party, they don't have a third party management policy and there's no process in place to review these third party vendors. And that's important because look at these attacks that are occurring through the supply chain and at that level, I think you're speaking their language, I think they're getting it.

And then you've got a board of say six, and if there's two that want to drill down into that more, you can have that conversation and understand, okay, well what's the next steps? Well, they need to put this program in place. They need to go out and get consultants to help them do something like that. And so I think if you can present it, I mean there is some theater to it because there's theater to any executive level presentation, you have to be able to communicate in a way that they can digest it and they can understand the impact without, like you said, starting to, well, let me tell you about this cross-site scripting error on your website that's going to cause the page to go down and people to get credit card numbers and things like the total gone. Right? Absolutely gone.

PM: Yeah. No, I like it. And it does seem to me like I certainly know in Australia, the Australian Institute of Company Directors, which does a lot of the certification and training for board members here, is pushing really hard on cyber basics, trying to put it into layperson speak, not to dumb it down so much as to actually just de-obfuscate it, right? Because a lot of it is obfuscation, instead of using a simple phrase to describe something, the cyber practitioners come up with something usually very precise, but unfortunately impenetrable. I wanted to shift gears slightly if I can. One of the things, having had a look at your website and as I said reading some of your blogs in preparation for today's conversation, you talk a bit about digital trust, a phrase I've heard bandied around by different people at different times. What does digital trust mean to you? Why is it so important and what can people do to improve it?

DB: I think it's about, it's a variety of things, right? Trust is a broad word, it's transparency, but it's always also about the assurance around that transparency. If you're talking to a customer, talking to a third party stakeholder, talking to someone and giving them some level of comfort that you're doing what you say that you were doing, and it's reliability. I mean it's really about, it's not necessarily just meeting a core set of requirements. We have a SOC 2, so we have a security program, we have awareness and training, we have access controls. We do these variety of things, but it's an additional layer of a level of transparency to communicate how it is that is occurring and why they should trust that that's occurring consistently. So, I think it's in aspects of all interactions that we do from the programmatic perspective, trusting organizations to handle your data to the transactional level, trusting two systems to talk to each other with digital certificates in a manner that can't be compromised or they can't be attacked. I saw on Twitter last week, Musk said something about a SpaceX problem where a certificate had expired between the satellite and some of the ground level communications that caused an outage.

It seems like it could be a very basic thing, but it is a technology process oriented thing that failed and then as a result, communications failed. And so that's a very specific use case, that's digital trust from point to point communications and allowing secure and reliable traffic between over a network. And then like I said, you've got organizations, and so people have so much information they don't know. Companies and organizations and people that use these technologies need comfort that they're able to rely that these technologies are going to do what they've been advertised to do.

PM: Yeah. Well, and on that note, you mentioned transparency. I think one of the areas that there seems to have been, well, there's always been a push, but it seems to have grown in perceived importance and certainly I'm seeing a lot of action in this area, is this notion of transparency is also about being able to declare your hygiene, your cyber hygiene to folks, whether that's through ISO 27001 certification or the CMMC, PCI compliance, et cetera. Do you want to talk a little bit about your perspective on that?

DB: Where compliance comes into play is that all of those different domains, compliance, whether it's a regulation or an industry standard or something like ISO that is somewhat more voluntary in nature, they all have context to them. And so, if an organization achieves one of those, either is certified or undergoes a SOC 2 audit, gets a report or is PCI compliant, with that comes some transparency depending on the nature of the report or of the compliance. If you come out and show that you are PCI compliant, well that company has met a standard that's got more than 300 requirements, same as FedRAMP, which has anywhere from 300 something to 400 plus specific security requirements that they need to meet. Now those are very, very industry specific, right? FedRAMP is if you want to do business with the federal government and you're a cloud provider, you've got to meet those requirements.

PCI, if you handle credit card data. Others such as ISO and SOC 2 are more commitment based. They can be a bit more flexible. They want, the goal is to be able to communicate to a customer, to a partner that you're meeting the commitments that you've made to that customer, to that partner. So, it's about understanding the context of what the requirements are. But even in ISO 27001, which is a great example, you are meeting a minimum set of requirements for having a security program, for performing risk assessments, for doing the types of things that a good security program does. It allows you the flexibility to do that the way you want to do that or need to do that. But there's a core understanding that if you've got an ISO 27001 certificate, you know that the company has been audited to have a base level security, a foundational security organization that's actively looking, monitoring, addressing risks and having a cycle to do that. That's the goal of ISO. And like I said with all the other ones, it's about understanding the context of what that means. So that's where compliance comes into play is when someone gets a report or a certification, they do need to actually understand the details of what that means and what that doesn't mean. Getting an ISO certificate doesn't mean you've met 500 stringent requirements, it means you have a program, versus FedRAMP or something along those lines, which may be a lot more detailed and in the weeds.

PM: How do you respond to people who say that compliance is the low bar and all you've done is just tell the bad guys exactly where not to bother looking because you've already, you've dead bolted those particular doors, but it saves them time because they can then focus on the other areas where you're likely to have a zero day.

DB: I'm not a fan of the compliance doesn't equal security mantra that gets tossed around social media quite a bit. I think they coexist, I think they're parts of an interdependent program. I think that depending on the compliance program and what you're focused on. Sure, if you have PCI and you've got one segment of your network that handles credit card information and you put all of your emphasis on meeting the requirements just for those components, but you've ignored everything else in your organization, sure, you're going to open up yourself to attack. I think, and it's a qualified statement, if you have a robust program that aligns with the ISO 27001 security framework, you should be doing a lot of those right things. Now what that's going to look like from company to company may vary. And that's why in many cases it's not enough to say, hey, we're ISO certified.

Usually companies will provide next level detail around what they do, some of the things that they do to protect the data, some of the things that they're proud of from a security perspective because you do need to continue to grow that security program. And compliance doesn't have to be just this minimum bar. It's also the means for you to talk about what you have done and take credit for the good things. As for where to put the attack, where for the attackers to focus on, I think that becomes the balance from a risk assessment perspective. Every single compliance domain has requirements for risk assessments, and I think that's what you're doing internally to identify threats to your environment, to identify threats to your people and so forth and focus on that. That may or may not find its way to a compliance report. I don't know that it has to, but you do have to have a good risk assessment process because that's where we see breakdowns in healthcare, right? The number one issue when hospitals and providers are attacked in healthcare is that they really weren't doing the risk assessment in the first place to identify where those threats and vulnerabilities are. They may do a tabletop exercise, which is good enough for HIPAA, but to your point, it's not good enough for protecting against a potential attacker.

PM: And that can be incredibly determined. I think that's the thing that I even find surprising is just how much patience these people will have if they think you're a high yield high value target. They will chip away at you for a long period of time. I want to sort of shift gears again as we wrap. I've got to thank you for your time. First, if people are looking, organizations are looking at their cybersecurity program and thinking you know what we need to take the next step, we’ve gotten to a certain point, but we know that or maybe we suspect we are not where we need to be or what can be people, what can organizations be doing in the near term to improve or get started on the next phase of improvement?

DB: I think it starts with asking questions of customers and partners and employees. That's one of the frustrating things that I see is that people look at compliance, people look at security and they build these programs without taking the time to understand what people and companies are doing around it. So, you look at AI and ChatGPT, we don't have to go into that because there's plenty of people talking about that, but I think organizations need to understand quickly how their employees are using that information or those tools or how their partners may be using those tools as well. I mean we've done that here. We had to modify our code of conduct just to make sure that people weren't using ChatGPT to insert some client information and figure out a better way to rewrite it. I mean, it's kind of logical, doesn't make sense that you would want to go down that direction, but these are tools that are widely available to people, that people are starting to use.

They need to make sure you've got protections in place for doing that. Just no different than a decade plus ago when people started bringing smartphones into the organization and they were mixing in business use of personal technology with business and personal use of technology on the same device. So that's kind of the user aspect of it and I think it's the customer and partner experience as well, monitoring the technology. We talked a little bit about cloud then what's the next step in evolution of cloud. Containers create another layer of complexity that people have to deal with. I mean, I can tell you that vulnerability scanning is completely different in a containerized world than it was for traditional cloud environments where hosts and devices are coming up and down very, very quickly. So I think it's just paying attention and having more conversations, not treating security and compliance that it's something that's just the IT department or the operations team has to deal with.

And the result is this shiny SOC 2 report, it is talking to everyone within their stakeholder community about what the needs are and what they're seeing. I mean, that's what we do. That's how we get into new compliance domains and regimes. We're now doing TISAX, which is German Automotive Cybersecurity, you know, supply chain assessments. I mean, we got into that because our clients are servicing companies like BMW and Volkswagen, Audi and so forth. And so, they needed to meet. So it's having conversations about that to understand technology regulations, people's use cases and things like that as well.

PM: Fantastic. So I want to wrap up with one last question. That's been a really enjoyable conversation. I had so many questions for you, including I wanted to have a chat to you about over mitigation, which is people applying too much security at the moment. Seems like what we need is another tool, let's just throw some more software at it. But I want to finish with a bit of a look into your crystal ball. We've had people on the show talk a little bit about the impact of AI speaking, about ChatGPT and more importantly, I think, let's call it generative artificial intelligences, particularly things like deep fakes being leveraged to assist with social engineering, which is maybe you don't agree with this, but is one of the more prominent vectors for exploiting an organization. And if you can create a convincing audio or video representation of somebody who is senior to the person you are trying to exploit, then you've got a decent chance of cracking the code. That's my sense of maybe what certainly some of our previous guests on some of the threats they see around the corner, if not necessarily in the very near term. As you look into the crystal ball, especially as you look at it maybe from a boardroom and technology intersect, what are some of the things that you see as emerging threats that maybe our listeners should keep an eye out for?

DB: Yeah, I think we've talked a bit about AI. I would probably throw out software security. It's always been a problem. Application layer attacks have been the predominant layers of entry for any modern website, but I feel like people are starting to get more of an understanding of the inter-complexity of the software as part of a supply chain. So, we saw that in the executive order from last year and in the president's new cybersecurity strategy, I think it's only a matter of time before there's more accountability put on software providers, which they're going to do their best to pass that on to the users as well. But I think that software, that's independent software that may be managed by another company or by yourselves, that you've largely kind of gone unscathed when it's come to vulnerabilities and attack surface and so forth.

So as much emphasis as, for instance, the government puts on cloud computing, but all compliance domains and so forth in groups have put emphasis on cloud computing. I see that shifting, at least some of the attention, shifting to software security. So when you hear about terms like software bill of materials, I mean it's a term, but it's used to denote a problem that you have a whole suite of software that you're running your business or your company on that you might not have accounted for. You could have a hundred different underlying components that are running your business. And if you haven't done an assessment to understand that two of those could be the back door into your organization, it's coming in through software. So, we really see software as something that not as just, the threat's always been out there. Attention's going to be put more on it, but I mean even most compliance requirements from ISO to NIST and others are relatively light on software.

They look at change control, they look at segregation of duties. They don't look at what are you actually doing to actively test and monitor back doors into your code and different things. Maybe there's some opportunities there too. I've seen some pretty interesting articles about using cognitive AI to test code, right? I mean, if it's going through and thinking and it's dissecting information, looking for patterns, what better use case on the positive side, but to turn something like that, that looks at code, that looks at how code interacts with other code and starts to identify where bad things could happen because hey, did you know that this particular piece of code goes and calls this piece of code which is insecure, which could allow an attacker to get in. So, I really think that software security is going to get a lot more focus in the coming year. I think the government has all but said that they acknowledge that. How that happens has to come into place with liability and additional requirements and frameworks and really holding the people who create the software accountable for potential bugs and security vulnerabilities.

PM: Especially, and we didn't talk about this on this episode, and it'd be great if we can get you back, but obviously with critical infrastructure that becomes that software provenance problem gets amplified in terms of the consequences because it's one thing to ransomware, I'll say a hospital in a cavalier fashion, but you know what I mean. It's another thing to turn off the lights in a country. So yeah, there's definitely something to watch out for. Look, I cannot thank you enough. It's been an absolute pleasure having you on today, Doug. Where can people go to learn more?

DB: They can certainly go to our website at Schellman.com to see more information. We do a lot of blog articles, a lot of video materials and so forth. We know that compliance isn't the sexiest topic in the world, but our goal is to make it understandable and less painful for all involved.

PM: And you've done a great job. Final question for you. The show sponsor, Rocket Software, big thank you to them, again, have a set of values they talk about that matter to them. Their company values, empathy, humanity, trust and love. Just curious, you don't need to pick one of those. What matters to you right now?

DB: I think as we talked about with trust, it’s building, what are the components of that? I read a book a while back that I loved called Trust Edge by David Horsager, and it's really trust from a leadership, but it talks about the eight pillars of trust, and I'm not going to talk to all eight of them. But of the ones that stand out to me are competency, connections with individuals and consistency. Those elements, really. Those values, I think are what build a foundation of trust. Organization, people to people, et cetera, right?

PM: No, I love it. Look, Doug, just an absolute pleasure having you on. Thank you for taking the time, especially at this time of the morning where you are. Thanks again also to Rocket Software for bringing us another episode of Digital: Disrupted and thank you all for listening in. If you like what you've heard, you've heard this before, because you'll know that I'd love you to jump onto iTunes, Spotify, whatever. You know, your Zune, whatever you're listening to, just give us a thumbs up if you like what you hear, give us a thumbs up if you hate it. Actually, no, genuinely. If you like what you hear, give us a thumbs up, share it with your friends, share it with your enemies. But no, genuinely we'd love to hear from you. Feedback's a gift as I've said before, so drop us a note either through there or through Twitter. Mentioning Twitter, xthestreams is my handle or our show sponsor at Rocket. So if you've got any questions for our guests such as Doug or ideas for topics you'd like to hear covered, hit us up with that. See you all next week. Stay disruptive, everyone.