1
00:00:00,000 --> 00:00:05,500
Today on CXO Talk we're speaking
about security and how to manage

2
00:00:05,500 --> 00:00:12,300
and lead security in 2023.
We're speaking with Kurt John,

3
00:00:12,300 --> 00:00:18,200
who is the chief security
officer of Expedia Group, and

4
00:00:18,200 --> 00:00:22,900
my esteemed guest co-host is Q
Harrison Terry,

5
00:00:23,000 --> 00:00:26,700
who is the head of growth
marketing for the Mark Cuban

6
00:00:26,700 --> 00:00:31,000
Companies.
Gentlemen, welcome. Kurt,

7
00:00:31,000 --> 00:00:34,100
tell us about Expedia Group and
tell us about your role.

8
00:00:34,600 --> 00:00:38,900
I am chief security officer for
Expedia Group, which means I'm

9
00:00:38,900 --> 00:00:41,500
responsible for physical 
security. 

10
00:00:41,500 --> 00:00:47,200
IT security, or cybersecurity, as
well as privacy. And Q

11
00:00:47,200 --> 00:00:49,300
Harrison Terry, welcome back.

12
00:00:49,300 --> 00:00:53,400
I love when you're the co-host 
and I'm just thrilled to welcome

13
00:00:53,400 --> 00:00:55,900
you back. 
So, tell us about what you do 

14
00:00:55,900 --> 00:00:59,000
and the Mark Cuban Companies.
I'm the head of growth marketing

15
00:00:59,000 --> 00:01:02,800
at Mark Cuban Companies, as
you've already stated. Happy to

16
00:01:02,800 --> 00:01:07,300
be back on CXO Talk, and really
looking forward to the upcoming

17
00:01:07,300 --> 00:01:10,100
conversation with Kurt.
I'm excited for this convo

18
00:01:10,300 --> 00:01:12,000
because we have to talk about
security, right, Mike?

19
00:01:12,000 --> 00:01:17,600
Kurt, what do you see as
the security landscape right

20
00:01:17,600 --> 00:01:20,100
now, with all of that
complexity?

21
00:01:20,500 --> 00:01:23,000
One of the things that I think a
lot of companies are struggling 

22
00:01:23,000 --> 00:01:24,300
with, and what the threat
landscape

23
00:01:24,300 --> 00:01:27,700
looks like, is the scale.
And I like the word you

24
00:01:27,700 --> 00:01:29,800
just used, complexity. Just the
size,

25
00:01:29,900 --> 00:01:31,200
the scale.
And with that comes the

26
00:01:31,200 --> 00:01:33,700
complexity of environments.
There's cloud, there's edge

27
00:01:33,700 --> 00:01:37,100
computing, there's artificial
intelligence, there's automation, there's

28
00:01:37,100 --> 00:01:40,000
orchestration.
And what's funny about

29
00:01:40,000 --> 00:01:43,500
it is that not only are we 
transforming our business models

30
00:01:43,500 --> 00:01:45,800
and our ability to drive impact 
in the market. 

31
00:01:46,000 --> 00:01:47,500
But also the bad guys are as 
well. 

32
00:01:47,500 --> 00:01:50,300
They have the same types of 
structures, the same joint 

33
00:01:50,300 --> 00:01:54,200
ventures, the same type of, you
know, collaborations that

34
00:01:54,200 --> 00:01:57,800
they're doing to try to drive 
their side and make money for 

35
00:01:57,800 --> 00:02:00,100
themselves.
And then we are trying to not only

36
00:02:00,100 --> 00:02:04,300
implement new business models to
drive more impact in the market.

37
00:02:04,300 --> 00:02:07,600
But we also have to then defend 
against adversaries, who are 

38
00:02:07,607 --> 00:02:09,699
doing something similar. 
So I would say, the biggest 

39
00:02:09,699 --> 00:02:14,800
challenge is that size and scale
and complexity. But having said

40
00:02:14,800 --> 00:02:17,300
that there are probably a couple
of things you can organize 

41
00:02:17,300 --> 00:02:22,200
yourselves around when it comes 
to actual technical threats. 

42
00:02:22,200 --> 00:02:26,000
And there, it's a lot to do with
your endpoint devices, the

43
00:02:26,000 --> 00:02:29,200
computers we're all using. It has
to do with cloud, because we're

44
00:02:29,200 --> 00:02:34,600
all using it. For a subset of the
population of companies, that has

45
00:02:34,600 --> 00:02:36,400
to do with edge computing as
well.

46
00:02:37,000 --> 00:02:41,000
And then finally, artificial
intelligence: ensuring that when

47
00:02:41,000 --> 00:02:44,100
we build those data models and 
we try to scale them, things can

48
00:02:44,100 --> 00:02:47,200
go bad really quickly. 
So both from a security 

49
00:02:47,200 --> 00:02:50,700
perspective as well as from an
ethics perspective, paying

50
00:02:50,700 --> 00:02:53,300
attention to artificial
intelligence is really important.

51
00:02:53,500 --> 00:02:58,100
Kurt, when you're at Expedia, like,
there's tons of people in the

52
00:02:58,108 --> 00:03:01,100
world that are out there and 
they do like the chief security 

53
00:03:01,300 --> 00:03:03,200
officer role. 
But at a travel company, what 

54
00:03:03,200 --> 00:03:04,900
does that entail?

55
00:03:05,300 --> 00:03:07,000
It's about our travelers,
right?

56
00:03:07,000 --> 00:03:08,600
Because, fundamentally,
that's what we're trying to do.

57
00:03:08,600 --> 00:03:12,100
We're trying to connect our
travelers with new experiences

58
00:03:12,100 --> 00:03:15,000
around the globe, and in order 
to do that, we need to serve 

59
00:03:15,000 --> 00:03:18,900
them up with new capabilities,
new ways for them to engage and

60
00:03:18,900 --> 00:03:23,000
plan their trip.
And so we organize

61
00:03:23,000 --> 00:03:25,300
ourselves around our travelers,
partners and, of course, our

62
00:03:25,300 --> 00:03:29,000
employees. 
So a lot of the decisions we 

63
00:03:29,000 --> 00:03:32,700
make, and the questions we ask
ourselves and answers we

64
00:03:32,700 --> 00:03:36,700
tend to give ourselves, are
around travelers, partners and

65
00:03:36,700 --> 00:03:38,800
employees.
Now, fun fact about Expedia,

66
00:03:38,800 --> 00:03:41,900
a lot of people don't
know this: there's

67
00:03:41,900 --> 00:03:47,700
expedia.com, but Expedia Group
also owns a lot of other brands

68
00:03:47,700 --> 00:03:49,200
as well. 
And it was interesting. 

69
00:03:49,200 --> 00:03:51,400
I was talking to a friend of 
mine and I was saying, hey look,

70
00:03:51,400 --> 00:03:53,800
I'm gonna go work with Expedia 
now and they were like, wow 

71
00:03:53,800 --> 00:03:56,300
Expedia, you know, Expedia's
pretty good.

72
00:03:56,400 --> 00:03:58,400
But, you know, who's even better?

73
00:03:58,700 --> 00:04:01,100
orbitz.com. 
You should probably look into 

74
00:04:01,100 --> 00:04:03,400
that. 
And I said, okay, I think I 

75
00:04:03,400 --> 00:04:04,800
will. 
But at that time, obviously, I 

76
00:04:04,800 --> 00:04:09,500
knew, but, you know, orbitz.com 
Travelocity.com, hotels.com, 

77
00:04:09,500 --> 00:04:13,300
Vrbo, carrentals.com,
the list goes on.

78
00:04:13,300 --> 00:04:17,700
So, fun fact is, we drive value
in the market through a lot of

79
00:04:17,700 --> 00:04:21,800
different brands. 
How do you think about security 

80
00:04:22,300 --> 00:04:26,300
across this very broad landscape
of different companies? 

81
00:04:26,500 --> 00:04:30,000
It's different well-known
brands, the necessity to share

82
00:04:30,000 --> 00:04:34,200
information, because we've
gotten to the point now where

83
00:04:34,800 --> 00:04:37,600
you're unable to accomplish
whatever it is you need to do on

84
00:04:37,600 --> 00:04:40,700
your own, right, unless you're
building a very specific widget,

85
00:04:40,900 --> 00:04:43,900
a hardware widget at that, that
other people are consuming.

86
00:04:43,900 --> 00:04:46,700
And even then you need someone 
to provide steel or some other 

87
00:04:46,700 --> 00:04:50,600
type of raw material. 
You need an ecosystem of 

88
00:04:50,600 --> 00:04:54,800
partners in order to be
successful. And so, fundamentally,

89
00:04:54,800 --> 00:05:00,200
I look at it in two ways.
The first is, how do you

90
00:05:00,200 --> 00:05:04,200
work with your partners to drive
security consistently throughout

91
00:05:04,200 --> 00:05:07,700
your entire ecosystem?
And so that means that

92
00:05:07,700 --> 00:05:10,700
obviously everyone doesn't need
to meet this incredibly high bar,

93
00:05:10,800 --> 00:05:14,800
but what's, like, the threshold at
which you want to collaborate

94
00:05:14,800 --> 00:05:17,300
with your partners to really
implement security across your

95
00:05:17,300 --> 00:05:20,600
entire value chain?
So that everyone is strong, and

96
00:05:20,600 --> 00:05:23,600
because, you know, of course,
the weakest link analogy. That's

97
00:05:23,600 --> 00:05:25,700
the one side. On the other
side, for me,

98
00:05:25,700 --> 00:05:29,600
it's threat intel and the ability to
share data, right? Because then

99
00:05:29,600 --> 00:05:33,500
some folks within your ecosystem
might be experiencing certain 

100
00:05:33,500 --> 00:05:37,100
attacks, and then the question
becomes how well can you

101
00:05:37,100 --> 00:05:39,900
all share information together? 
So that you can insulate 

102
00:05:39,900 --> 00:05:42,800
yourself or try to pivot to
prevent such an attack. And

103
00:05:42,800 --> 00:05:46,500
I've found incredible uplift and value
in both partnering with

104
00:05:46,500 --> 00:05:50,000
your ecosystem, as well as
sharing information with your

105
00:05:50,000 --> 00:05:51,300
ecosystem. 
I think that's really the 

106
00:05:51,300 --> 00:05:55,500
future.
Even, you know, the federal

107
00:05:55,500 --> 00:05:59,600
government, the US government,
from CISA as well as the Office

108
00:05:59,600 --> 00:06:04,000
of the National Cyber Director,
says the same

109
00:06:04,000 --> 00:06:07,900
thing.
In other words, to beat all

110
00:06:07,900 --> 00:06:10,300
of us, you probably need to be 
one of us, but then the flip 

111
00:06:10,300 --> 00:06:13,300
side of that is, you know,
to be one of us,

112
00:06:13,300 --> 00:06:16,400
you have to beat all of us. Very
convoluted, but essentially what

113
00:06:16,400 --> 00:06:20,200
that means is if we all 
cooperate and share information 

114
00:06:20,200 --> 00:06:23,300
and just ensure that there's
consistency in controls throughout

115
00:06:23,300 --> 00:06:27,200
our ecosystems, I think the US
economy broadly,

116
00:06:27,500 --> 00:06:30,200
as well as our own individual 
companies would benefit quite a 

117
00:06:30,200 --> 00:06:32,700
bit. 
How does Expedia think about 

118
00:06:32,700 --> 00:06:35,700
like internally that decision 
support system that you're 

119
00:06:35,700 --> 00:06:39,900
describing because it's like, 
you know, to work across, just 

120
00:06:39,900 --> 00:06:45,500
the organization, everybody has 
their directives and goals, but 

121
00:06:45,500 --> 00:06:47,800
in order to reach that 
alignment, you really do need to

122
00:06:47,800 --> 00:06:52,800
be able to frame or lean into 
some type of support network and

123
00:06:52,800 --> 00:06:56,500
more so specifically around
decisions, because I imagine when

124
00:06:56,500 --> 00:06:59,100
you're dealing with security
threats and things of that

125
00:06:59,100 --> 00:07:01,500
nature, you don't have a
lot of time.

126
00:07:01,500 --> 00:07:04,000
This is not something where hey,
let's come back to it next week 

127
00:07:04,000 --> 00:07:07,700
or next month, or next quarter.
This is not specific to Expedia.

128
00:07:07,700 --> 00:07:11,000
This actually could be
applied to any company, and it

129
00:07:11,000 --> 00:07:14,500
did apply to the companies
I've been with before, and

130
00:07:14,500 --> 00:07:18,800
anyone can adopt this.
Fundamentally, you're looking at

131
00:07:19,100 --> 00:07:22,700
two things.
I think oftentimes people don't

132
00:07:22,800 --> 00:07:25,600
take enough time to actually
build out that structure.

133
00:07:25,600 --> 00:07:30,300
It's very much ad hoc,
and you want to move from ad hoc

134
00:07:30,400 --> 00:07:32,700
to optimized as quickly as you 
can. 

135
00:07:33,100 --> 00:07:35,400
What that means is consistency
of processes.

136
00:07:35,700 --> 00:07:37,800
So, A, right, what does your
governance

137
00:07:37,800 --> 00:07:41,300
structure look like? B,
how do you evaluate risk

138
00:07:41,300 --> 00:07:44,300
within that organization? And you
need a repeatable way to do

139
00:07:44,300 --> 00:07:46,800
that.
C, do you know your risk

140
00:07:46,800 --> 00:07:49,200
appetite? 
This is very interesting. 

141
00:07:49,500 --> 00:07:52,000
I've been at companies before,
and this is not Expedia,

142
00:07:52,000 --> 00:07:54,600
many, many years ago I was a
consultant, and I've seen

143
00:07:54,600 --> 00:07:59,500
companies where they think
they have a very conservative

144
00:07:59,500 --> 00:08:02,300
risk appetite. 
But when you look at, actually, 

145
00:08:02,300 --> 00:08:04,900
the way that they're making
decisions and the type of

146
00:08:04,900 --> 00:08:07,900
things they're going after,
it's very much contradictory. They

147
00:08:07,900 --> 00:08:10,600
have a very aggressive risk
appetite, and that emerges

148
00:08:10,600 --> 00:08:13,600
because people or
organizations aren't intentional

149
00:08:13,800 --> 00:08:16,200
about defining what your risk 
appetite is. 

150
00:08:16,200 --> 00:08:18,700
Is it conservative, aggressive, or
somewhere in between?

151
00:08:19,400 --> 00:08:20,900
What do you sort of rally 
around? 

152
00:08:20,900 --> 00:08:23,500
What are you more comfortable
taking the risk on versus not?

153
00:08:24,200 --> 00:08:27,300
So that goes back to risk
appetite.

154
00:08:27,500 --> 00:08:33,000
And then finally you likely need
within your structure, a way to 

155
00:08:33,000 --> 00:08:36,100
make decisions really quickly 
like you alluded to and that 

156
00:08:36,100 --> 00:08:39,400
means that you likely need to 
assign certain decisions for 

157
00:08:39,400 --> 00:08:43,200
certain risk thresholds.
So for low, medium, high:

158
00:08:43,200 --> 00:08:44,800
obviously, a high or critical
risk

159
00:08:44,800 --> 00:08:47,600
might go to the CEO, but if
there's something of a

160
00:08:47,608 --> 00:08:50,800
lower risk, that might be made
at the director level or

161
00:08:50,800 --> 00:08:51,900
below. 
Right. 

162
00:08:51,900 --> 00:08:55,100
So really, I think what
that comes down to is more

163
00:08:55,100 --> 00:08:59,400
intentionality overall around
your risk program, and I think

164
00:08:59,400 --> 00:09:02,200
not enough companies treat it
that way.

165
00:09:02,500 --> 00:09:05,400
Be sure to subscribe to our 
newsletter. 

166
00:09:05,400 --> 00:09:08,500
Hit the Subscribe button at the 
top of our website. 

167
00:09:08,500 --> 00:09:13,500
We have a really interesting
question from Arsalan Khan on

168
00:09:13,600 --> 00:09:17,100
Twitter. Arsalan always asks
these great questions.

169
00:09:17,100 --> 00:09:21,600
And he says, when technology is
everywhere and with everyone,

170
00:09:22,300 --> 00:09:28,000
what do you define as the
boundaries of your ecosystem?

171
00:09:28,400 --> 00:09:31,600
Definitely, today, the boundary
of your ecosystem

172
00:09:31,600 --> 00:09:35,600
not only has it moved backwards
from, sort of, like, your

173
00:09:35,600 --> 00:09:39,500
corporate network, but it's 
become incredibly more porous as

174
00:09:39,500 --> 00:09:41,100
well.
So, a lot of holes in

175
00:09:41,100 --> 00:09:43,700
it. 
And so, the way I think of it is

176
00:09:43,700 --> 00:09:49,000
that you don't define that
boundary, which is, and within

177
00:09:49,000 --> 00:09:51,300
the security community, you're
going to find some people might

178
00:09:51,300 --> 00:09:53,800
roll their eyes at this but zero
trust, right? 

179
00:09:53,800 --> 00:09:56,800
Bear with me for the
time being. It's been thrown around

180
00:09:56,800 --> 00:09:59,600
quite a bit in the media, and
companies are kind of like, we're

181
00:09:59,600 --> 00:10:04,900
a zero trust mecca. But zero trust,
still, the tenets of it remain

182
00:10:04,900 --> 00:10:08,000
true. 
So in other words, how do you 

183
00:10:08,000 --> 00:10:11,600
create an ecosystem within your
environment that allows the

184
00:10:11,600 --> 00:10:15,500
appropriate access of your
partners and your

185
00:10:15,700 --> 00:10:18,400
employees, wherever they may be,
in a way

186
00:10:18,400 --> 00:10:21,300
that doesn't require you to give
carte blanche access to

187
00:10:21,300 --> 00:10:24,700
everything.
So, my fundamental tenet on

188
00:10:24,700 --> 00:10:30,400
this topic is, I have no boundary,
and even if I did, it would be

189
00:10:30,400 --> 00:10:33,100
incredibly porous. 
So, how do I better manage 

190
00:10:33,100 --> 00:10:37,500
access at the software level?
And zero trust is a big

191
00:10:37,500 --> 00:10:40,600
aspect of that.
What concerns have you seen on

192
00:10:40,600 --> 00:10:44,400
the privacy side due to that?
The biggest concern

193
00:10:44,400 --> 00:10:48,600
with this new setup is data 
sprawl, and that comes from 

194
00:10:48,600 --> 00:10:51,900
three reasons. A, the velocity
and

195
00:10:51,900 --> 00:10:54,200
scalability that comes with
cloud, right?

196
00:10:54,200 --> 00:10:57,200
So you can swipe a credit card
and then you're just off to

197
00:10:57,200 --> 00:10:59,700
the races, right?
You have a dev environment.

198
00:10:59,700 --> 00:11:02,300
You have a pipeline, you can 
build something in a minimal 

199
00:11:02,300 --> 00:11:04,800
viable product. 
You're putting data in there, 

200
00:11:04,800 --> 00:11:06,600
then someone's like, oh, that's 
interesting data. 

201
00:11:06,600 --> 00:11:11,400
Let me make a copy of it.
And it's just,

202
00:11:11,400 --> 00:11:14,400
well, it's very easy to
get started and

203
00:11:14,400 --> 00:11:18,400
very hard to contain. 
So data sprawl is one. 

204
00:11:20,100 --> 00:11:26,200
The second has to be, in my opinion,
the ever-evolving privacy.

205
00:11:26,800 --> 00:11:29,700
GDPR did a really good job of
landing

206
00:11:29,700 --> 00:11:33,400
this very specific list of
things that people need to do.

207
00:11:33,400 --> 00:11:36,200
But, for example, in the U.S.,
you know, different states are

208
00:11:36,200 --> 00:11:39,900
still thinking through how to 
handle privacy differently. 

209
00:11:40,600 --> 00:11:43,100
And that means, you know, if 
you're in the US or you're doing

210
00:11:43,100 --> 00:11:46,100
business in the US, then you 
need to potentially be paying 

211
00:11:46,100 --> 00:11:50,100
attention to 50 different 
privacy regulations. 

212
00:11:50,400 --> 00:11:52,800
Luckily, for the
most part, there's

213
00:11:52,800 --> 00:11:55,400
sort of like a common
thread throughout them, but you

214
00:11:55,400 --> 00:11:58,000
can't
deny that the complexity of

215
00:11:58,000 --> 00:12:02,100
having to do one-off nuances
based on a particular

216
00:12:02,100 --> 00:12:04,900
state.
And I think those are the two

217
00:12:04,900 --> 00:12:08,900
biggest things. In the first
case, you just need to be really

218
00:12:08,900 --> 00:12:10,800
intentional about having a
specific,

219
00:12:10,800 --> 00:12:14,200
and the first case meaning data
sprawl, very intentional about

220
00:12:14,200 --> 00:12:17,000
having a very specific privacy 
strategy. 

221
00:12:17,000 --> 00:12:20,200
But it can't be in isolation.
There's a lot of convergence

222
00:12:20,200 --> 00:12:24,400
between privacy and security, and
so you need both an individual

223
00:12:24,400 --> 00:12:27,300
privacy strategy,
but you also need a joint

224
00:12:27,400 --> 00:12:30,500
strategy when it comes to your
data and just your general

225
00:12:30,500 --> 00:12:34,900
corporate information protection.
In the second case, one would

226
00:12:34,900 --> 00:12:37,600
hope,
and I've seen some indications

227
00:12:37,600 --> 00:12:41,400
of this, that we're thinking of
an updated federal privacy law,

228
00:12:41,400 --> 00:12:44,500
which would then
make companies' lives a lot

229
00:12:44,500 --> 00:12:47,400
easier. 
Now we have another question 

230
00:12:47,400 --> 00:12:53,300
from Chris Peterson, and he says,
to what extent can security

231
00:12:53,300 --> 00:12:59,400
organizations be a
differentiator for their company

232
00:12:59,800 --> 00:13:04,600
by saying, well, you know, we
offer better security, better

233
00:13:04,600 --> 00:13:08,000
privacy to the customers that
they serve?

234
00:13:08,500 --> 00:13:11,700
One of the things that security 
typically struggles with 

235
00:13:11,700 --> 00:13:15,800
generally, as an industry, is
articulating its value, right?

236
00:13:15,800 --> 00:13:19,500
Because our value is derived from
the lack of incidents or the

237
00:13:19,500 --> 00:13:22,800
lack of breaches, and it's very
hard to prove a negative.

238
00:13:23,400 --> 00:13:26,600
So I've seen more and more, and I
tend to call these business

239
00:13:26,600 --> 00:13:28,500
value metrics.
So there's, like, operational

240
00:13:28,500 --> 00:13:30,100
metrics: you need to drive
down

241
00:13:30,100 --> 00:13:32,400
vulnerabilities, you need to
drive down risk,

242
00:13:32,400 --> 00:13:34,800
you need to articulate risk
clearly, and so on.

243
00:13:35,000 --> 00:13:38,500
Those are sort of operational
risk metrics. Business value

244
00:13:38,500 --> 00:13:43,000
metrics are how those activities
deliver value to the business. 

245
00:13:43,200 --> 00:13:47,100
A good example of that is, let's
say, for my more

246
00:13:47,100 --> 00:13:51,400
security-savvy folks, ISO 27001.
For those who don't know,

247
00:13:51,400 --> 00:13:55,500
it's a, and this ties
directly to Chris's question,

248
00:13:55,800 --> 00:13:58,100
it is
a certification by a

249
00:13:58,100 --> 00:14:01,500
standards body that you can 
obtain as an organization. 

250
00:14:01,800 --> 00:14:05,700
And it essentially says that you
are doing a really good job

251
00:14:05,700 --> 00:14:08,800
when it comes to the
governance of security within

252
00:14:08,800 --> 00:14:13,000
your organization. That is, to
me, an excellent example of

253
00:14:13,000 --> 00:14:16,700
moving from not just driving
down risk, which it does, right?

254
00:14:16,700 --> 00:14:18,900
Because it means you've put 
certain things in place to make 

255
00:14:18,900 --> 00:14:22,400
sure you have a healthy security
program, but then it also 

256
00:14:22,400 --> 00:14:24,400
becomes a business value metric.
Why? 

257
00:14:24,400 --> 00:14:27,700
Because your partners, if they want
to sign a deal with you, might

258
00:14:27,700 --> 00:14:30,400
ask you, look, security is really
important for us.

259
00:14:30,500 --> 00:14:34,400
It could derail our operations. 
How seriously are you taking it?

260
00:14:34,400 --> 00:14:36,300
And then you hand them that 
certification. 

261
00:14:36,700 --> 00:14:39,100
And it's not the end-all, be-all,
but it's a significant step

262
00:14:39,100 --> 00:14:41,400
in the right direction to
showing that you have

263
00:14:41,400 --> 00:14:43,500
differentiated yourself in the 
market. 

264
00:14:43,700 --> 00:14:47,600
That's a really easy example. I
think, more and more,

265
00:14:48,200 --> 00:14:51,500
as you move down the tech stack,
or you get to more technical

266
00:14:51,700 --> 00:14:54,400
outcomes of security,
I think you're going to see

267
00:14:54,400 --> 00:14:58,100
those also start to get
reflected in the market as well.

268
00:14:58,400 --> 00:15:02,100
So I'm actually pretty excited 
about this because it solves an 

269
00:15:02,100 --> 00:15:08,300
age-old problem, which is, A, the
CEO and CSOs in years past

270
00:15:08,300 --> 00:15:11,100
spoke different languages, one
very technical, one very

271
00:15:11,100 --> 00:15:14,300
business-centric.
But B, whenever the CEO, or

272
00:15:14,300 --> 00:15:16,300
whomever, the board,
might ask,

273
00:15:16,300 --> 00:15:19,300
well, how are we doing?
And, like, well, we're doing

274
00:15:19,300 --> 00:15:20,300
great.
No breaches.

275
00:15:20,600 --> 00:15:22,800
Well, if no breaches, do you 
still really need all that 

276
00:15:22,800 --> 00:15:25,800
money, right?
And so that's a tough,

277
00:15:25,800 --> 00:15:27,000
tough one.
Obviously, I should add,

278
00:15:27,000 --> 00:15:30,500
so now, with these business value
metrics, it makes it an easier

279
00:15:30,500 --> 00:15:34,800
conversation.
When you're building the vision of, like, an

280
00:15:34,800 --> 00:15:38,600
environment where there aren't
many incidents, there have to be

281
00:15:38,600 --> 00:15:42,100
threat vectors or things that
you find, like, prevalent,

282
00:15:42,200 --> 00:15:45,800
and they have different effects
on how you set up not only

283
00:15:45,800 --> 00:15:48,700
your internal org but even how
you communicate the value of

284
00:15:48,700 --> 00:15:51,900
the systems you've put in place,
because those are top of

285
00:15:51,900 --> 00:15:54,900
mind to you.
So are there specific, like,

286
00:15:55,400 --> 00:15:59,600
computer incidents that
you find right now very

287
00:16:00,400 --> 00:16:04,700
forthcoming or eye-catching?
I rely a lot on my threat intel

288
00:16:04,700 --> 00:16:09,100
team to kind of show what the 
general threat landscape looks 

289
00:16:09,100 --> 00:16:11,100
like and what that
means.

290
00:16:11,100 --> 00:16:15,700
For example, for Expedia. The
other, to your point, is if there

291
00:16:15,700 --> 00:16:20,000
are incidents that my security 
operations team are mitigating 

292
00:16:20,000 --> 00:16:22,900
or preventing from going live in
the environment and blowing 

293
00:16:23,000 --> 00:16:26,000
something up, then
I would also raise those

294
00:16:26,000 --> 00:16:28,100
in: hey, look, within the last 30
days,

295
00:16:28,300 --> 00:16:33,200
here's the incidents that
we prevented.

296
00:16:33,200 --> 00:16:36,400
But I would say this really
quickly, to get to the crux

297
00:16:36,400 --> 00:16:41,700
of your question: the way I
handle that now is I make an

298
00:16:41,700 --> 00:16:46,300
incredibly tight correlation 
between what my team is focused 

299
00:16:46,300 --> 00:16:50,300
on and business outcomes. 
So let's say, for example, a 

300
00:16:50,300 --> 00:16:53,800
company is focused on building
stronger partnerships with third

301
00:16:53,800 --> 00:16:56,000
parties and trying to drive more
automation

302
00:16:56,200 --> 00:17:00,000
there, then all of a
sudden APIs

303
00:17:00,000 --> 00:17:04,700
and, you know, edge computing are
really important to drive that

304
00:17:04,700 --> 00:17:08,300
type of business efficiency. Then
my program needs to pivot as

305
00:17:08,300 --> 00:17:08,700
well. 
Why? 

306
00:17:08,700 --> 00:17:11,300
Because that's a business 
strategy, that's critical for 

307
00:17:11,300 --> 00:17:13,700
success. 
And so my program needs to also 

308
00:17:13,700 --> 00:17:17,200
pivot with that. 
So, in that environment, just 

309
00:17:17,200 --> 00:17:19,500
given that you're an e-commerce
company, and there's tons of

310
00:17:19,500 --> 00:17:22,300
e-commerce companies out here
dealing with this similar issue,

311
00:17:22,700 --> 00:17:26,099
how do you think about fraud, and
is that a part of the threat

312
00:17:26,200 --> 00:17:29,800
area that you are responsible
for, or is that something where

313
00:17:29,800 --> 00:17:31,800
you have to work
very closely with, like, an

314
00:17:31,800 --> 00:17:34,300
internal business unit?
There's some fraud that starts

315
00:17:34,300 --> 00:17:37,000
from a security incident. 
There's some fraud that starts 

316
00:17:37,000 --> 00:17:39,300
with misconfiguration, which
some might argue is still

317
00:17:39,300 --> 00:17:42,500
a security incident.
There's some that might start

318
00:17:42,500 --> 00:17:45,700
from a privacy incident, which,
again, some might argue is the same,

319
00:17:45,700 --> 00:17:49,900
but it's a little bit different.
And so what it comes down to is 

320
00:17:49,900 --> 00:17:54,400
a lot of heavy partnership.
I have found it throughout at least

321
00:17:54,400 --> 00:17:57,700
three to four functions
generally within the industry,

322
00:17:58,500 --> 00:18:03,500
and typically you see skill sets
across those. 

323
00:18:03,500 --> 00:18:07,300
So the best way to think of it 
is a value chain and I think of 

324
00:18:07,300 --> 00:18:10,300
most processes and outcomes as a
value chain. 

325
00:18:10,500 --> 00:18:13,900
So if, as an organization, for
anyone that's listening, you

326
00:18:13,900 --> 00:18:19,000
want to make sure you handle
fraud really well, then

327
00:18:19,100 --> 00:18:21,100
what's the outcome
you're looking for?

328
00:18:21,300 --> 00:18:25,800
What steps do you need to make
happen? And then focus on

329
00:18:26,200 --> 00:18:29,100
driving that process regardless
of where they may sit within the

330
00:18:29,100 --> 00:18:32,000
organization. Then there's
always opportunities to

331
00:18:32,000 --> 00:18:33,900
optimize and shift things 
around. 

332
00:18:34,000 --> 00:18:36,900
But what you want is the type of
environment where you can get an

333
00:18:36,900 --> 00:18:40,000
outcome, find the
milestones, and then drive

334
00:18:40,000 --> 00:18:42,800
horizontally across the various
business units. When you think

335
00:18:42,800 --> 00:18:45,000
about the government, right? 
So the government has this role 

336
00:18:45,000 --> 00:18:48,600
where they're dealing, obviously,
with some of the bad actors at

337
00:18:48,600 --> 00:18:54,300
the highest level in the space.
But you're seeing so many edge

338
00:18:54,300 --> 00:18:56,700
use cases.
Just palpable, right? Because

339
00:18:56,700 --> 00:18:59,700
you're responsible for this
fraud thing, what would a

340
00:18:59,700 --> 00:19:02,200
better, like, what would a
better corporate-government

341
00:19:02,200 --> 00:19:04,700
alliance on fraud
protection

342
00:19:04,700 --> 00:19:06,500
specifically look like in your
eyes?

343
00:19:06,600 --> 00:19:10,000
If you're not familiar with it,
ISACs, it's information sharing

344
00:19:10,000 --> 00:19:13,600
and analysis centers, and there
are a bunch of different types.

345
00:19:13,600 --> 00:19:15,800
There's like the retail and
hospitality, there's the

346
00:19:15,800 --> 00:19:18,100
financial. 
There's like electric. 

347
00:19:18,300 --> 00:19:25,500
These are all intended to be,
like, sector-specific or

348
00:19:25,700 --> 00:19:27,400
sector-ish
groups of companies

349
00:19:27,400 --> 00:19:31,300
that focus on specific threats 
and then share information about

350
00:19:31,300 --> 00:19:33,300
it. 
And what's interesting about 

351
00:19:33,300 --> 00:19:38,100
your question is that I would
argue, and maybe it's more

352
00:19:38,100 --> 00:19:41,700
so in the e-commerce/consumer
side of things, but I would

353
00:19:41,700 --> 00:19:45,800
argue most businesses are 
subject to fraud, right? 

354
00:19:45,800 --> 00:19:47,400
Particularly if you have weak
controls.

355
00:19:47,400 --> 00:19:50,700
So maybe a better way, and this
just comes to mind,

356
00:19:50,700 --> 00:19:51,800
I have never thought about this
before,

357
00:19:51,800 --> 00:19:55,900
So it's a really good question,
is do we need to start

358
00:19:55,900 --> 00:19:57,700
thinking?
Thinking about these topic-

359
00:19:57,700 --> 00:20:01,600
specific risks that are plaguing,
that are running horizontally

360
00:20:01,600 --> 00:20:05,300
across multiple sectors, and 
quite frankly plaguing a lot of 

361
00:20:05,300 --> 00:20:08,700
companies and sectors. 
So so too. 

362
00:20:08,700 --> 00:20:11,600
So to answer your question, is, 
maybe it's a, some type of 

363
00:20:11,600 --> 00:20:14,800
information-sharing type
situation specifically

364
00:20:14,800 --> 00:20:20,200
for fraud. And Wayne Anderson,
who's another regular listener

365
00:20:20,200 --> 00:20:26,000
who also asks these great
questions, he has two related

366
00:20:26,200 --> 00:20:28,800
Questions he says number one, 
let me ask you both of these 

367
00:20:28,800 --> 00:20:31,700
because they're connected. 
Number one in a consumer 

368
00:20:31,700 --> 00:20:38,000
ecosystem, where individuals 
cannot hold a provider 

369
00:20:38,000 --> 00:20:43,100
accountable? 
Contractually what to you is the

370
00:20:43,100 --> 00:20:49,500
biggest board motivator for a
security program's incremental

371
00:20:50,000 --> 00:20:52,100
investment. 
So in other words, what's the 

372
00:20:52,100 --> 00:20:55,800
argument that you make to boards
around the value of security? 

373
00:20:55,800 --> 00:21:00,200
Because as US consumers, you
know, when providers go down or

374
00:21:00,200 --> 00:21:02,700
release our private information,
there's just nothing we can do 

375
00:21:02,700 --> 00:21:07,500
about it and then he also wants 
to know in your mind. 

376
00:21:07,500 --> 00:21:11,600
How do you group or what are the
important metrics that a 

377
00:21:11,600 --> 00:21:18,000
security team can present to 
drive board members, and 

378
00:21:18,000 --> 00:21:20,400
business colleague 
conversations? 

379
00:21:20,400 --> 00:21:24,000
So I think, I think to summarize
what he's really talking about 

380
00:21:24,300 --> 00:21:28,500
is, how do we get
boards and senior business

381
00:21:28,500 --> 00:21:32,800
leaders, executives, to take this
seriously? When it comes to

382
00:21:32,800 --> 00:21:37,700
boards, there are two things. 
The first is, you need to find a

383
00:21:37,700 --> 00:21:42,700
way to articulate to that board
how security is helping to

384
00:21:42,700 --> 00:21:48,000
either protect or enable the
journey that the business is on.

385
00:21:48,000 --> 00:21:52,700
And so to the best extent
possible, you always want to

386
00:21:52,700 --> 00:21:55,800
articulate your security
outcomes

387
00:21:56,100 --> 00:22:00,000
in the context of the
business strategy, and typically

388
00:22:00,000 --> 00:22:01,800
there's an update on the 
business strategy. 

389
00:22:01,800 --> 00:22:04,600
During board meetings, for the CSO
to come either before or

390
00:22:04,600 --> 00:22:09,100
after, and to be able to say, well,
yes, and here's how, the steps

391
00:22:09,100 --> 00:22:11,100
we're taking to help safeguard
that strategy.

392
00:22:11,100 --> 00:22:15,800
That's one. Two,
consumers are also getting very

393
00:22:15,800 --> 00:22:20,500
savvy, and I think boards and
just management in general are
just management in general are 

394
00:22:20,500 --> 00:22:23,900
beginning to realize that 
especially with the advent of

395
00:22:23,900 --> 00:22:25,400
social media platforms, like 
Twitter. 

396
00:22:26,100 --> 00:22:29,600
You know, things can go south 
really quickly and I think 

397
00:22:29,900 --> 00:22:33,700
having seen that, I think boards
are much more sensitive to how 

398
00:22:33,700 --> 00:22:37,600
companies are perceived. 
And so I think the biggest 

399
00:22:37,600 --> 00:22:42,500
driver, which it should be, as a
foundational item is compliance,

400
00:22:42,800 --> 00:22:44,600
right? 
Are we doing anything that's 

401
00:22:44,600 --> 00:22:49,000
going to land all of us in like 
the jailhouse or testifying in 

402
00:22:49,000 --> 00:22:51,000
front of Congress? 
No check. 

403
00:22:52,000 --> 00:22:54,400
Who are we as a company?
And are we taking the steps

404
00:22:54,400 --> 00:22:57,600
necessary so that our consumers
will continue to perceive us

405
00:22:57,800 --> 00:23:00,900
as advocates of their security
and/or privacy?

406
00:23:01,200 --> 00:23:03,000
We are not. 
And that I think a lot of 

407
00:23:03,000 --> 00:23:04,100
companies need to ask 
themselves. 

408
00:23:04,100 --> 00:23:08,300
This question then: who are we?
And I use the term individual

409
00:23:08,300 --> 00:23:11,400
because I see companies as
having unique cultures and

410
00:23:11,400 --> 00:23:14,900
personalities and so on.
So bear with me as I use the

411
00:23:14,900 --> 00:23:19,100
term individual loosely: what
type of individual are we when

412
00:23:19,100 --> 00:23:20,600
it comes to security and
privacy?

413
00:23:20,900 --> 00:23:23,700
And how willing are we, how
willing are we really, like,

414
00:23:23,700 --> 00:23:29,200
how far are we willing to go?
The third is, do we even need to

415
00:23:29,200 --> 00:23:32,100
be best in class? 
Or are we are we the type of 

416
00:23:32,100 --> 00:23:34,200
company that's good at industry 
standard? 

417
00:23:34,200 --> 00:23:37,400
Is it best in class or a little
bit below? That's a continuous

418
00:23:37,400 --> 00:23:40,100
risk conversation that a company
needs to have with itself. 

419
00:23:40,200 --> 00:23:43,200
I don't subscribe to every 
company needs to be best in 

420
00:23:43,200 --> 00:23:45,800
class at all times.
There are a lot of variables that

421
00:23:45,800 --> 00:23:49,000
you need to consider when it 
comes to your colleagues. 

422
00:23:49,000 --> 00:23:53,900
It's the same thing, just taken
down a level. So along with,

423
00:23:54,000 --> 00:23:55,800
so the overarching company
strategy,

424
00:23:56,000 --> 00:23:58,900
in terms of how security is
protecting that, you then need to

425
00:23:58,900 --> 00:24:02,000
have those exact same 
conversations with your 

426
00:24:02,000 --> 00:24:04,500
counterparts or other Business 
Leaders. 

427
00:24:04,500 --> 00:24:08,300
Here's how we're driving 
security within your 

428
00:24:08,300 --> 00:24:11,400
organization. It's very topic-
specific. When it comes to

429
00:24:11,400 --> 00:24:14,900
security you cannot make an even
spread except for things like 

430
00:24:14,900 --> 00:24:19,300
your annual security program you
want to create a specific type 

431
00:24:19,300 --> 00:24:22,100
of you know outcome 
conversation, whatever you want 

432
00:24:22,100 --> 00:24:24,300
to call it with specific 
Business Leaders. 

433
00:24:24,300 --> 00:24:28,900
And then the thing I would say
is you need to be very maniacal 

434
00:24:28,900 --> 00:24:32,300
about feedback. 
You have an idea of what it is, 

435
00:24:32,300 --> 00:24:35,200
you want to accomplish, you're
going to try your darndest to

436
00:24:35,400 --> 00:24:37,800
connect with the board and other
Business Leaders. 

437
00:24:37,800 --> 00:24:40,500
In a way that you think makes 
sense, you're going to really 

438
00:24:40,500 --> 00:24:43,900
push for outcomes that make them
successful but you're not always

439
00:24:43,900 --> 00:24:46,900
going to get it, right? 
And so you want to have a sort 

440
00:24:46,900 --> 00:24:51,100
of a closed feedback loop system
where you are constantly getting

441
00:24:51,100 --> 00:24:53,900
feedback. How did that land?
Was it useful, was it not?

442
00:24:54,100 --> 00:24:55,900
And so I'm a big proponent of
business value

443
00:24:56,000 --> 00:24:59,100
metrics, how are we landing,
and then getting that feedback

444
00:24:59,100 --> 00:25:02,600
to try to, if you need to pivot
on that business value metric,

445
00:25:02,600 --> 00:25:05,200
then you do. I think it's a good
answer.

446
00:25:05,200 --> 00:25:09,500
There's no, when it comes to
boards, there's no quick and

447
00:25:09,500 --> 00:25:13,900
dirty response. 
There's no magic bullet here, 

448
00:25:13,900 --> 00:25:16,400
right? 
It's a matter of

449
00:25:16,700 --> 00:25:21,400
convincing the board that they 
have to make this investment, 

450
00:25:21,500 --> 00:25:25,400
which is obviously tough. 
Because the investment is like 

451
00:25:25,400 --> 00:25:29,900
insurance.
And, you know, it's like, gee,

452
00:25:29,900 --> 00:25:33,200
why I think we should buy a lot,
a lot, a lot, a lot of

453
00:25:33,200 --> 00:25:37,400
insurance for this risk, to get
back to what you were saying

454
00:25:37,400 --> 00:25:42,000
earlier, that may seem really
unlikely. Completely agree. One,

455
00:25:42,000 --> 00:25:46,200
And then, one other thing I'll 
mention is you have to be an 

456
00:25:46,200 --> 00:25:50,300
incredibly amazing steward of
that money. 

457
00:25:50,500 --> 00:25:53,000
And what do I mean by that? 
If you're about to get an 

458
00:25:53,000 --> 00:25:55,500
investment, you need to do two 
things. 

459
00:25:56,000 --> 00:25:59,900
You need to be very clear and 
articulate about what value gets

460
00:25:59,900 --> 00:26:02,700
delivered when and set 
milestones for you and your 

461
00:26:02,700 --> 00:26:04,700
team. 
So the money just doesn't end up

462
00:26:04,700 --> 00:26:07,400
in the ether and then at the end
of the year, you kind of like 

463
00:26:07,400 --> 00:26:09,300
well, look at this.
And yeah, but we gave you like

464
00:26:09,300 --> 00:26:11,600
10 times that, like, is that all
we got for the value?

465
00:26:12,200 --> 00:26:15,400
And then the other is that you 
just because you're getting an 

466
00:26:15,400 --> 00:26:17,900
influx of money doesn't mean
that you don't need to

467
00:26:17,900 --> 00:26:24,500
be just incredibly practical 
about cost savings as well. 

468
00:26:25,400 --> 00:26:28,200
You constantly want to do that.
So if there are tough

469
00:26:28,200 --> 00:26:31,700
decisions, you need to make in 
order to drive more optimization

470
00:26:31,700 --> 00:26:34,800
on cost savings. 
It should not, like, you need

471
00:26:34,800 --> 00:26:36,400
almost to treat those
separately.

472
00:26:36,500 --> 00:26:39,700
So you optimize, you constantly
optimize your spend regardless

473
00:26:39,700 --> 00:26:43,200
if you're getting an influx of
cash or not. We have a question

474
00:26:43,200 --> 00:26:47,500
from Arsalan Khan again on
Twitter, who asks a really

475
00:26:47,500 --> 00:26:49,500
good, excellent, excellent
question.

476
00:26:49,500 --> 00:26:54,700
He says this, he says GDPR is
a good framework, and we

477
00:26:54,700 --> 00:27:00,500
know that the US federal
government is not going

478
00:27:00,500 --> 00:27:04,800
to jump quickly onto that level
of data privacy.

479
00:27:05,700 --> 00:27:11,400
So why don't companies just
adopt GDPR themselves as a

480
00:27:11,408 --> 00:27:14,000
standard?
The biggest caveat that
The biggest caveat that 

481
00:27:14,400 --> 00:27:17,800
companies have, why they wouldn't
just do that, is because they

482
00:27:17,800 --> 00:27:19,600
would be mostly global
companies.

483
00:27:19,600 --> 00:27:22,300
I think you'll find if they're 
either US based companies that 

484
00:27:22,300 --> 00:27:25,400
primarily operate in Europe or
they're European-based

485
00:27:25,400 --> 00:27:28,000
companies.
They'll do that in a heartbeat,
They'll do that in a heartbeat 

486
00:27:28,100 --> 00:27:29,500
right? 
But if you're looking at more 

487
00:27:29,500 --> 00:27:32,700
global companies, you're going 
to find that they may be more 

488
00:27:32,700 --> 00:27:36,500
hesitant to do so. 
Because one of the challenges is

489
00:27:36,800 --> 00:27:41,200
the ever-evolving privacy
regulations as you work your way

490
00:27:41,200 --> 00:27:43,800
East or West, right? 
If you're in the US and then not

491
00:27:43,800 --> 00:27:45,500
to mention the 50 states as 
well. 

492
00:27:45,700 --> 00:27:49,600
For example, I know California
just did the CPRA, Oregon is looking

493
00:27:49,600 --> 00:27:52,900
at one.
There's one in Virginia as well.

494
00:27:53,600 --> 00:27:57,300
So companies, I think, are
hedging, and what they end up

495
00:27:57,300 --> 00:27:59,700
doing
is they try to find the common

496
00:27:59,700 --> 00:28:03,600
denominator and solve for that 
until there's a more predictable

497
00:28:03,600 --> 00:28:06,200
regulatory environment.
So I think that's maybe,

498
00:28:06,200 --> 00:28:09,200
maybe the key takeaway in the 
absence of a predictable 

499
00:28:09,200 --> 00:28:12,800
regulatory environment,
companies are going to try to do

500
00:28:12,800 --> 00:28:18,000
the sort of like the common 
denominator in order to avoid 

501
00:28:18,000 --> 00:28:20,900
wasted funds, right? 
Because you optimize for GDPR,

502
00:28:20,900 --> 00:28:24,400
and then a state or two or maybe
a federal law in the U.S. comes

503
00:28:24,400 --> 00:28:27,200
along and sort of passes it on
its head.

504
00:28:27,500 --> 00:28:30,200
You know, Mike Tyson has a 
saying, where he says everyone 

505
00:28:30,200 --> 00:28:32,400
has a plan until they get 
punched in the face. 

506
00:28:32,500 --> 00:28:36,200
Exactly. 
I want to, I want to, I want to

507
00:28:36,200 --> 00:28:40,600
start to amplify this
conversation a bit, right? As the

508
00:28:40,600 --> 00:28:44,900
chief security officer. 
You know, you can build a 

509
00:28:44,900 --> 00:28:49,500
security system that's really damn
good, but there's no system that's

510
00:28:49,500 --> 00:28:51,500
perfect.
And when you do have an
And when you do have an 

511
00:28:51,500 --> 00:28:56,500
intrusion, or you do have
something that goes further

512
00:28:56,500 --> 00:28:59,500
than you would like, what,
what goes through your

513
00:28:59,500 --> 00:29:01,300
mind?
One of the things as a chief
One of the things as a chief 

514
00:29:01,300 --> 00:29:05,300
security officer, you need to be
able to do is to figure out how 

515
00:29:05,300 --> 00:29:09,100
to fail fast and fail 
gracefully. 

516
00:29:09,400 --> 00:29:13,600
Because nothing, as
you alluded to, Q, is pitch

517
00:29:13,600 --> 00:29:17,300
perfect, and something will go
wrong, and when it does, you

518
00:29:17,300 --> 00:29:20,300
don't want to languish and sort 
of tumble, right? 

519
00:29:20,300 --> 00:29:23,300
You need to be able to fail and 
then recover as quickly as 

520
00:29:23,300 --> 00:29:25,100
possible. 
So one of the things that I 

521
00:29:25,100 --> 00:29:27,900
focus on as well, and this
is, again, not just for

522
00:29:27,900 --> 00:29:29,300
Expedia but just something to do

523
00:29:29,300 --> 00:29:34,600
well within the industry, is you
need to constantly be evaluating

524
00:29:34,600 --> 00:29:39,000
your ability to fail quickly and
and recover quickly. 

525
00:29:39,200 --> 00:29:42,400
And I think that honestly is the
biggest difference between 

526
00:29:42,700 --> 00:29:46,200
companies that handle a breach, 
well, and others that don't 

527
00:29:46,300 --> 00:29:49,600
because, like, if a nation
state decides to come after you,

528
00:29:49,608 --> 00:29:51,400
there is very little you can do to
prevent it.

529
00:29:52,000 --> 00:29:55,700
What, what, what... and I was at a
CISO conference this week.

530
00:29:56,100 --> 00:29:59,200
And someone asked the question,
do consumers

531
00:29:59,200 --> 00:30:01,100
really even care anymore,
though,

532
00:30:01,100 --> 00:30:06,500
that breaches happen? And I said,
well, okay, my response was,

533
00:30:06,500 --> 00:30:07,700
and the question wasn't for
me,

534
00:30:07,700 --> 00:30:09,800
I was an audience member, but
I kind of spoke up.

535
00:30:09,800 --> 00:30:13,700
I said, yes, maybe we are 
desensitized a bit as consumers,

536
00:30:13,700 --> 00:30:15,500
right? 
Because there are breaches, you 

537
00:30:15,500 --> 00:30:17,800
know every day you're reading 
about something different. 

538
00:30:17,900 --> 00:30:20,200
But it doesn't necessarily mean
that

539
00:30:20,200 --> 00:30:25,200
consumers don't care, and the
trouble that companies get into

540
00:30:25,200 --> 00:30:27,800
has shifted from "a breach has
happened,"

541
00:30:28,200 --> 00:30:32,400
that's expected these days, to
how does a company respond to

542
00:30:32,400 --> 00:30:35,400
that breach, and what is their
communication like?

543
00:30:35,700 --> 00:30:39,100
And to me, that is also a part
of your ability to fail quickly,

544
00:30:39,100 --> 00:30:42,300
fail gracefully and recover.
There's one thing that I will
There's one thing that I will 

545
00:30:42,300 --> 00:30:46,400
say like, when I worked in 
security, one of the things that

546
00:30:46,400 --> 00:30:52,400
we, we got really good at, that
I think helped us out a ton, was

547
00:30:52,600 --> 00:30:55,100
the order in the actual
post-mortem, and one of the

548
00:30:55,100 --> 00:30:59,400
things that we did a little bit
differently was we always led

549
00:30:59,400 --> 00:31:02,500
with the implemented fixes.
So, you know, oftentimes you
So, you know, often times you 

550
00:31:02,500 --> 00:31:05,500
have your post-mortem and that's
like right after the event 

551
00:31:05,500 --> 00:31:06,900
you're like, saying, what could 
we do better? 

552
00:31:06,900 --> 00:31:10,400
What could we do wrong?
And we led with the fixes and

553
00:31:10,400 --> 00:31:13,700
the solutions, or even, if they 
were in development, we started 

554
00:31:13,700 --> 00:31:16,100
there. 
And then we started to divulge 

555
00:31:16,100 --> 00:31:19,700
into, you know, what were the 
mistakes and what can we do to 

556
00:31:19,700 --> 00:31:23,200
do better moving forward. 
What does the post-mortem process

557
00:31:23,400 --> 00:31:26,100
for your team look like at the
highest level?

558
00:31:26,300 --> 00:31:29,100
I would say, it's no different 
from how it should be done, 

559
00:31:29,100 --> 00:31:32,300
right? 
So the question then becomes for

560
00:31:32,300 --> 00:31:33,800
me.
So, the fundamental questions I

561
00:31:33,808 --> 00:31:37,700
ask are what just happened, and
why did it happen?

562
00:31:38,000 --> 00:31:41,100
And even though you might not,
sorry, not why,

563
00:31:41,100 --> 00:31:43,600
But how, how did it happen? 
And even if you don't 

564
00:31:43,600 --> 00:31:47,900
necessarily know completely what,
who, what adversary got access

565
00:31:47,900 --> 00:31:52,800
to what, typically you can get
to the how fairly quickly, and

566
00:31:52,800 --> 00:31:55,400
what you want to start to do, 
there is try to figure out, are 

567
00:31:55,400 --> 00:31:58,000
there other areas within your 
environment that replicate this 

568
00:31:58,000 --> 00:32:00,200
type of either
misconfiguration or vulnerability

569
00:32:00,400 --> 00:32:02,500
that you need to start looking 
at really, really quickly. 

570
00:32:02,500 --> 00:32:06,200
It's always putting what
happened in context, and then

571
00:32:06,200 --> 00:32:10,800
simultaneously, obviously, need
to work on, like, what was accessed,

572
00:32:11,000 --> 00:32:13,500
because then there might be some
reporting requirements.

573
00:32:14,000 --> 00:32:18,800
But for me it's it's all about 
figuring out the how so that I 

574
00:32:18,808 --> 00:32:22,800
can, like, stem any type of breach
or subsequent leaks

575
00:32:22,800 --> 00:32:28,200
I might have. And then after
that, I need to get into sort of

576
00:32:28,208 --> 00:32:31,700
fixing mode really quickly and 
be able to communicate clearly 

577
00:32:31,700 --> 00:32:33,600
to the board and others that 
might need to get that 

578
00:32:33,600 --> 00:32:35,900
information. 
If you could go back in time, 

579
00:32:35,900 --> 00:32:38,200
let's say you have all the 
information that you now know. 

580
00:32:38,200 --> 00:32:42,600
Today, what would your younger 
self do when you talk about you 

581
00:32:42,600 --> 00:32:44,900
just got this job, you're brand
new into the role.

582
00:32:45,600 --> 00:32:47,800
Like, because it's the
top of the year.

583
00:32:47,800 --> 00:32:51,200
I mean, there are a lot of people
that just got new titles, titles

584
00:32:51,200 --> 00:32:55,100
changed, elevated.
And they're they're sitting in 

585
00:32:55,100 --> 00:32:58,200
the hot seat and they haven't 
gotten punched in the face yet. 

586
00:32:58,200 --> 00:32:59,500
So what advice would you give to
them? 

587
00:33:00,000 --> 00:33:02,400
There are probably like four or
five things and I hope I can 

588
00:33:02,400 --> 00:33:05,300
remember them, right? 
Because the thing about getting 

589
00:33:05,300 --> 00:33:08,600
into a seat like this, it can be
really, really overwhelming, 

590
00:33:09,200 --> 00:33:11,500
right? 
There's there's like a gazillion

591
00:33:11,500 --> 00:33:14,500
different things happening. 
Everyone needs your time, it's, 

592
00:33:14,700 --> 00:33:16,000
you know, especially as a new 
see. 

593
00:33:16,000 --> 00:33:18,900
So it's really hard to filter 
out the signal from the noise. 

594
00:33:19,500 --> 00:33:26,100
And so the advice I would have 
is make sure you're incredibly

595
00:33:26,100 --> 00:33:29,400
clear about your objectives and
key results and always come back

596
00:33:29,400 --> 00:33:31,400
to them, regardless of how people
randomize you.

597
00:33:31,400 --> 00:33:33,100
That's what you're looking to 
deliver. 

598
00:33:34,300 --> 00:33:38,500
The second thing is, as, in the
security field, there are probably

599
00:33:38,500 --> 00:33:41,900
five things.
There's, there's awareness and
There's there's awareness and 

600
00:33:41,900 --> 00:33:44,200
training to try to reduce the 
likelihood that your user 

601
00:33:44,200 --> 00:33:47,600
population does something silly.
There's endpoint protection just

602
00:33:47,600 --> 00:33:50,400
because that's what, you know, 
most people click on stuff and 

603
00:33:50,600 --> 00:33:52,900
you just want to make sure, and I
use the term endpoint loosely,

604
00:33:52,900 --> 00:33:54,200
right, to
include servers.

605
00:33:54,800 --> 00:33:58,500
There is vulnerability
management, right?

606
00:33:58,500 --> 00:34:01,200
You want to try to spot and get
rid of those vulns as quickly

607
00:34:01,200 --> 00:34:04,600
as possible. 
And then to the extent that you 

608
00:34:04,600 --> 00:34:10,699
can, there's also zero identity 
and access management if you can

609
00:34:10,699 --> 00:34:14,900
nail those four,
I think you are in a much

610
00:34:14,900 --> 00:34:19,400
much better position than a lot 
of other organizations, quite 

611
00:34:19,400 --> 00:34:21,600
frankly. 
And then you start to build from

612
00:34:21,600 --> 00:34:23,199
there.
So there, what your foundation

613
00:34:23,400 --> 00:34:26,900
is, build some OKRs to
those, and then that is your

614
00:34:26,900 --> 00:34:29,199
North Star.
You are working on that

615
00:34:29,199 --> 00:34:32,800
religiously and let the noise 
come and go and you just focus 

616
00:34:32,800 --> 00:34:36,800
on delivering on those. Chris
Peterson earlier had asked a

617
00:34:37,100 --> 00:34:42,900
follow-on question regarding the
ecosystem and he says how does 

618
00:34:42,900 --> 00:34:45,100
Expedia but I'm going to 
generalize this. 

619
00:34:45,100 --> 00:34:53,100
How does security and IT
deal with partner issues?

620
00:34:53,300 --> 00:34:57,500
Like when Southwest, just
Southwest Airlines, had their

621
00:34:57,500 --> 00:35:02,600
disruptions around Christmas, 
but to generalize, what do you 

622
00:35:02,600 --> 00:35:05,400
do?
Or what should it, should,

623
00:35:05,400 --> 00:35:10,500
what should one do when the
partners have a security

624
00:35:10,500 --> 00:35:16,700
meltdown and the data is leaking
and you're involved because of

625
00:35:16,700 --> 00:35:20,200
that, what should you do?
Hopefully, you're left of boom.

626
00:35:20,200 --> 00:35:23,100
This is sort of the industry 
term for it. 

627
00:35:23,300 --> 00:35:26,800
Something happens. 
And if you are, you want to start

628
00:35:26,800 --> 00:35:30,000
fostering, like, relationships
with your key partners today,

629
00:35:30,400 --> 00:35:32,500
share information, share
policies.

630
00:35:32,600 --> 00:35:35,200
Find out how to get
reporting both ways and so on.

631
00:35:35,500 --> 00:35:40,300
So that's what you want to do. 
Then if it's right of center and

632
00:35:40,300 --> 00:35:44,700
something's already happened, 
you also want to like truly be a

633
00:35:44,707 --> 00:35:48,900
partner, lean in with your
resources and see and ask how

634
00:35:48,900 --> 00:35:52,800
you can help, how you can help,
in both directions, both

635
00:35:52,800 --> 00:35:56,400
you as the primary person, maybe
there's a third party, but if

636
00:35:56,400 --> 00:35:59,400
you are a third party and
there's a primary, you also want

637
00:35:59,400 --> 00:36:02,400
to do that, because again, without
all of us having kind of skin in

638
00:36:02,400 --> 00:36:06,100
the game, we're not successful,
so build strong partnerships,

639
00:36:06,100 --> 00:36:09,100
active partnerships.
Arsalan wants to know what

640
00:36:09,100 --> 00:36:13,300
about AI and the role of AI in
security, maybe even using AI as

641
00:36:13,300 --> 00:36:16,200
an advisor to the chief
information security officer.

642
00:36:16,500 --> 00:36:23,600
It came to my attention that
someone forked ChatGPT and

643
00:36:23,600 --> 00:36:27,300
started doing some analysis and 
some development around that 

644
00:36:27,300 --> 00:36:30,200
type of capability with security
and was interesting because it 

645
00:36:30,200 --> 00:36:33,100
would do something sort of like
reverse engineer

646
00:36:33,100 --> 00:36:35,700
that malware that just came in
and put the indicators of

647
00:36:35,700 --> 00:36:39,200
compromise in this system. 
And so on basically just told it

648
00:36:39,200 --> 00:36:42,500
generally what to do and it was 
able to do all that. 

649
00:36:43,000 --> 00:36:46,200
So I absolutely think there is a
place today and it's going to be

650
00:36:46,200 --> 00:36:51,400
even bigger place in the future
for the way AI is going to help

651
00:36:52,200 --> 00:36:55,100
abstract a lot of the complexity
of security, and allow us to

652
00:36:55,100 --> 00:36:57,600
focus on outcomes. 
Now, some people might hear that

653
00:36:57,600 --> 00:36:59,500
and think, well, jobs are going 
away. 

654
00:36:59,500 --> 00:37:02,900
I disagree. Security is a very
complex space, and I think what

655
00:37:02,900 --> 00:37:05,900
this does is free up
very limited resources to work

656
00:37:05,900 --> 00:37:08,700
on more complex and interesting 
business problems. 

657
00:37:09,000 --> 00:37:13,400
We have a really interesting 
point from Carry Sullivan on

658
00:37:13,400 --> 00:37:16,400
LinkedIn. 
And I'm going to ask this one to

659
00:37:16,400 --> 00:37:21,200
both of you because this
question gets caught

660
00:37:21,200 --> 00:37:23,600
right square in between you
both.

661
00:37:23,600 --> 00:37:28,800
Okay, she says, great, quote
unquote, growth mindset thinking.

662
00:37:29,900 --> 00:37:34,400
Security is about human behavior
as much as it is about

663
00:37:34,400 --> 00:37:37,000
having great technology.
Getting stuck in the crisis,

664
00:37:37,000 --> 00:37:41,100
letting a breach languish, is
never the right answer.

665
00:37:41,800 --> 00:37:44,800
Post-mortem and continuous
improvement are as much about

666
00:37:44,800 --> 00:37:49,500
improving the barriers but
also the people reaction and

667
00:37:49,500 --> 00:37:52,800
response.
And so this is my question to
And so this is my question to 

668
00:37:52,800 --> 00:37:56,100
you
both. It's this, this growth

669
00:37:56,100 --> 00:38:02,000
mindset with security that, as
far as I can see, drives, or it's

670
00:38:02,000 --> 00:38:04,500
growth mindset
within the business that helps

671
00:38:04,500 --> 00:38:08,200
create the conditions that drive
all the breaches and drive the 

672
00:38:08,200 --> 00:38:10,700
fact that my personal 
information is out there on the 

673
00:38:10,700 --> 00:38:13,700
web. 
So Q, I blame you, and Kurt,

674
00:38:13,700 --> 00:38:18,100
apologies, but I have to also
blame you as representatives of

675
00:38:18,100 --> 00:38:22,300
your sort of separate breeds of
growth mindset: growth, growth

676
00:38:22,300 --> 00:38:26,000
people, security people.
I'm sure you might have seen it,
I'm sure you might have seen it 

677
00:38:26,000 --> 00:38:29,300
but you know, Gen Z is very much
into this.

678
00:38:29,300 --> 00:38:32,700
This, this is, we all remember
growing up with these. Kurt, you

679
00:38:32,700 --> 00:38:35,800
remember this phone?
I do remember that phone. Crazy

680
00:38:35,800 --> 00:38:39,500
thing is, this is a, this is a
BYOD phone that you have to

681
00:38:39,500 --> 00:38:42,000
worry about now. 
No, I'm serious. 

682
00:38:42,000 --> 00:38:45,500
Like flip phones are back flip 
side. 

683
00:38:45,800 --> 00:38:48,700
This is also the same device 
that you have that, you've got 

684
00:38:48,700 --> 00:38:52,500
to worry about, and you've got it,
and the bad guys,

685
00:38:52,500 --> 00:38:56,000
the bad actors, are there on
both, and this is actually

686
00:38:56,000 --> 00:38:58,300
probably more simple, so it's
easier to infiltrate a

687
00:38:58,308 --> 00:39:01,300
network.
We oftentimes don't even think 

688
00:39:01,300 --> 00:39:04,100
about it, and so marketers, we 
ruin everything. 

689
00:39:04,100 --> 00:39:06,900
We always see the emerging 
Trends and we come in and we 

690
00:39:06,900 --> 00:39:09,700
just, we, we don't think about 
privacy. 

691
00:39:09,700 --> 00:39:12,100
We don't think about data.
I mean, we just use it because we

692
00:39:12,100 --> 00:39:15,300
want the look, we want the press,
and it oftentimes falls in your

693
00:39:15,300 --> 00:39:18,200
lap on the security side to fix 
it. 

694
00:39:18,200 --> 00:39:22,500
But when I think about the 
people notion, we always, we 

695
00:39:22,500 --> 00:39:26,600
this has always been true
historically, like what was old

696
00:39:26,600 --> 00:39:30,600
once becomes new, what is new
once becomes old, and it's just

697
00:39:30,600 --> 00:39:33,000
fascinating to see. 
Now in a more connected 

698
00:39:33,000 --> 00:39:37,800
landscape, how those things can 
even play into a competitive 

699
00:39:37,800 --> 00:39:42,100
intelligence, they can play
into threats and into security

700
00:39:42,200 --> 00:39:46,400
risks and vulnerabilities, but
the way I'm going to pass

701
00:39:46,400 --> 00:39:49,500
this back to you,
Kurt, is how do you think about

702
00:39:49,500 --> 00:39:51,900
that?
Because AI is cool today, but I
Because AI is cool today, but I 

703
00:39:51,900 --> 00:39:55,200
remember an era where voice was
like all the rage, and I remember

704
00:39:55,200 --> 00:39:58,500
an era where blockchain and big
data was all the rage.

705
00:39:58,500 --> 00:40:01,800
So there's always a hyped Trend 
but you are responsible for 

706
00:40:01,800 --> 00:40:04,800
keeping it all within the same 
vessel and making sure that 

707
00:40:04,800 --> 00:40:08,300
engine goes forward, the 
technology might change, but to 

708
00:40:08,300 --> 00:40:11,500
the point of the, the person who
asked the question, And you can 

709
00:40:11,500 --> 00:40:13,800
swap out the technology, but 
he's in essence, what you're 

710
00:40:13,800 --> 00:40:16,200
looking for from your user 
communities, the exact same 

711
00:40:16,200 --> 00:40:18,500
thing. 
First of all, security's job 0 

712
00:40:19,000 --> 00:40:23,500
is, you know, are they advocates 
or champions for security? 

713
00:40:23,500 --> 00:40:26,500
And if they're not, we need to 
start more in the awareness, training 

714
00:40:26,500 --> 00:40:29,600
and just engagement level and 
feedback level to try to drive 

715
00:40:29,600 --> 00:40:32,500
that culture. 
But then from my perspective, it

716
00:40:32,500 --> 00:40:38,800
also comes down to diversity. 
And that growth mindset, the 

717
00:40:38,800 --> 00:40:40,100
growth mindset, speaks for 
itself. 

718
00:40:40,100 --> 00:40:43,700
How can we learn, evolve, you know, 
grow in order to be better and 

719
00:40:43,700 --> 00:40:45,400
respond better to these types of
issues. 

720
00:40:45,800 --> 00:40:49,900
But then, diversity, I'm 
talking, you know, ethnic, 

721
00:40:50,200 --> 00:40:54,500
cognitive, you know, you name it
every type of diversity because 

722
00:40:54,500 --> 00:40:56,100
one of the things that are 
pretty and that's pretty 

723
00:40:56,100 --> 00:41:00,500
interesting about security. 
It's a very creative field, 

724
00:41:00,700 --> 00:41:02,700
right? 
You can like, two people can sit

725
00:41:02,700 --> 00:41:05,000
and stare at the same thing. 
And just because you had a spark

726
00:41:05,000 --> 00:41:07,800
of inspiration, you can figure 
out how to solve this issue 

727
00:41:07,800 --> 00:41:10,300
where someone else might not. 
And so, yes. 

728
00:41:10,400 --> 00:41:12,100
Technical. 
But it's also, there's a certain

729
00:41:12,100 --> 00:41:13,900
level of art to it. 
And whenever you're in a 

730
00:41:13,900 --> 00:41:17,000
situation like that, you want 
the type of team that has very 

731
00:41:17,000 --> 00:41:19,500
different backgrounds that when 
they come together, they're 

732
00:41:19,500 --> 00:41:20,900
greater than the sum of the 
parts. 

733
00:41:21,200 --> 00:41:25,200
And so I would say it's a 
combination of culture which 

734
00:41:25,200 --> 00:41:28,000
includes that growth mindset as 
well as diversity. 

735
00:41:28,300 --> 00:41:32,300
What is the impact that you've 
seen from the application of IT 

736
00:41:32,300 --> 00:41:37,800
security on the travel industry 
at large like so they can before

737
00:41:37,800 --> 00:41:41,600
and after and largely because of
some of the Season yourself and 

738
00:41:41,600 --> 00:41:45,500
colleagues and partners have put
in place and it has led to you 

739
00:41:45,500 --> 00:41:47,400
know, new environments for 
herself. 

740
00:41:47,800 --> 00:41:52,300
I would say it's the ability to 
care deeply about your traveler 

741
00:41:52,300 --> 00:41:55,700
and the experiences they have. 
And part of that experience 

742
00:41:55,700 --> 00:42:01,200
is not just being able to see, 
you know, the Grand Canyon or 

743
00:42:01,200 --> 00:42:03,300
Christ the Redeemer statue or 
whatever else 

744
00:42:03,300 --> 00:42:06,300
it might be. 
It's them having the confidence 

745
00:42:06,300 --> 00:42:10,300
in sharing information with you 
and trusting you that you could 

746
00:42:10,400 --> 00:42:14,200
facilitate this experience in a 
way that helps them be a better, 

747
00:42:14,400 --> 00:42:17,400
you know, have a better outlook 
on life after versus before 

748
00:42:17,400 --> 00:42:20,500
taking that trip. 
And so I think it's driving and 

749
00:42:20,500 --> 00:42:24,800
trying to continue to build a 
confidence in with our travelers

750
00:42:25,100 --> 00:42:29,000
and our partners. 
And with that, I'm afraid we're 

751
00:42:29,000 --> 00:42:34,400
out of time. 
So, thank you to Kurt John 

752
00:42:34,400 --> 00:42:38,900
and to Q Harrison Terry, thank 
you both for doing this today. 

753
00:42:39,400 --> 00:42:43,000
Thank you for having me. 
Me likewise, and a huge 

754
00:42:43,000 --> 00:42:47,200
thank you to our great audience.
You guys are so smart. 

755
00:42:47,700 --> 00:42:50,900
Thanks so much, everybody, for 
watching. Before you go, 

756
00:42:50,900 --> 00:42:53,800
be sure to subscribe to our 
newsletter. 

757
00:42:53,800 --> 00:42:56,900
Hit the Subscribe button at the 
top of our website. 

758
00:42:57,000 --> 00:42:59,800
Then just subscribe to our 
YouTube channel. 

759
00:42:59,900 --> 00:43:03,300
Check out cxotalk.com and we 
will see you again next time. 

760
00:43:03,600 --> 00:43:04,600
Have a great day everybody.
