Episode 14
Integrate security into projects with Randy Lindberg
The finance industry is one in which teams are constantly hunting for an edge, whether a new product or an innovative solution. But these teams can get into trouble when they fail to consider security at the outset. Bolting on security at the end of a project won’t work.
Rivial Data Security CEO Randy Lindberg discusses the challenges faced by security teams in the finance industry, and how a shift-left approach, and a more holistic viewpoint building security into all aspects of the business, can help overcome them.
They also cover why organizations focused on compliance will tend to create reactive security teams, responding to audits and not risks. And on the other side, are auditors too focused on checklists, rather than organizational maturity?
They also discuss:
- The origin of Rivial, and the meaning behind the name
- Why business leaders need more context when making security decisions and why security teams need to present findings better
- The challenge of quantifying risk using statistical analysis, and why business leaders still crave their stoplight graphics
- How advances in technology like AI mean organizations must review risks constantly, not once a year
- The need for security teams to slow down when introducing AI
Links:
Resources:
- Blog post: The ASIC cyber pulse survey 2023 shows organizations are still reactive, not proactive, when it comes to cybersecurity
- Blog post: These are the 5 questions board members and C-level execs should ask about data privacy and data management
- FILED 09: Why organizations must address their vendor risk | Aaron Spiteri, UpGuard
- FILED 08: Living in the intersection of information governance and cybersecurity | Andrew Ysasi, Vital Records Control
- FILED 04: How to minimize the impact of a data breach through data management | Josh Mason, RecordPoint
- FILED S02E02: Why security needs to be integrated into projects from the beginning | Randy Lindberg, Rivial Data Security
- Newsletter: What we miss when we focus on how the hackers broke in
- Benchmark: How much PII does the average organization store?
Transcript
Anthony Woodward: Welcome to FILED a monthly conversation with those at the convergence of data, privacy, data, security, data regulations, records, and governance. I'm Anthony Woodward, CEO of RecordPoint. And with me today is my cohost, Kris Brown, RecordPoint’s, VP of product management. How are you Kris today?
Kris Brown: I'm very good, Anthony.
Kris Brown: How are you?
Anthony Woodward: Yeah, good. It's I think been a really strong start to the year over here and so much happening in our world.
Kris Brown: No, it's been fantastic. And I'm really looking forward to today's guest.
Kris Brown: as well.
Anthony Woodward: Yeah. Why don't we get straight on and do the introduction? I think that's with you today.
Kris Brown: So, yeah, look I know it's, we're just sort of turning things around today.
Kris Brown: So, look, I want to welcome Randy Lindberg here from Rivial. Hi Randy. Great to have you on the show.
Randy Lindberg: Hi there. Thanks for having me.
Kris Brown: Mate, thank you so much for coming on. Look, I'd love to start by, you know, discussing maybe a little bit of background. How you came to found Rivial. You're going to have to give us a quick little explanation of the name there as well.
Kris Brown: And let's tell the audience a little bit about what they do, what you do there at Rivial.
Randy Lindberg: Sure, absolutely. I'll hit some of the highlights. I'll go as fast as I can without boring everybody. So going way back, I was in the ROTC here in the United States, which meant that I was going straight into the Air Force out of college.
Randy Lindberg: And they sent me down to Montgomery, Alabama, if anybody knows where that is. And they said, Randy, you're going to be the information system security officer. My first step was figuring out how to spell security because I had not done it in any way, shape or form ever. But, you know, the beauty of an air force officer is they put you there and you get it, you get to figure it out.
Randy Lindberg: So, I realized very quickly as I was completing my physical three-inch binder. If anybody's been in security for a while, they can appreciate that for the presentation once a quarter. And I found that I just really liked security. So, when I got out of the Air Force, I went into consulting, not my own company, but working for another company.
Randy Lindberg: And I ended up picking up a document. It's NIST, National Institute of Science and Technology. Maybe standards and technology. I also forget the S, but it's 800 dash 30. It's all about risk management, and that's kind of what I latched on to as a security person. And so, when I went from consulting into managing security for a Fortune 50 retail company,
Randy Lindberg: I was doing risk assessments on things like the largest pharmacy application in the country and those kinds of things. And the NIST product, that document in the model, wasn't working very well. So, I started building my own. Eventually I ended up at a bank, it was a regional bank. And around the same time, I was working on some MBA classes.
Randy Lindberg: And I was in a finance class of all things, they covered Monte Carlo analysis, which is a statistical analysis of uncertain events, trying to predict uncertain events. So, I tied together the NIST model that I was tweaking and Monte Carlo analysis. And I basically built a different way to do risk assessments.
Randy Lindberg: And at the same time, I was at a bank, I was trying to find security services and I really couldn't find people who knew what customer service was. It was a bunch of technical security folks, which I love those folks don't get me wrong, but they didn't really know how to take care of me as a customer. So, I kind of combined those things in around 2010 to start Rivial with a couple of goals in mind.
Randy Lindberg: One was to take care of clients properly. We bend over backwards for clients. That was very important for me. The second was improving risk assessment. And then the third major goal was really to make cybersecurity management easier. And that's, you know, we talked about it a little bit before the recording here.
Randy Lindberg: And that's where the name comes from. It's slightly embarrassing. But when I created the name. There was a cheesy slogan that went along with it that basically security management was supposed to be trivial, right? I wanted to make it so easy. It was trivial. So, if you take trivial and you lop off the T, you have a made-up word.
Randy Lindberg: That's Rivial. So, is that a great name? Probably not. But I've talked to marketing companies over the years, and they said, no, it's not what we would pick, but it's good enough, right? So, it got stuck and it's been there for 14 years. And so that's where it comes from. And really, what I do at Rivial, I try to continue refining our solutions, which is software plus services around cybersecurity management, and create the highest value, reasonably priced offerings for our clients, and really to help take care of those clients, which means I make coffee, I take out the garbage, I vacuum, all those things that a respectable CEO does.
Kris Brown: Did you hear that, Anthony?
Anthony Woodward: Can you believe it blanked out for me? I have no idea what was just said.
Kris Brown: But perfect. What he said was that you need to look after me better. That's what he said. Right. You need to fetch me coffee more often. Those sorts of things. So just, yeah, you're good.
Anthony Woodward: And the only point I heard was taking out the garbage, but I wasn't sure Randy, whether that was metaphorical or an actual taking out of the garbage.
Randy Lindberg: What I pieced together here is you need to take care of Kris and take out the garbage. So, is that one and the same?
Anthony Woodward: Fair enough. The reason I go there is a lot of where we focus, and I think he's very much that thing, and I'd love to get some context for Rivial. In terms of your context, do you really think about what aspect of cybersecurity and is taking out the garbage in a digital context part of that?
Randy Lindberg: Absolutely. I didn't intend that and hadn't really thought about it, but in a sense, yes. And so, if we get into risk management a little bit more, there is a lot of metaphorical garbage in cybersecurity when people don't do proper risk assessments because they're not really understanding the business context in which they operate.
Randy Lindberg: They're not understanding the real risk to the organization, and they might be out buying tools and doing those kinds of things. Whether you could consider that garbage, I think it's a very good question.
Anthony Woodward: Yeah, and so give us the landscape. I love that background. I love the problem in the space that you're solving there when you talk about Rivial today.
Anthony Woodward: What are the top 2-3 use cases that you really dive into for customers?
Randy Lindberg: Oh, sure. Yeah, it's a very good question. So, I would say the top handful is overall just making cybersecurity management easier. One of the main goals and we built a platform, we provide services that go with it. And so those two things combined, our vision is that we can help anybody confidently manage cybersecurity program.
Randy Lindberg: And that is all of the things that a security leader does, right? There's the technical space with the SIM and XDR antivirus and all those things were one layer above that, where we tie together, basically tie the business to the technical security program. So doing things like risk management, managing compliance with IT
Randy Lindberg: internal policies or some kind of external regulation or document just making all of that easier, you know, winning at the whack a mole game that is vulnerability management, right? So that's one of the major goals. Another one is I talked about risk assessment. That's really my thing. So, I lean on that quite a bit, but the second goal is really helping people manage risk better, and that starts with doing a better job assessing risk.
Randy Lindberg: And we're kind of stuck in our industry. One of the things I want to fix in our industry, cybersecurity just across the board is we as security people traditionally go out and we kind of put our finger in the wind and go, oh, this is a high risk. This is a medium risk. This is a low risk. And then we go to the board of directors or executives, whoever makes that decision, and we say, hey, we have a high risk. We need to spend 50, 000 to reduce that to a medium and they go, what, right? They don't have anything better to extract information from. So, they're forced into making decisions based on that just ambiguous detail. And so, I think that makes us as security people look bad.
Randy Lindberg: And I can tell you when we get in and we actually use our software and we're using Monte Carlo analysis, we're measuring risk better, it facilitates better conversations with those people making decisions, right? Because they speak in dollars and cents. And when you can go to them with risk measured in dollars and cents, it's a more meaningful conversation.
Randy Lindberg: That's kind of the second main goal. The third one is it kind of goes in line with those first two. Which are making cybersecurity easier, management easier, better risk assessment, and that's just automating as much as humanly possible. So, using software, using mechanisms and streamline processes, again, just to automate as much as possible, but particularly compliance.
Randy Lindberg: Nobody likes compliance. Nobody likes doing it. They just want it to be done and that's where we help people as well.
Kris Brown: I feel seen, you know, nobody likes compliance piece. I mean, this is sort of where we live, right? So, you know, here at RecordPoint, we're obviously there trying to help organizations not only manage their risk but obviously manage all of their privacy requirements and other regulations, but it's that compliance element that they get at the end.
Kris Brown: And there's all the other benefits up front. But yeah, no one really wants to deal with the compliance piece. It's almost like you have to. And I guess one of the pieces here that's made me aware, a little bit more aligned is trying to get it to a place where the outcome is compliance by doing all of the other good stuff.
Randy Lindberg: Yeah, absolutely.
Anthony Woodward: Yeah. I'm really interested in it, certainly we haven't talked much on the podcast, but we do a lot at RecordPoint, you know, thinking about different ways to quantify risk. And it sounds like you guys are really on top of it. You know, we talked a little bit about things like Monte Carlo analysis and regression and mathematics.
Anthony Woodward: Is your application of that purely through that method, like how do you deal with things like the law of averages over that analysis and the impact of those considerations? Or do you start to weigh that out? I think the listener would be really interested to understand the, well, it's almost your IP, but how that approach is done.
Randy Lindberg: Oh, sure. Absolutely. Law of averages. There, there are a lot of things that we would like to do just in the security space in general, but it's hard to kind of move people along. You're going from high, medium, low measurements, some kind of ordinal scale, one through five, I mean, to statistical analysis is a pretty significant jump, right?
Randy Lindberg: And so, we're just trying to get people to make that jump once they do that, then we can dig in and mature the program over time. But really, it's just making that initial leap that again, it's very, very difficult to a point, and I might be a little off topic here, but when we have a new client. And we present to them the results of their risk assessment.
Randy Lindberg: We've run the statistical analysis. We give them the results. It shows actual dollars and cents, financial figures and return on investment for the recommendations we're making. If we don't have some kind of stoplight chart, like a red, orange, green, or red, yellow, green, they panic because all of the risk assessments they've received in the past, I have some kind of high, medium, low chart.
Randy Lindberg: I'm not trying to make fun of anybody, but just for new clients, we put in a stoplight chart, high, medium, low, and they go, "oh, cool. I have my stoplight chart." And then they go to the next page, and they go, "oh, this is interesting. Tell me about these financial figures." And that's where the conversation really starts.
Randy Lindberg: So, they kind of cruise past the stoplight chart, they get to the financial figures. And that's where the, like I said earlier, meaningful conversation starts. And so just getting to that point, leaving out, you know, the laws of averages, law of averages, and those others, I'll call them fudge factors in risk assessment.
Randy Lindberg: We've tried to take those into account just in the way that we get opinionated with our software works because people aren't quite there yet. And again, I'm not trying to make fun of people or be condescending, but we kind of hide all that until people ask. For example, this is different than what you're asking I think a little bit, but a lot of people ask about cyber insurance. I don't need to worry about this because I have insurance. Yeah, well, that's not really how risk assessment works, right? I get the idea, but the idea is to measure it. Right. You get your, your impact, your likelihood or probability in our case, you end up with your inherent risk.
Randy Lindberg: You look at controls and you get to your residual risk. And when you look at that and measure that residual risk, then you go do something about it, whether you mitigate it, accept it or transfer it, which is insurance, right? So that's a risk treatment mechanism. So, people ask, "Oh, well, can I consider insurance?"
Randy Lindberg: Well, yes, but way later in the process.
Anthony Woodward: Yeah. And the reality is all insurance doesn't offset a hundred percent of your risk, right? That's the, that's the key denominal factor here. When we talk about cyber and the risk of cyber, which is an ever-evolving landscape, which is partly why I brought up the question around them.
Anthony Woodward: There is no true law of averages. That was probably a made-up Anthony term, but the floor of averages has probably been a way to put it. I guess where I was headed with that is because it's an evolving landscape, you know, traditional Monte Carlo simulations and traditional ways to assess risk, you know, treasury and a bank and those kinds of things are all around the predictability of an event because cyber is evolving so quickly.
Anthony Woodward: How do you deal with that evolution and those externalities that are going to occur?
Randy Lindberg: Oh, sure. Yeah, that's a very good point. As far as externalities go, when you ask the question, my mind jumps to artificial intelligence, because it's being used on both sides, right? The bad guys and the good guys. And now the arms race has kind of escalated and sped up in certain cases, because, you know, we have externalities.
Randy Lindberg: One thing that jumps to mind is phishing, just kind of your standard email phishing attack, right? That risk has changed significantly. So, if you did a risk assessment a year ago or two years ago, shoot, even a year ago, actually, you know, 6-12 months ago, it needs to be updated because phishing attacks are better.
Randy Lindberg: You can dig into the statistics, but when you look at phishing attacks, it used to be that vast majority of them were written by somebody who had English as a second language. It looked like it was just poorly written. Now the attackers can go out there regardless of what language they speak. With the right prompts, they have ChatGPT or something like that.
Randy Lindberg: Some kind of large language model writing an email for them. That's in our case, in perfect English: grammar is correct. Spelling is correct. It looks like a legitimate email. And so, one of the means that users had of just noticing, you know, just detecting phishing attacks is kind of gone now when you have artificial intelligence available to the attackers as well.
Randy Lindberg: So that kind of externality, those things are coming in. On the security side, of course, we have artificial intelligence now to defend against that. So again, that arms race. But back to the risk assessment. Yeah, for me, it really comes down to keeping the risk assessment up to date over time. So, it used to be, and I don't know that this was ever acceptable, but it used to be that people did a risk assessment once a year and go in and assess the risk and write a report.
Randy Lindberg: Put it on the shelf or the virtual shelf, and I wouldn't look at it for another 12 months. Well, two or three weeks after doing that, it was out of date. And so what we see and what we're trying to push people toward along with the statistical analysis is keeping things up to date over time, tying in with external tools and tying your risk assessment in with external tools, pulling that data daily or weekly or monthly and updating the evidence that proves those controls are in place to really measure risk over time.
Randy Lindberg: We call it real time risk. Not that that's proprietary words or a phrase for us. No, but really, yeah, it's dealing with those things. I think you have to look at risk consistently rather than just once a year.
Anthony Woodward: Love it.
Anthony Woodward: And so, this, this notion, cause one of the things that I've observed a lot in the industry is that risk is seen as episodic.
Anthony Woodward: I have an event; I then calculate the risk on the event. Or as you say, twice a year, I have an audit, I have a set of processes. I do these episodic tasks; this notion of risk is always on. And I know that. That's part of what you know, you're all doing that Rivial is really key. Isn't it? That risk is something we do every day and we're thinking about it from all sorts of directions.
Randy Lindberg: Yeah, absolutely. Well, back to Kris' point, you know, regarding compliance where nobody really wants to do compliance, but they have to in a lot of cases, obviously there's overlap, and so if you're automating compliance and keeping that up to date. And you're tying those same controls in a lot of cases in with your risk assessment as well, you're doing the same, you know, setting up the same integration, the same automations and keeping your compliance up to date and keeping your risk assessment up to date.
Randy Lindberg: So, you can make proper decisions around risk. So, to me, they go hand in hand.
Kris Brown: Randy, one of the things we've been exploring on FILED and obviously through RecordPoint this year is all about shift left and I'm wondering what's your take on that as it relates to what you're doing at Rivial. And certainly how, how are you in that sort of place of, what's the goals of embedding security into an organization better?
Kris Brown: What are the outcomes they're going to get? And I want to be a little bit more targeted. How does that play out, say, for example, in the finance industry? So, where's your take on shift left as it relates to your organization?
Randy Lindberg: Oh, sure. Absolutely. That's not a term we use often. Maybe we should do a little more, but I was introduced to that term a few years ago in regard to software development.
Randy Lindberg: And so, when you think about a workflow from left to right, it's setting up the requirements, designing, building and testing usually happens way over to the right. So, doing that testing, you know, on the left and continuously throughout the process, you know, I think that also applies to, you know, just IT projects as a whole, which involves security, right? And so, to your point, when you go purchase something or implement something, any kind of an IT project, whether it's cybersecurity-related or just touches cybersecurity, which, of course, all things IT do, the earlier you can start to define security, the easier and cheaper it's going to be.
Randy Lindberg: And you guys know this. And there are certain cases where bolting on security after the fact isn't even possible. Again, it's when you start with, I'm gonna go back to risk assessment. Let's say you're going to buy a new solution. If you get all the way through the process, you purchased the cloud platform or you purchased, you know, whatever it is, the application or even hardware these days.
Randy Lindberg: You go all the way to the end, you go, okay, now we need to look at security. Well, you might not be able to go back and bolt on security, right? There are tools out there. Let's say your organization is using Okta for single sign-on and you might, you know, the business unit might go out and get a, get a product and say, this is going to save the day.
Randy Lindberg: We need this. Let's put it in. And then let's call the security folks. Well, it might not interact with Okta, it might not be possible. So, it might not even be possible to do Single Sign-on. So, you've taken this really cool solution, and you brought it into your organization, and you can't secure it right. It doesn't fit in with the normal processes.
Randy Lindberg: So again, for me, once you start that process, I think a risk assessment needs to be done and security needs to be built in. So, I'm thinking about, you know, acquisition or implementation in terms of a workflow from left to right. Those security requirements should be way over on the left, right? Shift all of that thinking left rather than trying to bolt it on to the right.
Randy Lindberg: And we actually see that, as you can imagine, a lot in the finance industry as well with cloud and AI specifically, because they just make good business sense. And so, we do see that a lot where businesspeople are looking, they're looking for an edge, they're trying to gain a competitive advantage. So, they're looking at solutions, they bring in those solutions, they could pay for those solutions.
Randy Lindberg: If there's no procurement process that involves cybersecurity and they bring something in and then the security people are left holding the bag and, "hey, go make this secure. Now that we purchased it." You guys have seen that.
Kris Brown: Yeah, yeah, no, absolutely. And I think, you know, the, the interesting thing, as you say, is, is just that element of even shifting left in that purchasing process, right?
Kris Brown: Like I'd say, do the right thing, bring that security organization in. Again, homing in a little bit there on that finance sector. Do you see any pitfalls or anything obvious at the moment around how financial agencies are handling this security? And, and obviously I'm not asking you to tell us all how we can get into the, you know, hack into the next bank, but.
Anthony Woodward: Well, we can do that after the podcast, can't we?
Randy Lindberg: Yeah, yeah, absolutely. There's a coffee chat after. Yeah, well, none of our clients are hackable. I'm kidding. Everybody's hackable. But yeah, as far as pitfalls in finance, I think there are a handful that really come to mind for me. And the first is, not presenting what the board needs to see.
Randy Lindberg: So, at most banks and credit unions that we deal with, it's really the board that's the decision-making body. And so, a lot of us, I feel like I'm picking on traditional or security folks with our traditional ways, but a lot of security people will report on the nitty gritty, the stuff that the security person needs to see.
Randy Lindberg: They think, "Oh, it's important to me. So therefore, it's important to the board." And in a lot of cases, it just really isn't. The one that comes to mind, I use it as an example all the time is the number of spam messages, blocked by the firewall. The people making decisions about security programs just don't need to know that. The security person does make sure the firewalls working configurations are set up properly.
Randy Lindberg: But when you report that to the board, these folks are not typical board of directors at a financial institution. They're not meeting every day. They're not thinking about security every day, or even every month, or possibly even every quarter, right? They get together and they have a bunch of stuff to go through.
Randy Lindberg: And I think just us security people, we need to understand the business and what they're thinking about rather than the other way around. And so, for my part, I think it was four or five years ago, I created a template. It's free for use. I don't have a link handy, but it's free for use. People can download it, use it.
Randy Lindberg: I was trying to help where it's essentially reporting cybersecurity to the board and it hits things at a level that is low enough and detailed enough that the board gets what they need, but not too detailed where their eyes glaze over and they want to move on to the next topic that they understand.
Randy Lindberg: So again, that's out there and just the feedback we've gotten for the last few years on that. People have come to us and said, oh, thank you for doing that because I used to not have a great relationship with my board and now, I report to them what they need to know. And they love me for it. So that's one, just not presenting the right information
Randy Lindberg: I think for the board of directors or for executives in general.
Kris Brown: And we might steal that link from you at some point and advertise that with the podcast. So, for those who are looking, they might be able to see that in the details of the podcast too. So, I think that sounds really, really interesting.
Randy Lindberg: Yeah, absolutely.
Randy Lindberg: And again, we, I don't know the link, but we put it out there. People can download it and use it. Because what I'm trying to do is just help people get better at security, right? And part of that is tying the business to security. So, I've been in those shoes. I was a technical person, you know, I've been a business owner for 14 years.
Randy Lindberg: And so, I kind of see both perhaps a slightly different perspective than someone who's just, you know, they've done security in their whole career. But to further answer your question, I think number two, if I could go back, you know, I'll just, I feel like a repeating record here, but that's not measuring and managing risk properly.
Randy Lindberg: That's kind of the second thing that we see that are where security programs kind of go, go bad and that's not the security person's fault. I think we as an industry haven't put together the right tools, so we share our model readily. It's not easy to do without software, admittedly, but we share our model readily because I worked on it for, well, starting in 2004, 2005, trying to build a model that actually worked, and we've refined it over the years.
Randy Lindberg: So, to share that model with people, they can go do it using spreadsheets and things like that again, not easy, but it's doable. As I mentioned before, once you report the correct things to the board of directors at the right level, and then you get into the financial aspect of cybersecurity risk, that's where the board then trusts you, right?
Randy Lindberg: There are people out there that have great relationships with their boards. The board gets them, it gets security. I totally understand that. But when you report the right information, and you report risk in terms of finances and return on investment—the language that business people speak—it just builds a better relationship.
Randy Lindberg: They trust the person more; they know what to expect. I know what they're seeing, and they feel like they're part of it, quite honestly, that's where the, like I said before, meaningful conversations start specifically in the finance industry. I would just add that unfortunately, what drives security in a lot of cases is compliance.
Randy Lindberg: Right. So, there's nothing wrong with compliance. Of course, examiners are there for a reason. FDIC, the NCOA, when they come in, they're there for a reason. But when an institution simply reacts to what an examiner is telling them, they don't seem to ever get ahead. They're just constantly in reaction mode.
Randy Lindberg: Their program isn't great. They're not able to make improvements because they're just waiting for the examiner to come in and whatever those hot topics are this year, the examiner hits those things. So, they're not focusing on building a solid holistic security program. They're just doing whatever the examiner tells them.
Randy Lindberg: So, they're, you know, they're just reacting all the time.
Kris Brown: Yeah, I think there's probably again a correlation there to our own industry and our own customers. They're in a sense that there can be a focus very much on the compliance without the holistic view and. As I said, I love the idea of even perhaps for something for ourselves is that sort of advice back to how to report this up to the board when I think one of the biggest things that we see in our industry around is that the practitioner, the information manager, the privacy officer really do struggle to understand.
Kris Brown: How to report that value and in a way that a businessperson understands. So, I already have a mark down here that I'm going to have to go away and read that. And maybe there'll be a further chat about having a look at how I replicate that for this industry as well. Cause I think that sounds like a really valuable tool and something that organizationally, everybody struggles with really at the end of the day.
Kris Brown: It's to be able to take what you do as an expert and push that through to a board and have them understand in a financial context is an enormous challenge.
Randy Lindberg: Sure. Sure. Absolutely.
Anthony Woodward: And I think you brought up a really interesting topic, right? Yeah. You talked about the NCUA, which it just for global listeners is the National Credit Union Administration in the United States.
Anthony Woodward: And you probably can explain it better than me, Randy, but my understanding is they have the regulator that looks at all depositing institutions in the credit union industry and looks at the regulations around them. Is that correct?
Randy Lindberg: That is correct. Yeah. So here in the United States, yes, for credit unions.
Randy Lindberg: It's the NCOA for banks. It's the FDIC, Federal Depository Insurance Corporation. And so, they, they're charged with making sure that the banks and credit unions. Have that security program in place,
Anthony Woodward: And I think what's really interesting and where I wanted to get to on that question was, do you think there's scope for the regulator to go beyond the compliance checklist?
Anthony Woodward: Because as you're saying, you know, ultimately, the compliance process is marking to an exam. And, you know, I certainly know myself as a learner. I'm hopeless. Like I can go to exam papers till the cows come home. My memory isn't that I actually have to learn the material, you know, have it integrated into me and then I can go do the exam versus I know others are much better at sponge learning and just knowing that answers by rote and not actually learning it.
Anthony Woodward: And I think the latter is a lot of what we see organizations doing is, what's the checklist? How do I meet the checklist? Do you see the regulators moving on where they're starting to benchmark maturity, publishing maturity. You know, you brought up your template that you put out there, which sounds like it's an awesome way to potentially benchmark your own maturity.
Anthony Woodward: Where do you see that going in the industry? Cause this is where I think the intersections occurring between your data, privacy, data governance, and cyber is really understanding the maturity of the organization and how it compares with peers and therefore how stakeholders should expect those organizations to behave.
Randy Lindberg: Sure. Yeah, I think you make a great point. As far as benchmarking and maturity, I personally don't see that a lot. There might be some examiners out there doing that. We don't see that a lot. And there's, it really comes down to training, quite honestly, the level of scrutiny put on any one financial institution can vary widely, even in the same region, same place, just because of the different folks.
Randy Lindberg: And I don't want to pick on anybody, Okay. But there are examiners who we talked to, maybe it's been a while, who just really have never seen a good risk assessment. They've not been trained properly in how to do a good risk assessment. And so, I'll tell a story, it's been several, several years, so I feel comfortable telling this story.
Randy Lindberg: We had an examiner who came in and said, oh, we, I don't like your risk assessment. I said, "okay, well, what are you looking for?" Oh, it's got too much stuff. So, we took our report. And we start chopping it down and just try to, you know, we do whatever we can to make the examiner happy. So, we started chopping the report down and he said, "no, no, no, it's got to be in a spreadsheet."
Randy Lindberg: Okay, so we ditched the report. We dug back up the raw results of the spreadsheet. And he said, no, just too much stuff. This is, you know, and so after about 12 back-and-forth sessions with the examiner, we've taken our spreadsheet. That's again, this is the raw data, not the report. We would never deliver this directly to a client, but it was, you know, 200 rows of stuff and maybe 20 columns of stuff.
Randy Lindberg: We whittled it down to about, I think it was five or six columns and maybe 12 rows. And once we got it whittled down enough, he said, "okay, perfect. That's a risk assessment." I said, "I'm just curious if you don't mind for my own edification. You know, Mr. Examiner person, can you enlighten me on how you came about this way?"
Randy Lindberg: He dug up an example spreadsheet of a risk assessment that he had seen probably 10 years prior to that time. And it was six columns wide by 12 rows deep. And that's what he was looking for. And again, I mean as I mentioned, I'm not trying to pick on this person. I, you know, don't even remember his name, but that's the kind of thing that we deal with across the industry where the level of scrutiny can vary widely.
Anthony Woodward: Yeah, and I think that we see that quite commonly in a bunch of different areas when people start to talk about quantifying the behaviors of an organization for risk, right? It really does come down to how the auditor is prepared to interpret the risk and the pieces that wrap around that. Right?
Anthony Woodward: So do you see that evolution then where risk becomes not just a process of compliance in those elements but integrated into the business models of these organizations. And do you think stakeholders are seeing that? I mean, certainly what we see in our world is much more focused on supply chain, much more, you know, as a SaaS vendor who has data of our clients, you know, there's a real harder look at what does that supply chain equal and where are the risks in that supply chain?
Anthony Woodward: Is that what you're seeing when you're doing these risk assessments as well?
Randy Lindberg: Yes, absolutely. Yeah. I hope it continues that way. And we're starting to see that trend toward better risk assessment and certainly for several years now, supply chain, you know, vendor management has become important, but examiners kind of across the board and our clients like banks and credit unions just as a whole are wanting to do better risk assessments.
Randy Lindberg: They realize that there's more to it than just high, medium, low and not really presenting anything useful. And so, what we've seen is a trend. There was a study done maybe a year ago, maybe two years ago, fairly recent. And it was talking about the number of organizations doing kind of your normal ordinal scale of risk assessment versus Monte Carlo versus something beyond that.
Randy Lindberg: And so, the really cool diagram showed that over the last couple of years. More and more organizations are, first of all, doing risk assessments, right? Because not a lot of people did them even as a few years ago. Right, but there are more and more organizations planning. They're moving toward statistical analysis like Monte Carlo and planning to even move beyond that.
Randy Lindberg: So yeah, as far as I'm just a maturity of the industry, hopefully getting past that reaction to exam findings and getting better. And I think it stems from security, us security people, we security people. We need to present risk better. Once we do that, it's a better conversation. It becomes a, like you said, business topic, rather than just a technical security topic.
Randy Lindberg: Once it's embedded in the business discussion, then it can be, I think, it's treated as a business discussion. Therefore, the organization is a little more proactive, where they say, they identify their own risks, and they go, oh, yeah, we need to do something there. Rather than just push security off to the side and wait for the examiner to bring up a finding.
Anthony Woodward: Yeah, I always find it really weird, right? And there are, I don't know, it's an evolving industry and cyber risk is relatively new but, you know, we have things like GAAP accounting, and we have all these rules and in fact, not following a rule results in significant detriment to the business from different stakeholders.
Anthony Woodward: These are conversations that are well known around a board table, and we get an auditor in every year. You know, we bring in a, someone who's really going to be independent and third party to do that examination to a particular standard. We're going to see the evolution of that in its entirety, right on the cyber side.
Anthony Woodward: There's a nascent beginning to that, but do you really see it as a part of that shift left piece? And really when we talk about shift left, we really, really see that moving right up to that board table conversation. Do you think that the quantification of that is going to be as simple in 10, 15, 20 years as what we see in the finance industry and having the kind of standards like GAAP and those sorts of things?
Anthony Woodward: Is that the evolution that we're headed to?
Randy Lindberg: Oh gosh. Yeah. I would say that I hope so. Absolutely. It is funny that you mentioned GAAP because One of the most common documents, and I'm not sure if this is global or not, but it's at least the United States with, you know, vendor management and just vendors having their own security tested and then providing evidence of that too.
Randy Lindberg: Their customers, and that is you know, we use a sock to that document actually came from the A. I. C. P. A. Which is the American Institute of Certified Public Accountants. Smart one.
Anthony Woodward: No, you got that. I think you got that one. Definitely.
Randy Lindberg: Accountants testing cybersecurity, right? Doesn't seem entirely logical, but that's the organization that came up with that report format.
Randy Lindberg: So, the unfortunate part is that report format leaves a lot of holes. And so, what does that do to supply chain risk, what vendor management in terms of these organizations presenting their security to customers? To be seen
Anthony Woodward: One of the things, you know, you probably can tell from my line of questioning.
Anthony Woodward: We're really interested in seeing a maturity matrix for the industry as it thinks about these dimensionalities of risk and really thinks about how you can be more effective in that quantification. And I think what you've seen in the finance industry so that stakeholders can assess an organization's risk and value is things like GAAP and things like those commonly understood standards that we're operating to in terms of operating models.
Anthony Woodward: And I think SOC is a good one, although probably still early in its evolution.
Randy Lindberg: Yeah, I'd like to think so. And as far as maturity for the industry goes back to organizations moving to better risk assessment and really just better cybersecurity management. And I think there's a lack of tools quite honestly, and you guys, you guys probably see this as well on the privacy side, but it's all point solutions.
Randy Lindberg: And so, it's hard, I think, to mature a program overall when you have three or four or 10 different places you have to go log in to whether it's doing a risk assessment, keeping track of compliance, maybe managing vulnerabilities and they have to go somewhere else to get your policies. Right. And I think there seems to be, in the industry—at least what I've seen people realizing—that managing a cybersecurity program can all be done in the same place.
Randy Lindberg: All right, we're doing that. Others are doing that. I think when you start to report correctly to the board or executives, get them involved in the conversation. So, it becomes more about the business. And then you take all of those individual risk or cybersecurity management tools and put them all together.
Randy Lindberg: I think at that point, we can really start to mature what we do as security professionals on the management side, right? There's the technical folks who are digging into the weeds. And then there's more of the governance, risk and compliance CISO type folks. And I think once we tie all these things together, then we'll really be at a point where we can mature cybersecurity management overall.
Kris Brown: So let me pick on that a little bit and go pull your crystal ball out. We like to always ask the future looking question, but if you look forward, let's keep it nice and tight because this space is moving very, very quickly. But say, look ahead 12 months, what's on the horizon? What do you see changing?
Kris Brown: There are obviously all sorts of regulations that are moving, but what's the two pieces, what's the wish, what do you want to happen in the next 12 months, reality, what do you think is going to happen in the next 12 months?
Randy Lindberg: Oh gosh.
Kris Brown: And it's okay. Cause that's one of those questions where it's like, how long is a piece of string, Kris?
Randy Lindberg: Yeah. The next 12 months. I was going to cheat and just jump to AI, just because that's where everybody's going, you know, I feel like if you don't mention AI in a presentation these days, it's not interesting to people. What do I wish for in artificial intelligence? I hope that we can figure out whether it's me and my company or somebody else and they publish it and make it available, is that we can figure out a good way to not only structure a risk assessment.
Randy Lindberg: And measure risk properly so that it's based on data, which gives you the ability to bring in machine learning, right? I hope that we can tackle that to add artificial intelligence to the structure that already exists to the model and get to a point where we have this computer human partnership where the computer, you know, the machine learning, that artificial intelligence can dig into the data and you make suggestions, right? We can't rely entirely on AI just because, you know, they tend to hallucinate. They might get things wrong. “They” being artificial intelligence, it might get things wrong. You know, artificial intelligence is better at digging through data. So my hope is that we can get to a point where we've applied AI in such a way that going through the data can happen in a half a second and the right risk recommendations are put up in front of our analysts and those people then can kind of comb through those and make sure that they're right, that those recommendations are valid, the AI model wasn't hallucinating.
Randy Lindberg: At the same time, of course, AI, as I mentioned earlier, is also being used by the bad guys, not even attackers, but just the way that we use AI in security. Everybody's trying to get AI built into everything. And so, whether the AI tool is building a policy or it's analyzing an event that occurred on the security event management device or tool, AI is going to get things wrong.
Randy Lindberg: It's not perfect. Not that a human could get it right either. It's just way faster. And so. I hope that people come up with the right policies. I'm not a big fan of regulation, even though that drives a lot of business our way, admittedly. I hope it's not over regulated. But at the same time, I hope people are smart about deploying AI so that they do it correctly on their own.
Randy Lindberg: Right, so it doesn't have to be over regulated. And so, I'll use a Jurassic Park saying from way back in the mid-nineties, if you guys have seen that movie, where I think it was Jeff Goldblum's character, he said the Jurassic Park scientists were so busy trying to figure out if they could create dinosaurs that didn't stop to think if they should.
Randy Lindberg: So, my hope and fear kind of wrapped into one with AI is that people just take a step back. And stop racing to get it in place but do it in such a way that makes sense.
Anthony Woodward: No, it's a great forecast. And I think the big risk in that we foresee, and I'd love to take your view on, you know, as a particular that applies to the, the financial industry and the use of AI and those things come in the future is the data going in.
Anthony Woodward: So how do you understand what are you putting into those models? How do you quantify that and those things? And I think those are things we are gonna be grappling with for the next 12, 18, two years down the track. Is that data risk on top of the cyber risk?
Randy Lindberg: Sure, absolutely. And just, you could look at that in multiple different ways, right?
Randy Lindberg: It's people typing stuff in or inputting things into an AI model and then it's out, you know, in the public domain. Or what's being plugged into the model and then impacting what comes out, you know, whether we're relying on AI to write a policy or investigate an incident, the data going in is very, very important.
Randy Lindberg: I'm with you there.
Anthony Woodward: No, look, this is such an interesting conversation, and there's so many more questions that I'd love to have of your Andy, and I think we could talk for hours. I definitely need to find a moment. We're in the same town somewhere and buy your beer and go through it. But I really enjoyed the opportunity to talk to you.
Anthony Woodward: And like, I think over two or three years, we could probably even solve the worst problem. So, it's all there in front of us, but I really thank you for sitting down with us and taking us through what you guys do at Rivial. It was really an interesting conversation.
Randy Lindberg: Absolutely. Thank you. I've never turned down a beer.
Randy Lindberg: As long as I can buy the second round. So, I'll take you up on that.
Anthony Woodward: Thank you very much. all for listening. I'm Anthony Woodward
Kris Brown: And I'm Kris Brown. We'll see you next time on FILED.
Enjoying the podcast?
We want to hear from you!
Submit your topic idea now to help shape the conversation.