Robert Frances Group provides advisory, consulting and research services to execs in IT and LOB
Bambi Francisco Roizen speaks with Cal Braunstein, CEO at Robert Frances Group.
The Excelerate Champion Podcast, hosted by Bambi Francisco Roizen, brings on influencers and decision makers at Global 5000 companies and asks them about their challenges, the solutions they're seeking and their strategic mandate. Think of the conversation as a reverse pitch. Those interviewed are Excelerate Champions. Excelerate is a unique community of corporate leaders and decision makers helping startups succeed. Startup founders can therefore hear from these influencers and understand how to engage with them and how best to approach them.
Highlights from the interview:
- A single average breach costs more than $5 million for large financial services firms and most of these compromises are caused by human errors. So, there are a lot of ways for hackers to get into the system. The challenge now is for companies to find ways to make sure that they are dealing with the latest types of attacks, and they're protecting themselves.
- In 2023 there are three areas people need to focus on. The traditional one, which has been around for a while and which people have been focusing on more and more, is zero trust, the digital approach to what Ronald Reagan said: "Trust, but verify." Zero trust is the digital side of that saying. "I trust who you say you are, but I want to verify it anyway. I want to make sure you're really who you say you are when you're doing this particular transaction."
- No company can be complacent enough to say, “I've closed every single door and every window.” Part of the reason for that is every week, somebody is releasing new code into the system, either a brand new module we never had before, or they modified an existing module. I've tested it, but I can't guarantee that the modified module didn't end up creating a hole I didn't know about.
- There is a high probability that there is malware in most OT devices in the US, if not globally. China and Russia and other bad actors have been working hard to do that, and it sits there dormant. It may be the type of thing where, should we ever go to war, they decide they're going to attack the infrastructure and shut off all the power, because they are in there and you don't know it; it's sitting idle. So, we do have to worry about security on all these OT devices that are out there these days, and it's getting more and more complicated with automobiles and trucks and smart houses and smart buildings. Everything is more and more dependent on electronics, all these black boxes that people buy but don't know anything about the inside of.
- There have been examples where people have hacked into a company through the temperature control of a fish tank inside a building because it was electronic. They could do it through a vending machine inside your network that's broadcasting information to its home base saying it's time to refill certain things. So, there are a lot of ways to hack into a company besides the old IT stuff that IT folks have worried about. It's all these sensors and IoT equipment and OT equipment out there that people need to worry about and that they may not have been worrying about before.
- Braunstein wants people to start thinking about defense in depth, which is a different approach to how you think about all of your software and your environment. He likens it to a house versus a submarine: if there's a fire in the house, odds are every room in the house is exposed and the whole house could burn down. There aren't barriers that can stop it for very long. In a submarine, if you shut the hatches down on both ends of the compartment that has a fire or is flooding, then that's the only thing that's exposed to the catastrophe that's ongoing, and the rest of the submarine is safe. Companies need to think about security in the same way. Just because they can get in doesn't mean they should be able to get everywhere.
- There are a lot of cybersecurity companies out there, and the challenge is to be able to cover enough spaces for people to resolve that: whether the software is in the data center, in a private cloud, in a public cloud, open source code or SaaS, you need to be able to do a number of different things. The challenge most companies have is that security software may not be simple to use, and they want simplicity. They also need tools that allow them to see the important problems they need to go after. One of the problems today with a lot of the software, whether it's running static analysis or dynamic analysis, is that it tends to provide too much data, so they can't act on it.