🔵 Keynote: Managing New Cyber Risks – People, Process and Technology
Presented by: Emily Mossburg, Michelle Zatlyn
Originally aired on February 20, 2024 @ 8:00 PM - 8:30 PM EST
Cloudflare Connect 2021 Keynote Session
Cloudflare Connect continues as Emily Mossburg (Deloitte Global Cyber Leader US Principal, Deloitte) and Michelle Zatlyn (Co-Founder, President & Chief Operating Officer, Cloudflare) discuss how IT and security teams are moving forward from a year that changed everything, and what the most successful Zero Trust transformation projects of the last two years have in common.
English
Connect
Fireside Chat
Keynote
Transcript (Beta)
Great. Hello, everyone. Welcome back. I'm Michelle Zatlyn. I'm one of the founders, also the president and chief operating officer here at Cloudflare.
And I'm just so honored to be here with Emily.
Hello, Emily. Welcome. Hello, Michelle. Very excited to be here today.
Thank you. Great. Well, Emily Mossburg, you are the global lead for cyber at Deloitte as well as a U.S.
principal. And so why don't you start by telling the audience, we say Deloitte cyber.
What does that mean? And kind of what is your purview as part of this as part of the organization?
Well, it's a very broad organization and it's global in nature.
So we have practitioners around the world, over 20,000 practitioners focused in all things cyber.
So we have strategic and governance leaders.
We have people that are focused in on legal and regulatory and policy requirements.
We have leaders in specific technologies.
So cloud network infrastructure identity. We're really focused on understanding the entire breadth of the cyberspace and making sure that we can work with our clients regardless of the challenge that they're facing in order to bring them leading solutions, technologies, processes, advice, et cetera.
I've been with the firm for over 17 years now in the cyber practice.
And it's gone through many different changes over that time. And it's been really exciting to watch that and be part of it.
That's amazing. This is exactly why I'm so excited to have you here, because you help lead this huge practice that tackles all these different aspects of cyber.
And there aren't that many people that get to see all the different facets across so many different types of companies.
And for, like you said, you've spent the last 17 years of your career here.
So let's start kind of with what you see as trends. And then I want to go talk to about some of your clients and how you see similarities and differences.
But maybe as you think about when you first came to Deloitte to today, what are, and there are different chapters.
Maybe what are some of like the broad shifts and trends that you've seen that might be interesting to the audience as you kind of reflect back over the course of your career so far?
Absolutely. So I will say we've probably all felt some of these things over the course of the last 20 years.
But I will say that when I came to Deloitte, a lot of the discussion was focused on working with clients to help them validate that this was an issue, that this was a risk.
Some organizations had formal CISOs. Some organizations didn't.
They had a manager in IT that was responsible for security. And the discussion was, help me validate that we need to create these initiatives, that we need to do this project, that we need to protect this data.
And then, you know, fast forward, let's say 10 years.
And that wasn't the question anymore. Because at that point, we started to see breaches being public.
There was a lot of concern about, oh, wow, look what's happening.
Look at all of the focus on companies that have either had operational disruption or major loss of data.
And the question was more, how do we make sure this doesn't happen to us?
And how do we put in place the programs that we need to that make sure that this doesn't happen to us?
And then, you know, it's really most recently been this focus on, you know, and people have been saying this for years, the fact that it's not a technology issue anymore.
It's a business issue.
And so ultimately, helping organizations to understand how cyber risks translate into business risks.
And how do you have the discussion that you need to in terms of what might go wrong from a business perspective?
What might happen in terms of loss of revenue?
You know, if these risks become real. And now we're seeing more and more this convergence of IT and OT.
So connected devices, connected vehicles, connected, you name it.
And it's not just about it being connected.
It's about it being connected back, in many cases, to the organization that created it.
And so what does that pathway back and that connection mean?
What are the vulnerabilities there? How do you make sure that these products and services that you're creating?
How do you make sure that there's not a larger impact from an operational perspective?
So it's not even about, oh, my systems and my applications and the data that support them anymore.
It's about I created a car, that car is now out on the road, it is connected back to my infrastructure, I need to make sure that A, it stays safe from a cyber perspective, but B, that it stays safe from a physical perspective.
So not only do you have the convergence of IT and OT, you have the convergence of physical security and cyber security.
So it's, it's fascinating to see how much this space has changed.
And I think that that's really why I love it so much, because it's moving so fast.
And it's evolving so quickly.
It's hard to get bored, because there's always something new every day to learn about and to focus on and to discuss as it relates to this space.
Oh, that's such a good I want to come back to this kind of point of rate of learning and the constant change and the growth mindset and staying on top because it does it keeps you busy, you know, new new sets of problems to solve with really smart people, which I which I also one of the reasons why I love the technology industry and the cybersecurity industry.
So we'll come back to that. But one of the things you said is, it's less about what this this idea of how when you started was really to convince people there were a problem.
And now there's a lot of organizations that understand it's a problem.
And now they're thinking about how do we mitigate the risk?
And are we doing it in the right way? But let's say there's somebody listening and saying, Wow, Emily, I still met an organization that's not taking this seriously, or maybe they don't understand the business risk.
What kind of advice would you have for the audience listening of how to maybe bring other people internally around along or some other leadership along saying no, this you really have to take this seriously.
And let me tell you why. So we don't end up on the cover of this Wall Street Journal, the New York Times.
Yeah, so I think there's a couple of points there.
You know, one is sharing information, right?
If they haven't heard about some of the most recent attacks, and the outcomes associated with those attacks, and how can you share those, and share them in a way that it's not about fear, uncertainty and doubt, I don't tend to prescribe to that so much.
But it's about, hey, these are things we need to be thinking about, because, and I also love this concept of cyber as an enabler, because, and a differentiator, I guess I would say, because organizations that are thinking about these challenges ahead of time, and are incorporating them into the way that they do business with their end customers with, with their third parties with their alliance partners, etc.
It makes a difference in terms of them being more competitive in the marketplace, because there are questions today about what's your posture, what's your stance as it relates to cyber, and being able to talk about the fact that we're doing this, to differentiate ourselves in the marketplace, we're doing this so that we can drive more innovation in our organization.
I love that side of the story so much, because it's such a proactive pro business discussion, then.
And, you know, ultimately, to get a little tactical, you know, the one thing that I really focus in on and tend to preach a little bit about is, think about the highest risk scenarios for your organization, and not from a tech perspective, but from a business perspective, you know, what do those scenarios look like?
What would have to be true for those scenarios to take place?
And what would you ultimately see as a result of those scenarios playing out?
And it's a way we like to talk a little bit about it as it relates to what we call the beneath the surface impacts.
There's a lot of things related to breach and breach implication, or breach impact that's above the surface.
And very clear, you know, fines and changes to programs and legal fees and all these things that you can look at a balance sheet and you can say, okay, there it is.
And that's how much it costs. But when you think about the true value impact of an incident to an organization, and you start to think about things like, is there impact to my trade name and my brand?
Is there an impact to my contract value?
Is there an impact to my ability to raise debt? And you really think about these things holistically, you understand that the true value of those incidents are much larger to your organization.
And so if you can start to frame, here's the top three things that could happen.
And here's truly what the impact of those things would look like for us.
I think you can have a much broader conversation with the set of stakeholders that doesn't just include one group, but it includes multiple stakeholders across the organization to say, okay, well, what do we think about this?
And what do we want to do about it? And how do we think that we want to go about sort of mitigating the risks related to this scenario?
And where do we focus first? I love that, that that really resonates with me.
And it helps bring people along and in a sense of sharing the vision and kind of mitigating what could happen, but without the fear, uncertainty and doubt, which also is known as FUD in the cybersecurity industry, which I which really speaks to me as well, you know, when you're saying about cyber as an enabler, just as a total, just as a side anecdote, I was speaking to a CISO of a large public company.
And she was talking, and this was about startups, how much do startups have to take security, cybersecurity seriously.
And again, Doele, you work with some of the largest organizations.
And her point of view is, I think it should be one of the first 10 people you hire.
And this idea of bringing it in early, it's like, as soon as you think you have a business, cyber becomes part of the business doing business.
And so the earlier you have it in by the design, the easier all these things become.
And if you think about, okay, well, if you work in a large organization, you've inherited a lot of these sorts of things.
But if you're starting a new organization, what would you do differently?
And that was something that I had never heard before, when, when they said, What do you think, Michelle?
And I was like, Wow, first, I'm thinking back to when I started ThoughtFlare, like the first sixth employee, I like it, that's that is a bold statement, I thought, and kind of comes back to cyber as an enabler.
But I think ultimately, like an interesting point there is, if you do bring a CISO on early, and you do sort of embed that thinking, and that thought process from the beginning, you save so much money, right?
And that's because, you know, you're embedding these things from the beginning, you're, you're developing that with that, with cyber and security and the protection and the monitoring and the vision and the visibility, all of that's built in from the beginning.
And I think that that's really when you can truly start to talk about, well, now this is a differentiator for our organization, because look at the way in which this is part of the core.
And today, there's so much focus on trust, customer trust, and what does customer trust mean?
And how do you get and maintain customer trust?
And a huge part of that, I think, is, are they comfortable with the data that they're sharing with you?
That what, are they comfortable with what you're doing with it?
Are they comfortable that you're protecting it, right, in the way that they would expect that it would be protected?
And, you know, are you treating it ethically, and all of that is sort of built into a cyber program.
And, and when you can focus that at the beginning of your innovation lifecycle, and you can say, you know, that's a core tenant, or a guiding principle, or whatever you want to call it, to the way in which we're going to do business and the way that we're going to develop products and services.
I think that really starts to move the needle in terms of, oh, wow, you know, I think organizations and consumers really appreciate that.
Definitely. I love the world that you're that you're painting right now, Emily.
So thank you so much for giving us all some optimism and hope, which is great.
So switching gears. So these are some broad trends you're seeing, and we're going to get back to those.
But let's talk, let's kind of narrow in the last 15 months, when all of a sudden, we had this, this, this big work from home, all a shift, where all of a sudden COVID, this global pandemic, which most of us have never lived through a pandemic like this before, we all found ourselves at home.
And again, you see a portfolio of clients, a portfolio of people calling you up and saying, please help us, what do we do?
And I'm just curious if you can maybe share with the audience, specifically the last, you know, year, 15 months, where all of a sudden, all of your clients found their employees working from home, and from a cyber lens, maybe what got better, what got harder?
I would love to hear any kind of thoughts as you kind of reflect what what what emerges there?
Well, I think that if you look at the trends, and you look at the what was happening from a threat perspective, and an adversary perspective, it's really easy to see that a lot got harder.
Because we made some really massive changes as it relates to digital transformation, and new ways of working in a very short period.
And that changed the attack surface very rapidly. And as we all know, that that's what the adversary and the attackers are looking for, they're looking for, you know, some some sort of chaos.
And I'm not saying it was chaotic, but it was fast.
And it was rapidly changing. And that gave them, you know, an ability to really focus in and target on, you know, phishing, and spam, and ransomware.
And, you know, all of these changes happening at once really opened up what what was occurring from a threat perspective.
Now, at the same time, people were doing processes, and conducting business from their homes, that typically, in many cases, only occurred within the confines of the actual facility in which they worked.
And in many cases, that could mean things like processing loans, right, and, and looking at people's financials.
And all of this sensitive data now was coming to an end device that was sitting outside of the perimeter.
I mean, there is, I mean, basically, there's no perimeter, right?
I mean, there, we've been saying that for a long time.
But now, I mean, there's literally no perimeter, because devices are everywhere connected to everything.
You know, we can pretend that there's some, you know, perimeter around some of these things, but there, there really isn't that much of a perimeter.
And it just really opened up a whole new set of concerns.
And, and, you know, with all of the speed that this was happening, the focus was on driving connectivity.
Like if you think about the CIA pyramid, you know, and you think about confidentiality, integrity, and availability, when COVID first hit, the focus was on availability, right, that was the focus, like, we've got to keep things going, we've got to make the systems available, we have to make sure that people can get to the things that they need to get to.
And, you know, then slowly, but surely, there was a recognition that, oh, wow, are there decisions that we're making that are compromising the other, you know, sides of the triangle.
And so there was a huge focus then on, okay, focused on availability, now we need to lock all this stuff down.
And I don't think any decisions were made haphazardly, I think it was always in the back of the mind, it just wasn't in the front of the mind.
And the front of the mind was, we have to keep the lights on, we've got to keep doing business.
And, you know, maybe we're going to take a couple shortcuts, and we'll come back later and fix it.
I mean, there's been a lot of coming back and fixing shortcuts.
And I think also a lot of focus on now we need to industrialize what we did very fast.
And we need to do it in a way that this is like, this is what's going to be the future.
This is what the way it's the world's going to be now. So now we need to put it in place, the systems and the processes and the procedures and the staff and all of that, in order to support this world that we're in, and this inner level of interconnectedness on an ongoing basis.
You know, we saw something really similar where when when the pandemic happened, it was about availability and just keeping the lights on and not making a lot of changes.
It was just like patching like duct tape. And then now we're seeing a lot more, okay, where do we want, we never want that to happen again.
And, and, and as you said, it's this idea of people doing their jobs just from a trusted office or location just doesn't it seems no, I want them to be able to process that loan from a bus stop while I wait for the bus if I can be productive anywhere.
But what what, how do I have the best processes systems to set myself up?
And so if you were going in and the people listening, okay, I'm like, what is the future?
Like, what is this new? Because I was that person kind of holding duct taping together.
But what what, how should I be thinking about this new world where my team can work from anywhere in any place, whether I can trust it or not trust it?
What How would you describe that to the audience? Well, we've been talking about it a lot, just from a holistic standpoint, it's a way.
Yeah, using the phrase, work, re architecture, because it's about, you know, the way the way that we work.
And to your point, if people want to be productive, while they wait for the bus, then how do we arm them with the tools so that they can be productive while they wait for the bus, right?
And, you know, part of this is, what needs to be in place to make sure that that can be done securely, and that all of the systems and the data that we're talking about can be protected.
And what has to be true for that to be the case. And I think that, you know, ultimately, we've been moving in that direction for for a long time, but we're getting much more focused on the fact that, you know, the whole concept of Zero Trust, right?
What does that mean? And what needs to be in place in order for us to truly drive a Zero Trust architecture, and you start to think about, well, what is, what is incorporated, you think about things like identities, so users, and what those users can access and what they're authorized to do with what they can access workloads.
So what workloads are they able to process and be part of and whether that's an individual or a system or a device or an application.
That's the other thing to all of this is everyone has to be everyone, everything, every computer, every workload has to have what it can access and what it can do.
At the end of the day, there's data involved. That's ultimately what we're talking about the data is the end asset.
So how do you make sure that that data has the right level of protection around it?
What do you do with the network layer?
Right? If there's, if there's little to no perimeter, as we've talked about, how do you secure yourself at the network layer?
What are the protocols that you can put in place?
What are the technologies you can put in place?
And then lastly, the end device, right? I mean, we all think about the number of end devices that we're all using on a day to day basis.
Each of those individual devices have to be part of this as well.
So it's really about bringing all of those pieces together.
And one of the things I would say is that you've really got to know what's most critical, because you can't go about, you know, all five, all the five things that I just laid out for every single device for every single network for every single piece of data forever, you've got to think about, okay, what is the most critical?
What is the most high priority? What will, what would be what is it the most the most at risk, I guess, is the way that I would put it.
And so those are the things that I need to prioritize in terms of locking down as tightly as possible.
And then what does that look like as we move out from highest risk out?
What does that look like? Right? And how, where do I take trade offs? And how do I feel comfortable that everyone in the organization, not only understands the trade offs that we're making, but accepts the trade offs?
Because that's, you know, at the end of the day, it's the risk acceptance, because you're never going to get to a zero risk posture.
So how do you help the organization and the business leaders and the executives understand where you are making those trade offs and what risk acceptance they're taking on?
And to me, okay, well, I think that you've done maybe the best kind of description of to describe Zero Trust in a way that's kind of tangible to the business.
And when you think about clients that you talk to, because again, you work, you just see a lot of companies, and I don't, I don't want you to name the people who are the best and the worst, because that's not fair.
But when you think about the companies who are who are taking this really seriously, versus ones who maybe don't get it, do you see any similarities or differences that you can highlight for the audience?
Because I again, I think you're the fact that you see that portfolio.
Portfolio companies is really interesting position.
Well, I mean, one of the easy ones that I'll start with, and I almost feel like it's a cheat, because because it is so easy is, you know, highly regulated businesses, right, highly regulated businesses have been having to deal with this for many years.
Their attitudes and sort of their approaches have shifted dramatically over the last 20 years.
But it's something that they've had to really embed within their organization.
And so their organizations are more mature, they're more well funded, they're more well understood.
And so that's, you know, sort of an easy one.
I'd also say that we're seeing much more from the tech perspective.
And I would say it's sort of funny, because everyone says, oh, cyber, it's a tech thing.
And, but I think that many of the tech companies were really focused on, oh, I want to build cool functionality.
And I want to, you know, build all these cool gadgets and gizmos.
And they didn't want to hear about cyber, because it was like, that sounds really like it's going to slow me down.
And I'm not going to be able to do these cool, you know, tech things that I'm trying to do and drive these cool innovations.
But I think that we're truly seeing a significant uptick in the tech industry of this is critical.
And, you know, you think about sort of the supply chain, and, you know, hopefully moving to a secure supply chain.
And I think tech companies are, they get it. They're like, okay, if I'm going to be trusted by the organizations that are going to buy my software, I have to show them that I have a robust program in place and that I'm taking this seriously, not only from my own IT perspective, but in terms of the business and the products that I'm developing.
And I need to show a holistic program to, you know, to the customers that I want to work with.
So I think we're really seeing a significant shift there.
The other thing that we're seeing more and more of, and, you know, this has been around for a long time, but there just seems to be more focus in government and public sector for obvious reasons.
But I think that we're really seeing significant movement in terms of making sure that, you know, it always was the intelligence agencies and, you know, national defense around the world that was focused in on cyber.
But now we're seeing it across multiple agencies, you know, even into transportation and into education and sort of across the board with an understanding that if there's a weakness anywhere, it potentially has the ability to impact the entirety of a government entity or a government itself.
And so, you know, there's just seems to be much more happening there these days as well.
So those are the big three things that I would highlight that I'm seeing right now.
I mean, I would even add on the government side where I've even seen it go down to the state level and it's not just the federal, it's not national, it is like down to states and, you know, municipalities.
Right. Exactly. And when I think about it, and sometimes I think someone new coming in and is why and it's well technology is everywhere and everything is connecting online and one of the things that that I like to say as a technologist is the Internet was never really built with security built in by default or privacy built in by default.
And in many ways, I mean companies like Cloudflare but also these, you know, the Zero Trust framework is going in and putting in that patching the Internet with the security first privacy first because this is now the way we do business, it needs to be done and that is the best way I can describe someone's like I don't really understand why do we have to do this like and it's, it just was never by design to do what it's been doing it's everywhere it's not going away so we got to go back and put it in by default and this is how we're doing it and.
And so what you're saying really resonates and actually Jerry Perullo I interviewed him about two hours ago from ice the New York Stock Exchange a regulated regulated industry and he said exactly what you said Emily he said I work in regular the industry we've been doing this for a long time because we've had to exactly what you said so that that that your colleague was just saying that two hours ago so well, I often think about it like in two pieces.
There's the legacy problems that we have to go back and fix, because just like you said I say that frequently to like none of this was created with security in mind, none of this technology none of this connected this.
And so we have 10s of years of legacy issues that were we continue to shore up.
And then we have the things of the future.
And it's like, we can make sure that no one like us has to deal with legacy problems.
If we embed. Now, what needs to be considered if we take the time to make sure that those requirements that those potential implications are built in now, then we can hopefully at some point do away with the concept and the idea of this legacy problem that we're fixing, and just be focused on the future.
I love that. That's why I come to work every day and it sounds like you do and so we have about a minute and a half left this time just flew by again we could spend hours talking, but I do want to end, because obviously you enjoy what you do like it's just clear you're passionate you love solving your clients problems and you've started recently an initiative at delight called women in cyber and I wanted to end by you sharing with the audience what it is and why it's so important to you.
I will try to do it within a minute. It's a fantastic initiative that I'm really excited about but it's focused on highlighting 14 women in our delight cyber practice and really making their personalities and the roles that they play and what they do in cyber come through because there's clearly a shortage in this space.
There's a lot of discussion about the fact there aren't enough women in cyber.
And I think some of it has to do with the fact that we don't always talk about it in a way that makes it exciting for everyone and so I this campaign is really about showing real people doing real jobs and real roles with different backgrounds and different educations and focused in many different things and the idea is there's a place for everyone in cyber, and we really want to get that out and get people excited about the opportunities for a career in cyber.
That's amazing.
Well, I think there's probably a lot of people listening who are like wow I want to be part of this what's the best way for them to learn more about this initiative.
They can go directly to the delight website and they can go to www .delight.com hash or on backslash cyber, and they can find a number of all of these you know materials etc they're amazing.
All right, Emily This was a fantastic conversation.
Thank you so much. Thank you everyone for for tuning in and really excited to see everything that you do for your clients going forward Emily.
Thank you.
It was great talking to you, Michelle.
