Security Unfiltered

Building Resilient Cyber Defenses with Richard Cassidy

Joe South Episode 170


Ever wondered how a psychology degree can lead to a cybersecurity career? Join us as Richard Cassidy reveals his remarkable journey from a teenage computer enthusiast to a leading expert in IT and cybersecurity. Richard shares intimate stories from his early days, including how he transitioned from psychology to an apprenticeship at a major American bank in London, where he started with simple tasks like replacing toner cartridges before quickly advancing into more complex roles in networking and firewall management. His career evolution over 26 years, culminating in a significant presence in the vendor space, underscores the importance of hands-on experience and continuous learning in this dynamic field.

In this episode, we'll uncover the vital aspects of data security and disaster recovery that every organization should prioritize. Richard delves into the limitations of traditional security methods and emphasizes the necessity for modern solutions like zero trust, immutability, and data observability, particularly those offered by Rubrik. Through compelling anecdotes, he highlights the dire consequences of relying on outdated systems, such as an obsolete tape backup setup, and advocates for cloud-based disaster recovery plans that ensure business continuity and quick recovery from ransomware attacks. This discussion serves as a crucial reminder that comprehensive data security strategies are non-negotiable in today's threat landscape.

Lastly, we tackle the unique cybersecurity challenges faced by healthcare organizations, especially under financial constraints. Richard discusses the complexities of integrating multiple technologies and the critical need for robust recovery processes, including manual fallback plans that are rigorously tested. Drawing insights from the Rubrik Zero Labs report, he highlights the often-overlooked pitfalls and encourages connecting with like-minded professionals to share knowledge and best practices. Tune in to gain valuable perspectives on navigating cybersecurity in the healthcare sector and beyond, ensuring resilience against ever-evolving threats while focusing on customer needs.


Speaker 1:

How's it going, Richard? It's great to finally get you on the podcast. You know, I know that we've been planning this thing for quite a while and there's always some hoops that we have to jump through, you know, several times, right, but we're finally here. We're finally able to do this thing. Yeah, pleasure to be here. Thanks very much for having me on. Yeah, absolutely so, Richard.

Speaker 1:

You know, why don't you tell my audience what made you get started in IT, what made you want to go down that path and what made you choose security as a specialty? I ask everyone you know about their start, right? Because there might be a portion of my audience that are trying to get into IT, maybe for the first time, right, or they're trying to get into security for the first time. And hearing everyone's background, you know, when you hear a similar background, you can say, oh well, if they did it, maybe I can do it too, right, and that door kind of opens up a little bit for them saying like, okay, if they did it, I could do it. Let's try. You know, let's put some effort into this thing, right.

Speaker 2:

So what's your story? Yeah, it's a great question, and it's a long story, but I'll keep it as short as I possibly can. I think, like most of the people I meet at my age in this industry, I started off with an unhealthy interest in computers, and what I mean by that is, you know, my teenage years were consumed by them, and I always found it fascinating how electricity and code could create the visual feasts that we were seeing. And when I say feasts, I mean back then. We're talking Atari ST games, right, so they weren't quite as feast as they are now, but even still, as a young child, as an early teen, I was fascinated by them. So computers were just always a thing that I was intrigued by. I always knew that I would be involved in this industry somehow.

Speaker 2:

And then one thing led to another. Funny enough, I actually went to uni and studied psychology. I didn't even go into computing science, which is kind of crazy, and some may argue how useful was that in my career? It's been very useful, let me tell you, having a psychologist background has really helped. But I landed a role at a major bank, an American bank, but here in London, and I was replacing toner cartridges and doing what apprentices do, and then finally got into the team that managed, you know, the Windows networks, the DOS as well back in the day, NT, and then got an opportunity to go into networking and into, you know, creating firewalls, and again back then it was iptables on Linux firewalls, but then got into, you know, more of the modern sort of firewalls that we know today as time went by, and then got a great opportunity to join the vendor space, which has always been an interesting space, because I think in the cybersecurity arena it was historically the most cutting-edge place to be, right. If you worked for a security vendor, you were kind of creating new products and innovating. You'd always find yourself sort of playing with the latest tool sets and doing the latest things. Now I think that has shifted massively. You can still be very innovative at a customer as much as you can at a vendor.

Speaker 2:

And one thing led to another. And here I am, 26 years later, if you'll see so, at a current company, Rubrik, and taking all that experience and, by the way, not a huge deal has changed. Let me tell you that I mean, you know, 26 years in. Yes, automation is far more rife than it ever was and, yes, there's a lot of capabilities around machine learning and stuff like this. But actually the way that we do things, the types of attacks we're protecting ourselves from, you know, have just become more sophisticated. But pretty much a very similar bag. And there we are and that's kind of what I've been doing over the last 26 years. So that's how it started and that's how I've ended up where I am. Huh, you know, that's really fascinating, you describing.

Speaker 1:

You know what piqued your interest, right, is that electricity combined with, you know, some code, right, creates this visual picture. Right, and it was just an Atari. But you know, at the same time, like when you really think about it, I mean, you never really see electricity, you always see the end results, and if you do see electricity, you're probably getting, you know, shocked by lightning or hit by lightning, which is not something that you want to do, right. So it's an interesting relationship like that. You know, to be able to kind of like piece that together in your head kind of shows how deep of a thinker you were even at that time.

Speaker 2:

Yeah, it still fascinates me today, although I understand it more. But yeah, how are we going from electrons, you know, through various electronic gates to code to what we're seeing on screen? And I just still am fascinated by it and I've always been an in-the-details kind of guy and that's where it started. That analytical mind kind of got me into this whole arena.

Speaker 1:

So, yeah, you talked about being an apprentice and that sounds like a lot of help desk roles here in America that everyone is used to, and that's an interesting distinction that not a lot of people understand, right? So in Europe you're expected to go into an apprenticeship where you're trying out that career and you're getting the experience that later on down the line they're looking for, right, these companies are looking for. In America, they almost expect you to kind of just create this experience out of nowhere, right, out of thin air. They expect you to convince, you know, an unwitting hiring manager to give you that first chance and then, like, somehow just wind up at their door year one with five years of experience, right. Why do you think that difference in mentality exists? Right? Because so I studied German when I was in college.

Speaker 1:

I didn't really study it, but you know it was a requirement, right. So I kind of partook in learning German and we learned about the education system, and the education system, like right from the beginning, is kind of gearing you towards what you want to do, where you want to go, right. And I always found that to be extremely beneficial, because here in America they're kind of just like shoving all this information down your throat. It's up to you to figure out what you want to do, with no real context of anything of what it is, right. Like when I was in high school I wanted to be a doctor. I got to college and I couldn't get through chemistry, right, and for some stupid reason I wanted to be a doctor and I would pass out when I would do blood tests, right. Like it's just a different, it's a different mentality, it's a different way of thinking. Why do you think that there's such a difference there?

Speaker 2:

I would say yeah, it's an interesting question. The nuances in Europe are very different, even country to country, which is, you know, a given, right, for such a small continent. There's still significant differences in culture, you know, from even 50, 100 miles over a border, depending where you live, and it's the same in education. There are education systems in the Nordics, for example, that don't really force any particular subjects on children until they reach a certain age, and it's all about kind of allowing the child to kind of feel their way into an area of education and academia that suits them. Then you've kind of got what the UK do, which is a very structured, regimented system of learning, and, you know, these are the subjects you'll choose until you get to the age of, you know, 15, and then you get to specialize and then you go into what we call uni. But there's no difference between college and uni, you know, across the pond, and that's kind of very, very similar across most of Europe, that kind of system.

Speaker 2:

But I suppose the education system, the biggest differences we find is you're allowed to specialize earlier on. In the UK, for example, they call it A-levels. So once you've left the kind of secondary school education, when you're about, as I said, you know, 15, 16, you get to choose three core subjects, or four, depending on how much study time you want to have, you know, after school hours, and that allows you to start specializing before you jump into a very big commit to a big degree, for example, in a very specific area. And I don't know how, why that's so different between, you know, what we're seeing in America and what we're seeing across Europe. There's no reason for it to be that way, but it certainly does change the employment process to a large extent, and what I mean by that is a lot of the people that are taking apprenticeships, as you rightly pointed out, Joe, are going in with a very different mindset.

Speaker 2:

It is more of an assessment of whether the company or the role is right for them, whereas what I found and I have worked in North America for a number of years, I've done various projects with the Department of Defense and US Navy and I've worked with apprentices in those roles as well is that it's almost an expectation that as an apprentice, you are going to be in that career.

Speaker 2:

That's the job that you do and you kind of just get on with it and there's no real assessment whether it's right for you, you just kind of fall into that pathway, whereas for some reason in Europe people will do multiple apprenticeships. And in fact you see it advertised loads over here if you're looking for roles. There's all sorts of companies, from airlines to car manufacturers, to petrochemicals, to pharmaceuticals, looking to let you in, and they run small apprenticeships, three-, four-, five-, six-month apprenticeships, and it's not uncommon for somebody at the age of 18, once they've left the A-levels, to go and do a year or two years' worth of different apprenticeships to see what they like. So it's definitely different and it shouldn't be, because I think it's a good way to approach the decision that you're going to make, that will essentially affect the rest of your life. You know, why would you not try multiple things?

Speaker 1:

It seems to me to be an obvious thing to do. Yeah, it's an interesting question or situation, for sure. You know, I remember when I was in college, the big thing was internships, and I'm sure it still is here in America, right, like that's probably the closest thing to an apprenticeship that you can get to. But at that point you're probably doing an internship in your course of study, right, and studying a topic and doing a topic are two totally different things, you know. And so it just opens the door for, you know, you making bad choices and having to like redo things, and then you're in a situation you don't want to be in. I went the route of not even going the internship route, right, because I felt like I just wasn't ready to be like completely just used and abused by these employers.

Speaker 1:

You know, like you always hear these horror stories and sure enough, you know, later on down the line, I have a couple of interns on my team and they're, you know, they're working long hours, or working longer hours than what they were expected. They're, you know, they're having legitimate conversations with me saying like, hey, I need to do this project for my degree, what's more important, because I don't want to lose this internship, you know. And like that stuff, because it's so much more unstructured in America, I feel like once you reach that point, it's kind of expected you just figure it out, you make do, right. I guess it's two different ways of looking at it, but it's always interested me. I always wonder what would I have gone into if I was born in Europe and I had that structure behind it?

Speaker 2:

Would it be IT? I don't know. Yeah, it's an interesting point. I'm actually, a lot of people I meet tend to have gone through the same process we just talked about, that you had a feeling for two or three career models that would have suited them and they went and tried them all. And it's such a commonality here in these markets, it's very rare you find somebody who says, yes, I knew from, you know, 70 years of age, I wanted to be in this role. I mean there are some that are like that, but more often they're not. And I feel at least the European market's better geared for that kind of choice approach to the career ladder than I've seen in other countries.

Speaker 1:

Yeah, absolutely so. You mentioned that you're at Rubrik. Now why don't we talk a little bit about what Rubrik is what you guys do? What do you focus on?

Speaker 2:

Yeah, good question, and it'd be good to give you a brief overview. So, essentially, Rubrik is a vendor that had made our name in modernizing significantly the game of backup and recovery, and we kind of took customers on a journey back in the day when they were storing data in legacy systems or backing up to tape and sending those tapes off to a different location, and then when the worst case happened, they needed to recover. They'd have to get the tapes back and then rebuild all of the servers and systems, and it could take months in many cases to kind of get back to operation, should you have lost a physical site or a number of servers had gone bang, and that sort of is where we started. We said that's broken, we don't want that system, you don't want that system as an industry. You know, if anything goes wrong, you need to be able to spin it up within hours, if not sooner, and in 10 years we did that very well and became the success that we were. But halfway during that journey, you know, we said, well, we have this data. Customers are using us from a resilience perspective. We've got this architecture that allows us to ensure, you know, zero trust and immutability.

Speaker 2:

So things can't change, and also the ability to look into the data and ask questions of it, right, and do things on data at rest that people weren't doing, because a lot of the security industry is focused quite heavily on the real-time detection. Let's catch the bad actors in the act, let's catch them red-handed, let's prevent it from happening, right. And well, we played that story out for long enough to realize that's not going to work, and it hasn't worked and it isn't working. And so at Rubrik we said, well, let's give customers the ability to look into that data and look for things like ransomware, look for anomalies that may well lead to something that could be a pretty bad day or potentially a breach that's about to happen, and if it were to happen, also allow them to look in the data to say, well, where did it start, right, where was patient zero in this incident? And therefore that would allow organizations to be able to recover just what they needed to recover, and they wouldn't have to do a complete monolithic recovery of everything, which again takes you back into the weeks or months timeframe, and then built on that. So now we're on a mission to secure the world's data.

Speaker 2:

We have a platform that provides not just data remediation but now the data observability piece, and with the integrations that we have with all of the major security vendors, I say all of them, a lot of them, not all of them, of course, we're able to bring a lot more context now to the ecosystem for security teams, which gives them a view of data that they'd never really had before. They're looking at the actual data they own, looking at data at rest, and they're marrying what they're doing with data in motion with the data that we have, and getting that context much more quickly and understanding the roots of problems much more quickly and, in many cases, preventing things becoming a worst case scenario.

Speaker 1:

Yeah, it's really fascinating. Disaster recovery, the whole mentality behind it, it's kind of inherent to security as a whole. I feel like you can't really be a good security professional if you don't understand disaster recovery to some arduous extent, even, right, you know. I recall working for a company earlier on in my career and they, you know, they had a tape backup system, right. They stored it over at Iron Mountain, you know, here in the Midwest, or they might even be pretty big, you know, nationwide, right, and I stumbled across the fact that we had lost our root signing certificate for, like, our company as a whole. We lost it, didn't know where it was, we had no clue. We're like, it's on a USB drive over at Iron Mountain. And I said, well, when was the last time you saw it? You know, saw it, held it in your hand? When was the last time? They said, oh, it was a couple years ago at Iron Mountain, two, three years ago. But you know, no one's been up there since, and so we assume that it's still there. And so I was like, well, are you willing to risk, like, the entire company on it? Because if we lose that we have to re-key everything, you know, and we're gonna lose quite a bit of data, right. Like there's no, like there's no recovering that encrypted data, right, you kind of need this thing.

Speaker 1:

And so they sent me out to Iron Mountain. You know, it's an hour and a half drive, or whatever. I walk in there, there's a room just full of these giant metal cases and they're like, all right, that's everything from your company. And I said, this is literally 100% of everything? And they said, yeah, it is, you know. And it took me like two hours probably to go through, because I'm just allegedly looking for a USB drive. Open up the box, is there a USB drive in here? No, close it, move on to the next one. Right, couldn't find it. And their whole, like their whole system kind of changed and they were like, well, I hope that never happens and that we actually need that thing. Right, which is an interesting predicament to be in.

Speaker 1:

One, they relied on a very antiquated piece of technology where, even if they had to restore from those tapes, it was going to take an insane amount of time. I literally asked them for the mean time to recovery, right, how much time do we think it'll actually take us to do it, and how much time are we willing to actually, you know, do it, right, to where the business is still alive, still profitable, at, you know, let's say, the 12 hour mark and the 14 hour mark, right. Like it's like, hey, this is the drop dead deadline. We have to be fully up and running with these systems by this time frame. They didn't even have that.

Speaker 1:

I literally said to them. I was like guys, you know, we have offices all over the country, like in every major city we have an office right, but we're the headquarters. Everything filters to us. If you take us out, we're at a huge, huge risk right now. And me even mentioning why don't we store backups in the cloud, it was like a light bulb went off in everyone's head. It was like, hey, we're already 98% into Azure. How about we just do some backups in another region? That was like an insane idea to them. They were like, oh my God, we never thought about this. And I'm just sitting here like guys, this is security 101.

Speaker 2:

Yeah, absolutely. And it's funny, organizations don't really understand how painful that process is until something happens. They have to go through it. And I still find it fascinating in this day and age that I still speak to customers that don't understand that. And it's taken regulation change, and in Europe there's been a lot of regulation change, but it's the same in North America with the SEC, to say, listen, businesses, stop thinking legacy here, because we've all been through the pain of having to run to Iron Mountain or whoever it was.

Speaker 2:

You know, physically get this data rehydrated onto platforms. You know, if a bank is not operational, you know, Bank of America, you know, whoever, for more than a day. I mean, I don't know what size, what stake in the economy that bank has, but I can give an example: Barclays Bank in the UK, 32 or 31 percent of the UK economy. So that's a day. If that's down for a day because they've got to go and do legacy backup recovery, that's how much it's going to cost the UK. It's going to affect people being able to buy food, being able to get paid, right, and everything beyond that, right. Businesses can't transact. I think that's what the world's waking up to now. It's like, we can't have these outages to our critical infrastructure, so we've got to do something about it. We can't rely on the stories that you've just shared there, Joe, that I've seen day in, day out, in not just Rubrik but in previous roles. It's something we have to think harder about.

Speaker 1:

Yeah, it seems like the industry that is impacted by this type of scenario, or an attack that can be easily recovered from backups, you know, I'm thinking about ransomware attacks, right, the industry that's probably affected by this more than anything is the healthcare industry. And you know, I have an 18-month-old at home, right. And so the first part of this year, I mean, we were in the doctor's office every other week, you know, like the kid got a cold, she got a fever, shots, you know, all that sort of stuff, right? I mean, you're in the doctor constantly with a new kid. That is something that I was not told before it. I wish that was in the book, right. And it was pretty early on in the year.

Speaker 1:

The, I guess, the parent hospital of the doctor's office that, you know, my kid's doctor was at had gone down due to a ransomware attack. This is a privately held hospital. It's not like public information. It doesn't have to be public information, right, and they were down for something like two months, right. Two, it was like two, two and a half months. They were completely down, and I mean hard down, like they were making appointments day of only, and it was monitored on a pad of paper. And if they lost that pad of paper, then they didn't know who was supposed to be coming in when. Right, and that is extremely stressful. Right, because it is, it's probably the largest. Yeah, it is the largest children's hospital in Chicago. Right, probably not in the country. There's probably a couple others that are larger, but still, you know, you think about the parents with, like, you know, sick kids that have cancer or something like that.

Speaker 1:

Right, and this is one more thing that goes on top of them. You know, this is a children's hospital too. Like they don't charge the families. If your family is, you know, poor or not able to afford a treatment, they don't charge you. Right, like you still get the treatment, which is a fantastic thing. It's something that you know. Seeing my parents go through that with my younger sister, I mean that's like a that's a godsend, you know, like that is something that you absolutely need.

Speaker 1:

And for an attacker to attack a children's hospital, of all things, you know, that's heartbreaking, that's gut-wrenching. It's like, guys, you could attack an adult hospital, you know, adults, like, all day long, but children is like the worst thing. And then for that hospital to be down for so long. You know, I mean thankfully, right, like my kid wasn't, like, really sick with anything. You know, like it was like, okay, she, you know, has an ear infection again, right, but I couldn't imagine the stress for those families that do have, you know, much bigger problems and this is now impacting them really. I don't want to rag on them too much, right, but due to the hospital's poor backup recovery strategy, you know, they don't have a good method of restoring their network again. As you've touched on some, a lot of incredible points there, and so I'll wind back a little bit in the conversation.

Speaker 2:

So I think the first thing to note is there is no honor amongst thieves. You know, there's this view in the adversarial space, from the external side, right, the good side, if you like, of the force, that, you know, they won't go after, you know, children's hospitals, they won't go after, you know, whatever it may be, and COVID showed the world that that was never the case. There was absolutely nobody that was safe with COVID. They were attacking hospitals across the world at an even more increased rate. They were, you know, running campaigns to people to, you know, click on smishing and share details they wouldn't normally share because of thinking they had to respond to a government message or something healthcare related. So COVID proved that there was certainly no honor amongst thieves, and even in the last couple of months, not just in the US but also here in Europe, we've seen a large number of attacks on healthcare, and so that raised the question: why are they attacking healthcare so relentlessly? And I think that the biggest fact we all have to sort of realize is healthcare organizations secure more data on average, and certainly far more sensitive data, than most organizations, and we did some research here at Rubrik on this, because it's an interesting fact that we found that that actual average was 20% more than companies globally. So that's an insane amount of data. And if you put that into sort of actual figures, you know, a typical health organization would need to secure about 334 backend terabytes. So that's, you know, after all the data's at rest and properly compressed and things like this, compared to 273 backend terabytes for sort of a typical global organization. And so the adversaries know that. They're very wise to where the data is, and data has a value.
And even if hospitals weren't to pay the ransoms, for example, that data can still be sold via some very sophisticated ecosystems in the adversarial space. And I have done some research a decade ago, and every couple of years I refresh this research. I'm only adding new boxes to my ecosystem for the cybercrime underworld. I'm not changing a thing, because we're just seeing more capability, more sophistication, how data is mined and then how those data miners can combine and converge the data to build profiles of users such as you and I and our children, to be able to go and run campaigns that extort money and potentially other things. So that's the kind of biggest reason that healthcare needs to sort of really think about the problem.

Speaker 2:

And I often find this is a big failure as well in a lot of the conversations I'm having, is very few organizations take the time, Joe, to ask, who am I up against? You know, it's all well and good listening to what Gartner have to tell you and Forrester, and looking at the technology trends in the marketplace, but sometimes those technology trends have absolutely little to do with your need as a business. And just because Gartner says that, you know, vendor A, B or C or technology area A, B or C is the one that you should adopt, it doesn't necessarily mean it's right for you. And I'm not saying that you shouldn't listen to Gartner, Forrester, of course you should. They're a great sort of navigator of what's happening in the tech industry as a whole. But you need to ask yourself, who am I as a business? Who would I be up against? And there's a huge amount of information. There's a wealth of data on the open source channels about this. The MITRE ATT&CK framework is one great example. It talks about all the APT groups that it knows about. It talks about the techniques, tactics, procedures. It can tell you which ones are focused on healthcare, finance. So, as a CISO, as a security practitioner, whether you're, you know, the godlike level in your SOC practice or you're just starting out as an apprentice, you should be making sure that the tooling that you're employing, what you're doing, is fit for purpose, and purpose is what are you protecting and who are you up against? And then you start to build what I call a threat-informed detection, responsive, persistent.

Speaker 2:

And the last point, and sorry for waffling on, is let's assume we get that right, and that's a moving target, month by month, quarter by quarter. The next question is, well, we only have to get it wrong once, as the defenders in this cyber warfare era that we're in. The tool set that we've relied on so heavily only has to get it wrong once, from a security perspective, for the data breach to occur or the account compromise to happen. And then let's assume then that that results in ransomware being dropped, and, you know, healthcare organizations are just normally so ill equipped to deal with ransomware, and I'll expand on what I mean by that in a moment. And so that occurs, right, you see a mass encryption event, or maybe it's a destructive APT group that don't actually want any data. They just want to burn the building down. That's happened a few times in the past. And so what if they just destroy services or just take down applications and tool sets that you rely on to do what you do as a health organization? What's your recovery process? And a big part of that is what Rubrik are doing, which is, of course, you know, let's know what those core mission critical operations and application services are, and let's make sure that you have a capability to get those back online. But it isn't just about the Rubrik piece as well.

Speaker 2:

You raised another excellent point. It's well, in that window where I have to go and do those things, what's my fallback plan? Do I have? Are people trained in the paper-based processes? Do doctors, you know, and they should do, um, are they able to examine without all of these tools that they have, like these, you know, technology aspects? Maybe they've got to get hands-on more or go back to, you know, manual, you know, assessments? Have we got processes in place for this? Is everybody aware of those processes and, most importantly, do we test them? It's all well and good saying you've got this and you can do it, but if you're not showing that you can do it and testing that, then you have a new set of problems that will hit you when the breach or the failure does occur. So I'll pause there, but I mean, you raise some excellent points. I just wanted to bring some answers to why they're there and then the kind of things you need to be thinking about in this industry to mitigate.

Speaker 1:

Yeah, yeah, no worries for the long-winded answer. It's a complex topic that has a simple solution that not very many people actually enact, that simple act of testing. Just when I worked for one of the credit bureaus, they didn't have a very good DR process. They didn't really have a good testing process for their disaster recovery, and then they went and bought another company whose DR process was literally: we have two data centers. We are going to pull the power on data center A and whatever is running in data center B, whatever's not running, then we know what to fix, and we're going to do this every two weeks until we can't do it anymore, right? And it was for years that they did this, and they completely revamped, you know, the DR process, the DR event test, for the entire company globally. This was just a smaller company that a larger credit bureau bought, and everyone else said, oh, that's what we need to be doing, like we need to get to that level of capability, right? And that kind of set the bar for my DR testing that I now enforce and talk about and kind of evangelize, right, at whatever company I'm working for or with. Is that kind of standard you talk about?

Speaker 1:

Another really good point. A lot of companies, they'll kind of just go to Gartner and get whatever Gartner recommends, without the, you know, perspective of their own environment and what they need for their environment. And, you know, I think it's important to remember that those companies are paying to be on Gartner. You know, they're paying Gartner to do an assessment. They call it an assessment, but it's a phone call. Right, it's a phone call. They get on the call with these companies and Gartner ranks them and kind of. I guess I'm a little bit jaded towards this workflow or this perspective, because I've been bitten so many times by this. As the lead engineer, right, you're in charge of a whole product for a company globally, and the product was ranked very highly on Gartner, and you get the product and the product is probably the worst thing that you've ever touched on this side of technology, right? And it is hard to conceive of how they even sell this product, right, like it is difficult for me to even piece together how, like, they convince themselves that they should sell this product, right, that's how poor it is. And, you know, you look back at Gartner and it's like, man, how did they get ranked like this? And then you start digging into that process a little bit and it's like, well, they're paying for it.

Speaker 1:

You know, now, that being said, right, that's my little spiel on Gartner. That being said, every RFP, every time I go to purchase a product, Gartner is literally a qualifier in my scoring system, right, that I create, because you want as many different opinions as possible, and Gartner actually gives you a lot of really good information. So if you choose, you know, let's say, like the top, you know, I don't know, five Google hits that you get for typing in a category, right, and then you go to Gartner.

Speaker 1:

Gartner actually outlines the pros and the cons of that product, and then guess what? As part of your own scoring criteria, you should actually be testing each of those points. So it kind of tells you, hey, these things I should actually be ensuring that I'm focusing on when I'm testing this product for my environment. So it is very valuable. But you also have to understand how those products get onto that scoring card, right, because there's been amazing products that I have tried that are not on Gartner, and I asked them about it, because my company has a requirement of, oh, they have to be on Gartner for us to buy them, and I'll ask them about it and they're like, well, we don't feel right about paying for them to assess our product. You know, a lot of these other assessors, they just get it for free and they give us an unvetted, unfiltered opinion on it, you know, and that's kind of what we want to do, right? And I respect that a whole lot, yeah.

Speaker 2:

Yeah, I mean, yeah, I think the main reason I do. You remember back in the days there was a saying, you never get fired for buying IBM, and I think Gartner are kind of that, uh, that safety net to the board. You know, if you've made a decision and for some reason they fail to deliver on whatever the audit, regulatory or functional outcome was, you know, you can say, well, you know, Gartner had it as a top right vendor. The peer insights had phenomenal feedback. You know, we couldn't have predicted this. We tested it the way that we were supposed to, and you kind of got a little bit of a fallback to say, well, I kind of followed what I was told and I had to believe, because you don't know. And to your point, there are some great products that are below the Gartner threshold for getting into a Magic Quadrant; you need to have a specific amount of revenue, for example, as you know, um, and that means the very early adopter startups potentially get missed, which have some great products. And maybe that's not a bad thing at the moment, with all the AI stuff that's happening. Oh, my goodness, every other company does something about AI. Maybe we need that sort of gatepost, because the Gartner Magic Quadrants would just be this big black blob of ink, because it'd be far too many companies to try to discern from.

Speaker 2:

But this is where I kind of go back to that, you know, CSO, security lead mentality. It's don't be afraid to be a thought leader there. If you really have done the homework on what you have and where it sits and then who you're protecting, that data and those assets, and assets are people like you and I as well, like not just data and IT, uh, tool sets. If you've done that homework and you find a technology, a solution, a service provider that meets dead on the need that you have, then you have taken a risk-based and a threat-informed based approach to the problem. There'll be no board that will come in and hold your feet to the fire for you making that place, that decision for the business, and people just need to get a little bit more confident with that. You know, um, because tribal knowledge is good and we've all learned, and there's a lot of companies licking their wounds still from attacks and threats, and there's great write-ups on all of the breaches that you can think of, about how it occurred and what happened.

Speaker 2:

To learn, right. There's a very famous Irish playwright named, a guy called Oscar Wilde, which some of the viewers, stroke listeners, may know, and he has one quote which I use almost all the time, which is wisdom is knowledge without pain. And so what I really mean by that, I think what Oscar Wilde means, is learn from other people's mistakes, don't be a fool. Right, listen and know what happened and build an ecosystem that's based upon your business need and not following the pack, as it were. There are no right or wrong answers. If you want to stick with the Gartner, the Forrester, the whomever, that's okay, but I would say the attackers know that may not be mainstream, but are absolutely laser focused on delivering the business outcomes they need. You know, make decisions for the business, not based upon what the industry is doing.

Speaker 1:

Hmm, yeah, so it's fascinating how basically every company has an AI component to it now, you know, like it kind of just, like, sprung up over the last two years or whatever. And, you know, I remember when I was getting into, like, security and the key buzzword was next gen, right? Well, next gen came and now that buzzword kind of died and now it's all AI. And, you know, I'm sitting here and I remember, you know, just vendors daily pitching me, and next gen was always in the pitch deck, always in their vocabulary, and when I would actually look at the technology, there was nothing next gen about it. You know, it's like your solution is a little bit smarter now, that's not next gen. You know, like they're calling, uh, like legacy firewalls next gen. It's like, guys, there's nothing next about this. It is literally a yes or no question in your firewall and that's that. You know, um, so I just say that because it's interesting to see where the market is going and everything.

Speaker 1:

But as a professional, you know, I always take a lot of pride in recommending the solution side, right, what's technically the right solution. And, you know, I get a little bit, I probably get a little bit too vested in these products, right, because I start liking them. I'm a tech guy, right, like, you know, you show me a good piece of tech, I mean I'll dive into that thing for weeks, like it doesn't matter, right? But, you know, you give me some bad tech and that's maybe the number one cause of my anger. The number one cause I'm bald now is bad tech.

Speaker 1:

It's just an interesting situation, and I think that the healthcare industry, to tie it back to healthcare, you said that they have a significant amount of data that they're securing every single year, I feel like that industry is ripe for innovation. It's an industry that they're probably a little bit nervous for innovation because they're dealing with lives. They're dealing with legitimate, actual lives of people. But I feel like they could take a lot of lessons learned from the banking industry, because, you know, to your point, right, how often does Barclays go down, right?

Speaker 1:

How often do they, you know, go down and lose people's information? How often does Chase go down, right? I mean, I don't know if I've ever heard of a breach at Chase or an outage at Chase. I mean, maybe I just sequester myself from that news, but I've never heard of that. And they create millions of transactions every single day. And think about that. With the restrictions in place, you have to secure each and every single one of those transactions. So I think the healthcare industry is ripe for innovation. It's whether the board will accept it or not. That's the big struggle, I guess.

Speaker 2:

Yeah, well, you know, finance have infinitely larger budgets and they're able to adopt the latest and greatest, and far and wide, whereas healthcare traditionally probably doesn't have the same. I don't know if that's true in all countries. Certainly in the UK, healthcare aren't as well funded as you would want them to be, based upon the threat landscape they're facing, and I think globally, yes, maybe healthcare doesn't have quite the exact same sort of budgets to spend as finance. But to your point and to our discussion here, it isn't about bigger is better, and spending more money doesn't always give you the types of returns that you're after. It's about focusing the right tools and technologies. But then you ask, well, how do you choose that? So what's the root question? And it is back to the original point: what do I do as a business and what is the worst day for my customers? Because your worst day for your customers for certain businesses isn't actually really that bad of a day, right? If you're a gaming company, you go down. Okay, they'll get to play their game for half a day. Is that really going to stop the world from turning? No, um. But if you're a health organization, to your point, and you can't, you know, run your scans, you can't do blood analysis, you can't even check patients in, let alone all of the medical interventions, that's a bad day for your customers. So how do you mitigate that? Then you start to ask yourself the Jordan Peterson sort of piece and ask questions, right, if you're into this guy: would you sit at the end of your corporate bed and ask yourself the tough question, what's the worst possible thing that could happen and what would I change about it? And this is where boards probably are getting that level of pressure from the C-suite.
The C-suite aren't saying I've analyzed my business, I'm a hospital, I'm a finance company and I've identified the 4, 5, 15, 20 critical business pillars or important business services or minimum viable business lines, and they rely on all these things. And all these things either do or don't have the right level of resilience capability they need.

Speaker 2:

And once you've identified that, now you've got a blueprint on what you need to do to withstand the storm, because the attack will happen, right? So your job, therefore, in cybersecurity and IT ops is to just get back to operational state as quick as you possibly can and know what the blast radius of that attack was, whether it's ransomware, whether it's malware, you know, whether it's something else. And you're not going to do that by just saying, right, this technology, yeah, this technology, let's just keep laying them on top of each other. You've got to create, you know. I think you remember the old saying, let's find that needle in a haystack. And now we have an industry problem. And I say now, it's been a problem for the last decade or so. We're now creating stacks of needles. We no longer have haystacks, we've got stacks of needles, and now we've got to figure out which needle we care about the most. And so, you know, that creates new problems, and by layering on technology over technology, you're just going to compound that problem.

Speaker 2:

Go back to what keeps the lights on for our business, for our customers, please ask.

Speaker 2:

Please ask the question about customers, because a lot of organizations don't think, I think, enough about customers. I believe they're just too hyper focused on the intrinsic factors of what make the business run, and they don't think about what would happen to customers if they suffered an outage in certain aspects of their business, because that's really important in wherever you're serving, healthcare, utilities, things like this, and know what they are. And then ask, can we recover in all of these different types of scenarios, and spell them out? And if you don't know what they are, go look at the outages your competitive businesses have suffered, because they're the same ones you might face. And then go and find out where you have weaknesses and where you don't, and then go and fix them. And if fixing them means going to Gartner to get an idea of the technologies that are available, great. But at least you're now going to Gartner with the question that's based upon business need, and it's not just about trying to follow the technology hype cycles.

Speaker 1:

Yeah, yeah, that is a really great point there. You know, to backtrack just a little bit, you're right, the argument with hospitals is always, you know, we don't have the money, we don't have the funding. You know, we have much larger, or much smaller, budgets than banking and whatnot. And that's probably true in most of the world, right, because it's like healthcare is free, you know, basically in the rest of the developed world, but it's free at a cost of something, right, like you're giving up something in some cases and whatnot. Like, you know, they still have different levels of coverage or service, right? But in America it's, like, you know, my wife earlier on in the year, she got a chest x-ray. Right, they charged us something like $10,000 for that chest x-ray.

Speaker 1:

And I'm sitting here, like, you know, this machine is probably 10 to 20 years old, right, there's no way you bought it yesterday. Okay, unless we have terrible luck, there's no way you bought it yesterday. So you 100% paid that off, just by doing simple math, in the first year of owning it, right? So what's the $10,000 for? You know, I mean, oh, thankfully I didn't have to pay that much money, right, like my insurance, you know, negotiated it all down and all the other rigmarole that happens in America, right? But it's like, where are you making up these numbers? Because if you, you know, just getting basic things done, like a, you know, antiseptic, like, towelette, right, like it's like 50 bucks. You go on Amazon, it's 30 cents, you know. So I'm sitting here, it's like, guys, what provider are you going to where it's $50? Because I could buy this same thing right now for 30 cents, you know. And so it, I think in America, that is starting to become a more difficult argument, right, because of that, because everyone is starting to become more hyper aware of, like, wait a minute, you're charging me for what? You're charging me how much for that two second thing that you did? You know, like it's just insane. But, you know, it's an interesting dilemma, because they also need to shift their focus to being customer obsessed.

Speaker 1:

I always say I kind of developed my customer obsession when I was earlier on in my career, when I was on help desk.

Speaker 1:

One of the very first roles out of college I was on help desk and I was in charge of all of the federal and the military clients that we had, and these clients were probably the most underappreciated customers at this small company, which is very interesting because to me, I mean, they're the most important, right, like I'll bend over backwards.

Speaker 1:

There were several times where it was like, literally, Thursday 7 pm, hey, you're flying out tomorrow 8 am, we just paid for your flight, like you're going to be there through the weekend and all of next week, right? And, you know, to me that shows that customer obsession, where it's like, yeah, I needed to be there, I needed to do that for my customer, I needed to provide that service for them. And maybe in the hospitals, maybe in management in hospitals, it's difficult to keep that picturesque view of your customer, because even now I'm not on help desk, I haven't been in help desk for 10 years or whatever it is. But even now I keep in mind who my customer is. And as an internal security person, my customer is my fellow employees, it's the rest of the organization. And then you take a step farther out, right, and that's the customers that we're actually serving as a business. And so I'm keeping everything in the context of that to provide the highest level of service I can to those customers, right, and that could be internal people or it could be external.

Speaker 2:

Yeah, and that's all I would ask of businesses. What are we doing? Who are we serving? Okay, and how critical is that? So go on that journey of how do you get a customer back to a place where you can serve them if that's what you do. If you don't serve customers and you're another operation, then it's a different question.

Speaker 2:

But healthcare is a great example. I need customers' personal data. If that gets leaked, that's devastating, your entire medical history in the hands of somebody in a nation state. That's not. That causes psychological stress. That causes mental health issues to some people, and so let's not let that happen. Let's do everything we can to mitigate that risk, and then look at how we're doing it and where we're not doing it.

Speaker 2:

And then, internally, what if I can't let patients come and check in at the front desk? What if I can't run these machines? What do they rely on? What's the most important services? First, right, neonatal ITU needs to be always operational. Okay, are we testing that we can do that? You know, it's not an easy answer. I think healthcare is probably the hardest answers and a lot of questions to ask. But if we don't start somewhere on these questions: what does our worst day look like for us, for our customers? What are the critical services we have to deliver, we should deliver? Now let's make sure we have the right tooling around it to protect it and monitor what's going on, so we find the bad things as soon as they happen, or, preferably, as they're about to happen, because that's just good practice these days. How quickly can we get them operational again, and what does that look like, and what do we have to invest in to do that? Yeah, that's just the smart way to approach it these days.

Speaker 1:

Yeah, yeah. And I feel like it's always useful to put it in the context for that patient, that consumer of that service that gave up their data, right, because a lot of times, like my wife for instance, right, she'll say, well, what does it matter if my credit score gets breached? What are they going to get? Right, they're not going to get anything with it. That was her initial opinion of it when I first met her. Thankfully, it changed since then. Small wins, right.

Speaker 1:

But you know, I posed actually this question to a former CIA officer that is responsible for taking down AQCon's chemical weapons program. I said why would an enemy nation want the medical records of everyone in America? Right, like, what are they going to do with that? They're going to see, like what? We're fat, we have heart issues, like you know. It's not rocket science, right now, right.

Speaker 1:

And he said, well, what if someone wanted to create a biological weapon where, once they deploy you have to remember, the wind will take it anywhere in the world? Exactly Right. So they need to deploy it in a way that it only impacts people in this region and not them, right, they don't care about maybe this other country that it'll, you know, blow to first, right, but they don't want it to take out them. Surely they wouldn't want it to take out them. So they have to craft these pathogens in a way that is specialized to their target or specific to their target.

Speaker 1:

Once he put it into context like that, I was like, this is a much bigger deal than expected, right, like that's something that, you know, unless you're, like, living in that world, you're not going to think that way, because people typically always think on the positive side, or they try to, at least, you know. But I felt like it was important, you know, to share that context, right, because that's one way to think about this problem and begin adjusting and building your security program with that mentality of, hey, this information is actually very valuable. It's not just valuable because of privacy issues, it's valuable because lives can be impacted.

Speaker 2:

Yeah, I mean, there's no truer saying than your data is valuable to somebody in some way, and no more true is that than to the adversaries, and you've given one example; we could talk about hundreds more that are just equally as harrowing. Um, don't assume for a moment, um, you know, why would anybody attack me or look for my data. It has value to somebody somewhere for all sorts of nefarious reasons.

Speaker 1:

Yeah, absolutely. Well, Richard, you know, it's been a real pleasure having you on, having this conversation. It's a fantastic conversation. I'd love to have you on anytime you want to come back.

Speaker 2:

Oh, I'd love to. I think I feel like we've just hit the tip of the iceberg in some of these subjects and we could go deeper on ransomware and what's going on out there. I would love to come back and go deeper on some of these subjects because you've raised some really valid points and very topical in the current climate.

Speaker 1:

Yeah, I feel like we almost need to discuss over some drinks or something.

Speaker 2:

Oh, 100%. Anytime, anywhere, my friend.

Speaker 1:

Yeah, absolutely. Well, Richard, before I let you go, how about you tell my audience where they could find you if they wanted to connect with you, and where they could find Rubrik and potentially even other reports that came out regarding the healthcare industry?

Speaker 2:

Yeah, absolutely. Well, let's start there. The Rubrik Zero Labs report on healthcare has a lot of eye-opening and eye-watering statistics on what healthcare are up against and the effects of things that may occur to them, such as ransomware. There's a whole load of pitfalls they haven't even considered that you'll see in that report, and so you'll find that at our website. So, www.rubrik.com, and front and center there, if you look at the Rubrik Zero Labs link, you'll get to all the reports that I've talked about and more. There's some really good reports as well from last year. Myself, you'll find me on all the usual media channels, LinkedIn and others. So, you know, look for me, Richard Cassidy, and I'd love to connect with like-minded people. I'm all about sharing knowledge. The more we can share about what we know, the more we can manage the impact that we're all facing day to day in our jobs.

Speaker 1:

Awesome. Well, thanks everyone. I hope you enjoyed this episode.
