hulu I why am i giving this time I'm a senior security advisor my petal Jam need to be steam security consultant what the difference is i buy now at Leviathan a small information security shop that does really cool work in Seattle I am Philadelphia I'm not leaving because once me in their risk advisory practice so yes we've got pen casters got technical testers the government people do difference in a response and my go bag has a lot of cash and a pistol and gotta live here so you generally don't need to call me up at three in the morning I fix a bunch of different problems but what we do for response services we help people determine the governance what is the appropriate amount of spending what controls you have in place or that strategy stuff and the question our gang commonly is are we spending enough are we doing what we're supposed to be doing so that's what spawned this talk I'm also a licensed attorney which makes me really really slow at installing software because I have to actually read the contract but it also makes me think about how what we do fits into bigger and bigger and uglier frameworks I'm trying and I'm a watcher regulatory trend i watch what happens in legislatures and regular I agencies and what insurance companies are doing and what other companies are doing about your security and these are all trends I think I've got a handle I'm trying to look like half a step in the future see what the future looks like there are no fuck-ups so here's an open question why do we pay for information security cheaper than a lawsuit right so it brings nothing to the bottom line we buy information security it's not free it's not the reason money it's not free as an effort it's not comfortable in fact I will argue that in most times information security is men- right because we get in the way of things hey we'd like to do this thing you know like my fears we've got this great marketing idea excites I talk to startups because it's fun talk to people then pick 
up in new ideas like we're going to put SI p in the cloud it's like really you're going to put it out look that's that's how you could do that right after working good um because cloud is awesome ERP is awesome and that's something I would never want to see but no we get in the way the other ones who say no I don't think that's a good idea no maybe making a rocket out of hair spray and a lighter is not an appropriate than you do two bedroom apartments right we are the ones that bring the NOFA that's where cause second sometimes we get in the way of things right we have to improve things we have to get in the way of at new grapes all 40 algorithms like I got some serious problems with confidentiality integrity and availability of that serve of that system once it's rolled so we're spending money so we don't spend more money to prevent lawsuits right so the idea is this you spend a dollar to save Morgan and if you spend a dollar to save any sense you're losing if you spend a dollar to save a dollar twenty you're winning putting that risk right because it's not that clear by spending a dollar I save a dollar twenty i buy the firewall say I install firewall it's ten thousand dollars how should that say this whoa no you don't know because did you absolutely remove that risk I don't know no is that long no you can transfer their right good thing this way we're here you body the thing you do the thing you do the activity you and anything from the most granular control we change the firewall rule all the way up to revamp our entire information security program in a small effort John effort what we're bad Idzik waiting that to dollar risk and it's not very lazy about it because the idea is thinks we want marginal benefit equal marginal costs the idea is that you keep spending money until it no longer makes economic value we've all seen that great afraid as you spend a dollar for security you get you hope you're getting more than a dollars worth of benefit until eventually 
you start spending more money and you get less benefit you spend a dollar and you get 80 cents worth of benefit and that's you know every beginning management textbook has a supply and demand reference and marginal cost remarks were interacting the problem is is that it's really hard to figure out what's the marginal benefit of that year control of that new policy we've all seen this right probability x impact equals risk and i will call Wendy Heather when she says yes peanut butter comes jet engine equals shiny because if you don't know what you're measuring you don't know the probabilities the output is meaningless it is a meaningless metric anyone ever see any animals metric and you will never collect a bunch of meaningless metrics put in a PowerPoint send it over to management with later what the hell it means like you expect them to go huh even once it seemed meaningful right howdy who here has done a vulnerability assessment of their institutional a sea of an institution of somebody ok how many highs it has to be at least one but has to be at least one but how many economic knowledge to say there was 50 50 findings out of that usually antenna cover by 10 to the house so if fixators but how do you have left you may have introduced a new right it's a 10 year 12 right so so you're you generating metrics right and the promise is this is one that's an emperor has no clothes problem because I generate these metrics you look at my pretty graphs and koalas belch out luminous output about how good we're doing or what what our threat posture looks like our waters here what are our mobility surface we're going to make up a bunch of words like I am eating and we're going to condense powerpoint that's going to say we found this many phones we fix this many bulbs how many phones do we have now how many new ones have we added because the patch in created new o days that we won't learn about for another 18 months we're running this hamster wheel and we're we generally 
measures a look I have you fed could ship the metrics show activity right I have closed as many vulnerabilities I have fixed this many systems I ran this fast in this far on the hamster wheel we don't know what we're measuring right we can't calculate probability private because say for example you start with those 10 volts you fixed eight are you now what percentage are you more secure you don't know even though you've got nervous right you can take a very naive approach and say we are now twenty percent as vulnerable as we were when we stopped because each runner building maps exactly to a chance of getting no I'm not going to say that I'm going to say we generated activities yeah can you theoretically get some sort of idea I mean it's not reviewed because that probability but you can text your based upon the the software the developers that particular team how automated is bad patches right I imagine you could build a model my problem though is we run back to this one we peanut butter jet engine shiny is that we're going to make so many assumptions that might sound right they aren't born by a bigger chunk of data are what I bet the problem we run into is we don't have a lot of instances because I'm going to compare this to insurance you you are you're shopping for two different cars you talk to your insurance company and they give you two different quotes because they had big chunks of data to know they know your driving record your age your sex marital status and a few other few other attributes you that they've been able to grind back into risk and figure out the chance of having to pay off for you taking that car and damaging or running or someone else variants based on the car you drive the cost and then parts of the parts and all that they've got enough stuff they can spit back out and written a very very good risk their their model is much better than ours because say we're going to consider a sister over so paddled out a firewall and everyone that was 
like a pile out is better how much better better it's further on the Gartner Magic Quadrant thing Francisco is but can you quantify that you how much risk doesn't remove and eventually a calf be honest and say now would it feels safer it feels better more solid like when you're buying cars go feel solid steel of course some defense 65,000 hours and son we don't know the measures we generally are difficult to put into context that is valuable but we're going to all sale it oh yeah look we've closed all these farms we dumb stuff and this is kind of wrapped to set up for our next part which is we're trying to avoid stuff right reputational and headline risk and I want to create a new term because things this way we're talking at reputation on headline mr. the fear of oh my god we've been found out that we have really bad skewed are we have embarrassingly bad security how many of those have actually shut down a company that you can think of I cannot but I want to consider a new kind of reputation headline risk which is not so much that open secret your security is weak that your business model was a fraud like the Ashley Madison thing but you also have contract risk either contractual requirement to have these controls do this thing the right way in such a way that I agreed to other people I'm a vendor to a health care provider I've got some contract rules about what controls i have i have torque risk I don't have a contractor I'm sorry I've lost all your data bars I like to sometimes joke we moved all your data to the cloud the problems we moved into peace bit come on third party and I'm contracted third party so to our risk we screwed up we were negligent data dirt bike we're trying to avoid thing regulatory risk if you are one of those regulated entities your health care provider you're a bank and you leaked your regulators are called actual interest if you're smart you've called them an alert of them to the breach because you don't want Twitter to tell them that 
that is the opposite of regulatory good web these the things we're trying to avoid with our information secure expenditures here's the problem quantifying those risks like actually figuring out what's it cost how do you put a dollar value of reputational the actual reputational damage it's a target right how many people said they were not shopping at Target ever again after the reach really everyone still did it's like I'm not going to walmart right no no oh my god the contract risk figuring out that maybe maybe was liquidated damages climbing toward risky I couldn't predict what it cost of a reach now would work out to be maybe a regular turbines I could probably match that Matt back finds to an equivalent but even then I can put a good dollar on it so we're not good at the assessee the benefit of an individual control or programs and I can't assess what the damages on which is entirely unlike other kinds of risk I can price out the value of a car accident to within ten percent pretty easily because they're so common so we don't know what we mentioned we can't believe measure we don't have good models for measuring probability we need to know what the impact is so thought of this come days ago and room filled with smoke the floor is a really good guy right you're trying coincide what is that more money in information security in a smart manager says how much does that get us you can either say well it's going to make a safer I think it's a good idea how much safer I don't know somewhat that many I wish goodbye to security please I have for money so what's the minimum because oftentimes is the conversation had to see your magic what's the least I can get away with and before we usually view that with contempt but you know what it only sets if you've got it you gotta draw a box setting of what being able to wear one of those lines is kind of puts everything else into perspective so I don't know where I'm supposed to be but at least if I'm here I know where I am so 
what's the minimum you got to do so can generate the metrics but we don't know what they mean any level so you don't know what the optimal is what's the optimal spend but you know the bottom so if in doubt under your clearest cuffs where the easiest ones determine so contracting limited manages losses you're a contractor to a health care provider and you have a hundred dollar per record rule in the contract everything record you league we're going to decide right now but the damage the hundred bucks is a bridge verification letter costly and three years of credit monitoring might cost eight that way we allocated the risk figure out what it costs there I no longer have to work in smoke-filled room I have an idea what it's going to cost me well so that works when I talk about car accidents I know the rough value of running a car into a wall is going to be value the car like the medical expenses plus some wiggle room I don't know what a reach causes fines and penalties those are general public they're fair their common enough and those are if you're if you have management saying after a customer saying what's this going to save me you can point to those and say HIPAA breach costs this are affianced cost this afternoon so you've got close notice you get an idea like this is what I'm hoping to avoid and then it's several layers of abstraction away from that that's why I want to buy a hundred thousand dollars with zero and services from a consultant so it's hot contract you've got contracts that our association you want to handle payment cards your contract essentially pcr that means that everyone signed with everyone signed two bigs agreements before even handle the time for example requiring some kind of certification that I fit these rules either self-certification our external certification it says I do this thing I need you standards and that we have individual which is contract con individual going back to I wish to provide services healthcare providers do this a 
lot bags will do this I wish to process data for a bank and process data anything from I'm going to handle some else or service I'm going to do marketing for you're going to handle your stuff that lets me touch your data that's important I have a contract with you that says i have i have to meet your standards so the security problems offender maybe sometimes mayor parte identification where you essentially are taking off their risk some kind of audience closure rights that say I'm not just trusting you I get to go and look at your stuff anything from the one or two day assessment where I go over your policies ask you hard questions and then try to figure out if your line to me and come up with a grade between one and ten about how much you scare me and then go on to the next one are you make a full on building your hiring these people were doing a one-off pen test to find out if you're actually Batman insurance contracts is another example of some kind of agreement between the two between you and someone else that says you have this level of security premiums may depend on controls or policy I've been asking to get copies of the writers general they're fairly simple they're giving a list of all the controls you have the advantage of this is it allows me later on make sure to not give a pale in the opens requirements right you said you did this turns out you didn't well I'm not paying you for the claim I'm getting back out of the contract retroactively later home it's called a decision which is I was going to be even like never signed that contract is you didn't do this stuff up you didn't so I'm not going to a nice a top screen which is Pat so now regulatory stuff any of your working banking used to health care okay give you a couple examples directly read a few financial services legislation allows us is grandwitch blithely and glam gramm-leach-bliley act which creates essentially all the regulatory agencies then occ FDIC and see you a sec most of those got 
together created the FFIEC handbook which is you're the guide by which you are judged by auditors Lissa this is directly regulated as in regulators show up and say we were here to look at all your stuff we are auditing you know breaches occur just cake it's your time of the year and it's going to be rough or not so promulgated standards regular reviews and in many cases you arm as a regulat
d entity also in some way responsible for your event and business associates you have to have some how to prorate vendor management program on morning off board of your maintenance that says that while you're not necessarily on the hook if you pick a bad vendor and they reach your stuff you can't say the dog ate my homework you have to show some kind of work product that says as they breach but when you did appropriate levels of vetting so you're now responsible for everything else in your ecosystem Red Raiders have some sticks they can closing they can say you are ceasing operations all of your assets are being held by this holding company which we will sell off to someone who actually do the job don't go far but you're fired of reserve ratios and this is kind of a intermediary stick where they can say you have to hold more money in reserve you can't lend out or speculate against the used up a whole Bedford future risk and then actual findings report practice barely have health care pic botha to high-tech essentially create it's not as intrusive not as activists as the financial services because your half-wit the FFIEC handbook reasonable controls in some measure of risk management requirement and those of you who are doing impressions of your consultant well sometimes create things we call the salesmanship where you will say things like well I'm here to do a HIPAA pen test and while a pen test maybe maybe actual appropriate control / acquired by HIPAA really that you do risk assessments and you have dissed dumb risk assessments to determine whether or not in control is necessary or reasonable and you go from there so in turn risk assessment responsible for your vendors and business associates as well and significant funds and contagion active region contagion because these two industries are essentially they're not monolithic their ecosystems for some of the work I was doing for a blue cross blue shield I realized they had somewhere between 500 and 1,000 vendors 
that touched healthcare that can be a hospital medical practice a print shop marketing agencies other Blue Cross Blue Shield's your data goes in a lot of places right like the anthem breach probably breach as many non anthem proof not people that didn't have anthem record of anthem insurance as individual that didn't have anthem insurance because somehow anthem got a bid from someone up another Blue Cross Blue Shield to handle something the amount of people have hands on your data is astonishing in this neither system so the contagion yourself the breach means that everyone else who might contract with you knows that you have a social disease right you can't hold your makeup I have to now consider that when I'm coming off to say maybe I should find an alternative because you were shown to be wanting so it's essentially eight seconds a relational kind of regulation how can you in surfaces doesn't have to beat up doesn't have to continue beating up the regional partner everyone else does part of old quarter mine used to say mob justice is a form of justice so continued revelatory not directly regulated this is an interesting Federal Trade Commission and I don't want to say stumbled into this because that would be wrong clearly they wanted to get into this space because outside of those two industry's most other industries don't have hard security and privacy requirements so the FDC got in this game a couple of years ago when they were claiming bad and they successfully did this that improper statements of security that end up in a breach can be actionable as a unfair or deceptive trade practice an example like deceptive practices FTC vs. 
life's good you've seen this clothing life's good its kind of soccer mommy kind of clothing with happy-go-lucky things printed on baseball caps but I look it up and it's in case where they said they had a web store they claimed that they were doing all sorts of privacy and security stuff they didn't they got owned and hat you see well you know you've got icons over your web page saying how awesome your security is you didn't have it we're not regulating their security we're just saying that could be deceptive if you say it's safe and you're lying that may be receptive a big leap there and so they graduated they filed suit against them under the military commission and next thing you know they've got a settlement because life's good one they're pretty much in their rights and they went there continued regulating on that basis until actual unfair practice irrespective of what we promised you about security it may be possible that you'll be security in and of itself is an unfair trade practice and that is FTC versus window wyndham hotels winner hotels had laughably bad security like no separate segregation of personal identifiable default passwords on critical systems you know the password is supposed to change like that one that you google when it's like I've reset this router that I've never seen together because your aunt has it you know I don't know what the password is when someone's already put up a list of it those kinds of stuff right no segregation breach after creations like no no you can't do this FTC serves them based on both deceptive and unfair practices and they ran on both and so all of a sudden FTC has this power they can say really bad security and notice them being so definite about this term the court doesn't define it the court merely points out laughably bad security and says we're not going to the court says we're not setting a standard but you'll know it when you see and the FTC comes around and says we're not setting a standard either but 
we'll know it when we see it so there is this laughably low standard out of wyndham minimum standard so white stuff I mean this was like no firewalls no feel and saturday day knowing that the 101 stuff that Wyndham wasn't doing and they got regulated because they got fined other stuff gets part of their extensive statement on their ssl security and then even read that very cohesive are they admit that it's totally saves money for the Pacific crunch okay that's it but what's interesting though for Windham is is the dis- that you don't have to make any statements in all and still get regularly that's that's my cake because it's you can stay on this way after life's good a lot of shops just said we're not going to talk about right I'm talk about how secure our websites right I make it I make no promises i'm not telling you any longer to have state laws like preach notification every states got a breach notification book and the amount of lawfirm websites i read they're like these are incredibly draconian like guess once you identify read you have to tell me bolts oops guess or your pigs could have a real guess oh we don't know that's where as where we send you this letter dear job on your data so reach your vacation but generally these recertification laws will explicitly they're not consume they're not always consumer from there's a lot of them have what we call a no private right of action which is a lawyerly term that says you can't sue moving the only people who can regulate this would be the state attorney general so this you get the letter and the letter says guess where your data is gone that's it what do you do well now you know why you're getting our spam that's it can I sue them no can't do it can we have pork problem is that torque torque makes sense in 100 year old events right we have been running into each other with horses carts now cars the self-driving cars will also run into us we have precedent on that even where you don't have a bar private right 
of action you still have other problems you'll have to show there was a duty to actually protect you right I have to say that I have a responsibility to protect data then I have to show that I did not protect your data man I did not do it was reasonable then I have to show that because of my screw-up that's why your data got beat and then a hard one is damages who here at it who here had a credit card involved on the part of reach one how much were you out what oh it was important that my heart may have been taken but your damages the actually I could have ripped through your window you know what your damages are because you call you know caught ee acne glass and like at 250 bucks okay damage it's 250 your credit card is gone we have to send you a new and old one may be out there as is your other stuff what's your injury yeah target just yes but because visa is indentifying into caramel that's mostly though because it's they may have in conflict since target may have not been pci compliant I kind of laugh at that because it's like you are PCI compliant even before he says that until you have reached no we retro actively say where you must not have men like faking I do you believe yes still cancer oh well still probably banks are still out something if there's more fraud against he's a visa the banks of where the fraud of these things are hiding you're paying fees well yeah here's your French question that's for the time to change your auto repairs the point is I'm showing real damages is kind of hard there's a lot of times it's absorbed by third parties showing you damage just by that the inconvenience of my credit card bill you work for three days but yes showing it showing that how much does that work minor annoyances are generally not recognizable so what's going to make the biggest changes to to our industry because writers we try to establish this minimum stand now assuming you are outside of PCI financial services healthcare but if you still have sensitive 
data you're trying to convince your boss I want to spend some money I want to do some things you have to say if you want to buy you I would have spent on dollars on a bicycle lock the bicycle better be worth more than on the bucks and it's hard to quantify working on a date of going to evaluate the value of data and unrealistic uncommon some crazy ideas because I can't figure out what the value of your like I can figure what the impact of losing your Active Directory right you're entered director is gone the backups are gone and anyone who's done administration was like oh cool that's that's a bad week but what's the financial impact of that what's the financial impact what did you what did your company lose you lost productivity but how much of that was looking at pictures of reddit much of that was actually doing your job and how much for that was actually you can point to that and my argument for this is target lost a bunch of money in the breach because they had to cyber threats back here right one was cart ocean right the pls malware the other one was amazon which one isn't sure I'm going to see think that they're going to say all the losses are due to the hack rather than your neck Amazon because I can't go to write insurer and say amazon just beat me to death this year no one sells anti competitor issues but you can say all my losses were due to the reach and I'm not saying they did that but it's there's a bias to work stand and sometimes the answer comes to be it's not an accounting questions a legal question what's my loss account the cap pass through some others and says this is what we has to enter loss board again lawyer says what are you open over there I think this is all advocacy now take as college I want to save some time to come home sometimes three answers yeah oh you meant to a hundred LOL ugh more than I felt like what if you've got a hundred dollars why for a $75 bike because then if that bike is is lost without lock your out 150 because G 
need to look a hundred fifty this because he named it but I need the bike please think it sees the cost of the yeah I think that's still when you're too kind of feel to an accounting problem words I I figure out all the possible injury this causes I don't have a bike signal and then that's when you're okay but you usually they the Alvarez you don't overspend on some secure because you want your security to be roughly commencer to the risk you and we just assume your bicycles a hundred dollars and new ones one hundred dollars that we're also removing the cost of I need to get home tonight i could go actually go through the bother getting another bicycle although ready roll calculating that you can build a model for our problems that we we're going through multiple hoops of trying to determine so it's by applying by orbiters we go with the minimum and then go up from there so let's go make the biggest changes to our environment FDC after window the information security plus reached my acura sultan defines and that way you can go to manage really say we have laughably bad security we can actually get fined by the FTC they may actually decide to go after us if we're big enough or egregious enough and there were more shop set of bad security and breaches than the FTC but they may decide to pick it's like speeding on 95 a lot of people are going to do it someone's going to someone is going to pay for but they are now sort of in this game how event how deep they want to get in the game to be determine the standards low and undefined pretty much not laughable you know it's not the it's not the question of do we get the paddle out over the cisco firewall its biggest there a fire are you actually using it because the amount of shops i get we have our wallets in the box over there and i do I thought this was years ago I make sure we're going to shop that was the problem and I'm gonna be yelling yelling consistent in like so it's going to stop a burglar this little trip on the 
way he didn't knock music all install like dust on we actually should put it in and it finally kills it him into it why do I have to guilt you into installing new here you can respond that was board of director liability for poor security and this is this is two groups because boards of directors and corporations are generally fairly insulated foremost actions unless it's self healing or gross comments however some of my friends from law school or business you you as an investor buy stock and company makes you say goodbye the stock at fifty dollars something bad happens the company is now trading at 30 board of directors are responsible for that loss now if they're actually going to have to pay for that loss to recommence you firm mischaracterizing the health of that company or doing something wrong but there are not suits against how many boats are saying we bought your stock when I was here it's not raining here after the bridge we think the board of directors were grossly negligent in ignoring their own internal findings that suddenly have a security I will be curious to see how there's go out there at a previous shop we had a lot when we mentioned or four people are more effectively we're actually curious about this could that research this like if they're going to pay me to research something that says they're interested in that says you can circumvent regular management and go to the boards of directors and say if you think you're not getting the expenditures you think you need to protect stuff if they're afraid of you can bring the FTC in as a as a potential really bad security but you can also say hey you Board of Directors guys right not CEO but above them so these people sure to die the company get paid a bit get paid a bit of money but if they're responsible for like oh wait a minute oh hell no i want that good securities not be the level of interest rate those are not technologies usually and career statesmen and states women in business but they don't 
want to have to pay out millions of dollars no boss if they're found liable so tort liability isn't here yet it's the rector and I keep watching I keep watching the Bolton's for it to see what happens when someone finally gets directly sued for bad security if it doesn't currently allow many reach international laws don't allow it but someone's eventually going to try and get and then all the sudden we're going to pay attention so the threat of lawsuit is actually greater it's like a good of our room I never share your good director doesn't show you the monster until you're 15 minutes before the end so insurance instead of spending additional money of information security thinking back to that marginal return
vs marginal cost money eventually you realize that you will never have zero risk right there shops that spend and obscene amount of money on the information security and still have breaches because there are people involved are mistakes got me you always have those exception systems we've drawn a circle around said we don't count those so eventually you say the amount of money i'm suspended effeminate is higher than the tential life what I can not the potential ioa what I can be someone else to assume that lightning it's cheaper to go to an insurer once you go beyond the bamboo causes bare minimum program so insurance is going to is going to fit in here where you're going to hedge your your big long tail it's your most likely stuff you will defend against personally and accept that risk that your own defense is good but insurance is going to push in further further and knowing a few people in insurance companies trying to figure out how to do cyber insurance they don't know how to do it again because figuring out what causes a breach and all those metrics it's easy to figure out what the common what a new Corvette is going to cost in the hands of an 18 year old with a drinking problem it's hard to figure out what the cost of a of health insurer who are alive song these vendors is going to cost so some of these insurance companies are going to get in the market early and lose some or gonna make these I don't know so it's going to transfer some risk instead of mitigate will say I'm not maybe getting that residence transfer it's yours now trans company ensures them eventually once if you get burned they'll inside me or they'll figure out what controls actually makes sense and they'll say instead of saying give us this list of your controls and policies and we're going to hold you too man they may actually mandate some are built benefit son right do you have these controls oh you don't this is your freedom what if we did have those controls will have that premium cost 
of its contrast is less than that half that premium I'm going to give the controls so insurers get on acquiring it but still give it give this a round or two of breach pale reup what when the when the insurance companies do their post more they'll come up with at least some stands you'll have to meet I realize I've been talking about standards like the battery right we need to have some what are they take away their one commander policy there are no mandated standards headphones like what is reasonable and you have risk assessment so the fight between ISO, COBIT, NIST 800-53, NIST Cybersecurity Framework which is the pick one from column a one from column B CSC I think any of them and that governments level will be fine pick the one that best fits because it will have to say this is the policy abuses are cut this is our framework these are policies that roughly match that we're good and not maybe enough to defend from the port and the regulator stuff cuz i'm thinking the later the later regulatory agencies to the regular games sec has like think was that last year they said they're going to assess financial services firms better their regulatory space against the NIST Cybersecurity Framework rather than entra Phi C or something or no like ISO or COBIT look max if you stay so this actually pushed would say adopt cybersecurity framework which if you look at it's just pick from what they like or if you want to be crazy make your own can't imagine and fitness actually I can't because I work in someone good who had feedback into the CAIQ common our cloud look it up but so there's no wrong standard a meeting what picking ones that you follow that should be good enough for now look at common questionnaires if you're bending the vendor assessment receiving end you see the questionnaires you may have seen the language or rewarding there's a health care one there's the the CAIQ believe some of the Blue Cross Blue Shields are coming up with a common set of questions 
there you'll see the same pressure world over again and you can tell if the person writing those was in came out of ISO or came out of came out of that on this job you'll see the language our one was dealt with one was like are you fed right okay you're coming out of the NIST 800-53 school fine but look at the common questions to come up with what are the controls are expected what are the frameworks you're expecting so that way your mech you're reading your contractual requirements and this is all going to kind of formal model where they're being a commonly accepted baseline this is why it is good enough this is what is expected of course recognize that when you were on the vendor assessment sending side oftentimes the questionnaires are written by salespeople why anyone anyone anyone get a better assessment reply salesperson I had numerous times because they're the people who want to make the sale right I'm working for the large companies sending the vendor assessment and if the sales rack was like oh man who's all there they're not imagining I got to do this they're imagining massive freaking Commission of the magnetic so they're writing stories about security and castles like you when you'd like to use google terms like a Gartner Magic Quadrant Lee Gartner Magic Quadrant is not the security appliance yeah I can imagine i'll be a great little great prank but some to you box and just does magic see bad stuff comes in the red packets come in because those ones that contain malware and pipes up pure green ones how's it work but recognize that that oftentimes people writing these or sometimes lie if you're still mad space the woods circling around our poor state state law tort cases in the FTC they're not yet forcing standards and essentially these two are going to enforce a the bottom they'll come after you if you've done things very very long that's are you limited to work why that's where you're taking risking tort liability in the FTC getting interested in 
generally the middle stuff is going to be contractual stuff where you're getting assessed by someone who's got to work back to financial regulator RL RL helping human services so they're going to be concerned as a part of their magnet better management practice and the monster that ate talking about that well they hand out Safe Harbor and phone calls after that last case came down which is what does this mean and I hate saying this because it's the entire not consulting thing to say which is I think um I'm not going to try to sell your lunch consulting services because I've got a magic 8 ball and I can shape it as well as you can what's this mean stuff's going to change how that's going to be the other living thing the Europeans are going to get involved because in a unique wonderful cloud world everyone wants to do business everywhere and the big shots are solving this the easy way which is German data centers right it's obvious like that not I'm not going to try to figure it out Safe Harbor will come back getting much much much weakened form it will be a community harbor certificate and it'll count for very very so that's if you're if you're building your national stuff that's another sort of set of work you're going to have to do it it might be the easiest is the punt it's just read some rack space and time on site anywhere in Europe Germany seems to be the obvious one cuz there's going to be a think of the trade this view we're going to have with the Germans over Volkswagen which is you know it's going to be a sacrifice the sacrifice the hostages like hey you do that do you we will do to Facebook what you do revolves like so thinking back to how you how you pipe this top those of you who are not in pointy hair awesome instead you want resources you want people you want buy in you want to write new policies that might be harder you might want to write tougher vendor management standards you might want to be more honestly or vendor management responses 
uncertainty words management because this is still a smoke-filled cloudy room right this is not like i can calculate what's my young things when you have to race to your attitude your two biggest cyber and currency fluctuation you can graph the hell out of currency fluctuation say the risk of the money we held in euro are our renminbi these are the brackets this is the most it's going to lose here this is the least it's going to lose you and you can come up with a breather like i can come within like ten percent of what it will be i really never been within word magnitude of what the internet fee for each help sometimes difficult fear our budget is right I wanted this thing if I don't we've got it you've got to give my deal v again so uncertain people worried them being able to go back to hard costs the easily identified costs finds losing contracts right point2 we will lose this contract if we don't put in this control these easy sale to make actually harder sailed enough though because I've done that affect me we just got this contract from large bank what's it going to take a half of security contracts going to pay a million dollars i go to be eighty thousand dollars the work to do that really doesn't cost that much like your game you're getting paid a million dollars to do the work no if I if you were a carpenter and said I want me to build this but you need to buy this tool and you get to keep the tool afterwards that's an easy sale but here it's hard for some reason maybe it just needs now but to give them some level of certainty it's hard for you to quantify things like reputational costs are for you to come to do tour comes it's easy to say these are the last ten finds by the FTC for doing something similar to what you're talking about the FTC was the hearts could solve a web page so you can go find them insurance as soon as insurers get better at building better models they'll be able to give you the cost for not having control but right now there's a 
takeaway for those who are Chinese trying to convince people up upwards of you to buy stuff and do stuff this is what I point out so any questions and I stairs yet what did I'm just going to ask when did you start working on behind a couple months ago you agree I only ask that I hadn't heard you change jobs thank you so on the insurance issue is there bad emotion yet I insurance I'm going to use an example of a son 150 year old house it was very hard to get through its network is their kind of motion in the cyber security industry to do that I heard of some I don't know yet because generally I don't find out about it until it hits either the trade routes or its litigation where you know you have a you buy insurance have a loss insurance company goes up you know and then you sue the insurance company say what was that all that touchy-feely stuff you're just sent me back my premium check with oh by the way generally the decision there's a there's here there's hundreds of years of precedent on rescission you have to be phased out to show that there's a material in accuracy are in the statements you made to be insured that them to do under looking like i said i was going to have these defenses against this loss and happy to be happy it's not usually nickel and dime east of it's usually it's gotta be substantial it's not like i said my car was red and it was actually you know it's actually hurting me that's not material if i send my car had anti-lock brakes and it didn't and the accident what could have been mitigated by that that's a rescission it's the materiality of the of the correct statement to be shorter than the figure out the the risk they are bearing my shorty do you see now for that let's say that you installed version 3 point out or whatever the standard is but meantime that's not the latest is that you see that is not going to be enough to get more trouble there might be a little I might get more granular than one or like that Monday they were brighter 
than I think along the stem so he might be that you had some kind of patch management system and whether or not that was an acceptable restaurant would just be contemporanea standards like most people had shifted before pointer yet because then you're going to like two parallel problems I'm going to fun we get rid of those laws are presented by handling parallel problems with a standard versus common usage was this is this inherently negligent sorry oh thank you so much