Sign Nebraska Banking Confidentiality Agreement Secure

Industry sign banking nebraska confidentiality agreement secure

my name's rob uh ceo of stealth group we've got dasha here she's on our panel today um you know she's an award-winning cyber geek uh cso president um actually big news from last week she's one of only 25 provisional cnmc assessors in the world so that's a pretty cool thing not pci though not not pci but you do have a pci qualification yes yes she's pcip um we have mark segaloff who is uh cso ceo financial services and cyber security consulting veteran who loves pci so he jumps at the chance to be on panel um so he's going to answer all the questions as far as i'm concerned exactly we have cassandra who's pcip she's cso lots of um cyber qualifications grc veteran uh also loves a bit of pci right you can have waiver everyone cassandra if you want to um you know who i am i've been in financial services for more years than i than i care to mention but it's over 30 and uh spent a lot of time with pci with a couple of companies so i have a i have a point of view it might not be accurate but it's but it's grounded in the real world and one of my colleagues on one of those programs is chris connor and he's not on the panel but he's joined us to listen and i'm sure if he gets excited he'll he'll chip in as well so that's the panel um who else do we have so rich was on a previous panel um he's just he thinks he's just listening in today but i'm sure he won't be able to resist uh jumping in at some point and then who else do we have we have steve brown steve would you like to introduce yourself sir sure i'm steve brown i'm with tpg telemanagement here in omaha nebraska we're just dipping our toe into cmmc uh we're gonna get there hopefully to look look at getting into the more federal business we're into listening and scoring uh customer service type calls and creating uh metrics delivering that back to customers as insights and rois awesome that's uh i think you come to the right place so yeah hopefully you'll enjoy uh what we come up with um we have uh jeff is uh is our new operations manager nick is our new sales guy chuck i don't see a surname uh chuck why don't you uh introduce yourself and tell us why you're here chuck you're on mute yeah i mean i always encourage folks to turn your cameras on if you can and that makes it far much of much more of a conversation and less of a kind of diatribe slash um you know a presentation it's uh we we would like this to be as interactive as possible we have a p valid uh if you would like to oh you won't be able to speak i guess so you might be in a noisy place so that's fine i've just got your message um okay you're in a conference room with others that's absolutely fine enjoy the conference have a listen in as i say if anyone if you want to turn cameras on and just get stuck in that's absolutely fine the the purpose of this is to share insight there is a zero sales pitch this is purely we love what we do we think it's really important we love to share simple as that and we we invite our buddies along just to give their points of view as well so we get some more rounded points of view plus we like to have a bit of a laugh you can probably tell i like to uh to have a bit of a joke this you know these topics can be quite dry so if anyone wants to inject some humor you're very welcome um as i said all of the questions that were posted they're on slido.com the code that you need to access the questions or add some new ones is seven i'm sorry hash 74501 um so if you wanted to have the questions to hand i've i've been in there i've taken a look at those and we're just going to run down those questions so so without further ado if everyone's comfortable and has a cup of coffee um sit back and relax and we'll get into the first one so the first question was um given the and i think we expanded on the question a little bit because slido gives you a word limit so the actual question was given the financial services industry often deals with a mix of domestic and international clients meeting regulatory and compliance requirements is non-negotiable yes what is the best practice for performing due diligence to ensure we remain compliant so i'd be very happy to give a kind of consultants type answer to that but i think uh who would uh who from our panel would like to volunteer on answering this one i know mark's about to put his hand up mark my hands up what do you think i think um from my experience there are probably a number of different facets here the certainly within the financial services they have a concept of three lines of defense which some of you are probably very familiar with so it's ensuring that you've got a robust three lines of defense model first of all the second the second aspect is very much around being able to demonstrate compliance as much as possible so actually having the evidence and the process to support visibility of what you're doing for compliance is equally as important and the third thing is certainly some of the larger banks that i've been involved with like lloyds and ubs it's really knowing where are your key risks as well so very much focusing on what what ticks are boxes for some of those organizations and some of your regular your regulatory authorities and so for example in in a ubs or uh scenario they had multiple regulatory uh requirements resulting from sarbanes-oxley from the mass authority over in singapore and of course your external auditors so it's about being able to have a meta standard knowing what's important but focusing on key risks like privileged access management is often key in financial services um anything to do with access control um a lot to do with third-party assurance as well um and following the trail of data and understanding where your data is so it's really just no it's really just trying to narrow your scope down and focusing what's really important because they are complex beasts absolutely i think we're going to get more into the the third and fourth party question a little later but i think we can agree that all roads lead to the chief risk officer at this point you know they've got the risk register of the enterprise risk register that is fed by the different department heads and you know you it's you need a plan for compliance that that makes sure that you address or at least has a compensating control for those risks were relevant so you know because cost is important you can't go around fixing everything um so it's it's understanding the priority of your risks from an enterprise perspective and then knowing what to do with them so and then you know you we're going to come to this quite a lot but yeah the three lines are different absolutely but this is all about people process and technology you know this isn't just about set processes it isn't just about a set of appliances and it's not just about training your staff to a certain standard it's about all of those things and that that for me is you know if you're ticking those boxes then um compliance becomes easier and don't forget being compliant doesn't make you secure and i know this is a this is a strap line for stealth we will get i'm getting ahead of myself we'll get into that question momentarily but just just bear in mind just because you adhere to a certain compliance standard um each one of them is different which means each one of them has pluses and minuses so we're each that means where you have deficiencies if you haven't focused on those as part of your compliance activity then there's there's risk there as well so all right awesome thanks mark so next question managing vendor risk so here's your here's your third party question so managing vendor risk is a critical challenge the financial services industry faces and to be fair all industries are facing right now what have you seen to be the most successful approach to managing third-party relationships so i'm wondering if cassandra's going to put a hand up for that she is there you go no prompting whatsoever so cassandra over to you this one is one of my favorite ones so i usually get the joyous task of coming to clean up when things are not done correctly so my view is more from uh starting with the end in mind and making sure that you're protecting yourself but also building that relationship with your vendor i think it's really critical that you set the expectations up front with them and let them know that their security has to follow the mandates of you as the customer and it has to be put in writing in the contract to protect yourself later on if you run into an issue so what that means really is you need to make sure that they understand what your security requirements are and what you need to comply with and when you need to comply with them you also need to be building in your contract and your expectations with that vendor and any of their you know sub vendors a right to audit their systems and their processes at any time but you know working with them in a relationship oriented way to say look every quarter we want to take a look we would like for you to proactively provide that to us so that we don't have to be invasive about it but we do need to make sure that it's happening um the other piece here is you've got to make sure that there's slas built in there that that state when this information well i think we lost cassandra for a second hopefully she'll catch up if not i think i know where she was going with that so trust me verify is key um right toward it is um is essential so when you're writing contracts with your third provider yeah sorry cassandra it's uh it's so clipped we can't um can't make sense of that one but i think the point was well made i think we got that point any any questions on that uh particular point yeah trust me verify right to audit uh frequent checks uh i would add you know monitoring those connections from a from a network perspective and keeping logs of traffic um you know all of those things are really useful mark just just one thing to add i think i think it's very important to talk the same language as well i think that's often lost with suppliers and third parties so using standard terminology around standard frameworks so each third party has a multitude of requirements from multiple multitudes of customers so it's about trying to be approaching it from a standards perspective whether i say or nist et cetera okay and also a shared nomenclature as well so getting your acronyms fully understood and listed and uh yeah so that you're both absolutely speaking from the same page yeah now that's a good point thank you so next question that we had on uh by the way slido.com for those that have just joined slido.com 74501 if you wanted to ask any question or just look at the questions that have been posed on to the next question how should we go about managing the threat of internal personnel causing a data breach or security incident now i know for a fact mr segeloff is going to jump all over this one so uh over to you mark you're just still muted right where do you start um so it is i think it's all about culture people the what's important is that security is embedded as part of the dna of an organization that is probably one of the most important things that very few companies really get right so to do that it's not about just a security program or a training program it's actually understanding how that business operates and connecting the security in to how a business processes uh all the different functions so whether within so for example without going too down too far down the pci rate pci dss um call centers taking payments understanding that business process is very key to ensuring that those people understand what security is relevant for their role and that's probably the most important thing in ensuring that you can help minimize um i suppose the accidental element with respect to a security breach now obviously from a more deliberate or angle then it's very much looking at your employee screening understanding employees not just not just before they are hired but also understanding being close to them throughout the duration of their employment as well so you know noticing if there are issues or whether personal issues that may impact one's performance or one's ability to let's just say stay on the straight and narrow so it's about really being taking care of your employees as well or your staff as well and being close to them and really understanding what's going on um and then you've also got some of the more i suppose more of the detective controls in place but obviously uh there are some proceeds implications so you have to obviously balance what is appropriate as well based on that sure i mean again there's there's a trust but verify elements of that as well so technology can be used just to verify that you know what's happening should be happening and can look for an anomalous traffic and stuff like that so yeah great answer thank you very much cassandra you're back thank you yes awesome so next question as technology continues to develop and we move towards a cashless society how should the financial services industry consider the challenges of securing things like mobile and web applications any takers i think dasha would like to answer that one um i mean it's it really does not i don't think it actually is the financial institution unless they develop their own tools and their own mobile applications to process it it um right now it really comes down to everyone who is putting some kind of application out might it be paypal might it be um anyone else would develop their tools that they need to actually adhere to their security best practices and that's not really pci related it has anything it really it's a wasp pen testing it's uh proper code review and using the entire software development life cycle with security in it to uh to make it short and every time there are some updates it actually gets tested before it goes out in the public right so secure by design testing all of the good toys around uh dual factory authentication tokens um encryption all of those things so i think um you know less secure applications are falling by the wayside because everyone certainly within the financial services industry whatever mobile banking app that you have if um if that was deemed insecure then you might raise questions to that particular financial institution so so in a way having a very secure access to your to your money is um is almost it was a differentiator but i think everyone's pretty much on the same page now so um jim did you i saw you noting on that did you want to did you want to yeah i was wondering where where you may be going with that in terms of the digitization of the dollar right um is it beyond just the transaction services on these platforms or is the question geared towards the digitization um the thing i'm thinking um if we look back at history and you go back into why the dollar is green today right um that history basically was every bank had their own notes right and there was all kinds of exchange rates between very very complicated mix to to manage um until you had a structure like the federal reserve come into place where they say it's going to be won across the you know across the united states we have a standard we have a dollar i think standardization as we get into monetization or digitization of the dollar is going to become a huge thing so um it actually in some weird ways there's potential for it to get a lot simpler i think um if you know the dollar were managed say out of a federal bank right and that those bits and those uh uh and that that virtual currency uh were managed out of a central bank there'd be a lot of a great way to have standardization much as they did with making the dollar green back in the 1800s right now i mean that's a segue into into blockchain technologies right now um so yeah the federation of or sorry the non-federation of these different exchanges you know it has its pluses and minuses and i think we have a blockchain question in a bit so uh in fact we have a blockchain question now because question five i think was um was another one about third and fourth party vendors which we've covered um next question was how should we approach emerging technology blockchain and iot knowing their risk is high so for me this is these a e two totally different questions one blockchain is designed to be inherently secure and you have a visibility of the ledger in the entirety of the ledger whereas iot is a is a kind of an amorphous ad hocracy of potential devices that might be connecting to your network so if we take the question into parts gym did you want to take the the blockchain file don't know i i think you just hit it right i think you know in terms of the blockchain stuff it's inherently designed to be more secure which again i'm i'm intrigued to see where that goes i really do think there's there's such a future there um i just think of everything we do in password management everything we do um just becomes so much more streamlined and so much more robust but i also think for financial institutions that presents a bit of a problem while there is um yeah the opportunity to reduce fraud is going to be uh is going to be significant but um when fraud does occur it's going to be that much more challenging to find so for sure for sure onto the um so so there have been if you like breaches within i guess the the blockchain [Music] system might i would argue that those breaches have been due to lack of adherence to secure by design and appropriate testing and following eye wasp and things like that to dash's earlier point um but you know each one of those those application vendors would argue differently i'm sure but so on to iot then iot and financial services for me right now and this is this is kind of topical because of kovid you know a lot of perhaps smaller banks have asked their folks to work from home and in some cases perhaps they haven't had a resilient um enterprise set of tools to to deploy to home initially anyway i'm sure they've all caught up now um and i'm sure in some cases uh companies are asking folks to work from home using their own devices and that for me is a i see kind of bring your own device and internet of things as mostly joined so unders so yes that that was proven to be a risk because there were breaches via kind of home home working if you like i think the world has moved on from that i think with kovid there's actually a greater awareness of of that and security i think one of the plus points of code has been the general awareness that actually the internet isn't necessarily as safe as you thought it was and folks are getting better educated on that so so for me this just comes back to people process and technology if you if you are encouraging bring your own device as a financial services organization you absolutely have to wrap that up in policy and procedure you absolutely have to train your staff on what's acceptable and you absolutely have to have technology in place to check the you know access to corporate information assets um you know confidentiality integrity and availability and maintained so jim i don't know if you wanted to add to that yeah i think it goes right back to what mark was saying a little bit earlier it's it's really embedded in your culture uh if that hygiene uh and good cyber hygiene uh is is um you know imbued into your staff uh and it's a part of who they are uh security is viewed as a shared responsibility um yeah i do think you're right on the money there uh robert great thanks guys mark did you have anything more because you know these are such big questions they they kind of deserve bigger answers so did you want to chip in yeah i think i think um obviously with coverage remote working was i was was here before but the huge acceleration and the time scale to which it had to happen is what caused it i suppose inherently i suppose vulnerabilities being introduced not because of the technology or the or the actual underlying change it was just the pace of change and the ability to move quickly so i think what will happen is perhaps a few months or even years down the line due to that pace of change only then those those organizations that perhaps aren't as good as monitoring incidents or breaches will start to realize that maybe they may have introduced one or two threats that we're unaware of um and those organizations that perhaps are perhaps more proactive would have prevented that at this point in time so i think you're right back to that trust but verify i think the verified was playing catch up a little bit awesome thanks guys so um next question another kind of big wide question so how can we avoid failing to accurately strategize compliance efforts so i have my point of view on this one but i'll share that last cassandra what's uh what say you on this one how can we avoid failing to accurately strategize compliance efforts i think the biggest thing is and am i i'm getting the connection unstable again so i'll talk quick um i think that everyone knows pci is important but oftentimes the senior leadership team does not carve out the appropriate space and environment and funding and resourcing strategy to be able to accomplish it and and really continue it on an ongoing basis to make sure that it gets done correctly and then you end up with people trying to mad dash at the end and throw bodies at the problem so i think that's the biggest overarching thing that i see in the industries that i work with for sure it's some you know compliance efforts are aligned to frameworks and and especially pci it is argued that it's it's a little ambiguous and it's a little expensive so you know without the right and these are not kind of these efforts don't take months they can take years for kind of higher tier merchants um a couple of myself and a couple of guys on this school worked for three four years on a pci compliance certification project for a huge insurance company so um you you have to be make make sure that your your budget line is as ring fenced as it possibly can be so one of the experiences we had was you know budget team being taken away from this particular compliance effort because there were more pressing business imperatives um and the business was more inclined to to take the fine then because they had to spend that money on something more pressing so you know because of their multi-year efforts these types of these types of things do come into play but you do need a plan you know i think pci does if nothing else it does give you a framework for where you should be looking but again being compliant doesn't make you secure you need to be aware of you know with pci in the car processing environment specifically you can take things out of scope of compliance by making sure that they don't touch any credit card data so all of a sudden if your compliance activity and you're looking at that to make you secure and that's your boundary you've just taken some things out and put them outside your boundary and so what how are you going to make those secure if if they're not part of pci so i have a question okay dasha so to compliance um i mean the pci itself has a the the work workaround where if you're not compliant you can still put compensating control in place you could put a project plan together you can have that basically everything and all that is non-compliant you can have a compensating control around it which pretty much puts you into non-compliant status but you can still do business so what's the point of having pci and trying to make it all secure if everybody pretty much can bypass it i think there are that's a multi-headed question and there's a there's a big answer to that as well but one of the points would be um have it being pci certified is is a differentiator for some companies so to say your pc i said it doesn't matter if you've got common certain controls or not take you know being certified by the pci council um can be a differentiator versus your competition but you're right and this is to my point about pci can be a little ambiguous and it's you know there are a lot of criticisms of pci that being one of them um but i believe mark when was the last time the pci standard was changed do you know or updated a couple of years ago it was a couple of years ago wasn't it very recently yeah yeah very recently in the grand scheme of things i think there's probably one other thing to add about compensating controls as well depending on what level merchant you are and depends obviously the degree of rigor that you obviously assess that you're compliant but with the compensating control you still need to be able to demonstrate for example to a qsa that that compensation control is as equal to or if not better than the original control itself so so compliance there's always a there's an art to pci compliance [Music] and it's about how you how you i suppose take your qsa assessor on the same journey with you and that's probably just as important to managing that relationship and with the acquirer than it is to actually become compliant itself so we saw this compliance with with a bit of risk we've yeah we've done that it's a conversation you're right it's an art and a science all mixed in together um but i think that you know the assessor tends to take a relatively holistic view and then okay so there might be one or two things where maybe the compensating control isn't as strong as the actual control itself but given you know their their job is to take a step back and take a holistic view and they think well on balance you know there are other things over here that you know on balance this is a relatively secure organization versus its peers so but yeah that's part of the conversation that you have with your qsa and it's also important i'm sorry chris i don't know whether it's okay if i chip in with a a memory of uh a compensating control that we had yes um about call recordings yes if you remember that and mark remembers that yeah um i thought the interesting thing about that was that there's the the degree that um the acquirer managed us through that process um and they they kept us a very close eye on on our progress towards closing down that compensating control so i mean from that point of view it was quite effective it got us over the line in terms of our compliance but they still made sure that we closed it down for sure and that actually raises an interesting point that nobody has asked um with with pci you know call centers take credit card details over the phone so all of a sudden your call recording systems are in scope for pci so that just as an aside that was a that was probably one of the more interesting um projects within the program that we ran um i was fascinated by that and and that was quite a difficult thing to do but you're absolutely right um we did receive a lot of guidance and counsel on what good look like which was which was really good okay thanks guys um i really enjoyed that one so next one security controls must be implemented in order to reach peak compliance i'm not sure about peak compliance i don't know if you know it's kind of binary isn't it um how can we adapt security solutions as a means of risk mitigation monitoring and control without resulting in performance management issues so for me this question was a slightly kind of open-ended i wasn't sure if it was about system performance or organizational performance um if for me the former there are tools out there that can that can monitor things and you can set the amount of the threshold of system performance that you're allowed to allow that process to run but let's take this as a more kind of systemic or an organizational performance issue so mark security controls must be implemented in order to reach peak compliance for pci how can we adapt security solutions as a means of risk mitigation monitoring and control without resulting in organizational performance management issues i'm going to i'm just trying to read that question in a in a way that uh it comes so like touches on what we just mentioned before it's about trying to for me it's always about trying to right-size compliance for an organization um so no matter what no matter which control you're looking at or which or what your key assets are and i think i think understanding i suppose understanding the business context the business drivers the what is really important in the context of an organization in an organization so for example pci idss is quite you know credit card data but then we're looking at volumes as well so and we're looking at those large volumes or those volumes that are included in automated processes as well those are the key aspects we're not looking at like ancillary data that may be stored somewhere but so we need to just kind of focus in on what's really important in the context of what we're trying to achieve for compliance um the other thing as well so you know if we talk about performance for example on a security monitoring as well for me it's all about having actionable intelligence i don't want to be bombarded with lots and lots of log data that i cannot consume or cannot take actionable intelli action on those two or three issues that maybe be maybe arising each day i want something that i can just consume and deal with it and some banks obviously they're geared up and have huge socks and huge instant response teams other smaller financial institutions don't have that luxury and required to say a really you know having an outsourced partner to support them through that process and provides that key issue so it doesn't impact my day-to-day job i think that's the key thing obviously i'm security so i expect to be dealing with a bit of that but i don't want any everyone else to having to overwhelm them uh and just i think that's also the balance is understanding your organization and the response and the ability for your organization to consume whatever you're delivering right so i did come up with an analogy for that so i'm pretty sure your phone would run ever so slightly quicker if you took all of your passwords off it right but um you know you can't really do that in an organization so it's almost the cost of being secure is a slight performance hit but i look on the positive sometimes it gives you an opportunity to look at your internal business processes and make them more secure and actually streamline them and make them better so you know that's something that i would look at but um but on the whole you know you can't you know be more secure and not not there not be some sort of trade-off somewhere i think so i think the other thing as well with financial organizations as well um trust is extremely important to the consumer and customer so more and more certainly over the last five years plus security is often sold as a benefit as a beneficial marketing differentiator as well so you'll see so many marketing campaigns with financial services around protecting your money for anti-fraud all these different things so so it's a lot so there is a positive spin about um customer retention and um obviously uh building that trust as well i think jim wants to i think jim yeah you know there's a magic trick in that right i mean you know you know robert you bring up a great point before about um there's a big push for frictionless we want as little friction in the customer experience as humanly possible uh when you're dealing with financial assets and things maybe a little bit of friction is good um but i think it's really about how you introduce that friction and when you introduce that friction and this is where i think security could be viewed as an enabler to the business we want to we want to keep those transactions as safe as possible and if we can work through automation algorithmically looking for those red flags and giving just the ones that mark talked about earlier about give me something that's actionable uh that we're not drinking from the fire hose here um there's a lot of those flags you trip enough of those flags your tool then introduces the friction of hey maybe i need you to give me your password now right um uh you can be there's a very fine line you know business-wise between that friction um and you know the friction we want as security people but the friction that the business doesn't want because they want to retain customers they want to make it as absolutely simple as possible for their customers um i think there's a there's a third way where security can help enable that right um through automation through to ls with uh you know algorithms and ml and ai that can really uh especially if you've got that kind of volume i think of something like uh like a paypal right where you've got that kind of transaction volume those engines can learn rather rapidly so um and then you're faced with just you know the exception handling that that you want to be faced with as a security manager yeah great integral you're integral to the trust you want your customers to have right in your platform right that's integral it's baked into you know one of the reasons i think i use paypal is because i feel secure there right you know you know it's uh so that that i think is you know part of your product is going to be you know you know that security message that your your funds are going to be safe with especially in financial services because it's your money right you've worked hard for that it's personal it's very real quick it does doesn't it yeah yeah great thanks jim cassandra did you want to jump in on that one i saw you raise your hand sorry i was just uh i was thinking it sounds so luxurious now after i've left big banking and gone to uh help the smaller fish in the sea because they really don't have the money to use automated tools or any of the fancy things that are out going back to basics and i think there is a very large cross-section of the blue ocean that needs um critical thinking skills and helping them come up with their compensating controls because they really need to strategically think about where they're going to spend the dollars that they have to figure out which ones are going to be automated tools and which ones are really people in process that need to be addressed because they don't have that angry security culture or or really a risk management mindset so it's definitely a particular challenge for those of us that are used to having money to buy things and then going to uh help others to get through their pci challenges for sure it really is about bang for the buck isn't it at that point yeah great so great so thank you okay we've got another kind of wide-ranging kind of strategic question for the panel so how do we make sure our compliance requirements are fitting into the larger security objectives how can we ensure they address the ever-growing range of cybersecurity challenges we may encounter so we've kind of touched on this and i think dasha wants to have a crack at this one actually yeah i think um and this this goes back to cyber security as a standard and as a building a part in the culture to daily operations has not really much to do with pci or hipaa or cmnt or anything it's just every single company needs to be aware that security is a requirement now it is actually a business enabler because otherwise you can't process credit cards you can't play with the dod you can be in the healthcare industry and um yeah things change um it is part of doing business just like uh 50 years ago we didn't have tvs and health health devices um 20 years ago 30 years ago within their firewalls now we need them um going forward we will need double and triple encryption and have ai and automation so i think it's part of doing business you have to keep up you have to um upgrade your technology you have to stay with standards you have to keep track of what um you know what is coming coming our way and what um and also maintaining our and educating your staff your employees of what their requirements are on security it's uh i think it's really just going on with it it keeps changing and just like 30 40 years ago we did not have credit cards we have friends now we just have to get on with it so it's an evolution so the question for me then becomes okay as a small as a small business owner and i'm very good at manufacturing my widgets but i'm no cyber security expert you're telling nanny to keep an eye on the on the future how do i do that well just like for anything else if you have a house um you don't try to fix your electricity yourself you get in the professional and so it's part of doing the part of doing business it's the cost you get the people that are professionals in their areas to help you to guide you and the good thing with today is you do not need a full-time sizzle you do not need a full doesn't have to be a permanent member of staff right there's a lot of companies out there that provide the fractional services um that you can ask even freelancers to support you as a business to advise you especially to the cassandra center is the small businesses that just don't have the knowledge you don't have the tools that don't have the budget you can still keep up with it and especially in pci and also applies to cmmt and everything else is define the scope you don't have to put the security controls across the entire enterprise you can really make sure that you scope for a particular security requirement is as small as possible and that's also where consultants can help you and uh and make sure you don't overspend money for where you don't need it right so that that potentially checks your certification box but as i mentioned previously you may just have taken some things out of your security scope that actually are quite important so there is a balance between the two right yeah but sometimes uh taking something out of scope which is a risk and you give it to somebody else for example if i want to be a credit card processor well i can get a pos here or i can just give it to a third party and have them manage the risk and it might actually be cheaper than me ground for a whole pci certification and getting the sim tool and the monitoring and everything in place right so there's a concept in pci around tokenization where instead of sending um pan data you're actually sending a token and there's a database that that translates the two so so yeah as a compensating control i guess that's uh that's definitely something that we looked at previously so so yeah but i guess it comes back to the point you you might be expert manufacturing widgets the the council i guess would be find somebody that you trust that and and get a get a different point of view um jim did i see uh did i see you wanted to to jump in on that one i just really i want to thank dasha for the the historical context because it's it's it's not it's no small thing right this is still you know we talk about 20 or 30 years that's this is all brand new stuff right i mean in the context this has got nowhere near the maturity of say uh your city's subway system or the electrical power grid or lighting you know there's nowhere near this kind of maturity here and the rate of change is this i think what complicates this sorry i think what complicates what we're trying to do here is that so many software companies ran out and built something and they went out with all these fancy bells and whistles and you know small to medium-sized businesses with some money to spend are able to justify to their boards that hey we need this thing and they get duped into buying things that they don't need or don't function properly because they don't understand doing a proof of concept and having solid use cases so that's where someone with your expertise can come in and help to at least get you started off right so that you don't find yourself having to go back and apologize for spending money that you did and that's exactly where i was going with this yeah yeah actually for the new company um it's done right and really the critical thinking is done up front and i think cassandra you're 100 on the money there are places and i know one of the challenges i had one of the last places i was working was you know the number of tools we had was was because i needed two percent of this tool one percent of that tool five percent of this we had the amount of money being spent on tools the deluge of possibilities and tools and capabilities um people have to step back from that really start thinking about ring one two and three what are we trying to secure and how are we trying to do that this is right if you step back and take the time like in any six sigma project i tell you the most amount of your time should actually be spent on defining what your problem is right um what it what are we doing here if we can do that i think the new guy actually wins because the new gal actually wins because they get that they can get some really really incredible technology on relatively on the cheap right to do some really incredible things because of what's there now um you know i think the problem comes in if you've got legacy trouble that's that's where things start to get scary because you've got all these other problems to deal with but if you're new and you're coming in you don't have a ton of money identifying what it is you're actually trying to do you can make it i think you can make a pretty robust system for you know a lot less investment say than somebody who's dealing with a legacy totally agree certainly i think with the rate of change i think not hiring some expert counsel is a false economy i think that's i think we're all in violent agreement on that i think mark you wanted to jump in yeah they're probably two to two angles i think you just mentioned obviously the expertise i think there is a um i used not to be disingenuous but sometimes i use the phrase like uh making sure you've got an intelligent customer but in a way that they actually understand what they need to be able or the right capability to be able to get them to where they need to go and sometimes the guidance out there may not necessarily see them in the right direction and that needs to happen right at the top as well so it's recognizing i've got a problem here and then secondly recognizing right before i go into the technology space it's not a technology problem what is the business challenge i'm trying to address the second part to that is is no matter what size or organization in theory um i say in theory because it's not always happens in practice the the you know organizations at the senior level should be thinking about how their security strategy um aligns with their business strategy i use the strategy obviously it's different for a big financial compared to a an sme but a strategy for an sme may be in their heads um but it's just making sure that that security strategy is thought through and looked at top down very much from what are their business drivers what are their regulatory drivers what are the compliance drivers what are their key risks not every single risk because you can get lost in the weeks but what are the key material risks of that organization and also what are the business opportunities and if you understand that context then you can clearly lay out a series of prioritized controls for once better phrase it could be a pci-related control catalog it could be a meta catalog that has all your compliance and risk drivers and then you can start thinking about how do you actually meet those controls today um either through technology people process or technology but the one thing i find lacking in a lot of organizations is the ability to pull that together the governance aspect the leadership aspect because that's what that's what needs to happen to really make all those other three really effective and that's and that's and that's the job of everyone in security said but also the wider business to sell the need for things like that i think that's the danger of the pace of this industry because i think we're so out there or customers are generally out there trying to buy tools right tools give me the tools i need to do this and they really haven't thought about their people their processes um you know tools are predicated on processes processes are predicated on policies have we actually how many places have you walked into where where's the policy and there's nothing right you know it's a virtuous it's a virtuous circle isn't it those three are so so in to join cassandra i saw you lean into the into this i suspect you i was just thinking um integration is always an afterthought and it presents so many challenges that that really create technical debt in an organization that's very hard to overcome in the long run so it's super important to think about every single time you're thinking about buying something you know what are the impacts to the other things that you have or what you are looking at further down on your product roadmap or service roadmap um because what i i find even in big banks and financial institutions they go with an integrator that they think has all these shiny bells and whistles and they get midway through their implementation and they realize crap this isn't this isn't going to allow business banking like i thought it would or they really don't have a product that they promised me you know so you need to do your due diligence and make sure you're really getting what you think you're getting yeah for sure business impact afterwards you know you have to have support afterward to help you with your growth strategy yeah so business impact analysis bia you know some you know just talk to somebody that's done it before um you'll be surprised that uh the insight that you'll gain from that and overall you will save money and deliver quicker um is is all of our experience around this table so see it but we would say that right yeah i think um from our pci program the one that we are ultimately a few of us are familiar with one of the things that especially when it's a multi-year program showing benefits benefit realization whether it's control improvement maturity improvement or i'm not going to say cost improvement because it's not always not always possible or risk benefits that's so important along that journey to maintain that that buy-in at the right level and maintain the investment that you need but not just maintaining investment but demonstrate that that investment is effective so i would overlay the whole measurement aspect as well and report it that's a really good point really good point you know whoever's managing that program for you needs to be continuously in touch with key stakeholders explaining what just happened what the benefit of that was what what is about to happen because not only do you do you maintain the visibility of your program and how important it is but you also be because it's still in the mind of the decision makers and the budget holders then you're more likely to when it comes to next year's budget decision they can say oh yeah this was really good for us and we got these benefits so yes let's continue so yeah good good point that's really cool go ahead chris sorry chris oh all i was going to answer that was um you just made reminded me of um that point we reached in um in the program early on where we we actually were getting some pretty poor advice um and i think from an organization's point of view it is sometimes difficult to tell with you're getting good advice or not um and making a judgment as to whether whether you're choosing the right option um i mean fortunately we had people in-house like mark i think ash was there at a time as well as you as well as you rob and um we did change direction but um uh you know we could easily have carried on spending money on a on an approach that wasn't really going to work or was going to be extremely expensive and getting the right advice is is quite tricky and knowing whether you're getting the right advice is a difficult one right so the message i'm getting from that is actually sometimes you might just want to get a second opinion um yeah not just go with one uh one firm or person but uh but get a rounded opinion but yeah do do find folks that have done it before i would add to what mark was saying too about the measurement of some of these things right because you're right the cost benefit is not always there right to look at it and say i got to spend the money to do what how you're reducing risk is going to be critical you go through some of those business impact analysis and you identify vulnerabilities you've got to come into that with some kind of a scoring mechanism right uh that you can look at every one of these vulnerabilities in a list and you can score them you know in some way to say these are you know actually you can go look at som thing that engineers have done failure modes effect analysis right right you can look at something like that and come up with some kind of a number that says you know this is how frequent this is going to happen or how likely it's going to happen uh how big it would be if it happened on a scale of 1 to 10. um you know and uh you know multiple for these things and you can rank them so if you have a thousand dollars to spend i can look at this and listen i can say well for the thousand dollars that's probably the single biggest thing i can do and and in doing that i can say here's what the risk looks like before the fix and here's what the risk looks like after the fix and that score is now some difference and you could say i've reduced that risk by you know 75 percent right you've got a quantifiable number to look at that stuff so i think that you'll cost versus risk is is something that we look at and without selling a thing because there are many tools available on the market but we actually use a tool that assigns a financial dollar value to the to the information asset via a pan be it um pii appear anything you like right we can scan environments and so when you're having that conversation i i could i can't i can't share a story uh because they were still under nba but we we had quite an interesting uh conversation with the president of a very large organization whereby um i accidentally managed to to find my way into the back of their finance server while i was waiting for the meeting and um over time we explained we scanned that server and there was half a billion dollars worth of information asset on that server and i said to him you know i was i was sat in the bar on my phone with a commercially available kind of penetration testing app and i managed to get a login prompt for this particular server so those are compelling stories because your cfo doesn't understand cyber and doesn't want to but you give them a dollar say this is half a billion dollars at risk here you're more likely to get it could you fix that quickly please so yeah it's it's about choosing the vocabulary in the language of the stakeholder that you're in the room with so us as security professionals we can chat with each other all day about cyber security but we have to understand the decision makers don't really speak our language and it's us that has to adapt we have to adapt our vocabulary to put these risks across in terms of they understand so that we can all be doing the right thing so with that in mind i've got one minute questions and this was this was a such a great webinar um any questions around the room um emmy did we get any new questions that we could handle in literally 30 seconds no okay good so without i'm going to have to close because i know folks have time boxed a sincere thank you to everyone that joined i hope uh i hope you had a bit of a laugh with it we tried you know we tried to make it not too dry i hope you learned something if anyone's got any more questions reach out to myself or anyone on the stealth group team here thank you to our panelists thank you to jim i know you weren't officially a panelist but you jumped in anywhere that's fantastic we love you for that and for everyone else that joined we hope you found it informative i'm going to sign off now you've got our contact details if you need anything and thanks and have a great rest of day enjoy your weekend thank you