Welcome to the debut episode of Modern Cyber with Jeremy Snyder, where cybersecurity experts discuss the latest trends, challenges, and innovations shaping the industry. In this episode, Jeremy sits down with Anthony Johnson, CEO of Delve Risk, to dive deep into the complexities of cybersecurity in the modern era.
From discussing real-world examples of cyber threats to exploring the impact of political decisions on global cybersecurity landscapes, Jeremy and Anthony cover it all. They delve into the intricacies of cybersecurity for small to medium-sized businesses (SMBs), highlighting the challenges faced by these organizations in the face of evolving cyber threats. Join the conversation as they explore the trade-offs between best-in-breed and best-of-suite cybersecurity solutions, the accelerating trend of consolidation in the cybersecurity space, and the importance of integrating security into the fabric of business operations. Don't miss out on valuable insights into the ever-changing world of cybersecurity and how organizations can stay ahead of the curve.
Anthony Johnson is a former CISO at multiple Fortune 100 companies, Fannie Mae, JP Morgan Chase Corporate Investment Bank and GE Treasury included. He's currently a Managing Partner at Delve Risk, a market research firm focused on cybersecurity and innovative technologies.He's a sitting board member of multiple companies, a mentor and coach to multiple Fortune 500 CISOs, and an active advisor and investor to a number of cybersecurity startups.
Linkedin - https://www.linkedin.com/in/anthony-johnson-delverisk/
Delve Risk Website - https://delverisk.com/
Jeremy is founder and CEO at FireTail, an end-to-end API security platform that offers the inline, real-time, application-layer data needed to deliver true API security. Prevent breaches and protect your APIs from code to cloud with FireTail.
Jeremy Snyder (00:01.159)
Hello, welcome to another episode of Modern Cyber. I am thrilled today to be joined by somebody that I've known for a little bit while and I've spoken to in the past. And you've probably heard me speak to in the past, but he's somebody who brings a ton of insight and experience to the space. I'm joined by Anthony Johnson. Anthony Johnson is a former CISO at multiple Fortune 100 companies, Fannie Mae, JP Morgan Chase Corporate Investment Bank and GE Treasury included. And he's currently a managing partner at Delvrisq, a market research firm focused on cybersecurity and innovative technologies.
He's a sitting board member of multiple companies, a mentor and coach to multiple Fortune 500 CISOs, and an active advisor and investor to a number of cybersecurity startups. He holds a BS in computer information systems from Regis University, an MBA from Indiana University. And I can honestly say from my own experience, one of the nicest people I've ever met in my career. Anthony, it is a pleasure to have you back on. Thank you so much for taking the time.
Anthony Johnson (00:52.514)
Thanks Jeremy, it's always a great time to chat with you, man.
Jeremy Snyder (00:56.335)
Awesome. So we're here in early 2024. And I'm really curious as somebody who's been a CISO and now kind of transitioned out of that, how do you look at the state of the CISO right now and what you're probably hearing from, you know, peers and colleagues that you've known in the past, because it feels like there's a little bit of a shift going on where, you know, somebody described it to me as the Sarbanes-Oxley moment of cybersecurity, where personal
accountability is starting to come into play. Like, what are you hearing from people on the ground? How are they feeling about being CISOs right now?
Anthony Johnson (01:33.05)
Yeah, so I said this in the past, and someday it's gonna bite me, but I'll say it again. There's a difference between what I call a little C and a big C when it comes to being a CISO. And specifically, a lot of the big C CISOs, which isn't necessarily just driven by organizational size, but it's really by their level of accountability.
actual authority within an organization, like the scope and breadth. Are they truly an executive or are they, you know, a security manager? Right. The big C's are actually really concerned about this because part of the challenge is that you have general councils, you have the rest of the executive teams who are, in a lot of cases, not taking this personal liability conversation seriously. It's like, oh, no, you're covered.
Jeremy Snyder (02:25.981)
Right.
Anthony Johnson (02:27.97)
Don't worry about it, we don't need to have a special call out and they're like, well, am I a named exec? No, I'm not a named exec. Am I covered on that policy? Yes, but what you're seeing is, for example, there's a security leader who's going through something right now, very public. He's protected if he's found innocent.
Jeremy Snyder (02:47.664)
Yep.
Jeremy Snyder (02:53.815)
But...
Anthony Johnson (02:54.722)
But if he's found guilty, he owes all that legal debt for his defense, right? And so that's a really interesting piece of where you have a security leader who's like, hey, I'm trying to do the right thing. I'm following the guidance. And all of a sudden it's, well, if the courts find you innocent, we'll cover your seven figure legal debt. If they don't, you owe it.
Jeremy Snyder (03:01.239)
Yeah.
Anthony Johnson (03:22.146)
And I think that security leaders, particularly the big C, are like, hey, you know what, I need some additional protection. I need to, do I have to have my own level of insurance here? What does that mean? Whereas the little Cs, they're not even comfortable having that conversation yet.
Jeremy Snyder (03:28.287)
Yeah.
Yeah.
Jeremy Snyder (03:38.599)
And where would you draw the line? Like what defines a little C in this world? Is this somebody where, you know, they're chief in name only, but they probably report to a general counsel or report to a CFO, as I've seen in a number of organizational structures.
Anthony Johnson (03:52.418)
They absolutely they could. And they could, you could still be a big C in report to CIO, right? It's to be clear. It really comes down to whether the rest of that executive team thinks that your views you as actually having a meaningful spot at the table, right? Um, if you're just the, the guy that or gal that goes in, Hey, lock up the doors and windows verse, Hey, help, help us to have a more efficient flow of things. And you're part of the actual business solutioning here.
Jeremy Snyder (04:20.451)
Yeah. And I mean, it does bring to mind, especially what you just said about, you know, let's say things like having an insurance policy, whether taking this role going forward is going to have to have that written into employment agreements, right? And, you know, whether there will be a market then of insurers who are willing to say, hey, you know, business buys its own insurance, but you might need to buy a separate insurance policy or, you know, negotiate into your contract that you get coverage or, you know, money to cover this.
Anthony Johnson (04:49.906)
100%, I actually believe that any CISO taking a role today needs to have their own insurance policy. And so I think they need to have their own insurance policy or it needs to specifically be called out that they are covered across the board, right?
Jeremy Snyder (05:01.639)
Yeah. But what insurance policy would this be, right? Because I don't even know what, if I were taking this role on, and I called up an insurance company, what am I asking for?
Anthony Johnson (05:13.186)
I think it would probably be something like an E&O, right? So the errors and omissions or the, yeah, something like that, right? And you're, I'm not an insurance broker or anything like that, right? But like, yeah, but as I think about it, you know, as a small business owner, I have my, you know, my directors and officers, I have my E&O, right? I have my professional liability. It's gonna be some amalgamation of that, where you're like, hey, I did the right thing. I tried to do the right thing. I didn't break any laws, but I knew it. Like I followed.
Jeremy Snyder (05:15.687)
Okay, there's an emissions, yeah.
Jeremy Snyder (05:21.68)
Yeah, full disclaimer. Yeah, don't even play when on TV.
Anthony Johnson (05:41.802)
guidance from counsel, et cetera, et cetera. And I think that we're in this murky time period where I've seen CISOs that are in the contract negotiation for their salary, they ask those questions and the feedback that they get is like, yeah, we don't do that for you. It's like, oh, wait a minute. I know N number of people that are being sued or on the hook or whatever that means here, right? It's a different world.
Jeremy Snyder (05:44.597)
Yeah.
Jeremy Snyder (05:56.231)
Yeah.
Jeremy Snyder (06:02.907)
Yeah. And, you know, and to some extent, I even wonder whether like, if I looked at it as an ENO kind of policy errors and emissions, one case in particular that comes to mind that is, you know, being played out right now pretty publicly, I would say that a lot of the evidence and a lot of the analysis I've read leads me to think that this was a nation state directed or funded at, you know, research to figure out
the vulnerabilities and the chaining of vulnerabilities because it's a pretty sophisticated exploit. And by the way, just to plug for a second, APIs were a key component in there. And it's something that a lot of firms aren't looking at right now. Check us out if you want to learn more about that space. But what error or omission could you realistically point to that then an insurer wouldn't say like,
Anthony Johnson (07:00.35)
Yeah, and that's what, and I don't know, right? I do think that there's an aspect of where you're gonna have to have, I think that security leaders do have to have their own representation on this, right? I could see, and I think there's a number of different ways that you could see this kind of forming. It might be like a brainstorm idea that wants to go build a company of like, hey, it's gonna be a co-insurance of a bunch of security leaders who, you know.
Jeremy Snyder (07:03.208)
Yeah.
Jeremy Snyder (07:18.422)
Yeah.
Anthony Johnson (07:27.85)
self do something like, like there's gotta be a way because otherwise the liability potential risk isn't worth it, right? And especially it's not worth it when you have a bunch of CISOs you're still making a couple hundred grand and all of a sudden they're, they can be on the hook for a few million dollars in legal fees, because they're CBO did something.
Jeremy Snyder (07:34.195)
Yeah.
Jeremy Snyder (07:44.947)
Yeah, yeah, yeah. Or whether CEO, CFO, or someone else did something that didn't allocate the budget necessary to protect the organization. And I hear that complaint and concern a lot. And it might be that, it might be didn't get the budget, or it might be didn't get the organizational mandate where let's say the CISO came in and assessed that the organization had a particular attack surface that wasn't covered and needed that coverage, but then business stepped in and said,
Anthony Johnson (07:55.075)
100%. Yep.
Jeremy Snyder (08:14.983)
Now you can't put that coverage in place because it's the risk of blocking legitimate transactions, et cetera. It is too high.
Anthony Johnson (08:23.806)
Exactly. And then, then what you get into is you get security leaders who are actually incentivized to over dramatize how bad it is so that they're not the ones who, who were, who said no. Right. Cause they're like, Oh no, I, I tried to make the case that it was so bad and they told me no. So it couldn't have been my liability. It was clearly the business's liability. Right. Um, and so it, it disconnects this actual aspect of the security leader.
Jeremy Snyder (08:45.435)
Yeah.
Anthony Johnson (08:52.354)
having a meaningful say. And you want them to have a meaningful say, you want them to be able to advocate for the right amount of security, right?
Jeremy Snyder (08:54.262)
Yeah.
Jeremy Snyder (09:08.629)
Yeah, yeah.
Anthony Johnson (09:31.334)
That's exactly the quote I like to, it's one of my favorite quotes, Steve Jobs, where he's like, you know, you can't connect the dots looking forward, right? You can only connect the dots looking back. And he's talking about life and career and all this stuff. But when it comes to like the right amount of security, the right amount of parenting or over-parenting or whatever it is, you can only connect the dots looking back. You're like, ooh.
Jeremy Snyder (09:44.693)
Yeah, yeah.
Jeremy Snyder (09:51.913)
Yeah, yeah.
Anthony Johnson (09:56.094)
Ah, maybe I was a little too protective on that. And I should have let her fall and scrape her knee because she'd be riding a bike by now or whatever that is, right? And I think that we run this risk of people, Monday morning quarterbacking it and being like, well, you know, you probably should have done this. Like, I didn't know Russia and China were gonna team up to do this thing and go after this thing that didn't exist.
Jeremy Snyder (09:58.351)
Yeah, yeah, yeah.
Jeremy Snyder (10:23.615)
Yeah.
Anthony Johnson (10:25.706)
And go after me specifically for that data set. Like.
Jeremy Snyder (10:28.755)
And that is such a challenge because when we see these kind of, let's say, industry-wide, I won't call them existential because that's not the right word, but these kind of like landmark occurrences, some people would say like black swan, like solar winds, this kind of like low and slow multiple year supply chain infiltration.
Jeremy Snyder (10:58.543)
Um, exploiting a broadly distributed third party, uh, piece of software that's running on prem for thousands of organizations worldwide through a very, very sophisticated exploit. Like these are the first instances of those things, which in a way would say like looking back to connect the dots pretty hard, like a pretty hard calculus to come up with that.
Anthony Johnson (11:20.106)
It's really, really hard. And the example I'll use actually from this week is, we saw that, what was it, change health, the event that's gone on there. What's really fascinating is that, I think it was in what December, November, FBI did a take down of some attacker group website. The attacker group reclaimed their website and said, hey, because the FBI did this to us, gloves are off.
we're going after critical infrastructure, including hospitals. And now the risk dynamic for all these hospitals who weren't necessarily concerned about this particular threat actors like, oh my gosh, we are in the crosshairs directly of these people who are mad at a government agency or whatever, and we're feeling the brunt of it, right? Companies get attacked not just because they did something bad, but it could be because you're based there, this is the country or whatever.
Jeremy Snyder (11:49.899)
Yeah.
Jeremy Snyder (12:00.188)
Yeah.
Jeremy Snyder (12:11.099)
Yeah. I, yeah, that's a great analogy. I remember years ago, I was living in Southeast Asia, and there was a set of political decisions made by the US administration that were viewed as being very anti Muslim. And there was a boycott of Starbucks in Indonesia. And it's this kind of, you know, knock on effect of something that you may not have been connected to in the first place. So yeah.
Anthony Johnson (12:37.03)
100%, right? And the real scary part though is, I call it the high wall problem, which is that it's something like foot 50 some percent of US GDP is not, is actually the SMB, the small to medium businesses, right? In large enterprises, which is where my background is, we have millions and hundreds of millions and billions of dollars to spend on cybersecurity and talent and tech and all this stuff and recovery.
Jeremy Snyder (12:53.749)
Yeah.
Anthony Johnson (13:06.186)
And the SMB doesn't. Right. And it doesn't take the highly trained nation state actor to get mad at somebody who owns and set of restaurants because they are part of the city of Chicago or whatever it is, right? Like, and so the fallout is that you have these big companies with very high walls, well-trained defenders, protecting, you know, their enclave.
Jeremy Snyder (13:07.883)
Yeah.
Jeremy Snyder (13:23.445)
Yeah.
Anthony Johnson (13:34.77)
And outside of the high walls becomes a scorched earth. Right. And the SMBs are the ones who have to rebuild and try to, you know, like Mad Max style, like how do I cobble along, which is such a huge, huge part of our U S economy.
Jeremy Snyder (13:38.241)
Yeah.
Jeremy Snyder (13:50.791)
Yeah. And this, I mean, this point in particular really hits close to home. I mean, not only because I'm also an SMB, but you know, I talked to a number of SMB owners on a regular basis. And even those that are outside the cybersecurity space, the little bubble that we, you know, spend most of our time in, you talk to them and you start hearing from them like, oh yeah, you know, we're hearing about this attack targeting restaurants or targeting, you know, doctors offices, small dental practices, and so on.
And, you know, the point that I, an adage that I go back to a lot is that hackers have automation too. And it's not necessarily that you're being targeted. It's that like, it's just a spray and pray broadly speaking, using automation across, you know, every IP address that they can find. And if you happen to have any internet exposure, you know, I think these organizations are just real waking up to the fact that everybody's a target when, when automation is in play.
Anthony Johnson (14:32.738)
It is.
Anthony Johnson (14:47.307)
That's exactly it. That's why I use the high wall analogy, right? If you have an attacker out there with a flame thrower, they're just trying to hit whatever they can on the wall, maybe burn something, get on the other side, but there's a lot of people and businesses between that attacker and that wall that are just gonna be collateral damage and they'll take their money and do the thing along the way. So we as a nation, as an industry, have to figure out how we shore up, which is.
Jeremy Snyder (14:55.147)
Right.
Jeremy Snyder (15:05.269)
Yeah.
Anthony Johnson (15:14.418)
One of the aspects of like building security and by design, right. Having secure and safe APIs, like having solutions that are, that, that lead themselves to be safe for the SMBs to use, cause they're not going to be able to go spend the $5 million to buy, you know, the N number of products.
Jeremy Snyder (15:17.577)
Yeah.
Jeremy Snyder (15:29.053)
Yeah.
Yeah, and I mean, this is why I think the development of managed security for SMBs is a net positive. I don't I can't speak to the effectiveness of any particular vendor in the space. But I just think the growth of that type of offering and you know, hopefully they do a good job for their customers is a is a net positive because most of those SMBs they budget take the budget question out for a second. They're not going to have the expertise, you know, to implement things. So yeah.
Anthony Johnson (15:58.798)
100%. Yeah. They're not going to, and it's really interesting. If you think back like 20, you know, 20 some years ago, if you started a company, you might have a Yahoo as your email. You might have, you know, Google, you might have Hotmail, like you'd have businesses that have all sorts of crazy email addresses. And today, if you start a company, it's going to be a Google or, or Microsoft, right?
Jeremy Snyder (16:23.519)
or Microsoft. Yep.
Anthony Johnson (16:25.666)
Um, and it, cause I think there's that been that consolidation of, of that, same, same with building a server. You're GCP Azure or AWS. Right. Um, and I think that's the security stack needs to go in the same vein to where a consumer just, I buy option one, two or three, and I'm generally pretty good.
Jeremy Snyder (16:28.512)
Yeah.
Yeah.
AWS. Yeah.
Jeremy Snyder (16:44.075)
Right.
Well, that actually leads me to the great segue to the next topic I wanted to discuss with you. Cybersecurity is a space that new threats emerge, new companies emerge to try to address those threats. And then what we tend to see is over a couple of years cycle, we'll start to see consolidation into that space. And in the last couple of years, it seems like that consolidation has started to accelerate. And I've heard arguments and counter arguments for
you know, quote unquote best in breed versus best of sweet, where, you know, the trade-offs are kind of like, I could buy one platform that incorporates all of this functionality into it, but you know, there might be one particular attack surface where it's not the best, you know, it doesn't have the best functionality because there's this other company over here that only does data security, API security, cloud security, whatever it is. And they're super, super deep expert focused only on that.
So how did you think about that kind of trade-off? And then also, how do you view the kind of like the macro trend of consolidation in the cybersecurity space from the functionality perspective?
Anthony Johnson (17:54.858)
Yeah. So, so this is always a fun topic because, um, one, this is actually as, as business leaders, this is a problem of our own design in that we are ADD and neurotic, um, like when you could have a good set of suite of products. And then when anything, you know, anything happens, everybody points to, oh my gosh, they didn't have the number one widget defense.
42. So now everyone goes chases that and they spend a bunch of money there. Right. I personally have always taken the view I'm more interested in the most integrated solution as opposed to the most innovative solution. I think innovation is brilliant and I love it. But the problem that we have and we have this in large enterprises particularly is you actually have way too many tools that you're not doing anything with. Right.
Jeremy Snyder (18:24.895)
Yep.
Jeremy Snyder (18:38.656)
Okay.
Jeremy Snyder (18:53.483)
Yeah.
Anthony Johnson (18:54.294)
You put them in, one of my favorite conversations I have with vendors is, um, you know, our customers, they're like, well, you know, how do we get the so and so head of vault management or security operations or CSO to log into the portal or our platform? And I'm like, they're not right. Like they're there. And I was actually at a dinner a few weeks ago where they were like, you know, how do we get you guys security leaders? And I asked them, I was like, when was the last time you guys logged into a vendor platform?
Jeremy Snyder (19:09.687)
That's not the right question.
Anthony Johnson (19:21.806)
And across the board, they were like, it's been years, dude. I don't do that. It's just not happening here. So we have tools that are being installed, but not actually maintained, not actively being used. They're not being used to its full suite of capabilities. So we buy things that are, hey, it solves that hole. OK, we plug this hole. We plug this hole. And then someone comes back a couple of years later, and new security leader is like, hey, consolidate this down. Like.
Jeremy Snyder (19:24.371)
Yeah, yeah.
Anthony Johnson (19:48.982)
Cause the vendors are also buying up each other, you know, expanding their capabilities and you look at one product today, it might be here and in three years it might be here. And then you have an overlap. Right. Um, and so that, that's a big thing. And the, one of the big driving factors, I'm not a Microsoft fanboy, right. But Microsoft security is bigger than what the next 20 cyber security vendors combined, right.
It's a massive entity. And I think that type of model of having one platform is going to be where things you have to go to more and more for that pure integration play.
Jeremy Snyder (20:27.635)
And do you think that's mostly a function of, we have a limited number of hours in the day, we're not going to go log into all these tools, we're only, you know, our, our waking and working hours are just going to be consumed by the alerts and events that do get triggered. And so, you know, the other tools that we bought, we just don't have the time to go back to them. Or do you think it's a function of actually attacks are getting more sophisticated and the correlation of the data is so valuable?
that that's where we actually need to be.
Anthony Johnson (20:59.522)
So I actually, maybe this might be an oversimplification, it probably is. I'm a fan of Price's Law. So Price's Law states that, you know, you can take anything, take sales. 50% of the output is provided by the square root of the number of things delivering that. So if you have a sales team of 25, 50% of the sales is actually driven by five people on your sales team, right? And...
Jeremy Snyder (21:23.936)
Okay.
Anthony Johnson (21:25.866)
Price's law holds true in general for most things. And I think it holds true for cyber where let's take a vendor or take a company that has a hundred products. There's five to 10 that actually do 50% of the, of the value protection for that organization and out of those hundred products, there's five to 10 that the security leader really knows or cares about because by name recognition of like, oh yeah, that's doing the thing. Right. Um,
Jeremy Snyder (21:29.011)
Yep. Okay.
Jeremy Snyder (21:34.825)
Yep.
Jeremy Snyder (21:38.379)
that are delivering, yeah.
Jeremy Snyder (21:50.76)
Yeah.
Jeremy Snyder (21:53.983)
Yeah, yeah, yeah.
Anthony Johnson (21:56.114)
And when we add in five, let's say 100 products, you got 10 that do 50%, that means you have 90 doing the other 50%. And it's a much smaller value add for each slice.
Jeremy Snyder (22:06.208)
Yeah.
Jeremy Snyder (22:11.699)
But then let me make the counter argument and just hear your reaction to it. It's, yeah, but look, there's so many emerging attack vectors, emerging threats, et cetera. And cyber defense is about making sure that you don't have the one slip up because the attacker just needs to get it right once. We on the defense side have to get it right all the time. So these other 50 tools or 90 tools rather in this 100, portfolio of 100.
Like they actually do provide value by being there and covering the things that you're not thinking about. Like, is there validity in that argument?
Anthony Johnson (22:46.574)
Think I, well, I think there's some validity in it, but, but look at most of the breaches, right? Most of the breaches are not this fancy sexy dance of a like, oh my gosh, how do they figure out how to get into that one thing? They were right. The one time most of the breaches are something that were a fundamental flaw, somebody did something dumb. It was a misconfiguration or something here, right?
Jeremy Snyder (22:54.453)
Yep.
Jeremy Snyder (23:13.799)
Yep, yep, yeah.
Anthony Johnson (23:16.122)
And I think my position on it would change a little more dramatically if it was like, wow, that's a pretty clever way that they did that. And I'm surprised they should have had end product to do this. Now I do think with aspects of like the reliance of two pieces, one mobile and API's like the amount of tech and data that's good, that, that we really rely on, on those two spaces. We're just not paying attention to them. Right. Like in.
Jeremy Snyder (23:41.543)
Yeah.
Anthony Johnson (23:43.89)
That's where I think you're going to see these attacks, these opportunities hit. And it's like, yeah, they, that was kind of a negligent piece. Cause I, again, prices law takes the same thing of like, how many things are actually protecting mobile, how many things are protecting API? Like, okay, well, if you don't have zero, the square root of zero, right. Like, and define whatever, whatever the calculator says.
Jeremy Snyder (23:59.035)
Yeah. Yeah, yeah. Zero. Yeah. Or maybe undefined. I'm not sure. Like, but it's been so long, right? Since BC Calculus back in high school. But that's a great point. And I did want to kind of think about that or explore that topic with you. It's like, you know, I worked in cloud security for a long time, right? And in the cloud security space, we saw breach after breach after breach.
And to your point, it was pretty much always misconfiguration, somebody did something dumb or both, right? And, but it took years for the market to kind of, let's say, wake up to that fact. And we saw dramatic acceleration in just, let's say, the amount of attention that the space received and the number of conversations that were generated about what we would have said as a security company three years later than we expected.
Anthony Johnson (24:46.593)
Yeah.
Jeremy Snyder (24:57.087)
Do you find that that's like pretty typical over, let's say over a 20 year cycle that it kind of takes a few years of things being bad before it starts to resonate?
Anthony Johnson (25:07.986)
Yeah, I think so. There's this adage that we used to use, I wanna say in like 2005, you probably remember it's the lion in the gazelle, right? People like, hey, attackers are like lions and all the companies are like gazelles, right? And you don't wanna be the head of the pack because then you're probably overspending. You don't wanna be the last because you might get grabbed. So you wanna be kind of squarely in the middle, right?
Jeremy Snyder (25:28.539)
Yeah. Right. Yeah. Yep.
Anthony Johnson (25:37.15)
Now I think that with the speed of technology and how things like that has changed, but I, I do think that there, there is an aspect of where, um, we businesses do wait to see some other gazelles fall before we're like, okay, I need to, I need to step it up a little bit more. I'm going to spend a little more calories to run a little faster because the pace we were going is no longer acceptable.
Jeremy Snyder (26:00.176)
Yeah.
Yeah. And one thing that's been interesting along those lines is, um, you know, we see however many breaches we see, but they're happening every day, right? And, you know, organizations of all sizes are getting breach. One of the more interesting observations from my own experience in the cyberspace is that it's pretty much never the company that got breached that is immediately reaching out to you to say, Hey, we got breached on attack vector X that
It's almost always competitor of organization that got breached, reaching out because to your point, they can see the other gazelle fall and think like, ah, I don't want that to be me.
Anthony Johnson (26:44.638)
Yeah, no, I think that that's true. And I think that there's a, it's an interesting conversation. This is a great question. And I've, that I like to ask security leaders. And the answer, I'll start with the answer, is that most of them feel that it is their fault or they are the bigger risk and who's they. If you ask a lot of security leaders, which is a bigger risk, actually getting hacked or the regulatory risk afterwards?
Jeremy Snyder (27:13.855)
Yeah.
Anthony Johnson (27:15.486)
It's not actually the cost of the breach of restoring operations and getting the business back, it's the fear of fines and litigation and regulate regulatory oversight that now starts to really dwarf how much a breach actually cost the company. Right.
Jeremy Snyder (27:32.699)
Yeah. And you think that's worse than the loss of customer trust and the reputational damage?
Anthony Johnson (27:40.874)
How many new credit cards did you get the last year? Like where you just got one because, hey, your company like, it's more of a, you know, like you get a new credit card because they're like, hey, your data was breached. Here's your new card, right? I think out of all of the breaches, and I do this math, like we looked at it, like I think it was a year, year and a half ago, only two companies didn't fully recover on the stock market within nine months.
Jeremy Snyder (27:54.547)
Yeah, yeah.
Jeremy Snyder (28:09.011)
Yep. Yeah. Interesting.
Anthony Johnson (28:11.658)
Right. And then exceed where they were at, at the time of the breach. Right. If target had another event, people are still going to go by those Stanley mugs. Right.
Jeremy Snyder (28:16.392)
Yeah.
Jeremy Snyder (28:20.287)
Yep.
Yeah, yeah, yeah. Yeah. But I mean, one kind of counterargument that I'm wondering about, right, is: are the fines just not big enough? Because I think, like, the reputational damage, etc. As you said, okay, great, you know, consumers get over that, they go back to shopping, they get a new credit card. Yeah, it's annoying to have to log into Netflix and update my credit card number, whatever. But I do it, right. And I just wonder if, like,
Anthony Johnson (28:45.27)
100%. Yeah.
Jeremy Snyder (28:51.723)
the regulatory fines, they just aren't that big. I'll tell you, just on the API security side, there were two very parallel companies in different geographies who both had breaches. One in the US had a breach three times larger than a company in the same space on the other side of the world, where the breach was one third the size. The fines were almost zero in the US and about, like, over 200 million outside the US.
Anthony Johnson (29:21.695)
Yeah.
Jeremy Snyder (29:21.736)
And yeah, go ahead.
Anthony Johnson (29:27.535)
I think it's interesting, when it comes to fines. I think that you see organizations, because again, you can look back and be like, well, you guys should have done that and you should have done this, right? And so you end up with organizations being fined that at the time probably made a realistic or reasonable business decision, right?
Jeremy Snyder (29:36.628)
Yep, yep, yep.
Jeremy Snyder (29:48.183)
Okay, in terms of what they were willing to invest relative to the risk. Yeah.
Anthony Johnson (29:52.53)
Exactly, right? And it's hard to Monday morning quarterback: hey, should we have not built that new plant and instead bought these types of things? Especially when so many of these threat actors are moonlighting at night, foreign state agents who have a clearance to go attack US business interests. So really the question becomes, like, how deep down the rabbit hole of victim blaming do we go?
Jeremy Snyder (30:13.172)
Yep.
Anthony Johnson (30:22.646)
Because if I get mugged or my house gets broken into, and then I get fined because I didn't lock my door on the Sunday afternoon, like, ah. Now it might be different if I didn't have locks and I didn't have a door, and then they're like, listen, you lost all your stuff because you didn't have doors and it was the middle of whatever, right? I think there's a difference there.
Jeremy Snyder (30:32.177)
Yeah.
Jeremy Snyder (30:37.435)
Yeah.
Jeremy Snyder (30:43.099)
Yeah, yeah, yeah. But no, I understand that difference. But I would also say that there's a difference on the perpetrator side, right? Because, like, on the perpetrator side, it's the job of your local police department to, you know, potentially track down that thief and try to help you recover the stuff. And there are laws that specifically ban what they're doing. Cyberspace is not regulated that same way. Most of the perpetrators are overseas. And, you know, you don't have a law enforcement authority
that is even credentialed or has the mandate to defend organizations. And this is, like, the one thing where I see a very different view.
Anthony Johnson (31:20.362)
It is, dude. I actually haven't been able to use this analogy in a while, which is one of my favorites, right? So in the US particularly, we are not responsible for our own security. We pay taxes, we have police, except when it comes to cybersecurity, right? It's like, ah, when it comes to cybersecurity, you're on your own, right? And...
Jeremy Snyder (31:36.767)
Yeah, yep, yep.
Jeremy Snyder (31:43.103)
You're on your own. Yeah.
Anthony Johnson (31:46.57)
The way I use this as a model, and I have an entire rubric made out, I call it Joey, Joe, Joseph and Yosef. Okay. Joey is the equivalent of a 12-year-old kid who Googled some stuff on YouTube and figured out how to hack your company. If you get beat up by a Joey, you get hacked by a Joey, you are negligent. Done. End of story. Joe is a 19, 20-year-old kid, college kid, some savviness, right?
Jeremy Snyder (31:53.003)
Okay.
Jeremy Snyder (32:00.107)
Okay.
Anthony Johnson (32:13.034)
You get hit by a Joe, like, you have a big corporate enterprise. You should be able to defend against a Joe. Joseph is going to be your 35, 40-year-old sysadmin who's been in your company for a while. Man, that's super tough. Right. Because he knows your stuff. And Yosef is a nation state threat actor. We shouldn't be punishing organizations for getting hacked by a Yosef. Right. It's tough to punish a company who got hacked by a Joseph,
Jeremy Snyder (32:34.864)
Yeah.
Anthony Johnson (32:40.63)
by somebody who built the tech and worked there and understands the processes and has that backdoor key. But it's the other ones where you're like, I could see fines, especially a Joey, right?
Jeremy Snyder (32:49.719)
Come on. Yeah. Yeah, that's a great analogy. I really like it. Do you have this rubric published online anywhere?
Anthony Johnson (33:01.05)
I think I published it a few years ago. I'll dig it up and send it over to you, but yeah.
Jeremy Snyder (33:04.015)
Okay, awesome. Well, anyway, we'll have the video clip of this that we'll make available on LinkedIn or something for you. But I think that's a great analogy. Anthony, you know, just a couple final thoughts to wrap up here. How do you feel about cybersecurity in 2024 going forward? Do you feel like we are as an industry making progress, backsliding, facing a kind of a moment of real tension and kind of coming to grips
Anthony Johnson (33:07.979)
Yes.
Jeremy Snyder (33:30.815)
with the reality of the current situation? Like what's your overall emotional feeling about the space right now?
Anthony Johnson (33:39.37)
Um, so without getting into the whole AI world conversation too much, I think that there's a lot of new technology advances and expansions that are happening that security leaders aren't actively getting educated on. Um,
Jeremy Snyder (33:45.241)
Yeah.
Anthony Johnson (33:57.57)
There's the growth rate of some of the innovations that are happening, how businesses are gonna change dramatically. And I think a lot of security leaders are resting on the laurels of, oh, I've been in tech for 30 years, I've seen it. Not realizing, like, well, the world is about to potentially really, really shift here. I think that you are seeing new security leaders ask tough questions of vendors, like, hey,
Jeremy Snyder (34:09.919)
Yeah.
Jeremy Snyder (34:15.286)
Yeah.
Anthony Johnson (34:23.338)
Are you guys going to be here? Like, what does this look like? What's your path to success? Right. Um, because I think they're re-challenging this notion of the free-flowing investment cycle that's happened for the last five, six years. Um, and so I think those are fair, which makes it opportunistic for organizations like the large platform players to come in and be like, trust us, we've been here forever, we're going to be here forever longer. Right. Um, so I think that security leaders do need to, um, you know, get
Jeremy Snyder (34:25.203)
Yeah.
Jeremy Snyder (34:35.797)
Yeah.
Jeremy Snyder (34:45.951)
Yep, yep. Yeah, yeah.
Anthony Johnson (34:52.606)
more engaged with vendors, especially startup organizations, to understand, like, hey, what are you guys actually seeing? Like, how should we think about this? Because the problems that need to be solved are not the same ones we've had to solve.
Jeremy Snyder (34:58.279)
Yeah.
Jeremy Snyder (35:04.583)
Yeah, and I mean, this is such a great point. And obviously I feel strongly about this as somebody who's created a company to try to go address an emerging risk. You mentioned earlier mobile, API, and those are just two of them, but there's 10, 20, 30 emerging threats that people aren't necessarily getting educated on.
Anthony Johnson (35:23.97)
It's fascinating, right? Especially when you talk to somebody and you start to talk about API security, and then you realize they don't actually understand the conversation. And you're like, oh, okay. How do I educate you without insulting you? But you've got to get there together, because this is so critical to the future of industry, your company, our country.
Jeremy Snyder (35:35.361)
Yeah.
Jeremy Snyder (35:41.331)
Yeah, yeah.
Jeremy Snyder (35:47.623)
Yeah. Awesome. Well, we're pretty much out of time. And I think that's a great place to leave today's conversation. We will definitely have to pick up another thread another time. Anthony, I always learn so much from talking to you. Thank you so much for taking the time to join us on the podcast today.
Anthony Johnson (36:03.798)
Well, thank you. I really appreciate it. It's always a pleasure.
Jeremy Snyder (36:06.831)
Awesome. And for people who want to find out more about Anthony and the work that they're doing over at Delve Risk, it's just delverisk.com, D E L V E risk.com. You can also find Anthony on LinkedIn. He is one of the most prolific.
Anthony Johnson (36:24.053)
I appreciate that.
Anthony Johnson (36:28.098)
Thanks, Jeremy.