In this episode of Modern Cyber, host Jeremy Snyder sits down with Christine Bejerasco, Chief Information Security Officer at WithSecure, to dive deep into the world of exposure management, cybersecurity, and the implications of regulatory frameworks like NIS 2. With insights spanning multiple parts, this conversation covers everything from the importance of asset inventory and third-party risk management to the potential impact of new directives on organizational security postures.
Join Jeremy and Christine as they explore the evolving landscape of cybersecurity, sharing valuable perspectives and practical advice for businesses looking to navigate the complexities of modern security challenges. Whether you're a seasoned cybersecurity professional or just starting out in the field, this episode offers valuable insights and actionable strategies to help you stay ahead in today's cyber-threat landscape. Don't miss out on this engaging discussion packed with expert insights and real-world examples. Tune in now to gain a deeper understanding of exposure management, regulatory compliance, and the future of cybersecurity in the digital age.
About Christine Bejerasco
Christine is the Chief Information Security Officer at WithSecure and a member of the Forbes Technology Council. She previously served as CTO at WithSecure and she has more than 20 years in the cybersecurity industry. Coming from a technical malware/threat-analysis background, Christine has always remained 'hands-on' in cybersecurity. She's seen the threat landscape evolve and she has worked as a researcher and a leader of diverse global teams with really varied backgrounds.
Christine Bejerasco LinkedIn - https://www.linkedin.com/in/christinebejerasco/
WithSecure Website - https://www.withsecure.com/en/home
Why 2024 Will Be The Year Of Exposure Management by Christine Bejerasco for Forbes - https://www.forbes.com/sites/forbestechcouncil/2024/02/13/why-2024-will-be-the-year-of-exposure-management/
About Jeremy Snyder
Jeremy is founder and CEO at FireTail, an end-to-end API security platform that offers the inline, real-time, application-layer data needed to deliver true API security. Prevent breaches and protect your APIs from code to cloud with FireTail.
0:08
hello and welcome back to another episode of the Modern Cyber podcast I am thrilled to be joined by somebody that
0:14
I've had the pleasure of interviewing before in the past and it was so much fun that I had to ask her back on and
0:19
she was gracious enough to take the time to join us today and we've got a great conversation teed up on something that
0:26
we're going to get into in just a minute that I think is a pet topic of hers where she's got a strong opinion I had a
0:32
reaction to it and that's really more than anything what led me to invite Christine Bejerasco to join us again
0:39
Christine is the Chief Information Security Officer at WithSecure she previously had become the chief
0:44
technology officer of WithSecure and she's got more than 20 years in the cyber security industry starting during
0:50
the era of network worms I myself also started during that time frame I uh had
0:56
my share of worms my share of Melissa and ILOVEYOU viruses and all of the terribleness that went along with it but
1:02
Christine has stayed really hands-on in this cyber security profession she's seen the threat landscape evolve with
1:09
the technology evolution that's gone on she's worked as a hands-on researcher she's worked as a leader of diverse
1:16
global teams with really varied backgrounds and I think because of all of that experience she's got a really
1:22
unique perspective on everything that she's seen she is a regular speaker at events and conferences on cyber security
1:28
topics and I am Ed to welcome her to the podcast Christine thank you so much for joining us today thank you for having me
1:35
Jeremy awesome now the topic that I kind of teased in the intro that I had a
1:42
strong reaction to when I read your recent essay about it is exposure management so before we get into it
1:48
let's just hear from your side what is exposure management and then I guess you know follow-up question why is it an
1:55
important concept in today's cyber landscape well exposure management um
2:00
could really be defined into many things but from my perspective it is all about
2:06
managing and ensuring that the potential entry points and the touch points from
2:12
your estate where threat actors especially coming from externals are
2:18
able to infiltrate and get into your assets are then controlled are managed
2:23
and as much as possible the risks behind it are mitigated now I believe this is
2:29
quite important and and um to be honest the the time for doing this for getting
2:36
into this uh type of cyber security measures is actually already right like
2:42
at the moment or maybe sometimes even already overdue because if you if you look back at the past 20 years um the
2:50
evolution of different technologies the exponential growth of different technologies that we have we have been
2:56
so good like different organizations and even individuals have been so good at
3:01
adopting new technologies but have been so bad at deprecating old ones now
3:07
because of that we just pile up new technologies on top of the older ones
3:12
and the complexity and the attack surface that we have has exploded and if if you think about what
3:19
are the measures that we have to make sure that this attack surface is managed maybe we have vulnerability management
3:26
and the bigger your attack surface is the more software you have or hardware that you have to manage Yeah
3:33
the more vulnerabilities you have listed there and the way that we measure or score those vulnerabilities may not
3:39
exactly be very helpful or actionable for organizations so from an exposure
3:45
management perspective would you say that if if I look at vulnerability
3:50
management and this is exactly where I had kind of the reaction that I had to what I wrote and and by the way my
3:56
reaction was yes you're right it's overdue why aren't more organizations
4:01
thinking about their risks in this way because like to go on a slight tangent
4:06
for a second vulnerability management is something that has been around for 20 years as an overall let's say cyber
4:12
strategy and for those who aren't really familiar what it refers to is like hey I've got my Mac operating system here
4:17
and on that um on my Mac uh my MacBook Air I've got a thousand pieces of
4:23
software installed and of those thousand pieces of software 500 of them have known vulnerabilities but the customer
4:31
experience around vulnerability management has tended to be quite poor because most customers are going to get
4:37
end up with a list of vulnerabilities that is yes you know thousands of sheets of paper long
4:44
but they only really care about those vulnerabilities that are kind of that are exposed yes the problem that I that
4:51
I I've seen customers Express around that is it's very hard to understand which vulnerabilities are exposed and
4:57
which are not so how how do you think about you know when you when you go talk to a customer or you think about
5:04
internally how do you think about drawing that line and figuring out what's exposed what's not exposed is
5:09
this a a question of inventory is this a question of like attack surface mapping how do you approach that
5:16
problem it's it's funny that you mentioned inventory and attack surface mapping because they need to be both
5:22
part of that okay um okay for example if you if you imagine an estate and it has
5:27
externally exposed points but if we talk about what is the attack path towards an
5:34
asset within the organization that you are really protecting does it have an attack path from that externally exposed
5:40
asset going towards um yeah the asset that you're trying to protect if it does
5:47
then perhaps these are the different points in the attack paths that have vulnerabilities those are the ones that
5:53
need to be prioritized first and this would need to bubble up into the
6:00
priority list if you may of the exposure management software that these are the areas that you actually need to focus
6:06
first and for example if we even add information let's say um the the known
6:13
exp the the known exploited vulnerabilities from CISA for instance if you add that information even to
6:21
these individual vulnerabilities that you may find along the path then you have something that is irrefutable like
6:27
within the organization that as the CISO or as the head of security operations you can just say like hey patch this
6:34
because if you see this very clear attack path and if you see that this has already been exploited it's just a
6:40
matter of time before this will happen and if we if we compare that like you
6:45
you mentioned about the old vulnerability management methods if we compare that for example with CVSS
6:51
scoring and you have this separate uh different systems that are in there one
6:57
may have very high score but it could be a system that is also unreachable from
7:03
um an externally exposed attack surface that is something that perhaps shouldn't be as high as priority as the other one
7:11
that has a very clear attack path going towards it yeah yeah but along those
7:16
lines I guess one of the first questions I have is do you first of all do you think that a lot of people understand
7:22
what an attack path is like I know it relatively well from the time that I spent in cloud security because it was a
7:28
common concept and we looked at let say like the interconnectivity between resources you've got a an EC2 with an
7:35
exposed web application and by the way the EC2 instance has an IAM role that gives you access to an S3 bucket or an
7:41
RDS database like this was a common scenario in cloud security and something that we talked about regularly but I'm
7:47
not sure that outside of the cloud security domain it's widely understood may maybe even outside of the
7:53
cyber security domain it's not widely understood and you have a good point maybe this is also one of the areas
7:59
where we need to educate people what does it mean but if we if we look at it from an IT perspective an attack path is
8:06
really just let's say like an access path that that one asset or one area of
8:13
your estate can be accessed uh via this U via this particular asset and if you
8:20
chain them together if you chain the assets that can access each other that would compose a path and that path can
8:27
also be translated into an attack path because that's also the same path that the attacker would go through in order
8:34
to get through the innermost assets of the organization so kind of a follow-up
8:41
question along the lines of the vulnerability management aspect of this and because vulnerability management is
8:46
not all of it right because you know you've also got things like let's say um least privilege uh principles around you
8:54
know maybe a particular server could get compromised and then a service account
8:59
uh running on that server could be used to connect to another system but if there's least privilege uh principles
9:06
applied to that service account you know that somewhat reduces the attack path or at least the blast radius of the data
9:12
you know unfortunately far too often we see service accounts very widely provisioned often with admin rights like
9:19
you know you often often like 90% in my experience often but fair enough like
9:26
you know vulnerability management is not all of it one of my questions for you is
9:31
like as you think about the vulnerability management piece of exposure management how how do you think
9:39
about automated patching in you know in modern you know 2024 plus 2024 and
9:45
Beyond because historically I know there's been this kind of argument that like well well two arguments one is that
9:51
vulnerability management is the domain of cyber security patching is the domain of IT so so that's one thing and second
9:58
is um I can't do automated patching because I might break production and so
10:03
like I'm curious your your thinking around that in the modern landscape that
10:10
we're in either or both points um I would say that uh this
10:16
really is not um sort of like a technical thing rather than a comfort thing for different organizations so for
10:24
example we may have organizations um let's say like the in the financial sector
10:30
who whenever I have had discussions with them and have encountered um them most of the time they would really want to
10:36
have full control over the patching experience but these are also the organizations who have enough resources
10:44
to handle all of these different patchings and um they are also the ones
10:49
who can really deploy and properly properly do the the patches in a priority order that's necessary they are
10:56
the ones who have the right kind of tooling etc. because they do have have bigger budgets now the challenge is when
11:03
organizations who may not have a bigger security team or um even like enough
11:09
security team or even IT team to perform these patches would subscribe to the
11:15
same methodology that they would say that they would want to be in control what happens in the end is that we get a
11:22
pile of these different vulnerabilities and patches that are never applied so I
11:28
would say that um they would need to Define it on a per asset level and um it
11:34
needs to be a journey for them as well because I don't believe that it can be binary since like as people they would
11:40
really be very uncomfortable to switch this to just like fully patch but I also
11:46
don't believe that it is sustainable for these organizations to just rely purely
11:51
on like manual patching manual patch so they they would need to work like for instance a lot of them may be working
11:57
with managed service providers who may be helping them perform this patching they need to have the right kind of
12:02
agreements that okay what kind of measures then um can they do where are the areas where they are pre-authorized
12:10
to already perform these things what are the issues and if there are there's a need to call someone is if some
12:15
something fails then they would do that but I don't think it's sustainable if we keep on piling up new technologies and
12:22
then we think we can still manually patch every problem I mean we are already leaning towards exposure
12:28
management to know how to prioritize the problems and then if you do all of this
12:33
manually it's still gonna pile up so um we need to change as well our comfort
12:38
levels when it comes to automated patching along those lines I mean if I'm a
12:44
if I'm a customer today and assuming I'm not let's say a bank or an airline that runs a mainframe at the back end and I
12:51
ask you hey what's your recommendation should I just turn on automated patching
12:56
everywhere would you say yes no still it kind of depends go down that go along that journey I would say let's say my
13:03
comfort level is there like I tell you explicitly up front that's my proviso I tell you explicitly up front
13:09
if you tell me yes I should automatically patch I'll turn it on I would I would ask you if you know your
13:15
assets um if you have a proper asset inventory and you know the criticality of your individual assets because there
13:21
may be one or two um assets in there that you would really want to be full control of and that's okay because like
13:29
if that's if it's two over 100 and for the 98 of those you can do automated
13:35
patching and for these two remaining ones that's the time that you want to spend your time manually patching it
13:41
then you have just reduced the work like 98% yeah so I I wouldn't I won't
13:46
wouldn't also go like blanket tell you go 100% but if you have a proper inventory and like listing of the
13:53
criticality of your asset then I think you would be much better to make an informed decision which
14:00
one that that makes total sense I was earlier today over lunch I was chatting with somebody about Log4j and how
14:08
easy or difficult it was for various organizations to kind of manage that and
14:13
the point that you just made around understanding the asset inventory not just let's say the hardware or the
14:19
virtual machine asset inventory but the software asset inventory is is is I
14:25
think actually more critical than your hardware inventory because like you know we mostly live in a software-defined
14:31
world even if you're running your own data center chances are you're running some kind of hypervisor um and you're
14:36
not doing you know bare metal physical hosts at this point you know so
14:43
uh but we were going through kind of a a case study on Log4j patching and the
14:49
first thing that was said was we had access to all of our code repos for all of the software that we produce and we
14:55
were able to search those code repos for every instance of Log4j and for the version of Log4j that was deployed in
15:02
every environment and you know they used that as the basis for rolling out an
15:08
automated patching process of a new version of Log4j that contained the fix for that vulnerability Log4Shell
15:15
and they were able to get you know something like 80% of their estate patched in less than 12 hours now this
15:22
is a super sophisticated like very technically advanced organization I don't expect everybody to be able to
15:27
have that but exactly what you said they had that asset inventory or they had access to data that gave them that asset
15:34
inventory and then they were able to act upon it I'm curious when you think about other as um aspects of the exposure
15:42
management chain so we think about you know we've talked about vulnerability management a bit we've talked a little
15:47
bit about let's say the external exposure we've talked a little bit about um principles of least privilege for
15:53
identity uh resources that kind of connect various things what are some of the other let's say hot button areas
15:59
that you need to think about in this like what are other big points of exposure for people to think about the
16:06
there's one thing that um perhaps is not really very much covered by um current
16:11
exposure management organizations and this is third-party exposure so think
16:18
about it a lot of the um a lot of the software that we may use today could be software as a service and one
16:25
organization could have hundreds of this uh different software as a service um
16:31
uh sort of like assets that they utilize within their organization and they are
16:36
on different they may be on different levels of criticality because for instance you may have a CRM with customer data which like would really
16:43
good protection super sensitive yeah yeah exactly and um for example you may have worked as an ERP etc. but you may
16:50
also have something which just has data that not really that sensitive so the
16:56
the question then becomes is that uh um the management of this third party risk
17:01
um what what type of third-party organizations are our organizations in
17:07
bed with um they have the same level of
17:12
uh for instance security posture as us or is it so that we end up reducing our security posture if we put in our
17:18
sensitive information in their state because the moment they get they get breached sorry that's also exposure for
17:26
us essentially so this is one area that is not really
17:33
completely um in control and I I dare say it would never be in control but it it sort of needs to be managed as well
17:40
by the organization who is doing business with this third-party
17:45
organizations yeah but I mean to a large extent it kind of goes back to what you said earlier it's understanding the
17:51
assets and in this case we're talking probably about data assets and and you know maybe like that third party
17:57
relationship and and potentially something like single sign-on that you use to um to authenticate and log on to
18:04
that third party service that would be a piece of the um exposure linking or that kind of attack path um from let's say
18:11
like my phished email account um into Workday or into Salesforce or whatever
18:16
that CRM system is so you've got to understand what are those third-party systems what are the data sets there
18:23
what's the connective tissue that could lead from either from there into you
18:28
know into the organization or from breached Jeremy into that data set um
18:35
yeah exactly and um like even beyond that if we go further for example if
18:40
this organization this third party organization may be breached and your data is impacted do they have an
18:46
obligation to inform you or would it be so that I will just be surprised that um
18:52
the cyber criminal has already been informing me that hey I have your data and then you can pay this much Bitcoin for
18:59
a ransom so I I mean I I would I would really love to sort of like get our
19:05
digital plane like into into um a mode where when it comes
19:11
to third-party risk when it comes to like how we deal with our vendors and how they deal with us that there there
19:18
is sort of this this obligation that even contractually we can even put in place that whenever there's there's an
19:24
incident let's work together whenever there's an incident let me inform you so that I can already manage my
19:31
potential exposure whether that's a PR exposure um later on I can prepare
19:36
before it even potentially goes out and um of course like when you don't have um
19:43
a relationship anymore with a vendor let's say uh post-offboarding what happens with my data um what are the
19:49
data retention requirements um that could also be potentially a liability for my organization if that's not
19:57
properly handled and deleted so those are some of the things that um
20:03
honestly keeps me up at night occasionally yeah like I I wonder about that because there's a lot in in what
20:09
you said there's a lot of things that are kind of implied that I think like a lot of people don't think about and you
20:15
know we as as IT professionals and especially as like cyber professionals
20:21
we probably have like a disaster recovery plan maybe a business continuity plan you know for you on the
20:27
on the security practitioner side I'm sure you have incident response plans for various things you know in case of X
20:34
do y but you then have to think about involving those third-party vendors as
20:40
part of your incident response and you you probably need playbooks in response to oh crap Workday got breached what's
20:49
the you know what's the blast radius oh it's my internal employees and contractors and here's the data that's likely to be exposed etc. along the same
20:57
lines of course like it it comes to mind that all of my contractors who are doing
21:03
let's say work for hire you know whether that's a managed service provider that might be helping me to manage my IT or
21:09
whether that's let's say an outsourced marketing agency or an outsourced R&D agency that might be writing code on
21:15
various projects for me like these are also third-party relationships where I probably need to understand them as an
21:23
asset understand the data that they do and don't have yes and and also kind of factor them into an incident response
21:30
plan and into my overall kind of sense of exposure right yeah absolutely and
21:35
it also gets trickier so not to make it more complex but it is quite complex so
21:41
for example your third parties have their third parties so your fourth parties for instance and um is it so
21:47
that they have subcontractors who also have access to your data um how have they exposed it to you or do you even
21:54
know about those yeah would be some something that it would be really good to understand because even if your third
22:02
parties may have a really good security posture if they have third parties which
22:07
don't have that good a security posture and have access to your data so that could be the the link in the chain that
22:14
could be breached I'm curious in your experience because my understanding is that with
22:20
GDPR if I'm working with a third-party vendor and they have data of mine that
22:26
is in scope for GDPR they have to inform me about data transfers to any third
22:32
parties right they should yes okay so and and this covers the information that
22:38
is in scope of the GDPR um okay of course for instance if we're talking about uh information that is not
22:46
personal it's not private yeah marketing data who cares right but yeah but uh for
22:51
instance like it could be um information related to the organization on intellectual property that then wouldn't
22:57
be wouldn't be covered uh with the GDPR and in your experience do you think that
23:03
most of these third-party contractors understand that and are doing a good enough job of keeping their customers
23:08
informed about third-party data transfers well most of unfortunately
23:15
most of the time no because I it's quite rare that this truly happens but with
23:22
organizations that um they have for instance like with GDPR they have a proper presence in Europe and um they
23:29
have people they have like uh DPOs uh they like data privacy officers and they
23:35
they have people who are really looking into this as their day job of course they are more conscious and we get more
23:42
communication coming from those organizations but we don't always work with organizations of that size or um
23:50
with that much resources as well and I also don't think that we should like lean towards just favoring organizations
23:57
of that size and reach otherwise we will have problems in economic market
24:03
dynamics as well so yeah and we limit the capabilities that might be able to leverage yeah yeah so um we also hinder
24:10
innovation um especially with like more agile newer companies but at times like
24:17
it is challenging to to work with regulations but you you also you can also see the value of regulations when
24:24
it comes to really enforcing these things and keeping people's data private and a little bit more
24:30
secure yeah and it's interesting because like on you know I haven't lived in Europe since 2008 personally I am
24:37
subject to GDPR both in the sense of being a European citizen but also in the sense that we FireTail we have offices
24:44
in Ireland and Finland and you know we run the company on a kind of global GDPR
24:49
standard and I've seen some American companies adopt that as an approach as well if they realize hey we're going to
24:56
have to spend all this effort to bring ourselves to GDPR compliance anyway because of a strong business presence in
25:02
Europe let's just make that our global standard at the same time the
25:07
initial energy and momentum that there was around creating consumer privacy in
25:12
the US has kind of died you know there's California and then Virginia and a couple of other states that have
25:18
implemented things but what I have seen in the US to your point is is two things
25:24
one is HIPAA created this thing called a business associate agreement BAA this is
25:29
for healthcare data in the US and it kind of created this daisy chaining effect of like anybody that I share
25:36
HIPAA regulated data or you know data in scope for HIPAA has to sign up to the same set of requirements and recently
25:43
what we've seen is basically an inheritance of SOC 2 and so you know if you want to serve larger customers you
25:51
pretty much have to have a SOC 2 certification at this point and you may or may not even be processing data
25:57
that's sensitive at all but you know it it seems like there's a lot of kind of
26:02
risk management around I'm only going to work with vendors who meet that minimum security requirement I'm curious like is
26:10
this a good thing is this a bad thing like what's your gut reaction to be
26:15
honest I think it's a it's a very good thing because if I if I look back at the past 20 years as well before this
26:21
these regulations and before these requirements came into play um there is
26:26
it's sort of like a laissez-faire attitude that um we can we can pretty much do uh what's necessary what we
26:34
believe we can do um it's a very feature oriented world move fast break things push it out yeah yeah and um and we we
26:43
got a lot of technologies out there but it also became part of the problem and even though cyber security and different
26:49
cyber security organizations have been preaching at the pulpit about you need to secure these things because there are
26:55
cyber criminals doing this and doing that and there there's still this feeling from different organizations
27:01
that maybe they can escape the cyber crime and maybe they're immune I mean of course those who were hit eventually had
27:08
better security posture than the others but then regulations came and when when
27:14
regulations came into play I mean people of course they weren't very happy at the beginning but now they need to play on a
27:21
whole new level and it it elevated um like it tried to pull everyone onto a
27:28
minimum level where you can really secure the data of your customers for
27:34
example in the case of GDPR and um even with other regulations uh when it comes
27:40
to security and even now with DORA actually like this is going to be for the financial sector but hey how many
27:45
organizations serve the financial sector they would need to then make sure that they can serve their customers and keep
27:52
them compliant and um and this is actually very good for for everyone who
27:59
has their data their information into these different organizations who now have to operate on this new level
28:06
otherwise it would be that okay you you're unsure which organization can
28:12
protect your data you're unsure like who can and as a consumer then all of the
28:18
research like the burden of understanding that and the burden of risk management falls to you as opposed
28:25
to just these organizations being responsible for security and privacy in the first place yeah yeah it's it's a
28:32
really interesting point because like you know one of the one of the core things about cyber security is it's
28:39
fundamentally an exercise in risk management and part of risk management is risk understanding which kind of goes
28:45
back to one of the very first things that you said today which is you know you have to have visibility and
28:51
understand where your risks are so that's what is that exposure what is that chain of connections that leads to
28:57
the data set or the application or whatever the bad actor is after and part
29:02
of risk management is being informed to know how to choose which vendors you can
29:08
reliably trust which ones you can work with or if you have a particular need with a vendor who may not be up to your
29:14
cyber security standards what are the things that you might do as mitigations or controls to kind of manage that
29:21
relationship and manage that data flow I think that's a really it's a really kind of evolved way
29:27
of thinking about understanding and quantifying that risk and and kind of prioritizing it
29:34
relative to the business needs and like is that part of the goal with the with the concept of exposure management is to
29:41
kind of make that balance or make that assessment between cyber security
29:46
needs and business needs or is it more like hey this we're just going to do much more effective cyber security with
29:51
exposure management approaches I think it's a good link um like at the moment
29:56
when people think about exposure management, or the way different organizations have designed it,
30:03
there may not be a very explicit definition that, okay, these are the
30:09
business outcomes that you're aiming for. But it's easier to link the business outcomes to the different assets that
30:15
you may be protecting. So for example, if people would understand what is the
30:22
business strategy over the next three to five years, where the business is heading towards, and then what are the risks that
30:30
are behind those business outcomes, it's easier to see where are the assets that
30:35
those risks are actually tied to, and perhaps these are the assets that you need to be more mindful of. You can level
30:42
them with higher criticality so that whenever they get into your exposure
30:48
management portal and you take a look, okay, every time they are impacted, even if it's a vulnerability
30:55
that is not very high in the CVSS score, I know that I would need to manage this
31:01
because this is a major part of our business goals, our business plans. So
31:06
this can help people elevate their thinking a little bit more towards the business
31:12
outcomes. And of course, if there's an organization who would like to link the business outcomes directly in
31:18
their exposure management portal, so to speak, however that may look, it would be very much easier for the
31:25
security teams to also understand, not just to think every day about what are the technical measures they can do, but
31:32
also think of how they are contributing towards the business with the different
31:38
assets that they are protecting and doing. Yeah, awesome. We've only got a
31:43
couple minutes, and I have one other question on a separate but related cybersecurity topic that I
31:49
did want to bring up with you. I know recently in Europe there's this new NIS 2 directive or standard or
31:57
whatever you want to call it. You, as a chief information security officer, must have had a chance to
32:02
look at this and kind of understand at a high level what it's trying to establish. One of the questions I ask
32:08
whenever I hear about new standards evolving, and we recently had a conversation with a guest from
32:13
Australia talking about their update to the Essential Eight that's put out by the Australian Signals Directorate, what do
32:20
you think is the goal? Because there's a thousand standards and compliance and regulatory frameworks and so on. What do
32:26
you think is the main goal and benefit of this new NIS 2? Well, how I see it, the main
32:34
goal really is to help elevate the security posture of different
32:39
organizations, especially the larger ones who can potentially afford it, to a different level, because the scope
32:46
has expanded. For instance, information security providers are now part of the scope; the scope was
32:52
smaller previously. A wider area of the public sector as well is part of the scope, and organizations beyond a certain
32:59
size. Now the good thing, so there are good and tough things maybe with
33:06
this. So the good thing is that if an organization for instance already has ISO 27001, because we also took a look at
33:15
it and then realized that, hey, a lot of this is actually already covered
33:22
if you have ISO 27001 certification, which is a really good thing. If you already have it then you take a look
33:28
at what's missing, and maybe those are the areas that you can then help elevate.
33:34
I mentioned a little bit about third parties earlier, but the one good thing about this as well is that it
33:41
requires that organizations do due diligence for their third parties such
33:47
that they don't actually reduce their security posture, but they work with third parties who help elevate their
33:54
security posture, and that's a really good thing. But there are painful points. I mean,
34:00
one particular thing that we're not 100% sure how this has
34:08
been defined is the reporting of material incidents or significant
34:16
incidents, and there's this time limit, like first 24 hours and then all the way
34:21
to one month. And how do you define what is a material incident?
34:28
When is the starting point of computation of 24 hours? Is it when you detect something or when you validated
34:34
something? So there are still questions like this of which we are sort
34:39
of uncertain what does that really mean, and of course feedback. We're also engaged in conversations, for
34:46
instance, that could give some feedback to Brussels. And then one more pain point
34:51
is that this is a directive, therefore the different countries in the EU will
34:57
have their own transpositions. So if you operate in every single one or even
35:03
a few of these countries, one can hope that the transposition wouldn't actually
35:09
be very different in every country, so that would remain to be seen,
35:16
because, exactly, that would really be the biggest pain if they
35:22
are so varied. But of course the bare minimum would be the
35:28
main list; that would be, if that would just be sort of taken in
35:34
to the different countries as a bare minimum, then I think that would make it easier. Yes, but
35:41
let's see, yeah, let's see what happens. So early days. I'm sure
35:47
customers are kind of starting to look at it now, but probably
35:52
not something that a lot of organizations would have gone through an audit on or gone through a certification
35:58
or a compliance check around. Not yet, especially since not every
36:03
country's transposition is actually ready. Okay. For example, in
36:09
Finland we managed to give feedback to the Finnish transposition, and then hopefully they get a
36:16
new version after that that we can also take a look at. But we have October, when this will be
36:22
in force. So even with things not yet finalized, looking at the main NIS 2
36:28
for the whole of the EU, at least that would be the basis of where we need to start, and that is already ready, so that
36:36
is becoming our basis as well today. Well, I guess I'll ask one of the other kind of questions that I asked
36:41
earlier around, let's say, the inheritance of SOC 2. Assuming that the transpositions are not just wildly all
36:49
over the place, I hope this is also a net positive, right? I mean, this should improve the security posture of these
36:55
organizations. Yeah, absolutely. And I guess the consideration, the beauty
37:01
of this is that it's a little bit considerate to smaller organizations. Even the Finnish transposition was
37:08
actually putting in some euro values in there, how much it would potentially cost if you do this, each. Okay. But
37:15
as I mentioned, if the organization already has ISO 27001 then the cost of
37:20
bridging the gap is actually not that much anymore, unless of course somebody
37:26
goes crazy with a transposition, then different story. Yeah, yeah. Well, fingers
37:32
crossed, let's hope that the transpositions end up being logical and well reasoned and actually help
37:38
make the situation better. Yes. And I think, Christine, with that I think we're going to have to leave it there. We're pretty much out of time for today.
37:45
I want to thank you again for taking the time to join us on the Modern Cyber podcast and for sharing your thoughts on
37:50
both NIS 2 and exposure management, which I really do support as a concept, and
37:56
obviously for people who want more information, please have a listen to this episode, have a read of Christine's post
38:02
about it. I think it's easily found on Forbes, is I think where I ran across it, so you can just Google Christine
38:07
Bejerasco. I'm pretty sure if you just Google Christine exposure management Forbes you're going to come up with the article, so
38:13
it shouldn't be too hard to find, but we'll try to link it from the show notes as well. Thanks again for taking the time.
38:18
Thanks for listening to the episode, everybody. We'll talk to you next time. Thank you, Jeremy. Thank you,
38:24
everyone. Bye bye.