Transcript
I'm your host, Joe Robertson, and cybersecurity is exactly what this show is about, but we don't talk technology, at least we don't talk much about the technology. What we want to talk about here is the business implication of cybersecurity, and that is for decision makers, executives, and board members whose roles may be impacted by cyber attacks. In other words, just about everyone. As for me, I'm an executive consultant helping top managers navigate the intersection between business needs and security requirements. Now we call the program Brass Tacks because the expression "getting down to brass tacks" means getting to the core of the subject, the important points. So let's get down to Brass Tacks. Today's guest is Daniele Mancini, Field CISO at Fortinet Europe. Daniele, welcome to Brass Tacks. Let's talk cybersecurity. Thank you, Joe. Now I want to start by just pointing out that not only are you a member of the Fortinet team, but in the past you have actually been a CISO at various global companies, so you've seen the environment from both sides. And I think that what's important in Brass Tacks is to talk to non-technical executives. When you talk to non-technical executives, how do you discuss the implications of cybersecurity? How do you do it now on the vendor side, but how did you do it in the past when you were part of the organization itself? The discussion usually doesn't start from the technology, but the discussion starts from the business strategy and the vision of the company. And what I've been seeing also in my current role, I would generalize that we drive the discussion to understand how some business drivers are influencing the strategy results, strategy execution specifically. And if I want to generalize, I would say that we usually discuss three important drivers. The first one is how we manage data. So the implication on data these days is largely important because we are recording an increase in data volumes. There's so much more data.
Yeah, because basically we are connecting more stuff. And it's not just people, it's machines. It's machines, yes. It's production. And also we have accelerator elements like AI. AI uses data but also generates large amounts of data. The other important driver is speed. What we are seeing these days is that speed is an important variable because it's usually triggered by external factors. It could be the geopolitical situation, could be a pandemic, could be quick business realignments. And the way the organization reacts to cyber attacks is also important. So speed is another important element. And the third element is interconnectivity. So the chain of consequences of events could be dictated by changes in the regulation, the geopolitical situation, cyber warfare. The elements that trigger this interconnectivity come in a larger variety. But the important thing to understand is that the entire ecosystem is impacted. So if something is happening in third parties, it's for sure reflected onto the final customer. Okay. So all of these, from what I'm hearing, these drivers involve communication. And the advantage has been being able to open up communication to your customers, your partners, regulators, almost everyone. But once you open up the communication channels, electronic communication, you're also potentially opening them up to people you don't want to be communicating with, attackers, for example. And we're not just talking about IT stuff either. We're talking about the production, the machines, the plant that is being used to operate, and the manufacturing equipment. Now when we've got this sort of, if you will, exposure surface, an attack surface, you need to talk with executives about that. How do you bring up these subjects? How do you discuss these subjects with non-technical managers? The discussion is driven around three important domains, usually people, processes, and technology.
And how cybersecurity influences those processes and the business results. And where cybersecurity is impacting the business domains, there are four main elements. One is financial. So we look at how certain changes in cybersecurity, which could be an attack, but could also be changes in the cybersecurity processes inside the company, are influencing the financial results. Also, how those changes are influencing the internal processes and the way the organization performs on the market. Because one of the key elements is that these days, cybersecurity represents a competitive advantage for an organization, because showing full control of cybersecurity demonstrates to the customer that there's attention to their data, to their privacy. So the customer perception has changed based on how well you perform in cybersecurity. And this is realistic, especially in tech. This is quite common, but we are seeing it more and more due to the digital transformations in retail, in automotive, look at autonomous car driving or other components in your car. So how well you manage cybersecurity also influences the business performance and the customer perception. So that's part of being part of your customer's supply chain: you need to be able to demonstrate that you're protected from cyber attacks so that your customer is willing to do business with you. Exactly. That's correct. And the fourth important element is how the organization is capable of learning and growing. Because cybersecurity is extremely dynamic compared to other disciplines. If I look at compliance, compliance penetrates enormously into the business processes, but the speed is not very high. Cybersecurity is penetrating more and more into the business processes and the speed is very high. And having an organization capable of learning and adapting quickly is another important element. And this is the kind of discussion we are having with executives across Europe and the Middle East.
So what you're saying is that cybersecurity is not just the domain of the security organization? Not anymore. Not anymore. Now it's a business domain. Many organizations like the World Economic Forum have classified cybersecurity in the top three risks. And also there's the cyber warfare we have seen due to the geopolitical situation around the globe. We can see, we can feel how cybersecurity is part of our daily life. And there are lots of new cyber regulations, everything from GDPR to NIS and NIS 2 in the European Union and lots of others that hold non-technical executives responsible for the cybersecurity of their organizations. Because executives are liable for certain breaches, sometimes even criminally liable, how does that conversation go with them? The conversation is usually driven around one important concept these days, which is resiliency. So how the organization is capable of adapting and learning from a cybersecurity event specifically makes the difference. And how you develop your business continuity plan, your disaster recovery plan, but also your internal competencies and the capacity of the organization to acquire and distribute knowledge, makes the difference in performing or not performing in the resiliency response. So resiliency is not just being protected against an attack, because attacks sometimes get through. It's having the procedures in place to know what to do if you're attacked and how to recover. Correct. But there's also the next level: recover, learn, and adapt. That's the reason why learning and adapting gets really important these days for an organization, especially with the pressure of the cybersecurity threat landscape. So how do we react? How do we put in place measures to be able to deal with an attack and get beyond it and restart production, restart billing, restart whatever it is that's been stopped? There are, I think, two important elements. The first one is processes and regulations.
So the way you develop and keep adapting your internal processes is important. We are in an age where you cannot develop a process or a business process inside the company concerning cybersecurity and then not monitor or change the process for more than two years. And the other element is how we keep up with innovation. So keeping up with innovation, especially in terms of cybersecurity, is extremely important. In the enterprise environment, I have to say, it's well digested. So enterprise environments are keeping up with innovation. And every year I see changes in the strategic portfolio, in the strategic digital agenda. And these days, with digital innovation pushing manufacturing, so the production plant and operational technology, to adapt to that speed is a little bit complicated. And the organizations have to learn, and they're learning, how to manage innovation in this challenging business environment. So the idea is that to innovate in business, one of the pieces of that innovation needs to be building cybersecurity into whatever it is you're trying to work on, whatever the project is or the process is. Building it in from the beginning is a lot easier and more effective than bolting it on at the end. And cheaper, I have to say. Because it's important that the concept of cybersecurity by design is now realistic. So I remember that when we were talking about that 10 years ago, it was in the cybersecurity literature. But these days we are realizing, we are really feeling why it's important to have it in everything we do in terms of technology, processes, and also people. So keep educating people, and educating people on which threats they are exposed to is extremely important.
So certainly in my experience, and tell me what yours is, one of the biggest drivers of that change in mentality has been the COVID crisis and having people suddenly not being able to go to offices, having them work from home, and executives realizing that there is actually a security issue for them in having everyone working from home. Yeah, that was one of the examples. I think we go also back to the initial point, speed. So we reacted very quickly in bringing people off the traditional office perimeter and enabling them to work. But of course, we exposed our assets, so data specifically, our internal assets as a company, because at the time I was the CISO, to different kinds of threats. And how we managed and how we reacted made the difference in keeping the business running and producing results, even during a pandemic. One thing that companies are doing from an operational point of view in all departments is they're outsourcing more and more applications, and parts of the business are being done using software that may be software in the cloud or software that they're purchasing. And that brings up a question of how well protected that software is, what's known as the supply chain problem within the cybersecurity world. I think the use of cloud and multi-cloud specifically in the large enterprise is a normal procedure these days. But the problem is that we need to learn not to lose control of that data. And not losing control of data means also the way we protect the data from external actors, threat actors specifically, or from external threats. Because not having the data in our data centers makes the difference: you can take certain actions in your internal data centers, but when a third party is involved that is managing your infrastructure or your software as a service, you need to develop different processes and different capabilities.
You can get extremely quick in the reaction, probably faster than having it inside, but you need to acquire that knowledge and apply that knowledge. One of the things that I've seen in the last few years, and I know that you're involved in this, is in manufacturing organizations and other organizations that have production equipment. More and more of that has become digitalized, there are digital twins, there are all kinds of data flowing from the equipment, there's downloading of new software, et cetera. This has raised all kinds of questions and issues about protecting that operational technology. What have you seen? I have seen that, especially in everything concerning operational technology, innovation is slightly slower because the priority is availability. We need to keep the supply chain running and producing spare parts of the final goods. Introducing new technology in this area, and especially related to cyber response, because we need to keep these availability indicators extremely high, has its own challenges. As Fortinet, of course, we have developed a large range of technology for responding to these kinds of threats, but introducing the technology into this production environment is the real challenge. And having a clear understanding of the risks and what we should prioritize in the mitigation process, this is something that the organizations are learning these days. And operational managers and production managers are starting to become sensitive to the fact that they are exposed to attacks, but that doesn't make it easy to implement the solutions necessary to protect them. No. Correct. Correct. Also because, as I said, confidentiality and integrity are still important, but availability is slightly more of a priority in that environment. If you're not producing your product, you're not selling it. Correct. Exactly. That makes perfect sense.
In the time that we've got left, I want to bring up one question which actually refers back to the fact that you've been both on the vendor side and you've been a CISO for several different companies. That really is, what can the vendors learn from the CISOs and vice versa? What can the CISOs learn from the vendors? So what the vendors can learn from the CISOs is definitely the impact of technology on the business strategy. Because as a vendor, we are really focused on innovation. So for us, innovation is priority one. So we really dedicate our energy and our effort to innovation. And learning how this innovation is impacting the business, a division, a company, is probably something we can learn, especially when you have to deal with multiple business segments. From the CISO perspective, it's definitely the way we manage innovation as a vendor. And having been a CISO, I have a direct feeling for that. The way vendors manage innovation is definitely something that CISOs can learn. And the way we develop certain capabilities across multiple sectors makes our agility extremely high in developing innovation. And definitely this is where we can partner with the CISOs in developing their own security incubators for bringing new technology into production environments and enterprise environments. And the vendors' objectives are really the same as the CISOs', and that is keep the bad guys out. Correct. Correct. Okay. Well, thank you very much for spending some time with us. This has been very interesting, Daniele. I'd like to thank you for your time. Thank you, Joe. So that's it for today's Brass Tacks with Daniele Mancini, Field CISO at Fortinet Europe. I hope you found it interesting and useful, and I really hope that you will join us again for another episode of Brass Tacks, Talking Cybersecurity, brought to you by Fortinet. This series is available both as an audio and a video podcast.
You will find it on your regular podcast app or YouTube as well as on Fortinet TV.