Transcript
Real stories, real defenses, and real recoveries, straight from the practitioners building and defending modern data environments. And hello. I'm Dr. Joy Purser, Global Field CISO of Cohesity, and I'm so glad that you've joined us for a live episode of our podcast called Zero Downtime. We know that security leaders have zero downtime because the threats never stop. And so, the purpose is to help educate, at the operational level, some lessons learned by leaders in the field. Today, I am delighted to have Erin Jo with me as my guest. Erin, please introduce yourself. Well, hello everyone, and Joy, thank you for having me. I'm Erin Jo, and I had a long career in the FBI before going into Mediant, and then Google Cloud, and now I have joined Wiley Ryan's law firm, where I'm enabling their cyber practice, helping our clients before, during, and after cyber incidents. And I will say, very briefly, that although I had a long career in the FBI, I have to give a disclaimer here, disclaimer that I'm no longer in the government, and so all of my conversations today will be based on my personal experience and personal opinions. Fantastic. So Erin, you bridge the legal profession with security risk, as well as the management and protection of big data. And so, talk to us on the first topic that we discussed about data security. Yeah, so it's really interesting when you think about it, because organizations hold data of all kinds. They hold their own data, they hold the data of others, and they're entrusted with that data. For most organizations, they don't really think about how comprehensive that risk really is and how to manage it comprehensively. So you have to think about a number of things. You have to think about, do you have good data governance in place, and can you enforce it in a way that matters? Can you prove that you can take care of that data and prove that you're protecting it, not only from a legal compliance perspective, but really just from a trustworthiness perspective? And recognizing that much of the data is regulated in some way. And if it's breached and compromised in some way, you may have a number of reporting requirements or notification requirements. But then there's also the goodwill and trustworthiness of letting people know that you've had an incident and letting them know what care you took to protect their data, what may have been compromised, and what steps need to be taken next. So there's a whole host of things that go around being entrusted with data. And what comes to mind very briefly is, I mentioned about the governance, I mentioned about proving, right, your ability to take care of it as well as your ability to track and trace it. But then also on the backend, being able to do analytics on that data and being able to do an impact or damage assessment on the backend of that is critically important, not only for you, but for the other organizations that lost data as well and are impacted by that compromise. So in the past two minutes, you've used the word trust three times. And I'd say a few years ago at the RSA conference, zero trust was a term that was used so much. And I believe that that's fairly well understood in terms of the technical perspective and guardrails policies in place to cordon off, classify, protect sensitive data. But in terms of trust now, it goes far beyond that. And from a business perspective, trust is reputational risk, not only data security risk. So trust and risks tend to go hand in hand. And so in the legal profession, and specifically with security expertise, where do you see the term trust used a lot in your, in your? Yeah, that's a really interesting question because I think organizations inherently know that their business is built on trust. But then as they evaluate what they're going to do, typically it's a very legalistic analysis. So it's a really interesting question because I think organizations would be better served to think of those together, right? Not only what am I legally required to do, or what am I, what are my obligations, but what's the right thing to do for the organization and for the company and for your customers or whoever it is that you serve? I mean, why are you in business in the first place, right? And I think that's where those two ideas converge in a really lovely way and can impact decision making in a way that can best suit an organization. So for example, you may have legal notification obligations or reporting requirements if you have a cyber incident and those you have to follow, right? So an organization may not have significant decision making around that because it's a requirement. But then there are many situations in which there may not be a legal obligation, but it may be wise to do so. It may build trust to do so. And if you had a reporting requirement, you also run the risk of others finding out, right? So that's a risk. But then even if you're in a situation where you think no one will find out because it's internal to you, we really live in a world today where data gets out and gets exposed. And then the questions start to come, well, how did this data get out? How did this data get exposed? So those raise a lot of questions that could become the source of an investigation by a federal agency. It could become a regulatory issue. It could become a privacy issue. And then if the roads lead back to your organization, it really doesn't look good for your organization to not have come forward first, right? So to build trust, you want to own the narrative and you want to be the one demonstrating that you are trustworthy, that you're doing the right thing, that you're letting people know what has happened, you're providing support and assistance, you're doing your own impact or damage assessment to what it means to your organization, but you're also supporting what kind of harm could come to other organizations whose data was lost. All those things are the things that build trust more so than a report that said, I had an incident, here's what happened, I'm making my mandatory requirement disclosures. That's a check the box, but it doesn't build trust across the organization and with your clients. No, and there are real business impacts with the degradation of trust of a business. And we've seen that to devastating effect over time and with specific businesses and sectors. So I would say, thank goodness for new technical controls that allow us greater visibility into whether we are storing and working with sensitive data. So for example, with Cohesity, as you know, we're a software company that sells backups and other software and hardware and our why is that we're there for customers on their worst day, right? We see cyber attacks and we think deeply on how do we do our very best so that they can recover in such a way that there is minimal to no impact on business operations and therefore company reputation and more broadly trust. And I would say without getting too much into technical details that an innovation we're proud of is that our backups have data security posture management, DSPM, that is powered by Sierra, which is the best of breed in the DSPM business. But what it does is it allows organizations to see clearly if they have protected health information, protected individual private information in the secondary data. So in the backups, which historically have been like an iceberg in that we see the primary of production data, but what's underneath the surface has been invisible. And if you're backing up data that has PHI, there are legal consequences, trust consequences and reputational damage if that is discovered. So I think it's a great innovation and I love to see how tech is rising to meet those trust risks. Yeah. You know, you raise a lot of really important points. Organizations struggle and I've seen it firsthand. So from years of experience of being over some of the largest data breaches in the world and seeing how organizations are able or not able to respond well to that. And when you think of incident response, you typically think about, can I get my network and processes back up and running? But you don't always think about the long data tail that follows. It's long and challenging for most organizations. So you have to then know, was the data access in an unauthorized manner? Was it exfiltrated and was it taken? How do I know? How can I prove what was taken and how can I prove it wasn't taken? Then you have, like I mentioned, the notifications, responsibility or obligations. You may have regulatory obligations. You may have, like you say, the PII, PHI, like all of those obligations. But then you have your own damage or impact assessment and then assisting those who have to do their own. So I walked through that specifically now because you're saying, well, gee, it's not only for the data that may or may not have been impacted as part of the incident, but now you also have the data that you need to bring back up as part of your backups, right? So you have the same data twice that you're dealing with. Oftentimes, third actors access the backups as well or try to corrupt the backups in some way. So you have a number of different times and ways that you need to be concerned about protecting the data, right? Not just in active use, but also in your various backups and being able to trace what the threat actor did and then being able to, with confidence, say what happened to that data and whether or not it was protected or part of the compromise. So I think having technical capabilities that enable that are critical. I also think about having good data governance and good data governance enforcement is critical. And I always tell people, you know, data that's deleted is at a much lower risk to your organization. So delete some of this data, right? You don't necessarily have to keep all of it, but then being able to map it and know what was at risk or what wasn't is really critical. But afterwards, that analysis and having insight into the types of data that you were responsible for and being able to show the picture of what that meant from an impact standpoint to your organization or to others is absolutely critical. Fantastic. You know, we talked about resilience takes practice. Yes. And I love that idea. And one of the key things that I learned from years of government and years of crisis management in the FBI and elsewhere and related to the cyber world is that you need to continually prepare, right? It needs to become muscle memory. You have to test for stress because oftentimes people want to do the tabletop exercises on the easy things, but they don't really want to test for the stress that your organization will encounter in a major incident. And that kind of stress is it's emotional fatigue on an organization. It's financial fatigue on an organization. It's a significant business disruption. And then as you're restoring your capabilities to do your day to day work, your same employees are still the ones that need to deal with that long tail that I talked about that happens when you have to evaluate now what? What are the consequences of having just gone through a major data breach? Yeah. Right. So being able to prepare for that kind of stress is really critical. And then building a community around you to be able to support you through a major incident is a key part of that resilience. So being able to have partnerships with data companies and those that secure data can help you identify your data, having strong relationships and retainers with your incident responders and your law firms and your ransomware negotiators and all the people that you need to bring in to be there with you and for you throughout the course of your incident management is absolutely important. And I do still put in a big plug for having good, strong relationships across government, including the FBI. Right. And being a critical part of the community and building that resilience. So I've got a little story to share when it comes to a stress test. Yeah. So you and I have in our in our work had many, many, many conversations with CISOs, Chief Information Security Officers, Chief Security Officers. And I sat once with a logistics company and the CIO and the CISO were in the room and some operator level staff and they talked about how they had just begun doing tabletop exercises that included the backups, which is what I've been advising even when I was at CISA. Right. And they shared that the first time that happened, that they did the exercise that included the backups, that basically the backups team did this. Yeah. I'm sorry, but we don't, we can't do anything and we don't know what else to do. Right. And there were two lessons learned there, one for operators and one for senior executives. Yep, that's right. And the lesson for the operators is that this is not a blame game and that with repetition that you get better. And just like any exercise, physical exercise or cyber, it's hard at the beginning and then it gets better. So for them, it was an important learning and they got better with subsequent exercises. And from the CISO perspective, it's so important for executives to message properly and to make sure that the backup team, who they usually don't manage because they're in IT, to say to them, I'm not your boss, but you're going to be an integral part of a recovery and I need you to be part of this. And I'm not doing this to embarrass you or anyone else, but for defense in depth, you are essential. And so this is what we're going to do. Yeah. What do you say about that? So I've always said that your organization is not really ready until every person in your organization is ready. If they don't know what their role is in an incident and they don't understand where they fall in function, then you're not really ready and you're not doing your organization the service it deserves if you haven't prepared them properly. Leaders think about, well, how do I get the business back up and operational, right? But you also have to think about, well, what does it take? What are the demands? Who needs to do what? Who will be my leaders? Do I have a bench? I would say, build a bench, build a bench of leaders because you're going to need leadership maybe 24 seven over the course of months, even to lead through any incident and recovery situation and then to be able to handle that long tail I always talk about with respect to the now, what does this mean for organization? Do we need to technically rebuild? Do we need to handle the data? Do we need to do an impact assessment? All those things that we've been talking about, but if you don't have a bench of leaders who understand what it takes and who is going to own certain command and control of those different pillars that are so critically important, then your organization will start to crumble under that stress. And from a leadership perspective, the other aspect of it now that I'm sitting in the legal chair is your general counsel needs to understand how to quarterback the recovery as well and quarterback the incident and understand that while they're trying to manage some of the investigative aspects that you may want under privilege that are often not considered early on, like they could actually have some of the investigative activity handled under privilege that could be very helpful to your organization, recognizing also though that the facts are not privileged and there will be certain parts of the investigation that will be available to the rest of the organization to be able to do something about. You have to act, right? You can't just sit there and admire it. It's going to, it doesn't go away. So you have to be positioned to make decisions. You have to be positioned to have leaders who understand what part they own and how they are expected to operate and with what principle, right? What is your driving principle? And we've been talking about trust. I think trust is a driving principle. This is how we are going to react and respond. I always say you can't prepare for everything, but you can prepare for almost anything. That's true. If you have the right principles, if you have the right leadership, if you've tested for stress of some sort, then it doesn't matter what type of stress comes at you. You're going to be able to be resilient for it. Very well said. And I love how you succinctly discussed people and process and technology because resilience requires all three, right? It does. Yeah. You can't forget any one of those. The process, I think, sometimes fails because the people aren't ready, right? You can have all the greatest processes, but if your people don't know how to exercise them and use them, then you often end up with chaos and paralysis and delays. And those delays can cost your organization time, money, people, resources, reputation, all those things. So building that resilience and building that muscle memory is absolutely critical. And there are things you can do in advance, right? So you can, in advance, map out your reporting obligations. You can map out in advance your contractual obligations. You can map out who would you want to notify just as part of that trust building, even if you don't have an obligation. Well in advance, you can map out your data. You can map out your requirements with the data. You can map out the impact if that data were to be compromised. Those things can be handled in advance, and those are areas that organizations don't typically invest in on the front end, but they cost you a lot of time and money that you don't expect on the back end if you don't get it done. Agree. Well, we are out of time. And I just have to say, Erin Jo, your perspective based on your experience and where you are now contributing from security, from the legal perspective, is just amazing. Thank you so much for being with us on this episode of Zero Downtime. Well, thank you, Joy. I think you've been a tremendous champion in this area. I think you're a tremendous friend and colleague. And I just want to thank you for having me today.