2854: From Hacker to Hero: Simplifying Cyber Risks for Business Leaders
Tech Talks Daily, April 05, 2024
41:31 · 25.95 MB


Is cybersecurity the hidden iceberg threatening to sink businesses in today's tech-infused world? In the upcoming episode of Tech Talks Daily, we delve into the complex world of cybersecurity with Jonny Tyers, founder and CEO of Threatplane. With a fascinating journey from hacker to heralded protector, Jonny brings a unique perspective to the cybersecurity challenges and opportunities facing businesses today.

As businesses increasingly anchor their operations in technology, the risks escalate. The sophistication of the cybercrime market, coupled with a widespread "explainability problem" among business leaders, underscores the urgent need for clarity and actionable insights. Jonny's approach with Threatplane is refreshingly straightforward, focusing on demystifying cybersecurity and making it accessible and relevant to business leaders' strategic objectives.

Through threat modeling, Jonny's team at Threatplane not only identifies risks but connects these to technical controls in a language that resonates with business leaders. This method bridges the knowledge gap and empowers businesses to make informed decisions about their cybersecurity strategies.

But what happens when emerging technologies like AI and IoT enter the fray, expanding the battlefield in the cyber "arms race"? Jonny discusses the dual-edged sword these technologies represent, offering new challenges and innovative defenses against cyber threats.

Listeners will be treated to Jonny's compelling story, from his early days as a hacker to his pivotal role in assisting a leading UK high-street bank to navigate their digital transformation. His membership in the Internet of Things Security Foundation and partnerships with giants like Mastercard and Cisco highlight his significant influence in cybersecurity.

Join us as we explore the intricacies of cybersecurity in the modern business landscape, from the hidden risks to the cutting-edge strategies that can protect and propel businesses forward. How can companies stay ahead of the curve in a world where technology evolves at breakneck speed?

[00:00:00] In a digital age where cybersecurity stands as a formidable bastion against unseen threats,

[00:00:07] How do businesses navigate the complexities of protecting themselves while still pushing

[00:00:13] the envelope of innovation?

[00:00:15] Well today here on Tech Talks Daily we're going to dive straight into this critical dialogue

[00:00:20] with Jonny Tyers, the visionary founder and CEO of a company called Threatplane, and

[00:00:26] with cyber security risks escalating in a world deeply intertwined with technology, businesses

[00:00:33] face the daunting challenge of both understanding and mitigating these threats.

[00:00:39] So Johnny's going to be bringing to the table a solution that demystifies the technicalities,

[00:00:44] talk more in depth about things like threat modelling and how by connecting the dots between

[00:00:49] business risks and technical control he's going to craft a narrative that businesses

[00:00:54] can not only understand but act upon so there's going to be some actionable tips for everybody

[00:00:59] listening today.

[00:01:01] And also as emerging technologies like AI and IoT continue to stretch the boundaries of

[00:01:06] that digital landscape I think Johnny's insights are more relevant than ever, so prepare

[00:01:11] to unravel that explainability problem of cyber security and also discover the strategic

[00:01:18] prowess of threat modelling and explore how continuous learning can help us all stay one

[00:01:24] step ahead in this perpetual cyber arms race.

[00:01:29] So are you ready to transform complexity into clarity, fear into fortitude?

[00:01:34] Now before I get today's guest on quick shout out to the sponsors of Tech Talks Daily

[00:01:39] because in today's remote first world I think settling for outdated managed file transfer

[00:01:44] solutions means ultimately you're risking your sensitive data but if you upgrade to

[00:01:49] Kiteworks, the gold standard in secure MFT boasting FedRAMP Moderate authorisation, Kiteworks

[00:01:56] isn't just secure it's a complete transformation of how your business handles file transfers

[00:02:02] and communications so say goodbye to compromise and hello to unmatched security and efficiency

[00:02:08] and you can do that by making the switch to kiteworks.com. Visit kiteworks.com to begin,

[00:02:14] that's kiteworks.com, to secure your data and empower your business.

[00:02:20] But now let's get today's guest on, well buckle up and hold on tight as I beam your ears

[00:02:25] all the way to the UK where you can join me and Johnny as we navigate this cyber sphere

[00:02:30] together and talk about all this and so much more.

[00:02:36] So a massive welcome to the show Johnny can you tell everyone listening a little about

[00:02:40] who you are and what you do. Hello everyone yeah I'm Jonny I am an ex hacker and I joined

[00:02:50] the bright side the good side some years ago and now I run a company called

[00:02:55] Threatplane, we get tech businesses secure in a way that fits with their business plans.

[00:02:59] Well I feel like there's a bit of a backstory there, what was it that made you, I don't want to

[00:03:06] spoil that, interested in choosing to protect businesses? Did something happen, was

[00:03:10] there something that lit that spark in you? Well the biggest transformation was that I got caught

[00:03:15] which is probably the best thing that happens to me but one of the things I noticed back then

[00:03:21] as like a teenager when I was up to no good but also now it's still a repeating

[00:03:26] thing is that it sounds massively patronising to say this but security is about the

[00:03:30] basics and the basics get really hard because the world is really complex and what I realized was

[00:03:37] that actually just having the confidence having the knowledge having someone there who's by your

[00:03:41] side to just guide you through that is it's just hugely rewarding for me but also really helpful for

[00:03:48] businesses because it's their livelihoods on the line and their employees' livelihoods on the line

[00:03:52] often the stakes are high and often cyber doesn't even come into the thoughts of many people until

[00:03:58] kind of the last minute either because someone's asking or because they've had a ransomware attack

[00:04:02] or something. So yeah incredible and that just listening to that I know this is a story that

[00:04:09] you're very passionate about and before you came on the podcast one of the things that attracted me

[00:04:13] to you is how I've seen you online emphasizing that cybersecurity is one of the

[00:04:18] biggest risks for businesses today so can you elaborate on some of the key factors that maybe

[00:04:24] elevate this risk profile and why companies should prioritize security just to set the scene

[00:04:30] for our conversation. Yeah I mean where do you start is the thing it sounds like a cliche

[00:04:36] these days it's that cyber security is the biggest risk because we've been saying it for so long but

[00:04:40] it is it's true and it's been true for a long time but it's truer and truer if you think about

[00:04:46] for any of your listeners here today and if they're running their own business or if they look at

[00:04:51] the businesses around them maybe they know someone who's running a business what you'll invariably

[00:04:55] find is that technology is core to that business and that's more true today than it was 10 years ago

[00:05:01] and it's way more true today than it was 20 years ago. Technology has just become a more and more

[00:05:06] important part of it and it's obvious most of the time I work with tech businesses it's really

[00:05:10] obvious there you have an app or you have a website obviously technology is key but some of the

[00:05:15] biggest case studies that I often use in workshops are things like the NHS which when you go into

[00:05:21] a hospital of course it's all about human contact it's about your health it's about the well-being

[00:05:26] of different people around you it's about safety, it's a very human, touchy-feely if you like

[00:05:31] profession in many ways but of course technology absolutely drives that if you didn't have technology

[00:05:35] hospitals just could not operate and another big case study that we often trot out is nut lorries

[00:05:42] so there's a story about a decade ago about a logistics business in I think it was California

[00:05:48] which were transporting nuts and they would take nuts from which if I recall correctly it was L.A.

[00:05:54] so it would have been Long Beach, the big port in Los Angeles, and then distributed it to

[00:05:58] different warehouses and deliveries to different businesses across the state and probably across

[00:06:03] state lines as well and they had a cyber attack the hackers managed to get in and take the

[00:06:10] roster of the different trucks that were making deliveries here and there, then knew which truck

[00:06:14] was going to be where picking up what and what the consignment was and everything else

[00:06:19] and then the hackers would get their own truck turn up 10 minutes early or probably some time earlier

[00:06:25] take the delivery because they had all the right paperwork and then drive on with all the nuts in

[00:06:30] the back and it sounds really silly it sounds like petty theft until you realize that every single

[00:06:35] delivery I mean America is big, trucks' average value back then, this is a decade ago, was 450 per truck

[00:06:42] so it was a pretty valuable business and that's kind of I like those two case studies because they

[00:06:46] just kind of represent the breadth really of yeah what it can mean to different businesses but

[00:06:51] I mean the story is no doubt true, tech is just core to everything now and the

[00:06:57] story unfortunately is getting worse as well so the attacking side of cyber where the

[00:07:03] hackers operate the dark web and so on is a really established if you like mature market ransomware

[00:07:10] providers as they're now known they sell services to each other just as you'd get service providers

[00:07:15] providing services to each other in the real economy but often a hacker will break into a company's

[00:07:21] network they'll then sell that access to a ransomware provider the ransomware provider will then

[00:07:26] do the ransomware and we'll there there's a whole supply chain there where people can monetize

[00:07:31] different elements of access different elements of leverage some the people who demand and the

[00:07:35] ransom are probably not the people who did the original hack yeah it's an immensely evolved sort of

[00:07:40] ecosystem really and that's what we're up against incredibly sophisticated very motivated

[00:07:45] and sometimes not very constrained attackers sometimes they're operating for jurisdictions where

[00:07:51] basically the consequences aren't necessarily that severe so the threat is really big and yet on

[00:07:55] the other side there's average Joes like you and me whose livelihoods might be on the line and

[00:08:00] it's a tough challenge and one of the things I've heard you talk about is the explainability problem

[00:08:06] within the cyber domain so for anyone listening it's not heard of this can you just expand on

[00:08:10] what it means and how it impacts businesses ability to better protect themselves against these

[00:08:15] kind of cyber threats you've just mentioned oh yeah so if this used to happen to me all the time

[00:08:20] I'd be in a networking event or even in social gatherings and people would be like what do you do

[00:08:25] and I'd be like well I work in cyber security and their eyes would roll oh my goodness

[00:08:29] like they'd say one of two things they'd say oh that must be the business to be in because

[00:08:34] everyone's talking about it but the other thing they'd say is God I don't understand a thing about

[00:08:37] that and the funny thing is that's true in business as well like cyber is really difficult it's

[00:08:44] really dense the technical side of cyber is just so deep and I'm very fortunate to have grown up

[00:08:50] as the internet was growing up so people like me have seen the internet take the

[00:08:55] world by storm and we've been part of that journey so we've seen the basics that it's all come

[00:08:59] from all you have now is a really sophisticated ecosystem you've got social media you've got

[00:09:04] search engines you've got the way that websites are delivered and the technology that drives those

[00:09:07] the databases and all that stuff that sits in the background there's such a huge amount of technical

[00:09:11] density and detail and then you've got cyber which is how all of that might be subverted

[00:09:16] and to the average business owner whether they're in a startup they're a startup founder

[00:09:20] or they're in an enterprise in part of the management hierarchy and they might be on a board of

[00:09:24] directors or something that complexity is just really difficult to grasp and of course if your

[00:09:28] day job is you're the CFO or you manage operations for a hospital or something like that then it's

[00:09:33] just really difficult to get your head around when someone says cyber stuff and often these

[00:09:38] businesses are driving technology change they're trying to use technology to go faster whether

[00:09:42] it's AI whether it's social media whether it's anything else and at some point on those

[00:09:48] journeys someone will say hey what about cyber I mean particularly with GDPR coming out that question

[00:09:53] became much more common was what about cyber security what are we doing to protect the data

[00:09:56] what are we doing to protect our customers and of course the leaders wouldn't know so they'd ask

[00:10:01] their technical teams okay so what about cyber and the tech teams would go away and they'd figure

[00:10:05] it out and then they come back with the answer and the answer would be full of TLS MFA it'd be full

[00:10:10] of EC2 and it'd be full of technical jargon which no one understood outside of the circle of the

[00:10:15] cyber people and so for a business leader understanding what all the technical stuff means and trying to

[00:10:21] translate that into what it means for their business are we protected are we not are we investing

[00:10:26] enough in security are we not where are the risks and how are we doing on that scale that there's

[00:10:30] just a big chasm there where in the leadership room they're thinking about the business

[00:10:36] about the revenue about the risks about the compliance and the regulatory about their customers

[00:10:40] and their reputation all those important things their business plan and their goals and then on

[00:10:44] the shop floor the sort of the technical frontline you're fully in the technical detail and those

[00:10:49] two sides are just not joined up in most businesses and if you try to join them up it's just very

[00:10:54] I mean the explainability problem is exactly that they cannot be joined up in the typical business

[00:10:58] because they're just on a totally different plane of understanding. And one thing I've seen that

[00:11:04] you advocate for is connecting the business case to the technology in an attempt to solve that

[00:11:10] explainability problem but are there any examples you could share just to bring that to life of how

[00:11:15] this approach has made cyber security more accessible to business leaders yeah absolutely so this

[00:11:21] is kind of the core of I mean you can tell my voice I'm quite passionate about this and this is

[00:11:26] the core of what threat plane does now I realized that this was where cyber has to go if it's to

[00:11:32] solve these big challenges of what the hackers are doing and yeah we've worked with a number of

[00:11:37] businesses different sizes we've worked with a large bank where they had huge as you can

[00:11:46] imagine with a large UK high street bank they have huge risks that they need to manage

[00:11:52] handling people's money handling people's data there's also strong regulation there so understanding

[00:11:57] and on the other side they've got huge complexity in all their systems they have lots of systems

[00:12:01] from their own business from other businesses they've acquired all the new stuff they're trying to

[00:12:05] build which you know these banks often run really large engineering divisions that are building

[00:12:11] new apps new technology all the time the amount of technology they're building is really quite high

[00:12:16] and so for them the answer is where do we focus what's the most important thing

[00:12:23] and from a technology perspective there's always more to focus on you'll never get perfectly secure

[00:12:28] and the complexity of technology means today that you could be working from now to eternity

[00:12:32] fixing security problems so the question from a business perspective always has to be what's

[00:12:36] the most important thing where do we focus and for a large bank they have large numbers of systems

[00:12:42] even for them they have limited resources they have to figure out where to focus and on the other

[00:12:47] end of the scale I mean our other sort of a key customer that I often talk about is a medical

[00:12:52] technology startup they work with research teams and that they built a platform that stores

[00:12:56] electronic health records across jurisdictions so they operate in the UK so they have data that

[00:13:01] comes from the NHS where that's been consented they operate in African states and they're looking at

[00:13:06] the United States as well and there's lots of regulation about that but also of course the data

[00:13:12] is highly sensitive it's often DNA data as well as actual health records it's incredibly

[00:13:17] sensitive data and for them they when I started working with them they were a small startup they

[00:13:23] just finished their MVP which is the sort of if you like proof of concept to see whether the

[00:13:27] business would work from a technical perspective and the challenges there were we've got this

[00:13:34] huge risk or at least this hugely sensitive data set how given that we're a small startup we don't

[00:13:40] have the sort of funds that a bank would have or a big health organization would have how on

[00:13:45] earth do we even go about beginning to secure this data and so we helped them work with what they

[00:13:51] had to limit the risks the risk profile for a startup is very different to that of an enterprise in

[00:13:56] any sector really because of the way that attackers will look at you whether you'll come up on

[00:14:00] different people's radars and so on we bring that to the table to help them understand actually

[00:14:05] yeah how can you win in that situation so those are the two examples and something I try and do

[00:14:10] every day on this podcast is demystify complex areas like cyber security for business leaders

[00:14:16] that might be listening anywhere in the world so for those people listening how does threat

[00:14:20] modeling work as a solution to cyber security challenges and what would you say makes it such an

[00:14:25] effective tool for businesses of all sizes not just those large enterprises yeah so threat modeling

[00:14:31] is, it sounds very technical and like several things in this industry it's actually incredibly simple

[00:14:38] at its heart threat modeling in its normal form is quite a technical concept that's used by security

[00:14:43] teams and they look at the technical risks around a particular system or a particular process

[00:14:49] what we do is we've taken threat modeling and we've devised this thing called risk-based threat modeling

[00:14:54] which as the name suggests kind of puts risk and that means the business risks the business's view

[00:14:59] of risk front and center of the process so you get all the benefits of the buy in and the kind of

[00:15:04] the aligned objectives that come when leaders and when technical teams see things from the same page

[00:15:10] which is from the perspective of the business so the way that threat modeling helps in this scenario

[00:15:16] is that on the one hand it brings together business risks so what that looks like in practices

[00:15:21] that we speak with a business owner or a management team and we say where are your risks and of course

[00:15:27] for many sectors they're self-evident for health there are risks around safety, patient safety

[00:15:32] there are risks around data and there's what we classify as a risk around compliance and regulatory

[00:15:38] requirements and also if they're a private business there will be things around revenue

[00:15:43] and reputation which they need to manage as well so all of that sits on the risk bucket and all

[00:15:46] of that is stuff which the management team understands it's often their day job for different parts

[00:15:51] of the business and those risks can be they often fall into a small number of categories but as you

[00:15:56] can imagine they can be manifest across different areas whether it's HR operations, finance, legal

[00:16:03] and then on the other side of the threat model you look at the threats which is where often we

[00:16:07] provide our expertise so we will look at different aspects of the business and we'll say these are

[00:16:12] the threats that face that part of the business and this is where we're looking at what the

[00:16:17] attackers are doing what the attackers might be interested in the ways that they might get in so

[00:16:21] what we call the attack surface might be the systems that they use to get in and methods

[00:16:25] they use to get in and the output of a threat model is the really useful bit which is what in the

[00:16:31] security what we call controls and basically if you think about the starting point as business

[00:16:35] risks are things that a business needs to wake up and pay attention to in terms of why they might

[00:16:39] be exposed the controls are simply how you fix it so the controls are a fairly extensive list of

[00:16:46] things you could do to address different aspects of those risks and the beauty is with the way

[00:16:52] that we do it is that the power is all in the hands of the customer so this process is entirely

[00:16:57] transparent to the customer when we do it and what we do is we present them with that list and we

[00:17:01] say we've given you the advice and the risks and we'll tell you which controls we think you should put

[00:17:06] in and there are lots of ways of doing that cost effectively and so on but ultimately the choice is

[00:17:12] yours about which risks you want to address how far you want to address them how much money you

[00:17:16] feel you can afford at this point etc so the idea is that the power is right back in the customer's

[00:17:21] hands because one of the weird dynamics in cyber perhaps because it's so technically

[00:17:25] complicated is that historically that hasn't been the case historically people struggle to understand

[00:17:30] cyber a security vendor would come in and offer what they can but ultimately the customer doesn't

[00:17:36] understand what they're buying doesn't understand whether the solution really meets their needs or not

[00:17:39] because cyber is so complicated unfortunately some vendors take advantage of that but even if

[00:17:44] the vendor's acting honestly and ethically it can be quite easy for a customer simply not to

[00:17:49] understand and to make a purchase that they then regret later on or that doesn't work but

[00:17:54] they would never know so by doing it this way we connect all the dots we give the customer the

[00:17:59] information they need and now the power is in their hands they can make decisions

[00:18:03] about which security we put in because now it's connected to risk so although they may not understand

[00:18:09] the technical details of the controls they do understand yeah it's going to stop us getting in trouble

[00:18:14] with the regulator it's going to stop us having a big PR disaster it's going to stop that data being

[00:18:18] leaked, that they understand. Absolutely love that and if we were to go back to the beginning of

[00:18:25] our conversation, your journey from a hacker to a business leader's ally is fascinating

[00:18:30] so I'm curious how your background influenced your approach to cyber security and your ability to

[00:18:36] communicate complex concepts in simpler terms because it certainly comes off that way in our conversation

[00:18:43] I certainly like to think so Neil I mean I've been fortunate I was fortunate to get caught

[00:18:49] and having been on the other side but not having done anything that could have got me into

[00:18:53] serious trouble yeah but there's this quote that I came across a few months ago by a guy called

[00:18:58] Kevin Beaumont who's a UK based cyber security researcher he's on the TV sometimes

[00:19:05] and he said that when hackers decide to do something they can make the decision and they

[00:19:09] can go and do it they can operate really fast because it's them or it's just a small group of them

[00:19:14] is a small number of individuals in a business setting if you want to make a change to a business

[00:19:20] system usually there's a zillion forms to fill in there's a process to wait for in enterprises

[00:19:25] they have a thing called a change window where you have to wait for the change window and then

[00:19:28] you're allowed to deploy it and you have to test it and these and making a change to anything can

[00:19:32] take days weeks months and the hackers just simply operate from a faster perspective so I mean

[00:19:39] from my perspective helping a business I mean A to understand that a hacker can see their objective

[00:19:46] and they can just go there this is not a problem for them if if they've got a means to do it

[00:19:50] if they want to operate a certain way I mean for a business obviously we have in bigger businesses

[00:19:56] there's lots of red tape there's lots of sometimes politics there's sometimes other things

[00:19:59] divisional boundaries and so on there's just a kind of paralysis that just means that they can't move

[00:20:04] and although no one's intending for that situation to occur it is a kind of dynamic

[00:20:08] of large organizations and it does mean that, it just means that the bad guys can get in

[00:20:14] the defenders don't win in that scenario I mean from my perspective I've worked after getting caught

[00:20:20] I went into the software world for a long time and worked my way up through there and

[00:20:26] did work with a number of organizations in government, sort of defence and so on, but also

[00:20:30] in the private sector and saw businesses small and large grappling with these different problems

[00:20:38] and having worked with software teams most of our customers now are software teams and I totally

[00:20:42] understand where they're coming from and as a small business owner and having worked in account

[00:20:46] teams sales teams large projects and programs over the years I understand what the business is after

[00:20:52] as well so I like to think that we can bring both sides to the table the technical depth but also

[00:20:57] the business savvy that means we can talk to both parties and fast forward to 2024 I was doing

[00:21:03] a little research on you I see that you're also a member of the Internet of Things Security

[00:21:08] Foundation sounds incredibly cool but especially when you look at some of the big names in there

[00:21:12] so how do you see the collaboration between some of the diverse members such as Mastercard, Cisco

[00:21:19] and so many others shaping the future of IoT security is it as cool as it sounds in there?

[00:21:25] They are a fantastic bunch yeah I mean the story is quite funny behind that because

[00:21:29] they actually approached us we didn't approach them yeah I never thought at our stage that

[00:21:36] we could be involved in such an organization but precisely because of that the big names there

[00:21:41] and I know some of the other guys and girls who work in the IoTSF and around the organizations

[00:21:46] there and some of the work that goes on is incredible they get very involved with for example the

[00:21:52] conversations that go on in regulatory circles in Brussels and the EU for example as well as

[00:21:58] on the UK side with the Department of Science, Innovation and Technology not to mention

[00:22:03] standards boards and all this sort of stuff and they bring together suppliers and companies from

[00:22:08] a whole range of different backgrounds we did an event with them at the end of last year so the

[00:22:14] September I think of last year in London and it was great to meet all the people who came

[00:22:18] to the event but it was also fascinating to hear talks and to meet the other companies who were

[00:22:22] there some of which are smaller businesses where I was talking directly to the founder or the CEO

[00:22:27] but some of them huge organizations that do something quite different but are now in the IoT space

[00:22:32] and IoT is really interesting because it's kind of the human end of technology

[00:22:37] IoT stands for Internet of Things and it kind of as a category encapsulates anything which is

[00:22:42] a physical thing that is internet connected which isn't in and of itself a computer so cars come

[00:22:47] under IoT for example internet connected cars which is obviously a big topic and getting bigger

[00:22:52] and bigger something like an Apple Watch or a Fitbit would count as IoT, conceivably really any

[00:22:57] mobile device phones included is IoT, one of my friends who used to be on the steering

[00:23:03] committee for the IoTSF used to joke about internet connected toasters and kettles and is there a

[00:23:08] risk there I don't know I mean there probably is a health and safety risk but I mean one of the

[00:23:12] things that came up some years ago was internet connected baby monitors for example and just the

[00:23:18] you know the thought that as a parent I mean I'm a parent, I intentionally do not have

[00:23:22] internet connected baby monitors for this very reason but you know the very thought that

[00:23:27] someone else could access those or interfere with those it just yeah doesn't fill me

[00:23:31] with good feelings at all so for me IoT probably will become one of the most important parts

[00:23:39] actually of cyber because it will be where life and death is most directly present, if there's

[00:23:45] a cyber attack and it could affect life and death IoT is where it will happen if you imagine cars

[00:23:50] getting hacked if you imagine i mean obviously we all see the unfortunate events in Ukraine but one

[00:23:55] of the big features of Ukraine is drones and that would be firmly in the IoT space as well so there's

[00:24:01] a huge, I mean I could riff on forever as you can hear on IoT, but there's a huge opportunity

[00:24:06] but also a huge amount of ground to make up in IoT in particular because it's not hitherto

[00:24:11] been a sector that's been that secure and organizations like the IoTSF I really believe make

[00:24:17] a huge difference they work pretty hard behind the scenes, there's sort of about two or

[00:24:23] three strands really that they operate in the first is the regulatory sphere so often your

[00:24:28] regulation will be an important part of cyber security in the future and that's not everyone

[00:24:32] inside the industry understands that they will have to be government involvement and government

[00:24:37] regulation and requirements around some of the aspects of cyber and then and organizations like

[00:24:42] the itsf bring expertise they bring a sensible voice to the table when regulators are thinking about

[00:24:48] x it's not there area of expertise the other thing that they do is they help dry standards so standards

[00:24:53] are usually more internal to the industry to the technology industry in the security industry but

[00:24:58] nevertheless make an important part of what goes on the standards bodies exist for I mean

[00:25:04] everyone nowadays uses google chrome fire fox or microsoft age or safari as their browsers browsers

[00:25:10] over the last 15 years have become way more secure than they used to be and a lot of that is down

[00:25:15] to good standards strong standards driven by the likes of google the likes of apple and microsoft

[00:25:22] and a huge number of others to go and vote for in this as well I wouldn't be able to name them all but

[00:25:27] they've all contributed through their expertise to building strong standards and all of those efforts

[00:25:32] kind of we need to push on all fronts really in order to make cyber security globally for all

[00:25:37] economies and for all society more more secure I share so many of your concerns there I think today

[00:25:44] almost every new home appliance is labelled as a smart device, and the problem is those devices,

[00:25:50] whether it be a washing machine, a toaster or a kettle, they've probably been designed to last five,

[00:25:54] six years, maybe even ten years, but the software updates only usually come for two or three years.

[00:25:59] That's the kind of thing that, yeah, it keeps me up at night as well. There's a huge transition

[00:26:06] that's going on in all these sectors, whether it's washing machines, whether it's cars,

[00:26:10] whether it's toasters, for the manufacturers as well, because if you think about how we buy

[00:26:17] products, wind back a couple of decades, you buy a toaster, and so a factory somewhere in the world,

[00:26:24] maybe back then it was in China, maybe it wasn't, but a factory would make the toaster, and of course

[00:26:29] they've made them by the thousands. They have different brand names put on them, different labels,

[00:26:34] they're shipped to different countries, and basically as soon as the factory or the manufacturer

[00:26:37] has sold that toaster it then passes into the hands of wholesalers, of distribution companies,

[00:26:43] of retailers ultimately, and it ends up on the shop shelf or it ends up on Amazon, and so

[00:26:49] the factory has no connection to the product anymore. They've built it, they've made sure

[00:26:53] it meets safety standards and so on, and then that's it, and the supply chain for so many things

[00:26:58] works like that today because our consumer society, I suppose, has just built that up.

[00:27:03] And one thing that cyber brings in is that now you have to retain that connection back to the toaster,

[00:27:09] I mean the proverbial toaster, the washing machine or the car or whatever. Now there's a degree of

[00:27:13] management, and that's a big cultural shift for these manufacturers, I mean, and it has a huge

[00:27:18] cost implication, frankly, as well. So the whole way that they think about how they build these

[00:27:23] devices, how they sell them, how they look after them afterwards, there'll probably be reflections

[00:27:29] in the way in how we pay for them as well, because there's a burden there. So there's a lot

[00:27:34] to think about that steps well beyond the world of strictly cyber technology. It's a big transformation.

[00:27:41] And when I was doing a bit of research on you guys, you seem to be in so many different areas as

[00:27:45] well. I also came across, I think you did work with a leading UK high street bank, who we will keep

[00:27:51] nameless for the podcast's purposes, and I think you were working with them to enhance their cloud

[00:27:56] applications' digital transformation. Without naming them, are you able to share any insights from

[00:28:01] the experience and some of the implications for cyber security strategy as well? Naturally, with

[00:28:07] many of our clients, they prefer to remain nameless and we respect that. I mean,

[00:28:11] working with an organisation like a bank is fascinating because they are huge, and banks

[00:28:17] are actually pretty unique as a sector. I did a presentation to a banking interest group probably

[00:28:22] about six months ago, speaking about banks, and as a bit of a fun exercise I thought, how old is the

[00:28:28] average bank? And I went through Wikipedia and through corporate kind of

[00:28:32] information sites to figure out the big banks of the world. This was a global kind of exercise,

[00:28:38] and I forget the figures now, but many banks, so several banks, all the names that we

[00:28:45] know, HSBC and so on, are 150 years old, and some of them are 200 years old,

[00:28:52] and obviously big names in other countries like JPMorgan Chase, Morgan Stanley. We have

[00:28:57] banks over here, NatWest and other organisations like that, that we know are

[00:29:02] a product of several, that they were smaller banks before but now they've made mergers and acquisitions.

[00:29:07] So what you've got is these really old organisations which have handled people's money

[00:29:11] for decades, and their investments and other things, insurance and so on, for decades,

[00:29:16] and the systems, the processes, the frameworks and kind of regulatory side of what they do has been

[00:29:21] kind of set in stone and built up over those decades or those hundreds of years, and you've now got

[00:29:28] this world, very much like the consumer world, where everything's cloud, everything's instant, everything

[00:29:34] needs to be adapting. You have Facebook's "move fast and break things" philosophy, and so they're having

[00:29:40] to really, and they've been really grappling with, how on earth do we compete in this marketplace now,

[00:29:45] how do we stay relevant, how do we make our apps work well when we've got all these big bank systems,

[00:29:50] these big legacy older systems, we have to look after? And I think it is a huge challenge, but

[00:29:55] there are ways through. So, I mean, one of the big challenges that banks have is that

[00:29:59] they have lots of older systems, and hospitals are similar. They often have many older bits of kit

[00:30:05] that present big security risks. These are the sorts of things that they buy on a 20 year cycle. An MRI scanner,

[00:30:11] for example, which is the sort of typical scenario in a hospital, would be like an MRI scanner

[00:30:16] that only works, it has a computer that plugs into it, and it only works on Windows XP because that's

[00:30:20] what they had when they bought it, and they've spent hundreds of thousands of pounds on this MRI

[00:30:25] scanner. They can't just rip it out and replace it like you would a normal desktop PC. They have to really

[00:30:30] make the life of that product work. So the way that our approach applies to that is really

[00:30:35] helpful for them, because we find, well, actually, yeah, there are ways of managing that risk. It's not

[00:30:40] only about keeping everything up to date, because sometimes that's impossible, and the same applies

[00:30:44] to banking systems as well. The very innards and guts of banking conglomerates and banking systems

[00:30:50] are usually really old systems that stem back decades. Again, when I was out of uni, my first job out of

[00:30:55] uni was working on some of these systems. I saw them in the flesh, and they're very old, but they're

[00:31:00] very difficult and risky to move to other things. I mean, we all may remember the TSB kind of

[00:31:07] disaster, that was the TSB outage that happened in 2018 I think it was, when TSB split from

[00:31:14] Lloyds, which used to be Lloyds TSB as you remember, and became an independent bank, and then they built

[00:31:19] their own systems, and they had this cutover weekend where they thought, right, we're going to,

[00:31:23] they planned to migrate all of their customers from the old systems that they had when they

[00:31:28] were part of Lloyds onto their new TSB kind of fresh systems, and the whole thing was a disaster,

[00:31:34] and although, as later reports found, it wasn't something that TSB as an organization

[00:31:39] managed especially well, it is also partly the inherent risk of when you've got older systems, lots

[00:31:46] of data, you can't just move it all to a new system, click your fingers like this. There are huge risks

[00:31:51] involved, and yeah, so for us in the security sphere it's about, you're going to have older systems,

[00:31:57] that's kind of a given, how do we manage that? And that's partly where our threat modeling and

[00:32:01] so on comes in. That's where they find us really adding value. And for saying this is a tech

[00:32:06] podcast, we've done remarkably well here. We've hit 40 minutes without mentioning AI, but it is a big

[00:32:11] topic now. I'm going to give you the opportunity, I'll set you up for this one. Are there any trends

[00:32:17] or emerging threats that you believe businesses should be most aware of, or how they could adapt

[00:32:22] to stay protected? You're right, I thought you'd have mentioned AI sooner, but you've restrained yourself

[00:32:26] remarkably well. In all that, maybe I have to, I mean, yeah, I mean AI is obviously the big thing at

[00:32:32] the moment. The funny thing about cyber is that trends come and go in the public

[00:32:38] consciousness, but of course they take a long time to work out, so for many bigger organizations

[00:32:42] they're still grappling with cloud, even though cloud's been around for ages, and some of the big trends

[00:32:47] that are still going on in the enterprise sector are how do we make cloud work for us and so on.

[00:32:52] So that's still very prominent and it has its own, sort of, its own ebbs and flows, into the

[00:32:59] cloud, out of the cloud and so on. But yeah, certainly the big topic of the moment is AI and how

[00:33:04] it's taking the world by storm, and AI poses, I mean there's no two ways to say it, AI does pose huge

[00:33:13] threats. It also poses huge opportunities, so I'm absolutely not going to be the person who sits here

[00:33:18] and says you must never do AI because it's got some risks. The nature of those are all down to

[00:33:23] where it's used and how it's used. About a year ago people were saying to me, Jonny, what would you

[00:33:29] say about AI and cyber? And what I used to say about them was that AI is fine

[00:33:35] as long as it's not, as long as you don't give it privileges. So if you think about, and what I mean by

[00:33:41] that, if you think about an analogy, the best analogy is that kind of drones. If you have a

[00:33:45] drone but it's still flown by a human pilot, ignoring all the issues of line of sight and so on

[00:33:52] for a minute, but if it's flown by a human pilot then essentially it's still conceptually

[00:33:57] the same as what we used to do. But as soon as you give a drone the ability to fly itself, then a

[00:34:02] whole host of issues start to come up around, if it gets hacked, if the software has a bug, if the

[00:34:07] drone encounters a situation which it wasn't programmed to handle. When you're talking about military drones,

[00:34:11] there's all sorts of difficult issues from, I mean, from a legal perspective but also from an ethical

[00:34:16] perspective, about if a machine decides of its own sort of power to fire a weapon

[00:34:22] and that weapon kills someone. Those are really difficult issues. And with AI, zooming back to our

[00:34:28] kind of business context, well, hopefully that won't be the case, but AI, if you are giving AI

[00:34:32] the power to do things on your behalf as a business, then that's where the risks start to open

[00:34:38] up. So there is a story that I think has been well publicized about how a car manufacturer in the US put

[00:34:43] AI on their website, and it was kind of a help bot, but it was part of their sales website, so it was

[00:34:48] the same website that they sold cars through, and you could chat with the bot in order to arrange to buy

[00:34:53] a car once you'd looked around it, and you could ask lots of questions about fuel economy and about

[00:34:57] features and all the rest of it, and someone managed to trick the AI into selling them a car

[00:35:02] for one dollar. And of course, if you trick a salesperson into doing that, I mean,

[00:35:07] probably a human salesperson wouldn't do that because they would realize their job was on the line,

[00:35:11] but also to go around and do that, you can only do that so many times. With an AI on a website

[00:35:17] you could do that a million times perhaps before it's been picked up. So that's kind of where the

[00:35:21] risk is, that now you've got a big scalability thing about the trickery that you can pull off

[00:35:26] that just wasn't there before. The other big thing about AI, of course, is that it's a tool which

[00:35:29] is used by the bad guys as well as the good guys. So for a long time we have in the cyber

[00:35:35] industry had vendors talking about using AI in their defenses, so systems that will use AI to detect

[00:35:40] hackers in their networks, to use AI to detect ransomware before it can really encrypt at scale

[00:35:46] and so on. But of course the hackers are using AI as well. The phishing emails that you'll get

[00:35:50] through now are much more convincing because of AI. They don't have grammatical mistakes anymore,

[00:35:55] they tend to use much better tailored language, because now the hackers can do that at scale just like

[00:36:00] the defenders can. So it is creating, or rather it's accelerating, a bit of an arms race in the

[00:36:06] cyber sphere, and I think, well, we can only speculate about where that ends, but it does create

[00:36:12] its own risks. Now, a question I've got to ask you. We've talked about so much today, and the average

[00:36:17] business leader is overwhelmed and feels daunted by the amount of challenges that they're facing.

[00:36:22] How do you self-educate? How do you keep up to speed with all these changes?

[00:36:26] Yeah, it's a really good question. I mean, well, podcasts are a great way of keeping

[00:36:31] abreast of things. That's definitely become true. If I'm driving between offices, driving to a client

[00:36:37] or whatever, podcasts are a great way to make use of that time in the car. Even when I used to hold phone

[00:36:42] calls in the car, in some of the areas around where I am here there's some fairly big signal black

[00:36:46] spots, but you can still listen to a podcast, so podcasts really help. The other thing that I

[00:36:51] really find useful is books. I always try to have a fiction book on the go all the time if I can,

[00:37:02] which isn't really related to new learning, but we can go back to that, and

[00:37:06] then I always try to have a nonfiction book on the go as well, and it's typically a business

[00:37:10] book. Sometimes it will be, many years ago this book was about threat modeling and about

[00:37:13] cyber liability engineering, which are all important topics in our industry, but many more about,

[00:37:19] yeah, running businesses well, scaling teams, thinking about the challenges our customers have as

[00:37:23] well. And one thing, one hack actually, that your listeners might appreciate, that I picked up from a

[00:37:29] book recently is using different mediums for the same book. So this guy published his book and he

[00:37:35] had an ebook, yeah, but he also had a sort of training course equivalent which was available in video

[00:37:42] format. It wasn't on YouTube, but it was in video format you could get access to if you had the book,

[00:37:46] and the brilliant thing about that was that you were using two different sides of your brain to

[00:37:51] educate yourself in the same material. So I could read a chapter in the book and I could watch the video

[00:37:56] and I'd be kind of reinforcing that memory and that knowledge, and of course inevitably

[00:38:01] the content you get is very slightly different, so it's not just the trodden path,

[00:38:05] you're feeling your way around the trodden path. So that I found a really useful hack, and so

[00:38:09] you can apply the same to having a book that you read and an audio book equivalent, for example.

[00:38:13] I found that really helpful. Well, I think that's incredibly cool. I'll be checking that out and how we

[00:38:18] can leverage that. But before I let you go, we've covered so much in a short amount of time today.

[00:38:23] For anyone listening just wanting to find out more information about anything, maybe contact

[00:38:28] you or your team, learn more about Threatplane, where would you send them? Well, the first place

[00:38:32] I'd send them is threatplane.com. We've got a website there, so Threatplane is threat and then

[00:38:38] plane is PLA, and you can go to threatplane.com, find out about what we do, you can get in touch.

[00:38:44] A big part of what we do is trying to be human in cyber, and part of that is making ourselves

[00:38:49] available, so you can always hit me up on LinkedIn, send me a message, and it might take me a few days

[00:38:53] but I'll definitely endeavor to get back to you. And yeah, we're also on LinkedIn, you can follow us

[00:38:59] there. We regularly release content, as you'd expect, videos and audio snippets for people to stay

[00:39:06] up to date, so yeah, do follow us there as well. Well, I'll add links to that so people can find you

[00:39:11] nice and easily, and as we said at the very beginning of the podcast, cyber does have an explainability

[00:39:17] problem, but I think today we've been able to get around talking about complex things such as

[00:39:22] cyber security, connecting the business case to technology, how we can fix our explainability

[00:39:28] problem, talk about threat modeling and some of the other different areas in a language that everyone

[00:39:33] could understand. So Jonny, a big thank you for doing that today, sharing your insights. It is

[00:39:37] a skill to be able to do that, so thank you so much for sparing your time to talk with me today.

[00:39:43] Absolutely, my pleasure. I think it's clear that the labyrinth of cyber security is not about

[00:39:48] navigating through the dark, it's about illuminating the path, illuminating it with knowledge, strategy

[00:39:55] and continuous evolution, and Jonny's personal transformation from hacker to protector I think

[00:40:01] underscores a vital narrative in this digital age: understanding the enemy within to fortify the

[00:40:07] defenses and safeguard our digital existence. And through threat modeling, Jonny has illustrated

[00:40:12] a powerful bridge today, connecting the abstract complexities of cyber security to the tangible

[00:40:19] needs of a business strategy, thereby solving the pervasive explainability problem. And his story

[00:40:25] about aiding a UK high street bank's transformation I think also further peels back the layers on

[00:40:30] the real world application and the impact of strategic cyber security. So how will you apply

[00:40:37] Jonny's insights to your own cyber security strategy? How can threat modeling reshape your approach

[00:40:43] to digital defense? Please share your thoughts with me: techblogwriter@outlook.com, Twitter,

[00:40:49] LinkedIn, Instagram, just @NeilCHughes, and let's continue to explore and debunk myths in the tech

[00:40:56] landscape one episode at a time. And remember, in the world of cyber security knowledge is not

[00:41:03] just power, it's protection, so let's keep this conversation going, learn from our past to secure

[00:41:11] and on that note, thank you for listening as always, and until next time, don't be a stranger.