In this episode, I talk with Siroui Mushegian, Chief Information Officer at Barracuda Networks, to explore the current state of cybersecurity and its growing importance for businesses. With over 20 years of leadership experience spanning organizations like Ralph Lauren, the NBA, and PBS, Siroui shares her valuable perspective on how companies can navigate the complexities of IT security across various industries.
We dive into Barracuda's CIO report, "Leading Your Business Through Cyber Risk," which reveals concerning statistics: over half of companies struggle to implement consistent security policies, and only 43% are confident in managing cyber risks effectively. Siroui provides insight into the governance challenges that often hinder organizations, including inconsistent policy enforcement, securing third-party access, and addressing vulnerabilities in supply chains.
Siroui outlines practical steps businesses can take to better prepare for, respond to, and recover from cyber incidents. From building stronger governance structures to ensuring executive buy-in for security initiatives, she offers actionable strategies to enhance cyber resilience.
[00:00:03] [SPEAKER_00]: How prepared is your organization in navigating the ever-evolving landscape of cyber threats?
[00:00:12] [SPEAKER_00]: Well, today I'm going to take you on a journey and together we're going to dive into the
[00:00:16] [SPEAKER_00]: heart of cybersecurity governance.
[00:00:19] [SPEAKER_00]: My guest today is the CIO at Barracuda Networks, and she's got over two decades of IT leadership
[00:00:28] [SPEAKER_00]: that spans across wide industries from fashion to sports and public broadcasting.
[00:00:35] [SPEAKER_00]: And she also brings a wealth of experience to her role, guiding businesses through the
[00:00:39] [SPEAKER_00]: complexities of cybersecurity in this digital first world that we all find ourselves.
[00:00:46] [SPEAKER_00]: So today she's going to be sharing her insights on the current state of cybersecurity.
[00:00:51] [SPEAKER_00]: We're going to discuss the critical governance challenges organizations face today and talk
[00:00:57] [SPEAKER_00]: about everything from inconsistent security policies to the intricacies of third-party
[00:01:02] [SPEAKER_00]: access and supply chain vulnerabilities, but also offer a comprehensive view of the risks
[00:01:09] [SPEAKER_00]: that can undermine your organization's cyber resilience.
[00:01:13] [SPEAKER_00]: If we've got time, I also want to explore the findings from Barracuda's latest CIO
[00:01:17] [SPEAKER_00]: report, which reveals some pretty worrying stats such as over half of organizations are
[00:01:24] [SPEAKER_00]: struggling to implement consistent company-wide security policies, and also a worrying fact
[00:01:31] [SPEAKER_00]: that only a minority out there feel confident in their ability to manage cyber risks effectively.
[00:01:37] [SPEAKER_00]: So are you ready to learn how your business can better prepare for, withstand, and recover
[00:01:44] [SPEAKER_00]: from a cyber incident?
[00:01:46] [SPEAKER_00]: Well today I invite you to join me and my guest as together we're going to uncover practical
[00:01:51] [SPEAKER_00]: strategies and resources that can help you and your organization build a robust resilience framework.
[00:01:59] [SPEAKER_00]: Before we get today's guest on, I want to talk about the fact that defense contractors
[00:02:03] [SPEAKER_00]: face immense pressure to comply with something called CMMC 2.0 security standards, and finding
[00:02:10] [SPEAKER_00]: a secure, easy-to-use file sharing solution meeting those guidelines can be a major challenge.
[00:02:16] [SPEAKER_00]: The federal government and federal systems integrators supporting the Department of Defense
[00:02:21] [SPEAKER_00]: have similar compliance requirements for improving cybersecurity and data protection too.
[00:02:26] [SPEAKER_00]: So if you are an IT admin in the defense sector, if you are tired of juggling complex
[00:02:31] [SPEAKER_00]: security solutions, Kiteworks offers a game-changing approach to CMMC 2.0 compliance because their
[00:02:38] [SPEAKER_00]: centralized policy management simplifies administration across the entire platform.
[00:02:42] [SPEAKER_00]: So upgrade to Kiteworks and experience the perfect blend of security and simplicity.
[00:02:48] [SPEAKER_00]: So if you're interested in accelerating your CMMC 2.0 compliance and begin addressing federal
[00:02:54] [SPEAKER_00]: zero-trust requirements with Kiteworks' universal secure file sharing platform made for defense
[00:03:00] [SPEAKER_00]: contractors, simply visit kiteworks.com to get started.
[00:03:04] [SPEAKER_00]: But now it's time to return to our regularly scheduled programming and welcome today's
[00:03:08] [SPEAKER_00]: guest onto the mic.
[00:03:11] [SPEAKER_00]: So buckle up and hold on tight as I beam your ears all the way to Las Vegas, Nevada, where
[00:03:18] [SPEAKER_00]: today you can sit down with myself and also leverage the expertise of the CIO of Barracuda
[00:03:24] [SPEAKER_00]: Networks.
[00:03:25] [SPEAKER_00]: So a massive warm welcome to the show.
[00:03:29] [SPEAKER_00]: Can you tell everyone listening a little about who you are and what you do?
[00:03:33] [SPEAKER_01]: Yes, indeed.
[00:03:34] [SPEAKER_01]: Thank you, Neil, for having me.
[00:03:35] [SPEAKER_01]: It's wonderful to be part of this podcast.
[00:03:38] [SPEAKER_01]: So my name is Siroui Mushegian, and my career has led me from all kinds of walks of life
[00:03:45] [SPEAKER_01]: from media to sports to luxury fashion and beyond that.
[00:03:50] [SPEAKER_01]: Today I have the pleasure of being Barracuda Networks CIO.
[00:03:55] [SPEAKER_01]: I lead many areas from infrastructure and operations to enterprise data and business
[00:04:01] [SPEAKER_01]: systems and so much more.
[00:04:03] [SPEAKER_01]: I'm really excited today to talk about governance challenges that companies and enterprises
[00:04:10] [SPEAKER_01]: are facing in managing their cyber risk.
[00:04:13] [SPEAKER_01]: So that's a bit about me.
[00:04:16] [SPEAKER_00]: Wow, amazing.
[00:04:17] [SPEAKER_00]: It's fantastic to have you on the podcast today, especially because of your backstory
[00:04:22] [SPEAKER_00]: there and being involved in so many different industries.
[00:04:25] [SPEAKER_00]: I think that is so important.
[00:04:26] [SPEAKER_00]: But ultimately, every business is a tech business now.
[00:04:30] [SPEAKER_00]: And I'm curious, as a CIO, how do you see the role of a CIO evolving in the context
[00:04:37] [SPEAKER_00]: of today's heightened cyber risk environment, the arrival of AI and so much else going on
[00:04:43] [SPEAKER_00]: there?
[00:04:43] [SPEAKER_00]: How do you see this role evolving?
[00:04:46] [SPEAKER_01]: It's so interesting to have been involved in tech for as long as I have.
[00:04:51] [SPEAKER_01]: Sorry, we were chatting earlier from the East Coast to the West Coast between.
[00:04:56] [SPEAKER_01]: And I've seen the role of both cybersecurity evolve, but the CIO as well, of course.
[00:05:04] [SPEAKER_01]: And it used to be long ago that it was just kind of like the standard issue, operations,
[00:05:12] [SPEAKER_01]: helping the enterprise from a technology point of view, kind of like who has what systems
[00:05:18] [SPEAKER_01]: and how are they operating and running and what software is necessary.
[00:05:23] [SPEAKER_01]: But now you've got to add to your remit, seeing around corners.
[00:05:28] [SPEAKER_01]: So you need to make sure that you've got your perimeters locked down and as tight as possible.
[00:05:37] [SPEAKER_01]: You have to have very tight controls.
[00:05:39] [SPEAKER_01]: You have to make sure that the best of breed tools for your enterprise and your ability
[00:05:46] [SPEAKER_01]: is used for cyber protection and detection.
[00:05:50] [SPEAKER_01]: You have to make sure that you've got a really good, robust training program for cybersecurity
[00:05:57] [SPEAKER_01]: so that your end users understand the what's in it for them.
[00:06:02] [SPEAKER_01]: You have to make sure that your awareness remains high.
[00:06:04] [SPEAKER_01]: You've got to stay in the news.
[00:06:07] [SPEAKER_01]: You've got to be aware of what's happening out there with the cyber bad guys and
[00:06:10] [SPEAKER_01]: understand how AI can play a part in that.
[00:06:14] [SPEAKER_01]: AI is making you, the cybersecurity practitioner, the royal we, much more capable and able to handle
[00:06:23] [SPEAKER_01]: the onslaught of what's coming at us.
[00:06:26] [SPEAKER_01]: But what it's also doing is it's improving the skill sets of the bad guys at the same time.
[00:06:33] [SPEAKER_01]: So that makes it a little... That's a double-edged sword about AI that we're trying to manage right
[00:06:39] [SPEAKER_01]: now.
[00:06:40] [SPEAKER_01]: So that, in addition to managing incident response, making sure that you've got strong
[00:06:46] [SPEAKER_01]: business continuity and disaster recovery plans, and all kinds of the other... All the other
[00:06:54] [SPEAKER_01]: practice lines and structures that you need to build in order to have a robust cybersecurity
[00:07:00] [SPEAKER_01]: program, those are all now part and parcel of the daily diet of a CIO.
[00:07:05] [SPEAKER_01]: So it's no longer just sort of the regular operations, but it's all that other stuff as well.
[00:07:12] [SPEAKER_00]: And you're so right in everything you said there, and especially around the news,
[00:07:15] [SPEAKER_00]: because I think we're seeing high-profile breaches every week.
[00:07:19] [SPEAKER_00]: We know that... Every business knows that they need to have a proactive rather than
[00:07:24] [SPEAKER_00]: a reactive approach to cyber.
[00:07:26] [SPEAKER_00]: They need to train their staff better to finally retire that horrible blame game and phrase that,
[00:07:31] [SPEAKER_00]: hey, employees are the weakest link in security.
[00:07:34] [SPEAKER_00]: Then we've got good AI versus bad AI.
[00:07:37] [SPEAKER_00]: Well, on the flip side of all that stuff that we know, over half of organizations are struggling
[00:07:43] [SPEAKER_00]: to implement consistent security policies.
[00:07:46] [SPEAKER_00]: So I've got to ask, what do you believe are the key obstacles in helping businesses achieve
[00:07:52] [SPEAKER_00]: that consistency needed to offer that robust protection?
[00:07:57] [SPEAKER_01]: Yes, you are so right.
[00:07:59] [SPEAKER_01]: Well, to implement these policies, because the biggest thing that I see, and I've seen
[00:08:04] [SPEAKER_01]: not just where I am today, but across my career, is this perceived convenience or inconvenience
[00:08:12] [SPEAKER_01]: of establishing these security policies.
[00:08:16] [SPEAKER_01]: So for example, if you want to put some sort of just-in-time access as part of your security
[00:08:22] [SPEAKER_01]: policies, and you've got some engineers that are used to having full admin rights for everything,
[00:08:30] [SPEAKER_01]: and all of a sudden you lock something down a little bit at a time or a lot or whatever
[00:08:36] [SPEAKER_01]: the case may be, that is going to be perceived as inconvenient.
[00:08:41] [SPEAKER_01]: So humans are interesting because they'll try to work around all of that stuff that
[00:08:46] [SPEAKER_01]: you try to put in place to keep everything safe and sound.
[00:08:50] [SPEAKER_01]: And so going back to how can you get past that, it's about creating awareness.
[00:08:59] [SPEAKER_01]: So you have to make sure that you've got your stories ready to go, that you have people
[00:09:07] [SPEAKER_01]: feeling like they've got their skin in the game, that they're part of creating
[00:09:13] [SPEAKER_01]: the security posture of your entire company.
[00:09:17] [SPEAKER_01]: And the operations that they do in their daily work, they've got to make sure that they
[00:09:23] [SPEAKER_01]: are careful and that they follow the policies and procedures that you are laying down before
[00:09:29] [SPEAKER_01]: them because they hopefully, as you have gone to the trouble of educating them, understand
[00:09:35] [SPEAKER_01]: why it is that that's happening.
[00:09:36] [SPEAKER_01]: So you've got to have educational programs, training like we talked about.
[00:09:44] [SPEAKER_01]: And then on top of that, you layer in the places where executives may not understand
[00:09:51] [SPEAKER_01]: the importance of these policies.
[00:09:52] [SPEAKER_01]: So sometimes not having the top-down approach and support can create friction and a struggle.
[00:10:00] [SPEAKER_01]: So you make sure that you've got your communication plans on all angles for all levels, because
[00:10:07] [SPEAKER_01]: that's really going to help you.
[00:10:09] [SPEAKER_01]: Create a what's in it for them scenario.
[00:10:12] [SPEAKER_01]: Try to expand on the power of and.
[00:10:15] [SPEAKER_01]: Can we go fast and be safe rather than can we go fast or be safe?
[00:10:21] [SPEAKER_01]: Implementing passwordless mechanisms can be sometimes more efficient and secure.
[00:10:26] [SPEAKER_01]: So you give them a little bit of a give and you have a little bit of take where, you know,
[00:10:31] [SPEAKER_01]: maybe you're providing some additional lockdown of some admin access or so on.
[00:10:37] [SPEAKER_01]: And then people tend to understand that the communication must be strong and you can't
[00:10:43] [SPEAKER_01]: discount the importance of it.
[00:10:46] [SPEAKER_00]: And one of the reasons I was excited to invite you on the podcast today was after reading
[00:10:51] [SPEAKER_00]: a quite frightening stat from Barracuda's CIO report that highlighted only 43 percent
[00:10:57] [SPEAKER_00]: of organizations out there are actually confident in their ability to manage cyber risk.
[00:11:03] [SPEAKER_00]: So frightening stat, but did that surprise you?
[00:11:06] [SPEAKER_00]: And what steps can businesses take to maybe boost that confidence and boost that figure
[00:11:12] [SPEAKER_00]: for next year's report?
[00:11:13] [SPEAKER_01]: That's a good question to ask.
[00:11:16] [SPEAKER_01]: What did I think of that statistic?
[00:11:18] [SPEAKER_01]: And because I have come from so many different walks of life, meaning, you know, like I've
[00:11:24] [SPEAKER_01]: worked at companies that are pretty big, came from Ralph Lauren.
[00:11:29] [SPEAKER_01]: I've worked at the NBA and I've also worked at a non...
[00:11:33] [SPEAKER_01]: I've worked in nonprofit.
[00:11:35] [SPEAKER_01]: So I worked in public media for PBS in New York City.
[00:11:38] [SPEAKER_01]: And I've seen the spectrum of places where you've got a large reserve of budget to help
[00:11:48] [SPEAKER_01]: you put forward an amazing cybersecurity program.
[00:11:52] [SPEAKER_01]: And I've been in situations myself personally, where I am trying to find budget from every
[00:11:59] [SPEAKER_01]: corner of the pocketbook to create a cybersecurity posture and program.
[00:12:07] [SPEAKER_01]: And so it wasn't that big of a surprise to me to see that statistic.
[00:12:13] [SPEAKER_01]: 43 percent, that's under half, obviously.
[00:12:16] [SPEAKER_01]: But you just kind of have to say to yourself, okay, these companies, thankfully, they're
[00:12:22] [SPEAKER_01]: being honest about how they're seeing themselves.
[00:12:27] [SPEAKER_01]: And we had almost 2000 respondents and the respondents were people not just like off
[00:12:35] [SPEAKER_01]: the street types of people.
[00:12:36] [SPEAKER_01]: These were the CIOs of the companies that responded typically.
[00:12:40] [SPEAKER_01]: So we feel very confident in these statistics that we're working with here.
[00:12:47] [SPEAKER_01]: But what can people do?
[00:12:49] [SPEAKER_01]: The question is, what can you do to boost this confidence?
[00:12:53] [SPEAKER_01]: So we were talking about communication with executive stakeholders.
[00:12:59] [SPEAKER_01]: That's to me, one of the key components of getting yourself in a better spot.
[00:13:07] [SPEAKER_01]: Because as we're saying, budget can be a factor.
[00:13:11] [SPEAKER_01]: So having a cybersecurity program doesn't come for free.
[00:13:15] [SPEAKER_01]: I mean, it's not free 99 out there.
[00:13:17] [SPEAKER_01]: You can't do everything on a shoestring.
[00:13:20] [SPEAKER_01]: And you do need to have your executive management understand the importance of having a cybersecurity
[00:13:26] [SPEAKER_01]: program.
[00:13:27] [SPEAKER_01]: And by the way, this is, as I said, on a spectrum.
[00:13:31] [SPEAKER_01]: If you're a smaller company, the same thing applies.
[00:13:34] [SPEAKER_01]: Larger companies, same thing.
[00:13:36] [SPEAKER_01]: But obviously, it's a sliding scale.
[00:13:39] [SPEAKER_01]: So having a narrative that explains all of the issues that can arise if you do nothing
[00:13:47] [SPEAKER_01]: is really important.
[00:13:49] [SPEAKER_01]: Finding incidents out there that have caused companies that are similar to your own,
[00:13:55] [SPEAKER_01]: that have caused issues can help resonate your message forward.
[00:14:03] [SPEAKER_01]: And then if your budget is constrained, how can you manage around that?
[00:14:09] [SPEAKER_01]: There are lots of resources out there.
[00:14:13] [SPEAKER_01]: You can also, if you're in a situation where you're a fractional CIO or a fractional CISO,
[00:14:19] [SPEAKER_01]: you can leverage things like CISA. CISA has a program where they will run a free tabletop
[00:14:30] [SPEAKER_01]: exercise for your company.
[00:14:33] [SPEAKER_01]: You can leverage all the toolkits that are available on the NIST site, and so on and so
[00:14:39] [SPEAKER_01]: forth.
[00:14:39] [SPEAKER_01]: There's just a ton of resources out there to help you establish processes and procedures
[00:14:44] [SPEAKER_01]: so that you can boost the confidence and boost your cybersecurity program internally.
[00:14:51] [SPEAKER_01]: So there's a lot of stuff you can do that is free.
[00:14:55] [SPEAKER_01]: Sometimes training programs can just be about the amount of effort that you put in.
[00:15:00] [SPEAKER_01]: Developing a risk register, that's something that you can follow processes to create on
[00:15:05] [SPEAKER_01]: your own.
[00:15:06] [SPEAKER_01]: And then having that risk register available so that you can review it with your board
[00:15:11] [SPEAKER_01]: regularly.
[00:15:12] [SPEAKER_01]: That goes into helping you garner support for budgets maybe in the future, but at least
[00:15:18] [SPEAKER_01]: awareness.
[00:15:19] [SPEAKER_00]: And boosting security in any organization of any size is also heavily reliant on so many
[00:15:26] [SPEAKER_00]: external factors as well, which we don't talk about enough.
[00:15:30] [SPEAKER_00]: So I'm curious, what governance challenges do you see organizations facing when managing
[00:15:35] [SPEAKER_00]: so many different areas from third-party access and supply chain security?
[00:15:39] [SPEAKER_00]: There's a lot going on there.
[00:15:41] [SPEAKER_00]: It's not as simple as what's going on in my organization.
[00:15:44] [SPEAKER_00]: It stretches far and wide, doesn't it?
[00:15:46] [SPEAKER_01]: It sure does.
[00:15:47] [SPEAKER_01]: When you say those things, when you talk about third-party access and supply chains, we're
[00:15:54] [SPEAKER_01]: talking about the attack surface of your company.
[00:15:58] [SPEAKER_01]: And sometimes people don't really understand what that means.
[00:16:02] [SPEAKER_01]: But if you think about it in terms of the number of tools and applications, SaaS apps
[00:16:09] [SPEAKER_01]: mostly in this day and age, that make up your portfolio of tools that help run your company,
[00:16:17] [SPEAKER_01]: and you think to yourself, oh, it's not just my Google Docs or Word or Excel or whatever,
[00:16:24] [SPEAKER_01]: like Zoom.
[00:16:25] [SPEAKER_01]: It's so much more than that.
[00:16:28] [SPEAKER_01]: Oftentimes, companies have hundreds, hundreds, like a few hundred applications that are in
[00:16:36] [SPEAKER_01]: use at any given time that are making up the portfolio of tools that people are using to
[00:16:42] [SPEAKER_01]: get their jobs done.
[00:16:44] [SPEAKER_01]: And wouldn't you know that most of the time, the IT people like myself don't know about
[00:16:51] [SPEAKER_01]: all of them?
[00:16:53] [SPEAKER_01]: And so that's really where things get scary.
[00:16:56] [SPEAKER_01]: And to go to your question about governance challenges, if you don't have a whole procedure
[00:17:04] [SPEAKER_01]: and policy that has been communicated outward to your constituents and employees, they'll
[00:17:12] [SPEAKER_01]: continue to use freeware or they'll continue to log into various applications, maybe with
[00:17:20] [SPEAKER_01]: a personal email account, or they'll use the free version of something that doesn't
[00:17:26] [SPEAKER_01]: have the security protocols that you need it to in order for it to be at least at a
[00:17:31] [SPEAKER_01]: safe level for your environment.
[00:17:34] [SPEAKER_01]: But that's just the baseline.
[00:17:38] [SPEAKER_01]: What you're missing without having a full process and procedure is the ability to review
[00:17:45] [SPEAKER_01]: all of these applications, tools, vendors that are part of your ecosystem.
[00:17:51] [SPEAKER_01]: And by having a review that lets you take a look at what types of companies you are
[00:17:57] [SPEAKER_01]: allowing to be part of your infrastructure.
[00:18:01] [SPEAKER_01]: And just like you as a cybersecurity practitioner are trying your level best to be as safe and
[00:18:08] [SPEAKER_01]: secure as possible, you are leveraging to help run your business to have the same frame
[00:18:17] [SPEAKER_01]: of mind.
[00:18:18] [SPEAKER_01]: So doing these vendor assessments that are part of this process of governance for third
[00:18:25] [SPEAKER_01]: parties and supply chain is super important because that's going to allow you to check
[00:18:30] [SPEAKER_01]: to see what kind of cybersecurity standards these companies have.
[00:18:35] [SPEAKER_01]: Do they have the right types of attestations that are important for you?
[00:18:40] [SPEAKER_01]: What types of internal controls do they have?
[00:18:43] [SPEAKER_01]: And those are the types of things that you want to be able to know about before you onboard
[00:18:49] [SPEAKER_01]: any vendor or application.
[00:18:51] [SPEAKER_01]: And then once you do that, you want to do the rinse and repeat where you're regularly
[00:18:56] [SPEAKER_01]: going back and reviewing the portfolio of vendors and tools that you have in your enterprise.
[00:19:04] [SPEAKER_01]: But that's just the tip of the iceberg.
[00:19:07] [SPEAKER_01]: It's really about having the policies, the procedures, and then going back to this theme
[00:19:14] [SPEAKER_01]: of communication, making sure that people understand why it is important that they are
[00:19:20] [SPEAKER_01]: part of this process, that they don't try to go in the back door to start using something
[00:19:25] [SPEAKER_01]: that you don't know about that you can't control.
[00:19:29] [SPEAKER_00]: And if I go back 10 years, there was always a fear that in IT, especially that fear that
[00:19:35] [SPEAKER_00]: in the boardroom, they didn't always see the value in something that might happen or might
[00:19:40] [SPEAKER_00]: not happen, especially when looking at the ROI of cybersecurity.
[00:19:44] [SPEAKER_00]: We all know that value, of course, but not everyone could see it.
[00:19:46] [SPEAKER_00]: So in your experience, has that attitude changed?
[00:19:50] [SPEAKER_00]: And what role do you see management support playing in successful implementation of these
[00:19:56] [SPEAKER_00]: company-wide security policies that are desperately needed?
[00:20:00] [SPEAKER_01]: Management participation and understanding
[00:20:02] [SPEAKER_01]: is paramount to the success in my experience.
[00:20:07] [SPEAKER_01]: And across all of my friends and compatriots who sit in this role with me, who I know far
[00:20:15] [SPEAKER_01]: and wide, they will tell you that without executive sponsorship and understanding, it's
[00:20:21] [SPEAKER_01]: very difficult to have successful implementation of company-wide policies.
[00:20:27] [SPEAKER_01]: Because the top-down approach is really what's going to help supply that extra oomph that
[00:20:33] [SPEAKER_01]: you need.
[00:20:33] [SPEAKER_01]: The bottom-up is okay, but you've got to have the top-down as well.
[00:20:38] [SPEAKER_01]: So having them understand is really important.
[00:20:42] [SPEAKER_01]: We've talked about that a little bit earlier throughout our podcast so far.
[00:20:46] [SPEAKER_01]: But digging in more deeply, you're asking, have I seen a shift?
[00:20:51] [SPEAKER_01]: And I have.
[00:20:52] [SPEAKER_01]: I've seen even publicly traded companies, non-publicly traded companies, you've got a
[00:21:00] [SPEAKER_01]: board regardless that is typically, thankfully, usually made up of people who are also operating
[00:21:09] [SPEAKER_01]: an audit board perhaps, or there's a cybersecurity committee that's
[00:21:14] [SPEAKER_01]: kind of a subset of the board.
[00:21:17] [SPEAKER_01]: And they're looking at the policies and procedures that you have across your company.
[00:21:24] [SPEAKER_01]: A lot of this is dictated by the various government requirements that are coming down, whether
[00:21:32] [SPEAKER_01]: or not you live in the UK, or you live in the United States, or anywhere else, there
[00:21:36] [SPEAKER_01]: are new requirements that are important that all companies, regardless of whether or not
[00:21:42] [SPEAKER_01]: you're publicly traded, or you're small in size, but they have to follow and comply
[00:21:47] [SPEAKER_01]: with.
[00:21:48] [SPEAKER_01]: So I'm starting to see a real shift because you've got to have understanding.
[00:21:55] [SPEAKER_01]: So I'm seeing that the boards are now up leveling themselves to more and deeper understanding.
[00:22:02] [SPEAKER_01]: But of course, it's still our responsibility to help underpin that with consistent messaging
[00:22:08] [SPEAKER_01]: and just continuing to bring them in closer to the message.
[00:22:12] [SPEAKER_00]: And I think we often hear about the financial implications of a cyber breach, but I've seen
[00:22:18] [SPEAKER_00]: so many different stories that also talk about the reputational impacts that can go on for
[00:22:23] [SPEAKER_00]: a number of years.
[00:22:24] [SPEAKER_00]: So how do you approach the task of preparing an organization to not just withstand, but
[00:22:30] [SPEAKER_00]: also recover from a significant cyber incident?
[00:22:32] [SPEAKER_01]: So I love this question because the answer is a few things, but one that I want to highlight
[00:22:42] [SPEAKER_01]: is the importance of conducting regular tabletop exercises.
[00:22:47] [SPEAKER_01]: And what that means is getting together all of the executive stakeholders or everybody
[00:22:54] [SPEAKER_01]: that is listed in your incident response plan, sitting them around a table, either in person
[00:23:01] [SPEAKER_01]: or virtually, or a combination of those two things.
[00:23:04] [SPEAKER_01]: And you're going through a mock incident.
[00:23:07] [SPEAKER_01]: You're actually taking it from the very beginning seedlings of something happening all the way
[00:23:13] [SPEAKER_01]: to your recovery steps.
[00:23:15] [SPEAKER_01]: And every single person that's in that room with you is having some level of responsibility
[00:23:21] [SPEAKER_01]: and accountability to ensuring that that incident has gotten to a resolution state.
[00:23:28] [SPEAKER_01]: So making sure that you run these regularly helps elevate the understanding of what people
[00:23:35] [SPEAKER_01]: have to be aware of and be prepared to handle when something comes at you.
[00:23:42] [SPEAKER_01]: And the one that I like to call out a lot of times is your communications person.
[00:23:48] [SPEAKER_01]: Typically, your communications person is not in the technology area.
[00:23:52] [SPEAKER_01]: They're usually part of HR, marketing, or some other team like that.
[00:23:59] [SPEAKER_01]: Those are the folks that are going to have to...
[00:24:02] [SPEAKER_01]: Heaven forbid you get to a state where you have to do this, but they're the ones who are
[00:24:06] [SPEAKER_01]: going to have to write a press release, for example.
[00:24:09] [SPEAKER_01]: And if they are unpracticed at that, that's something that you're going to have to struggle
[00:24:14] [SPEAKER_01]: with in the midst of dealing with an incident where if you already had that as an understood
[00:24:19] [SPEAKER_01]: item as part of the process of dealing with an incident, you wouldn't have to spend so
[00:24:26] [SPEAKER_01]: much time over on that.
[00:24:28] [SPEAKER_01]: So I think preparing your organization with running these tabletops, it seems like such
[00:24:34] [SPEAKER_01]: a small thing to do because it's a pretend incident, but pick something that could be
[00:24:40] [SPEAKER_01]: real.
[00:24:41] [SPEAKER_01]: Don't pick something like martians landed outside.
[00:24:45] [SPEAKER_01]: Pick something that could really happen to you and run that to ground.
[00:24:52] [SPEAKER_01]: Make sure that you've really looked at all angles of that particular incident,
[00:24:57] [SPEAKER_01]: and it will definitely spark a lot of thought across every area of all of the people that
[00:25:04] [SPEAKER_01]: are sitting there at that table.
[00:25:06] [SPEAKER_01]: So that's one big thing that you can do.
[00:25:08] [SPEAKER_01]: There's a lot more, but that's a big one.
[00:25:10] [SPEAKER_01]: Of course, having your BCP/DR plans at the ready, at least starting to show on and on.
[00:25:18] [SPEAKER_01]: But I love the tabletop exercise discussion.
[00:25:22] [SPEAKER_00]: Absolutely invaluable advice.
[00:25:24] [SPEAKER_00]: I can almost hear light bulb moments going off around the world, and it makes so much
[00:25:28] [SPEAKER_00]: sense to have those tabletop exercises bringing in the constant.
[00:25:32] [SPEAKER_00]: I think then being aware of what might happen, how to create that press release, etc.
[00:25:36] [SPEAKER_00]: It makes so much sense to have all that in place and to try and provide even more valuable
[00:25:43] [SPEAKER_00]: takeaways or actionable tips for anybody listening.
[00:25:47] [SPEAKER_00]: Are there any other practical resources or strategies that you'd recommend to businesses
[00:25:51] [SPEAKER_00]: aiming just to improve their overall cyber resilience?
[00:25:54] [SPEAKER_00]: Because I feel you're on a roll there with that last answer.
[00:25:58] [SPEAKER_01]: Yes.
[00:25:59] [SPEAKER_01]: So resources are at the ready.
[00:26:02] [SPEAKER_01]: The internet's an amazing thing.
[00:26:06] [SPEAKER_01]: Especially given the fact that there are so many agencies out there that are publishing
[00:26:12] [SPEAKER_01]: information that is available to you, whether you live in the United States, in the UK,
[00:26:16] [SPEAKER_01]: or whatever, you've got a government agency that is incented to supply information that
[00:26:23] [SPEAKER_01]: you can use to help build your cybersecurity practice.
[00:26:26] [SPEAKER_01]: In the US, there's CISA.
[00:26:29] [SPEAKER_01]: NIST is amazing.
[00:26:30] [SPEAKER_01]: NIST just announced their new cybersecurity framework 2.0, which has elevated the last
[00:26:37] [SPEAKER_01]: version 1.2.
[00:26:39] [SPEAKER_01]: I invite everybody out there to just go to that website and go through the repository
[00:26:46] [SPEAKER_01]: of documents that can be used to help underpin your cybersecurity program.
[00:26:52] [SPEAKER_01]: Incredible stuff out there.
[00:26:54] [SPEAKER_01]: You can lean into resources and recommendations from third parties that you got as part of
[00:26:59] [SPEAKER_01]: your own framework.
[00:27:00] [SPEAKER_01]: If you've got a managed XDR, for example, or other people that are knowledge leaders that
[00:27:06] [SPEAKER_01]: you can tap into.
[00:27:09] [SPEAKER_01]: Also, if you happen to have subscriptions from Gartner, Forrester, InfoTech Research
[00:27:15] [SPEAKER_01]: Group, any number of those other agencies out there that have frameworks and toolkits
[00:27:20] [SPEAKER_01]: you can use to help.
[00:27:22] [SPEAKER_01]: Those are great resources.
[00:27:24] [SPEAKER_01]: And then taking that to the strategy level, start somewhere.
[00:27:29] [SPEAKER_01]: If you can afford to have an outside expert perform a risk assessment or cyber audit or
[00:27:34] [SPEAKER_01]: some sort of pen test, that can help you figure out where you've got gaps.
[00:27:40] [SPEAKER_01]: It can help you put your roadmap together of priorities.
[00:27:45] [SPEAKER_01]: That'll give you a place to start.
[00:27:47] [SPEAKER_01]: If you do not have access or can't afford any of those, then lean in happily to the
[00:27:53] [SPEAKER_01]: resources that I just mentioned about NIST, CISA, so on and so forth.
[00:27:58] [SPEAKER_01]: They've got excellent frameworks and you can definitely get started there.
[00:28:03] [SPEAKER_01]: I mentioned the word roadmap, develop one.
[00:28:07] [SPEAKER_01]: It can be your glossy brochure when you go to talk to your executives.
[00:28:11] [SPEAKER_01]: So it's clear where your head is and you can show at any given moment where you are
[00:28:16] [SPEAKER_01]: on your journey.
[00:28:18] [SPEAKER_01]: It can also highlight where you might need investments.
[00:28:21] [SPEAKER_01]: So that's my recommendation, Lala.
[00:28:25] [SPEAKER_00]: Okay.
[00:28:26] [SPEAKER_00]: Absolutely.
[00:28:26] [SPEAKER_00]: Priceless.
[00:28:27] [SPEAKER_00]: We started the podcast today talking about your vast experience, which has taken you
[00:28:32] [SPEAKER_00]: across so many diverse sectors from fashion to sports to public broadcasting.
[00:28:37] [SPEAKER_00]: And as we come full circle, I'm going to ask you to look back at your career now.
[00:28:42] [SPEAKER_00]: And how did all of these collective experiences inform your current approach to IT and
[00:28:49] [SPEAKER_00]: cybersecurity at Barracuda?
[00:28:50] [SPEAKER_00]: I would imagine there's been quite a few moments of reflection, but anything you can
[00:28:55] [SPEAKER_00]: share around that?
[00:28:56] [SPEAKER_01]: Yes.
[00:28:57] [SPEAKER_01]: So the first job that I had in a really big company... well, I started my technology career
[00:29:06] [SPEAKER_01]: in a much smaller software company.
[00:29:07] [SPEAKER_01]: But the first time I worked for a very large company, it was for Time Inc. when it existed,
[00:29:13] [SPEAKER_01]: which was the magazine division of Time Warner at that time.
[00:29:17] [SPEAKER_01]: And the role that I was hired to do was to roll out SecurIDs on our dial-up VPN
[00:29:25] [SPEAKER_01]: infrastructure.
[00:29:26] [SPEAKER_01]: So that was a long time ago.
[00:29:30] [SPEAKER_01]: Things have changed a lot since then.
[00:29:32] [SPEAKER_01]: But when you're talking about times that I can have reflective moments along the way
[00:29:39] [SPEAKER_01]: of seeing what has happened and where things diverge or are different, what I can say is
[00:29:48] [SPEAKER_01]: having worked across all of these different sectors and having been around long enough
[00:29:54] [SPEAKER_01]: to have seen just the very seedlings of cybersecurity and then have it grow into such a massive
[00:30:01] [SPEAKER_01]: state that it is today, what I can tell you is regardless of the company that you're in,
[00:30:06] [SPEAKER_01]: the shape, the size, the components, what your industry is, that cybersecurity is foundational.
[00:30:13] [SPEAKER_01]: It's foundational for every organization, regardless of size and industry.
[00:30:18] [SPEAKER_01]: And cybersecurity in general is foundational for human beings.
[00:30:22] [SPEAKER_01]: So understanding how you should be operating to protect yourself as best as possible shouldn't
[00:30:29] [SPEAKER_01]: change from when you are at home to when you go to work.
[00:30:33] [SPEAKER_01]: All of that should be at the same level.
[00:30:36] [SPEAKER_01]: You should be as vigilant, regardless of whether or not you're sitting at home and opening
[00:30:41] [SPEAKER_01]: your Gmail account and responding to some sort of email you think you got from your bank,
[00:30:47] [SPEAKER_01]: or when you're at work and you are trying to navigate through different policies and
[00:30:53] [SPEAKER_01]: procedures that are there.
[00:30:55] [SPEAKER_01]: It's just important that cybersecurity exists everywhere and that you have the respect,
[00:31:02] [SPEAKER_01]: regardless of whether or not you're in a tiny company or a large company,
[00:31:06] [SPEAKER_01]: it is super duper important.
[00:31:09] [SPEAKER_00]: Okay, fantastic advice.
[00:31:11] [SPEAKER_00]: And we have been very serious today.
[00:31:13] [SPEAKER_00]: So before I let you go, it's time to have a little bit of fun with you.
[00:31:16] [SPEAKER_00]: And I always ask my guests to leave everyone listening with either a book that they'd
[00:31:21] [SPEAKER_00]: recommend or mean something to them or inspire them that we can add to an Amazon wishlist
[00:31:25] [SPEAKER_00]: or a song that we can add to our Tech Talks Daily Spotify playlist.
[00:31:30] [SPEAKER_00]: Guilty pleasures are allowed.
[00:31:32] [SPEAKER_00]: You can choose either, but what would you like to leave everyone listening and why?
[00:31:37] [SPEAKER_01]: So recently, I try to read some books that are not technology-related.
[00:31:42] [SPEAKER_01]: And one that I just read is called The Advantage.
[00:31:48] [SPEAKER_01]: And it is by an author, Patrick Lencioni.
[00:31:52] [SPEAKER_01]: It is a fascinating book.
[00:31:55] [SPEAKER_01]: It's about organizational health and how that is...
[00:31:59] [SPEAKER_01]: According to this author, and I really believe what is in here,
[00:32:03] [SPEAKER_01]: how that is the most important thing to run a business.
[00:32:07] [SPEAKER_01]: And so it offers practical advice of the way companies can attain organizational health.
[00:32:15] [SPEAKER_01]: And it's not just about strategy or marketing or technology at all.
[00:32:20] [SPEAKER_01]: He talks about how organizational health is so important, and that we have to overcome biases
[00:32:28] [SPEAKER_01]: for sophistication and quantification.
[00:32:31] [SPEAKER_01]: So they can't...
[00:32:31] [SPEAKER_01]: It seems that they need to measure everything in order to see the benefits of
[00:32:36] [SPEAKER_01]: just looking at this organizational health.
[00:32:39] [SPEAKER_01]: But I'll just leave you with the four disciplines that are part of this book,
[00:32:43] [SPEAKER_01]: and hopefully it will entice you to read it.
[00:32:45] [SPEAKER_01]: It's not that long, and I thought it was very fascinating, and I love it.
[00:32:48] [SPEAKER_01]: But number one is to build a cohesive leadership team.
[00:32:52] [SPEAKER_01]: Number two, to create clarity.
[00:32:54] [SPEAKER_01]: Three, to over-communicate clarity.
[00:32:57] [SPEAKER_01]: And number four is to reinforce clarity.
[00:32:58] [SPEAKER_01]: So the themes we talked about today in terms of communication, I feel like are echoed
[00:33:03] [SPEAKER_01]: in what I just said in terms of these four disciplines for the advantage.
[00:33:08] [SPEAKER_01]: Anyway, I loved it.
[00:33:09] [SPEAKER_01]: So recommendation is that.
[00:33:11] [SPEAKER_00]: Awesome.
[00:33:11] [SPEAKER_00]: I would get that added straight to our Amazon wishlist.
[00:33:14] [SPEAKER_00]: And we've covered so much in a short amount of time today.
[00:33:17] [SPEAKER_00]: So where is the best place for listeners to find you or your team online,
[00:33:22] [SPEAKER_00]: or just dig a little bit deeper on anything we talked about today?
[00:33:27] [SPEAKER_01]: I'll tell you the two places to go.
[00:33:29] [SPEAKER_01]: Number one, follow me or connect with me on LinkedIn.
[00:33:32] [SPEAKER_01]: That's where you'll see any of the thought pieces that I publish or any of the podcasts
[00:33:38] [SPEAKER_01]: like this one that I get invited to.
[00:33:41] [SPEAKER_01]: And thank you again, Neil, for this.
[00:33:43] [SPEAKER_01]: But even more so, go to the Barracuda site and subscribe to the Barracuda blog.
[00:33:51] [SPEAKER_01]: There are countless topical blog posts that we release all the time.
[00:33:56] [SPEAKER_01]: And I think you'll find them fascinating.
[00:33:59] [SPEAKER_01]: So either of those two places.
[00:34:01] [SPEAKER_00]: I'll add links to both of those so people can find you nice and easily and keep up to speed
[00:34:06] [SPEAKER_00]: with everything at Barracuda.
[00:34:09] [SPEAKER_00]: And I can't thank you enough for coming on here and discussing the best ways for businesses
[00:34:13] [SPEAKER_00]: to prepare for, withstand, respond to, and ultimately recover from cyber incidents.
[00:34:19] [SPEAKER_00]: And also talking about the top governance challenges facing organizations in managing
[00:34:25] [SPEAKER_00]: risk, but most importantly, leaving some priceless advice and actionable tips and key takeaways
[00:34:31] [SPEAKER_00]: for people to go away and try some of these things to improve their cyber resilience.
[00:34:36] [SPEAKER_00]: Just a big thank you from me for sharing your story and some incredible tips.
[00:34:41] [SPEAKER_00]: Thanks again.
[00:34:42] [SPEAKER_01]: Thank you so much, Neil.
[00:34:44] [SPEAKER_01]: It was a pleasure.
[00:34:45] [SPEAKER_00]: So what steps will you and your organization take to fortify your defense against cyber
[00:34:51] [SPEAKER_00]: threats?
[00:34:52] [SPEAKER_00]: Because as we wrap up my conversation with a fantastic guest today, one key takeaway
[00:34:57] [SPEAKER_00]: still resonates.
[00:34:59] [SPEAKER_00]: Cybersecurity is not just an IT concern.
[00:35:03] [SPEAKER_00]: It is a business imperative that requires executive commitment and a proactive rather
[00:35:09] [SPEAKER_00]: than reactive approach to cybersecurity.
[00:35:11] [SPEAKER_00]: Yep, you are expected to look around corners now.
[00:35:16] [SPEAKER_00]: And I think my guest provided us with so many incredibly valuable insights into the evolving
[00:35:22] [SPEAKER_00]: role of the CIO in cybersecurity, but also the challenges of implementing those consistent
[00:35:27] [SPEAKER_00]: security policies.
[00:35:29] [SPEAKER_00]: But I think it was her actionable tips, the resources that she shared today are just essential
[00:35:35] [SPEAKER_00]: tools for any organization looking to enhance its cyber resilience.
[00:35:40] [SPEAKER_00]: So I think this is one of the great things about a podcast that yes, you can listen passively
[00:35:45] [SPEAKER_00]: and hear the stories of guests.
[00:35:48] [SPEAKER_00]: But my guest today left very valuable takeaways that you can use in your organization.
[00:35:55] [SPEAKER_00]: So if you have not had a tabletop exercise about your customer database getting hacked,
[00:36:03] [SPEAKER_00]: how your organization would respond if you've not worked with your marketing and comms team
[00:36:07] [SPEAKER_00]: on how you would communicate that message to the great wide world, if you've got to
[00:36:13] [SPEAKER_00]: put a press release together, all those things could be in hand right now.
[00:36:18] [SPEAKER_00]: So over to you, what will you do to ensure your organization is prepared to meet some
[00:36:24] [SPEAKER_00]: of those challenges ahead?
[00:36:25] [SPEAKER_00]: I want you to reflect on the strategies discussed today and consider how they could be integrated
[00:36:30] [SPEAKER_00]: into your cyber risk management framework.
[00:36:33] [SPEAKER_00]: And I also invite you to share your tips.
[00:36:35] [SPEAKER_00]: Maybe you're doing a lot more and want to highlight something that we've not covered
[00:36:39] [SPEAKER_00]: today and think we may have missed.
[00:36:41] [SPEAKER_00]: There's a couple of ways you can do this.
[00:36:43] [SPEAKER_00]: You can sit down with me and we can talk about it for 30 minutes.
[00:36:46] [SPEAKER_00]: And you can do that by emailing me at techblogwriter@outlook.com.
[00:36:49] [SPEAKER_00]: We'll get that conversation started.
[00:36:51] [SPEAKER_00]: But equally, if you just got a couple of quick questions or quick takeaways, slide into the
[00:36:56] [SPEAKER_00]: DMs on Twitter, LinkedIn, Instagram, just at Neil C Hughes.
[00:37:00] [SPEAKER_00]: Let me know your thoughts.
[00:37:01] [SPEAKER_00]: I'd love to share it with everyone.
[00:37:03] [SPEAKER_00]: But that's it for today.
[00:37:04] [SPEAKER_00]: So much food for thought on my side and a lot I'm going to be taking away.
[00:37:07] [SPEAKER_00]: But more than anything, thank you for joining me and my guest today.
[00:37:11] [SPEAKER_00]: And until next time, stay vigilant, stay secure.
[00:37:15] [SPEAKER_00]: And hopefully if you enjoyed yourself, join me again bright and early tomorrow with another
[00:37:20] [SPEAKER_00]: guest.
[00:37:20] [SPEAKER_00]: Hopefully speak with you then.