[00:00:00] Anna Delaney: Hi, welcome to this special payments edition of the ISMG's Editor's Panel. I'm Anna Delaney. And this week, we'll be talking about trends and innovation in the payments space, cloud security, SBOMs and much more. And at this point, I'd like to welcome our special guest Troy Leach, who is the former CTO of the PCI Security Standards Council and now chief strategy officer at Cloud Security Alliance. And, of course, Tom Field, our senior vice president of editorial. Welcome, Troy, really good to have you with us.

[00:00:29] Troy Leach: Thank you very much. Happy holidays.

[00:00:32] Anna Delaney: Happy holidays, indeed. Where are you today, in the forum?

[00:00:35] Troy Leach: Well, I am not in Rome. Although I just spent a couple of weeks there, Cloud Security Alliance, and working with some of our stakeholders in Rome and Milan and beyond. I am back in sunny Phoenix, Arizona, so I see all the snow in your backgrounds. And I'm not familiar. I did do my graduate work in Syracuse. So, I did get some snow in my life. But being in Phoenix for the last 20 years, I'm not quite as familiar with that white stuff anymore.

[00:01:07] Anna Delaney: And you weren't tempted to dress up like Tom?

[00:01:11] Troy Leach: We talked about this, right? And I wanted an ugly sweater competition. But because Matt didn't join us, you know, it was an uneven number of judges and panelists, so I figured we'd just go normal this time.

[00:01:26] Anna Delaney: This is all your fault. I even dressed up a little bit. Tom, do explain.

[00:01:32] Tom Field: Well, two things. One, I'm actually just outside of Rome. Rome is the neighboring town here. That's my home out in the countryside in Mount Vernon. I am wearing the ugliest sweater I have, I don't know if it quite qualifies as what I would wear to a holiday party, and you perhaps have noticed I'm wearing a hat and some goggles. And these are based on the most annoying child character in the 1983 classic Christmas movie, A Christmas Story. I know Troy has seen it. Anna, you haven't, it's got to be on your list this year.

[00:02:03] Anna Delaney: It's on my list for sure. And well, it snowed in London this week. And it's rare to see a few inches of snow in London, particularly before Christmas, so I thought I'd share the view from my room. But Troy, we have a few questions for you today. And I'm going to pass over to Tom to lead the way to start us off.

[00:02:25] Tom Field: Perhaps I should have done. Okay, Troy, if you can take me seriously here, what do you see as the most innovative trends in payments as we go into the new year? And what are the biggest concerns and risks with that innovation? And the word crypto comes up very quickly here.

[00:02:48] Troy Leach: Well, I do have crypto in mind. But I actually might surprise you in the type of cryptography that I'm talking about. You know, sometimes the most innovative things that we have are sometimes the least sexy, unlike the goggles and hat. These are things that to me, in security, what I'm very interested in is to see how the use of things related to confidentiality of data. Because if we can eliminate the risk of exposing data that can be used for harm, then all of a sudden, we can do all these wonderful things. And so I'm very interested in the advancement of confidentiality computing; it's something that is starting to get a groundswell, more popularity, in the last couple of years. We talk all the time about third-party risk exposure; we saw the recent Uber data breach that happened due to a vendor. And there's countless other stories of similar attacks, where third-party vendors are at fault. So what if all these service providers had no access to decrypt the data even if they wanted to? And that's the core concept behind confidentiality computing. And all the cloud service providers already have their own enclaves. And dozens of organizations are developing solutions on top of those platforms as well. So it's not as attractive, but I will say that's one trend. Of course, HSM as a service in the payment space is something that we're talking about which is related: we're taking the keys that create the trust, and how do you trust the trust keepers? Looking at doing that in a cloud virtual environment, we see payments as a service, what Stripe has done and many others that have followed, all these new ways that we're leveraging software to create commerce in different ways. And I will say the last one of innovative trends is crypto and just the commingling next year; you see Visa, MasterCard, all these major payment brands and major banks either acquiring or partnering with these crypto companies. And I'm interested to see how they're going to continue to have this hybrid of going back and forth between crypto and some fiat-based currency. So I think those are some of the trends.

As for risk, I think it's simply to be able to verify all these organizations and make sure that there's no tamper. So, in the physical world, we have ways that we can know, "Hey, did someone break into our house?" We have these physical tampers. So I think finding ways that all of those things I mentioned, how do we have tamper responsiveness for a virtual HSM, limited transparency today for some of the software development practices? How do we look at crypto exchanges? Of course, we have FTX and whatnot that are in the headlines today and some of the integrity issues there. So, for me, it's simply creating these immutable controls to protect against any type of foul play, and I'm confident we're going to get there, because for one, it's the holiday season, we just have to be positive anyways. But I think if we get these behind-the-scenes things right, like confidentiality computing, then these opportunities for consumers to have all different types of diversity in how they use payments is limitless. There you go.

[00:06:20] Anna Delaney: Well, Troy, we want to stay with FTX. We can't avoid it this week. So Sam Bankman-Fried, founder of this failed cryptocurrency exchange, has been charged with what they say is one of the biggest financial frauds in U.S. history this week. So drawing upon your extensive experience of creating standards in the payments industry, how might these events or this case influence the crypto regulatory discussion?

[00:06:44] Troy Leach: Well, I think it quickly heightens the concerns by regulators that have a top-tier crypto exchange that could use client money simply by making a change to the software. That's what really scares me about the allegations, is that something that was only known by a handful of people could influence and take consumers' money and, you know, could continue to keep borrowing funds; that's another thing. It's something that should never have been allowed anyway by any type of a crypto exchange; they're more like a payment processor in a traditional payment. So, and the fact that they were borrowing irrespective of the value of the collateral securing those loans. So in banking, there are very clear rules: anti-money laundering and banking standards. So I'm very curious to see how the existing laws are going to change. You know, I'm not a lawyer. But I did play juror number eight in a school production of 12 Angry Men. So I do have an interest in the law. And I do think, in conjunction with that, we have billions and tens of billions of dollars that have been lost to either crypto exchanges that have not done proper security. And, you know, we've seen Coinsquare, Coincheck, Gemini, Crypto.com. All these crypto exchanges that had reported data breaches, not all were crypto, some of it was just PII, but still data breaches, simply because they didn't have good security practices in place, they didn't have a validation system and security, public transparent security systems in place. And so, in addition to that, then you see also consumers have been defrauded by phishing attacks, and that's actually three to four times worse of a problem in the industry, is all the victims that have lost their funds simply because they thought they were working directly with their crypto exchange and instead, it was a criminal that was stealing their information, taking the key and emptying their wallets. So I think all of those are going to lead to two things for the future and the government, and there's going to be a lot of debate all over the world in different governments, and one is, you know, what role, if any, does the government have to protect citizens against voluntary forms of decentralized finance? And the second part then is how do they validate and consistently monitor and enforce if it's not a fiat-backed currency? And it was difficult enough for us to get PCI standards off the ground when we already had programs in place and operating contracts that had enforcement. I think this is so hard for people to get their heads around because it's decentralized and, you know, servers are all over the world, and the ledger slight of issues are really going to keep regulators very busy next year. That's my take.

[00:10:08] Tom Field: Troy, I'll ask you about one of your other predictions - this time about cloud migration. You predicted that we're going to see a three times migration in 2023-2024 of major traditional banks putting their infrastructure into the cloud. Now, why is pretty understandable, but what risks should we be monitoring?

[00:10:27] Troy Leach: Well, that's really interesting because ... and that came from a McKinsey report that said between now and 2027, we'd see 3-4x growth in cloud. And for me, I think it's really driven by the pandemic. I think, in the banking world, they were very much laggards for a while. And I will say in Cloud Security Alliance, we just did our own survey of financial institutions. And the results of that survey will be out next quarter. But it really bolsters and it aligns with McKinsey and other groups that have done similar reports that while it's taken a really long time, banks have jumped in with both feet with moving this lift and shift to the cloud. And the concern is they're doing it now very quickly; do they have the right people? I think the banks have been investing and exploring for a long time, but it's gone from, "Hey, this is an interesting thing. Maybe we should look at it" to actually "No, this is our future. This is where we're going to go." And it makes so much sense. You know, we have people that are, you know, you look at the cloud and the value of the cloud, it's really about the scalability, the provisional utilization, the efficiencies of maximizing computational power, the storage span versus the data. So, all these types of metrics, they were made for financial folks, like the banks, and so it just took putting the right people in place and the level of understanding it and verifying that. As for the risks, I think the biggest part is, again, the monitoring. And so there are so many regulations, each bank probably having 40, 50, 60 types of audit every year, maybe more. So it's how do you create the well-documented, transparent process of, if I'm going to be using third-party service providers, or even I have my own private cloud, how do I know everything is where it's intended to be? And so it always goes down to people, process and technology. And I think it's in that order. We have a critical need to get people up to speed on just general cloud security practices, but also in specific, so each cloud, for those that are not technical, they don't realize that it's very different architecture and some of the security capabilities vary from GCP to Azure to IBM to Oracle to AWS. So I think having the training and understanding on an individualized level of what platforms they're using, and I will say, the regulators are now coming to banks saying, "We think that if you were to use just one or two cloud service providers, that's not enough contingency, we want to see a more diverse spread," and you saw this with the Pentagon, they made an announcement that I think it was at least four different cloud service providers would be part of this mesh of the cloud infrastructure that they want to put in place. And so that's going to be an interesting trend for next year and the upcoming years, is how well do people understand and then can work in multiple environments that are unique, that are different from each other.

[00:14:19] Anna Delaney: Let's move on to faster identification and classification of bugs. Now we know that banks need to handle vulnerabilities more quickly and, arguably, CVEs are currently taking too long to come to market. So I'm curious to know what the Cloud Alliance is actually doing with NIST, MITRE and other industry bodies to help get vulnerabilities classified quicker for critical infrastructure.

[00:14:42] Troy Leach: So for a guy that sometimes has been told I talk too slow, things are moving very fast. And you're right on, and it's just this: CVEs take far too long to come. They have, they struggle, they don't have an ability to have this community GitHub-style type of contribution. So we need identifiers that are easily discoverable, fast to assign, updatable, they're transparent to everyone. I think that the number of vulnerabilities is simply growing faster than what we can currently track. So what Cloud Security Alliance has done is, they have actually started a project for a Global Security Database (GSD). And this will be cloud-centric. And, by the way, CSA is a non-profit. So all of this is publicly available too for people to look at and contribute on a personal level or as their organization. And people can go in and look at it. But the goal is to find ways to just have very good cloud analysis of the vulnerabilities quicker. So you mentioned MITRE. CSA and MITRE established CAVEaT, which is Cloud Adversarial Vectors, Exploits and Threats. I'm still learning all the acronyms at CSA, but the collaboration is to bring that relevant content to cloud security analysis so that people can respond really quick. And we also have a research paper out and it's mostly MITRE contributors. The editor in chief is Mari Spina from our CSA Washington DC chapter, but they are working on the same thing of what are the gaps in our vulnerability enumeration, stay with, you know, compared with ATT&CK and D3FEND from MITRE and CAVEaT, and where can we quickly have this quick-to-market cloud adversarial analysis. As for NIST, NIST and CSA did talk on this particular subject, along with a lot of other research projects. The one thing I'm really excited about and keen to work on is NIST is developing version 2.0 of their cybersecurity framework. We've mapped our prior version of our framework, the Cloud Controls Matrix, to it. And some of the feedback that they received during their revision cycles was we really need to be focusing on the cloud and what can we bring in from CCM and other resources to really demonstrate good due diligence as more and more organizations move to the cloud. So we're going to be working with them. We have NIST speaking at some of our upcoming virtual summits next year, as well. And I'm really excited to see where the industry goes to try to, rather than create more security standards, how do we reuse and leverage and come together to have multi-party recognition of the work that's already been done.

[00:17:52] Anna Delaney: Fantastic. Well, you've given us comprehensive answers there. Thank you so much, Troy. Well, finally, we do this just for fun at the end. Last week on the program, I asked colleagues who they would choose as their ghost of cybersecurity past. So it's a play on Dickens' A Christmas Carol. This week, we're in the present. So who would be your ghost of cybersecurity present? Who wouldn't you mind haunting you for a bit? Tom, I think you go first, so we give Troy a break.

[00:18:21] Tom Field: You want me to go first?

[00:18:22] Anna Delaney: Yeah.

[00:18:22] Tom Field: You know, first I was going to say Jen Easterly, because I think she's done a terrific job traveling around the world and giving us a sense of where we are in cybersecurity and where we need to go. She has been a pleasant presence. But then I started thinking, I thought, "You know what? Kindervag." John Kindervag, I call him the godfather of zero trust, the creator of zero trust. I think he's done a pretty forceful job over the course of the year of speaking with lots of organizations in lots of different sectors and lots of different regions of the world, and helping them determine what it is they need to protect and how to do that. And I think if anyone is going to be that voice, Kindervag is going to be the one showing us that if you don't make changes this year, that little database in the corner over there is going to be empty next year.

[00:19:10] Anna Delaney: That's a great answer. And I've chosen somebody who is not a role model in any way, but he's certainly a man of the present. It might be interesting to have Sam Bankman-Fried just visit us right now because I know, between us, we'd have a few questions for him. So he might give us some nuggets of not knowledge, but something to think about. How to shape 2023. Troy, what are your thoughts?

[00:19:37] Troy Leach: So that's a tough one. Right before Tom spoke, those two names came to mind as well. Jen Easterly and John Kindervag, both are really helping to, and in similar veins, of promoting certain aspects of zero trust and the importance of integrity to our authentication. You know, it's hard because cybersecurity is a team sport. So it's really difficult to pick one. But I'd say, and it's probably just because it's top of mind, I have a tremendous amount of respect for the research teams that are identifying future problems that we can resolve today before they become massive problems. And one example of that, and there's many like these, is the Google Project Zero team. And so I just listened to a podcast where Maddie Stone from that team was interviewed about just some of the amazing discoveries they've had over the years and how they've really limited, you know, some of the ways that our technology could have been exploited had we not been proactive. And so what I like about Google Project Zero is it's not just about Google products; they research any type of software that could possibly impact Google users. And so I think it's incredible that they're looking at any and all this stuff, and that would be my guess, because it's, you know, the present, he was a ghost of plenty. So I'll say the entire team over there, the Google Project Zero.

[00:21:17] Tom Field: Excellent choice.

[00:21:19] Anna Delaney: I have to check that podcast out. Thank you for the recommendation. Troy, this has been absolutely brilliant. Thank you very much for joining us. We appreciate everything you said, your insight, and we look forward to you joining us next time hopefully.

[00:21:32] Tom Field: Thanks so much, Troy.

[00:21:34] Troy Leach: Happy holidays.

[00:21:36] Anna Delaney: Yeah, absolutely. And thank you so much for watching. Until next time.