WEBVTT

1
00:00:07.230 --> 00:00:09.660
Anna Delaney: Hello and welcome back to the ISMG Editors' Panel.

2
00:00:09.660 --> 00:00:12.990
I'm Anna Delaney, director of productions at ISMG and here is

3
00:00:12.990 --> 00:00:16.890
our weekly editorial take on the trending cybersecurity news

4
00:00:16.890 --> 00:00:19.920
stories. Have a stellar cast joining me today, Marianne

5
00:00:19.950 --> 00:00:23.190
Kolbasuk McGee, executive editor for HealthcareInfoSecurity;

6
00:00:23.370 --> 00:00:27.150
Tony Morbin, executive news editor for the EU; and Michael

7
00:00:27.180 --> 00:00:30.990
Novinson, managing editor for ISMG business. Good to see you

8
00:00:30.990 --> 00:00:38.880
all. Good morning. So Tony, tell us more. I was saying, I hope

9
00:00:38.880 --> 00:00:40.320
that's not you on the cliff there.

10
00:00:40.860 --> 00:00:45.720
Tony Morbin: No, it's not, but it is a risk image. I don't

11
00:00:45.720 --> 00:00:48.240
think I would quite take those risks. And I'd certainly be

12
00:00:48.240 --> 00:00:51.030
taking a few mitigation strategies like having a rope

13
00:00:51.030 --> 00:00:51.840
around my waist.

14
00:00:51.880 --> 00:00:54.910
Anna Delaney: So Marianne, where are you today? You're outside

15
00:00:54.910 --> 00:00:56.290
enjoying soaking up the sun?

16
00:00:56.870 --> 00:01:00.290
Marianne McGee: Yeah, this was taken at the Boston Common a few

17
00:01:00.320 --> 00:01:03.140
weeks ago, which is where I go. There's Swan boats in the back -

18
00:01:03.140 --> 00:01:06.110
can't really see them. But it was a pleasant day. It was

19
00:01:06.140 --> 00:01:08.870
Mother's Day weekend and, you know, the weather was perfect.

20
00:01:08.900 --> 00:01:11.270
So one of those rare days.

21
00:01:12.110 --> 00:01:14.840
Anna Delaney: Very good. We have the same situation in London.

22
00:01:14.840 --> 00:01:17.480
We're just holding on to the sunshine whenever we can.

23
00:01:17.960 --> 00:01:20.090
Michael, tell us more.

24
00:01:20.900 --> 00:01:24.230
Michael Novinson: Of course, this is a little bit of deja vu,

25
00:01:24.260 --> 00:01:27.740
thinking back to my trip to Block Island last month, about

26
00:01:27.740 --> 00:01:30.650
10 miles off the coast of Rhode Island. This is a lighthouse.

27
00:01:30.650 --> 00:01:33.710
It's a very northern end of the island that's been abandoned for

28
00:01:33.710 --> 00:01:36.290
a little while. But it looks cool from the outside, just

29
00:01:36.650 --> 00:01:40.130
bikes up there. It's a pretty decent walk through the sand in

30
00:01:40.130 --> 00:01:43.490
order to make it to the lighthouse. But it does look

31
00:01:43.490 --> 00:01:46.970
like a relative time from the late 1800s. So just very pretty

32
00:01:46.970 --> 00:01:47.960
views all around.

33
00:01:48.590 --> 00:01:51.380
Anna Delaney: Good. And I'm sharing some urban art from

34
00:01:51.710 --> 00:01:53.180
London's East End Shoreditch. There's plenty of vibrant wolves

35
00:01:53.180 --> 00:01:59.390
in the area. And it's always fun to catch on or catch up with

36
00:01:59.540 --> 00:02:03.410
what's new in the area. Okay, well, starting with Tony this

37
00:02:03.410 --> 00:02:07.040
week, you've got some interesting analysis to share on

38
00:02:07.040 --> 00:02:09.680
a trend which is gaining more momentum in recent years. Just

39
00:02:09.680 --> 00:02:12.530
now, cybersecurity is moving from being traditionally

40
00:02:12.680 --> 00:02:15.680
tech-focused to risk-oriented. Tell us more.

41
00:02:16.350 --> 00:02:19.500
Tony Morbin: Absolutely! Very much risk to play with the month

42
00:02:19.500 --> 00:02:24.930
in the various events around the U.K. certainly. Not so long ago,

43
00:02:24.930 --> 00:02:27.720
cybersecurity didn't exist as a profession. So it's not that

44
00:02:27.720 --> 00:02:30.150
surprising the routes that people have taken to get here.

45
00:02:30.390 --> 00:02:33.840
It was varied as the people from the bedroom gamer or telco

46
00:02:33.840 --> 00:02:37.800
engineer to finance manager or IT consultant. But even today,

47
00:02:37.800 --> 00:02:40.380
most have come from a technical background in some shape or

48
00:02:40.380 --> 00:02:44.940
form. There's one very senior head of cyber in law enforcement

49
00:02:45.390 --> 00:02:48.870
confided in me once that he was made responsible for cyber as

50
00:02:48.870 --> 00:02:51.630
the most technically competent person in the office, though his

51
00:02:51.630 --> 00:02:54.240
technical skills initially amounted to being the only one

52
00:02:54.300 --> 00:02:57.870
who could fix the printer when it got stuck. But today, there's

53
00:02:57.870 --> 00:03:00.930
increasingly a shift among CISOs from a tech-centric to a

54
00:03:00.930 --> 00:03:03.810
risk-centric profession. And the reasons are obvious.

55
00:03:04.140 --> 00:03:07.200
Cybersecurity is now a vital component of our new digital

56
00:03:07.230 --> 00:03:10.860
society. Digital transformation has increased cyber risk,

57
00:03:11.040 --> 00:03:14.520
exacerbated by the pandemic. So our reliance on a connected

58
00:03:14.520 --> 00:03:17.580
world pervades everything and cyber risk has a level of

59
00:03:17.580 --> 00:03:20.460
interconnectivity that no previous risk has had.

60
00:03:21.060 --> 00:03:24.750
Cybercrime is now greater revenue than any nation state on

61
00:03:24.750 --> 00:03:27.000
Earth. And critical infrastructure is a legitimate

62
00:03:27.000 --> 00:03:29.970
target for state actors conducting cyber espionage or

63
00:03:29.970 --> 00:03:34.620
hybrid warfare. Our entire business can cease to exist, or

64
00:03:34.620 --> 00:03:37.080
our mission to deliver health care, critical national

65
00:03:37.080 --> 00:03:40.350
infrastructure or other outputs can be fundamentally undermined

66
00:03:40.350 --> 00:03:44.250
by a successful cyberattack.
Consequently, cyber risk is now

67
00:03:44.250 --> 00:03:47.520
a tier one threat. It's no longer acceptable to see it as

68
00:03:47.520 --> 00:03:50.730
an issue that's too technical for the board to understand, or

69
00:03:50.730 --> 00:03:55.470
one that can simply be delegated to the CISO. The CEO, the CFO

70
00:03:55.500 --> 00:03:58.800
and every other board member and senior manager must now take

71
00:03:58.800 --> 00:04:00.930
responsibility for the cybersecurity of their

72
00:04:00.930 --> 00:04:04.080
operation, instilling a security culture in the organization as a

73
00:04:04.080 --> 00:04:06.990
whole. And the CISO is the expert who will help them make

74
00:04:06.990 --> 00:04:10.740
it happen. We often talk about how to explain cyber risk to the

75
00:04:10.740 --> 00:04:14.640
board. But we actually need a reversal of that process. With

76
00:04:14.640 --> 00:04:18.000
cybersecurity now, arguably, the Number 2 risk faced in many

77
00:04:18.000 --> 00:04:21.690
enterprises, the board and line managers need to be asking, "How

78
00:04:21.690 --> 00:04:25.320
can I reduce the cyber risk in my operation? What controls do I

79
00:04:25.320 --> 00:04:29.190
need? What skills, what staffing, what budget?" and in

80
00:04:29.190 --> 00:04:32.040
the language of business, the question will need to be

81
00:04:32.070 --> 00:04:35.670
fact-based answers. How much will it cost to reduce the risk

82
00:04:35.670 --> 00:04:38.790
by x percent? How are you measuring and quantifying the

83
00:04:38.790 --> 00:04:39.300
risk?

84
00:04:40.320 --> 00:04:42.480
Anna Delaney: Tony, I guess the big question is, how do you

85
00:04:42.480 --> 00:04:44.820
actually measure cybersecurity risk?

86
00:04:44.000 --> 00:04:46.112
Tony Morbin: It is indeed the thousand dollar, the

87
00:04:46.170 --> 00:04:49.653
multimillion dollar question. There are methods to assess any

88
00:04:49.710 --> 00:04:53.079
kind of risk as the insurance industry can testify.
You can

89
00:04:53.136 --> 00:04:55.878
even get alien abduction insurance to cover post

90
00:04:55.935 --> 00:04:58.961
abduction medical bills. Unfortunately, cybersecurity

91
00:04:59.018 --> 00:05:02.388
seems to be less predictable than alien abduction. And it's

92
00:05:02.445 --> 00:05:06.099
such a potentially catastrophic and growing risk. Many insurance

93
00:05:06.157 --> 00:05:09.354
companies miscalculated, lost money and had to leave the

94
00:05:09.412 --> 00:05:12.781
sector or hike up premiums. They'll likely put the blame on

95
00:05:12.838 --> 00:05:15.865
lack of actuarial data. But others suggest that their

96
00:05:15.922 --> 00:05:19.519
understanding of cyber risk was lacking, with more focus on the

97
00:05:19.576 --> 00:05:22.375
impact and less on the likelihood of a successful

98
00:05:22.432 --> 00:05:25.972
attack. Alternatively, you can measure the risk yourself using

99
00:05:26.029 --> 00:05:29.684
models such as that provided by the FAIR Institute, which puts a

100
00:05:29.741 --> 00:05:33.339
monetary value on risk. As one CISO speaker from a luxury goods

101
00:05:33.396 --> 00:05:36.594
company mentioned at FAIR's inaugural London summit this

102
00:05:36.651 --> 00:05:39.963
month, he was able to use this approach to put a financial

103
00:05:40.020 --> 00:05:43.218
impact figure on the loss of sales resulting from a data

104
00:05:43.275 --> 00:05:46.645
breach, explaining how data showed that they would lose 10%

105
00:05:46.702 --> 00:05:49.671
of their highest spending customers and 50% of their

106
00:05:49.728 --> 00:05:53.155
occasional customers if they lost their customers' data, and

107
00:05:53.212 --> 00:05:56.581
this would reduce sales by X percent. How you present those

108
00:05:56.638 --> 00:05:59.779
risks to the board needs to be tailored to the specific

109
00:05:59.836 --> 00:06:03.377
organization and the decision makers involved.
But measurement

110
00:06:03.434 --> 00:06:06.403
and quantification is increasingly an important part

111
00:06:06.460 --> 00:06:09.316
of that discussion. By prioritizing and addressing

112
00:06:09.373 --> 00:06:12.228
identified risks with appropriate controls, we can

113
00:06:12.285 --> 00:06:15.940
reduce risk in a measurable way. And that's how we calculate our

114
00:06:15.997 --> 00:06:18.852
ROI on cybersecurity expenditure. When it comes to

115
00:06:18.909 --> 00:06:21.993
controls, of course, we'll run through all the basics:

116
00:06:22.050 --> 00:06:25.134
patching, segmentation, encryption strategies, such as

117
00:06:25.191 --> 00:06:28.218
zero trust standards and frameworks, ISO 27001, NIST,

118
00:06:28.275 --> 00:06:31.758
MITRE ATT&CK framework, the need to automate, deploy AI where

119
00:06:31.815 --> 00:06:34.842
appropriate, but more fundamentally, it's become even

120
00:06:34.899 --> 00:06:38.211
more essential for CISOs to understand the work processes,

121
00:06:38.268 --> 00:06:41.295
the business outcomes sought, the organization's risk

122
00:06:41.352 --> 00:06:44.778
appetite, and then deploy the latest technological solutions

123
00:06:44.835 --> 00:06:48.090
available in line with an accurate risk assessment of the

124
00:06:48.148 --> 00:06:51.060
threats faced. While self-interest, protecting your

125
00:06:51.117 --> 00:06:54.543
bottom line or your ability to deliver on your mission, is a

126
00:06:54.600 --> 00:06:57.227
great motivator for organizations to implement

127
00:06:57.284 --> 00:07:00.140
appropriate cybersecurity, sometimes regulation is

128
00:07:00.197 --> 00:07:03.737
necessary because there may be things that organizations don't

129
00:07:03.795 --> 00:07:06.764
care about, but which have a wider impact, including

130
00:07:06.821 --> 00:07:10.305
secondary impacts.
These can range from environmental impacts

131
00:07:10.362 --> 00:07:13.617
to negative impacts on the privacy of individuals such as

132
00:07:13.674 --> 00:07:16.586
sharing confidential information. But just as there

133
00:07:16.643 --> 00:07:19.784
are inadvertent secondary impacts due to the failure to

134
00:07:19.841 --> 00:07:23.439
address cybersecurity risks, it now appears that there are also

135
00:07:23.496 --> 00:07:26.979
unintended benefits. The more digital society is, the greater

136
00:07:27.037 --> 00:07:30.292
its cybersecurity attack surface, but digital maturity is

137
00:07:30.349 --> 00:07:33.375
also correlated with more sophisticated cybersecurity

138
00:07:33.432 --> 00:07:35.602
resources, enhanced telecommunications

139
00:07:35.660 --> 00:07:39.314
infrastructure, highly qualified human workforce. These factors,

140
00:07:39.371 --> 00:07:42.969
according to a new report from Moody's have a beneficial impact

141
00:07:43.026 --> 00:07:46.453
on a nation's economic health. The latest report says that a

142
00:07:46.510 --> 00:07:50.164
sovereign nation's cybersecurity strength is strongly correlated

143
00:07:50.222 --> 00:07:53.876
with economic and institutional strength, with more highly rated

144
00:07:53.933 --> 00:07:57.474
sovereign states, demonstrating stronger overall cybersecurity

145
00:07:57.531 --> 00:08:00.558
positions despite higher exposure to cyber risk. As a

146
00:08:00.615 --> 00:08:03.813
result, nations in the Five Eyes intelligence Alliance -

147
00:08:03.870 --> 00:08:07.467
Australia, Canada, New Zealand, the U.K. and the U.S. - as well

148
00:08:07.525 --> 00:08:11.179
as the European Union and others who have enacted more proactive

149
00:08:11.236 --> 00:08:14.834
cybersecurity measures, are now seeing cyberattacks shifting to

150
00:08:14.891 --> 00:08:18.203
other regions with less cyber preparedness and resiliency,

151
00:08:18.260 --> 00:08:21.116
particularly to issuers in emerging markets.
So in

152
00:08:21.173 --> 00:08:24.771
conclusion, cybersecurity is now a risk that everybody needs to

153
00:08:24.828 --> 00:08:28.197
be cognizant of as individuals, business leaders and nation

154
00:08:28.254 --> 00:08:31.223
states. It's a business issue, not a tech issue. The

155
00:08:31.281 --> 00:08:34.764
consequences of failure can be devastating. But taking a risk

156
00:08:34.821 --> 00:08:38.362
approach, we can quantify and prioritize what needs to be done

157
00:08:38.419 --> 00:08:41.617
to mitigate that risk. And it does appear that for those

158
00:08:41.674 --> 00:08:45.272
unable to rise to this challenge of identifying and quantifying

159
00:08:45.329 --> 00:08:48.298
the cyber risks we face and implementing appropriate

160
00:08:48.355 --> 00:08:51.553
controls, we can indeed reduce the risks with beneficial

161
00:08:51.610 --> 00:08:54.980
impacts on our organization, and on our society as a whole.

162
00:08:56.840 --> 00:08:58.820
Anna Delaney: Excellent, Tony. You've given us plenty to think

163
00:08:58.820 --> 00:09:02.540
about and you were at the FAIR Institute's conference recently.

164
00:09:03.230 --> 00:09:06.260
How was it? Any key takeaways for you?

165
00:09:06.750 --> 00:09:09.150
Tony Morbin: Well, it was excellent. And I've kind of

166
00:09:09.540 --> 00:09:14.070
stolen a lot of the material from that for my talk just now,

167
00:09:14.070 --> 00:09:17.970
because it was really talking about this move from a

168
00:09:17.970 --> 00:09:22.020
technological approach to a risk-based approach. The key

169
00:09:22.020 --> 00:09:27.720
part of the whole FAIR approach is to put a financial value.
And

170
00:09:27.720 --> 00:09:30.720
also, I guess one other thing I didn't really cover was

171
00:09:31.110 --> 00:09:34.770
motivations and incentivization, that they should be

172
00:09:34.800 --> 00:09:41.520
incentivizing your cybersecurity as opposed to necessarily purely

173
00:09:41.760 --> 00:09:45.690
incentivizing profits. So if your bonus depended on

174
00:09:46.320 --> 00:09:49.170
implementing certain levels of cybersecurity, you're more

175
00:09:49.170 --> 00:09:54.240
likely to see that being taken seriously. So that was a lesson

176
00:09:54.240 --> 00:09:59.100
one, the main one really was quantifiable measurement of your

177
00:09:59.100 --> 00:10:03.210
risk enables you to prioritize what are the biggest risks and

178
00:10:03.210 --> 00:10:09.570
implement the appropriate controls that are financially

179
00:10:09.570 --> 00:10:12.450
appropriate to the level of risk. So it's a real

180
00:10:12.840 --> 00:10:14.490
quantification that was the key.

181
00:10:16.110 --> 00:10:18.720
Anna Delaney: Thank you so much, Tony. Marianne, tell us about

182
00:10:18.720 --> 00:10:23.010
how a ransomware incident which occurred in 2021 has come back

183
00:10:23.220 --> 00:10:24.780
to bite the health care industry.

184
00:10:25.110 --> 00:10:27.600
Marianne McGee: Sure, actually, this kind of piggybacks also on

185
00:10:27.630 --> 00:10:30.810
what Tony was just talking about with, you know, cybersecurity

186
00:10:30.810 --> 00:10:35.370
risks, the financial impact, the devastating sort of consequences

187
00:10:35.370 --> 00:10:39.030
that some organizations do face. And in fact, you know, we've

188
00:10:39.030 --> 00:10:42.540
seen severe disruptions that ransomware attacks have created

189
00:10:42.540 --> 00:10:46.620
for many hospitals and health care entities.
But the financial

190
00:10:46.620 --> 00:10:50.070
toll and related problems that these incidents have can

191
00:10:50.070 --> 00:10:54.150
actually be fatal for some smaller health care entities

192
00:10:54.150 --> 00:10:57.690
that already have any sort of serious troubles going on in the

193
00:10:57.690 --> 00:11:04.650
background. And that was the case for a 44-bed rural hospital

194
00:11:04.650 --> 00:11:09.780
in Spring Valley, Illinois. St. Margaret's, which has announced

195
00:11:09.780 --> 00:11:14.010
that it and its clinics are permanently closing on Friday

196
00:11:14.370 --> 00:11:18.870
due to - in large part, not completely, but in large part -

197
00:11:18.870 --> 00:11:24.840
a 2021 ransomware incident that worsened the entity's financial

198
00:11:24.840 --> 00:11:30.570
woes and just added pressure on to the already existing staffing

199
00:11:30.570 --> 00:11:33.780
shortages and pandemic-related problems that they were facing.

200
00:11:34.380 --> 00:11:37.890
And in addition to St. Margaret's hospital in Spring

201
00:11:37.890 --> 00:11:43.740
Valley, the facility's sister hospital, a 49-bed hospital in

202
00:11:43.740 --> 00:11:48.930
nearby Peru, Illinois, is also permanently closing on Friday.

203
00:11:49.320 --> 00:11:53.520
Now that Peru, Illinois Hospital, which was formerly

204
00:11:53.520 --> 00:11:57.960
called Illinois Valley Community Hospital, had been temporarily

205
00:11:57.960 --> 00:12:03.660
closed since January, also due to the same financial problems

206
00:12:04.080 --> 00:12:07.620
related to the ransomware attack and other things that are now

207
00:12:07.620 --> 00:12:11.070
being blamed for the closure of St. Margaret's Hospital in

208
00:12:11.070 --> 00:12:15.090
Spring Valley. Now, St.
Margaret's, in a statement

209
00:12:15.090 --> 00:12:18.390
posted on its website, said the cyberattack prevented the

210
00:12:18.390 --> 00:12:23.070
organization from being able to bill and to get paid in a timely

211
00:12:23.070 --> 00:12:27.360
manner for the services that it provided its patients, which all

212
00:12:27.360 --> 00:12:31.950
contributed to this closure. Now this isn't the first time a

213
00:12:31.980 --> 00:12:35.400
health care entity in the U.S. has closed its doors in the

214
00:12:35.400 --> 00:12:39.450
aftermath of a ransomware or other devastating cyberattack.

215
00:12:39.600 --> 00:12:42.390
Over the last few years, there have been a handful of other

216
00:12:42.510 --> 00:12:46.260
small clinics and doctor practices that said they were

217
00:12:46.260 --> 00:12:51.570
closing up shop permanently due to the inability to access their

218
00:12:51.570 --> 00:12:56.040
electronic patient records after a ransomware attack, as well as

219
00:12:56.040 --> 00:13:00.150
the financial impact of the incident. Now in terms of rural

220
00:13:00.150 --> 00:13:04.740
hospitals and the cybersecurity difficulties they face, this

221
00:13:04.740 --> 00:13:07.650
week, the U.S. Senate Committee on Homeland Security &

222
00:13:07.650 --> 00:13:13.260
Governmental Affairs appears set to push along a bipartisan bill

223
00:13:13.440 --> 00:13:18.840
that aims to help these small entities. That bill, the Rural

224
00:13:18.840 --> 00:13:22.440
Hospital Cybersecurity Enhancement Act proposes to

225
00:13:22.440 --> 00:13:26.640
require that the U.S. Department of Homeland Security's CISA

226
00:13:26.670 --> 00:13:31.140
agency develop a comprehensive rural hospital cybersecurity

227
00:13:31.140 --> 00:13:36.000
workforce developmental strategy.
Now the aim is to help

228
00:13:36.000 --> 00:13:39.870
these rural hospitals develop the cyber skills and expertise

229
00:13:39.990 --> 00:13:43.590
needed to better defend against cyberattacks as well as more

230
00:13:43.590 --> 00:13:48.510
effectively respond when these incidents do hit. These rural

231
00:13:48.510 --> 00:13:52.410
hospitals and clinics are often under enormous pressures related

232
00:13:52.410 --> 00:13:55.800
to staffing shortages, as Tony was just mentioning about the

233
00:13:55.800 --> 00:14:00.090
skill shortage. But these rural hospitals not only faced the

234
00:14:00.090 --> 00:14:03.480
shortage for IT and security expertise, but also often for

235
00:14:03.480 --> 00:14:08.400
clinical workers. And if these rural hospitals do have to

236
00:14:08.430 --> 00:14:12.480
either close temporarily as they deal with a cyberattack, or

237
00:14:12.480 --> 00:14:17.250
permanently like St. Margaret's, being unable to recover after

238
00:14:17.250 --> 00:14:21.150
the event, it's a major setback for the community. In many

239
00:14:21.150 --> 00:14:25.140
cases, many of these rural hospitals are the only hospital

240
00:14:25.140 --> 00:14:30.210
or emergency room for many miles, putting patients in those

241
00:14:30.210 --> 00:14:33.030
communities at jeopardy for safety issues if there's an

242
00:14:33.030 --> 00:14:36.840
emergency. So it's kind of scary to see these things happen.

243
00:14:37.920 --> 00:14:39.390
Anna Delaney: And Marianne, can you share a sense of what it's

244
00:14:39.390 --> 00:14:43.620
like for one of these rural hospitals? What they go through

245
00:14:43.620 --> 00:14:47.040
when they experience and recover from a ransomware attack just to

246
00:14:47.040 --> 00:14:49.710
understand that the scale of what they have to go through

247
00:14:50.490 --> 00:14:51.270
organizations.

248
00:14:51.360 --> 00:14:54.090
Marianne McGee: Sure. In St.
Margaret's case, it's reported

249
00:14:54.090 --> 00:14:57.600
that, you know, they had incident response sort of

250
00:14:57.630 --> 00:14:59.970
preparedness, you know, in case something like that happened.

251
00:15:00.330 --> 00:15:04.590
But bottom line, you know, once the system is shut down, it's

252
00:15:04.590 --> 00:15:07.860
the behind the scenes, things that you can't do. We can't send

253
00:15:07.860 --> 00:15:10.500
out your bills, you can't do this, you can't do that. And

254
00:15:10.500 --> 00:15:16.950
this is, you know, this mounting effect on the operations. And in

255
00:15:16.950 --> 00:15:20.130
many cases, these rural hospitals, they have like one

256
00:15:20.130 --> 00:15:23.940
person who does the IT, they do the security, they might be, you

257
00:15:23.940 --> 00:15:26.640
know, troubleshooting the helpdesk, kind of like what Tony

258
00:15:26.640 --> 00:15:30.540
was just talking about. And, yeah, they're just unequipped.

259
00:15:30.540 --> 00:15:34.410
They really don't have the manpower to do what they need to

260
00:15:34.410 --> 00:15:36.180
do. And that's unfortunate.

261
00:15:36.000 --> 00:15:39.750
Anna Delaney: But there is this bipartisan bill, which has been

262
00:15:41.220 --> 00:15:44.670
discussed today, isn't it? I was going to ask you are there any

263
00:15:44.670 --> 00:15:48.510
initiatives going on at a grassroots level to help and

264
00:15:48.510 --> 00:15:50.130
bolster the defense?

265
00:15:50.540 --> 00:15:53.270
Marianne McGee: Yeah, well, the problem with the rural

266
00:15:53.300 --> 00:15:57.050
hospitals, but this is also sort of for health care, in general,

267
00:15:57.050 --> 00:16:00.440
is that, you know, the salaries are not competitive,

268
00:16:00.470 --> 00:16:03.830
necessarily.
And if they get these people that will have a

269
00:16:03.830 --> 00:16:06.560
little IT experience in a hospital, you know, they get

270
00:16:06.560 --> 00:16:10.100
very easily blurred away maybe by another health care facility

271
00:16:10.100 --> 00:16:14.180
in a larger setting or maybe in another industry. Um, so the

272
00:16:14.180 --> 00:16:17.480
bill, you know, that's been looked at are being proposed,

273
00:16:17.480 --> 00:16:20.810
and the Senate kind of looks at the various ways that, you know,

274
00:16:20.810 --> 00:16:23.030
some of these rural hospitals can address some of their

275
00:16:23.330 --> 00:16:25.430
workforce problems when it comes to cyber.

276
00:16:25.000 --> 00:16:29.140
Anna Delaney: Well, thank you very much, Marianne. Michael, I

277
00:16:29.140 --> 00:16:32.740
would have liked to have moved on to sort of more upbeat story,

278
00:16:32.740 --> 00:16:35.860
but I'm afraid it can't be avoided. You've reported on

279
00:16:35.860 --> 00:16:39.520
further recent industry layoffs, which seem to be happening in a

280
00:16:39.520 --> 00:16:43.000
kind of domino-effect style. Talk us through the situation.

281
00:16:43.210 --> 00:16:45.400
Michael Novinson: Absolutely. I'm sorry to bring more rain to

282
00:16:45.400 --> 00:16:49.330
an already rainy day. But it really makes me think of that

283
00:16:49.330 --> 00:16:51.970
movie Groundhog Day, you know, the one with Bill Murray couple

284
00:16:52.420 --> 00:16:55.990
decades ago that came out. And basically being you looked at

285
00:16:55.990 --> 00:16:58.420
the Groundhog, does it see its shadow, that means six more

286
00:16:58.420 --> 00:17:00.550
weeks of winter, if it doesn't see its shadow, then spring

287
00:17:00.550 --> 00:17:03.310
arrives early.
When thinking about the economic downturn, I

288
00:17:03.310 --> 00:17:06.700
think there was a sense that maybe we're at a crossroads

289
00:17:06.700 --> 00:17:09.610
really, people started to feel the effect just over a year ago,

290
00:17:09.640 --> 00:17:12.850
May of 2022 was really the first rumbling. So we started to see

291
00:17:13.270 --> 00:17:18.130
layoffs in June of 2022. Typical recession or downturn last 18 to

292
00:17:18.160 --> 00:17:20.680
24 months. So now that we're a year, and the question was

293
00:17:20.680 --> 00:17:23.890
really heavily hit rock bottom, and are we starting to climb out

294
00:17:23.890 --> 00:17:28.480
of it? Or is this going to be a downturn that lasts longer, and

295
00:17:28.480 --> 00:17:32.410
unfortunately, it does seem like things are continuing to be an

296
00:17:32.410 --> 00:17:35.770
issue in the United States, we continue to have the issues with

297
00:17:35.920 --> 00:17:39.250
stubbornly high inflation, which means continuing interest rate

298
00:17:39.250 --> 00:17:42.670
hikes, some issues with the supply chain are still

299
00:17:42.670 --> 00:17:46.630
lingering. And none of these are really great signs. Also the big

300
00:17:46.630 --> 00:17:50.050
failures in the spring that I know we've spoken about here as

301
00:17:50.050 --> 00:17:54.310
well. So all this has just put a dampening effect on the

302
00:17:54.310 --> 00:17:57.880
environment for cybersecurity companies. So we have seen

303
00:17:58.150 --> 00:17:59.920
companies and these were companies that were really

304
00:17:59.920 --> 00:18:03.970
trying to avoid layoffs either company culture wise or a

305
00:18:03.970 --> 00:18:09.160
sentiment that they're in a good space to play in. So we've seen

306
00:18:09.190 --> 00:18:11.680
four sets of layoffs since the start of the month, they're all

307
00:18:11.680 --> 00:18:15.250
a little different. So I'll talk through each of them.
So first,

308
00:18:15.250 --> 00:18:18.130
we heard SentinelOne, which is a publicly traded company,

309
00:18:18.130 --> 00:18:21.220
probably the highest-growing publicly traded company in all

310
00:18:21.220 --> 00:18:25.810
of cybersecurity, growing at 70% a year. But they're set to lower

311
00:18:26.260 --> 00:18:30.250
their forecast going forward, which is not something you see a

312
00:18:30.250 --> 00:18:33.490
lot in the security space. It makes analysts very unhappy,

313
00:18:33.490 --> 00:18:36.190
their stock price got hammered. Essentially what had happened

314
00:18:36.190 --> 00:18:39.250
for them is there's some consumption-based products. This

315
00:18:39.250 --> 00:18:42.070
was based off their Scalyr acquisition, getting into that

316
00:18:42.070 --> 00:18:45.520
data lake space, data analytics. And essentially, the way those

317
00:18:45.520 --> 00:18:49.660
products work is the more data organizations send into the

318
00:18:49.660 --> 00:18:52.150
lake, the more they have to pay SentinelOne. And for

319
00:18:52.150 --> 00:18:54.760
SentinelOne, it's just been kind of continuously up into the

320
00:18:54.760 --> 00:18:57.610
right, regardless of this contractual minimums, but

321
00:18:57.850 --> 00:19:00.940
organizations are just shipping more and more of their data, all

322
00:19:00.940 --> 00:19:04.600
of their data into there to try to get some value out of it. But

323
00:19:04.810 --> 00:19:08.440
with the economy continuing to be an issue, a lot of companies

324
00:19:08.440 --> 00:19:11.020
recalibrated and Q1 and said, "We really need to send all this

325
00:19:11.020 --> 00:19:13.510
data," and a lot of organizations instead of

326
00:19:13.510 --> 00:19:15.400
continuing to increase the amount of data, they're

327
00:19:15.400 --> 00:19:17.980
extending, went back to the contractual minimum.
And that

328
00:19:17.980 --> 00:19:21.640
really took a bite out of both their Q1 earnings as well as

329
00:19:21.640 --> 00:19:24.550
their projected earnings going forward. So they're looking at a

330
00:19:24.550 --> 00:19:28.000
layoff of about 5% or 100 people. Then we have two

331
00:19:28.000 --> 00:19:31.600
late-stage startups, very well regarded technology that also

332
00:19:31.600 --> 00:19:35.020
had avoided layoffs until now. We're proud of that. But they

333
00:19:35.410 --> 00:19:38.440
did have to succumb in recent weeks. The first is Dragos, a

334
00:19:38.470 --> 00:19:41.800
really well-known company. OT cybersecurity Robert Lee has

335
00:19:41.800 --> 00:19:44.890
testified in front of Congress a bunch. They were very

336
00:19:44.890 --> 00:19:48.460
transparent in terms of what they did, it was 55 workers

337
00:19:48.460 --> 00:19:51.610
or 9% of their workforce, and just the trends you're seeing at

338
00:19:51.610 --> 00:19:56.080
so many other places with longer sales cycles and smaller initial

339
00:19:56.080 --> 00:20:00.250
deployments or purchases. It's something that Robert had sent

340
00:20:00.580 --> 00:20:03.190
in his email to employees that he has put on the blog that

341
00:20:03.370 --> 00:20:06.430
really had been avoided in that OT ICS space because it is so

342
00:20:06.430 --> 00:20:09.880
critical and such a priority that they weren't seeing the

343
00:20:09.880 --> 00:20:12.310
same slide under either, other than even other areas of

344
00:20:12.310 --> 00:20:16.870
cybersecurity, but eventually it did catch up with them. And

345
00:20:17.650 --> 00:20:23.290
given the revenue missed in Q1 and therefore lower projections,

346
00:20:23.290 --> 00:20:27.520
they did have to cut back some.
Similarly, Expel' detection

347
00:20:27.520 --> 00:20:31.540
response just last month named the best MDR vendor in the

348
00:20:31.540 --> 00:20:33.940
entire industry by Forrester beating out companies like

349
00:20:33.940 --> 00:20:36.760
CrowdStrike, SentinelOne, despite being a fraction of the

350
00:20:36.760 --> 00:20:43.210
size, similarly did a layoff of 10% or 60 workers in a similar

351
00:20:43.210 --> 00:20:47.320
scenario where they're seeing a slowdown in customer spending.

352
00:20:48.040 --> 00:20:51.370
Then, the fourth and final one I mentioned to you is Sumo Logic.

353
00:20:51.400 --> 00:20:53.050
They're an interesting one, because they're kind of on the

354
00:20:53.050 --> 00:20:56.440
other end of that they just got taken private by Francisco

355
00:20:56.440 --> 00:21:00.460
Partners that closed last month. And Francisco Partners has a

356
00:21:00.460 --> 00:21:03.610
playbook. They most notably did this with Forcepoint when they

357
00:21:03.610 --> 00:21:07.840
bought Forcepoint in 2021, they boot the existing CEO, they have

358
00:21:07.840 --> 00:21:11.890
somebody on their own roster, a managing partner, director in

359
00:21:11.890 --> 00:21:14.920
their firm who they install is the CEO. And then they do some

360
00:21:14.920 --> 00:21:17.800
pretty heavy cuts like well beyond what a Thoma Bravo would

361
00:21:17.800 --> 00:21:20.920
do. They really cut out anything they think is ancillary,

362
00:21:20.920 --> 00:21:23.710
outdated, and they've been pretty secretive about it.

363
00:21:23.710 --> 00:21:25.960
There's been a lot of noise on LinkedIn of people saying that

364
00:21:25.960 --> 00:21:29.590
they've lost jobs, and they're looking for work. There's been

365
00:21:29.590 --> 00:21:32.350
some reporting on it in recent days.
The information recorded 366 00:21:32.350 --> 00:21:35.650 on the email that their new CEO sent to employees, but that 367 00:21:35.650 --> 00:21:38.350 didn't actually say any numbers in terms of how many people were 368 00:21:38.350 --> 00:21:42.820 affected. The San Francisco Chronicle on Tuesday reported 369 00:21:42.820 --> 00:21:46.540 about one notification that Sumo Logic had sent to the State of 370 00:21:46.540 --> 00:21:50.110 California saying that 79 workers were impacted in 371 00:21:50.110 --> 00:21:53.950 California. So that's about 8% of their workforce. But Sumo 372 00:21:53.950 --> 00:21:57.280 Logic employs people in well over a dozen countries, as well 373 00:21:57.280 --> 00:21:59.620 as lots of states in the U.S., the corporate headquarters are 374 00:21:59.620 --> 00:22:03.010 in California. So what we know is 79 people affected in 375 00:22:03.010 --> 00:22:04.990 California, we don't know how many people are affected 376 00:22:04.990 --> 00:22:08.680 elsewhere. But yeah, they really did start off in that data 377 00:22:08.680 --> 00:22:11.650 analytic SIEM space, it seems like Francisco wants to pivot 378 00:22:11.650 --> 00:22:16.270 them. I know, SIEM has become a bit long in the tooth. So I 379 00:22:16.270 --> 00:22:18.130 mean, I think what we can expect, there are some pretty 380 00:22:18.130 --> 00:22:20.890 steep cuts and then kind of a rebuild, maybe some talking 381 00:22:20.890 --> 00:22:23.260 acquisitions, which we've seen with Forcepoint. And the 382 00:22:23.260 --> 00:22:27.070 stabilization, but it seems like pretty severe cuts out of the 383 00:22:27.070 --> 00:22:27.430 gate. 384 00:22:28.510 --> 00:22:31.390 Anna Delaney: Do we know what types of jobs are being lost? Or 385 00:22:31.390 --> 00:22:34.000 does that really vary across companies? 386 00:22:34.600 --> 00:22:36.310 Michael Novinson: It's a good question. 
And companies tend to 387 00:22:36.310 --> 00:22:39.160 be a little secretive on this, they're always going to say that 388 00:22:39.160 --> 00:22:41.620 it's not going to affect service delivery or customer support. I 389 00:22:41.620 --> 00:22:43.780 mean, no company is going to come out and say like, "Oh, 390 00:22:43.810 --> 00:22:47.530 yeah, expect longer response times." And to the extent that 391 00:22:47.530 --> 00:22:51.430 they do delineate, they always will say it's not to our 392 00:22:51.430 --> 00:22:54.970 technology, it's not our R&D we remain, it just aren't going to 393 00:22:54.970 --> 00:22:57.850 market people. So if they say anything, they'll always say 394 00:22:57.850 --> 00:23:00.820 it's focused on go to market, because whatever customers and 395 00:23:00.820 --> 00:23:03.040 prospects don't want to hear, "Oh, yeah, we're cutting back on 396 00:23:03.040 --> 00:23:06.070 our R&D, we're not going to spend as much looking at 397 00:23:06.070 --> 00:23:08.770 emerging threats." Yeah, no, nobody's going to say that. So 398 00:23:08.770 --> 00:23:11.590 either they say it's a go to market, and they don't say 399 00:23:11.590 --> 00:23:17.050 anything. But it's hard to say, I mean, in general, high-growth 400 00:23:17.050 --> 00:23:20.950 companies continue to hire. CrowdStrike, Palo Alto Networks, 401 00:23:21.520 --> 00:23:25.480 companies like that haven't had to slow down at all. And if 402 00:23:25.480 --> 00:23:27.610 companies are having to move in the other direction, it means 403 00:23:27.610 --> 00:23:29.920 that they've had some type of a speed bump, but it definitely 404 00:23:29.920 --> 00:23:32.980 doesn't have to be fatal. These companies can recover. And 405 00:23:32.980 --> 00:23:35.410 again, almost all of them have technology that's really well 406 00:23:35.410 --> 00:23:38.890 regarded by analysts, but it doesn't mean that they have to 407 00:23:39.070 --> 00:23:42.010 recalculate and shift their growth plans. 
408 00:23:43.080 --> 00:23:44.550 Anna Delaney: Okay. Well, Michael, thank you so much. 409 00:23:44.550 --> 00:23:47.940 Hopefully, the industry will pick up very soon, as you say. 410 00:23:48.390 --> 00:23:51.300 So finally, just for fun, in order to lighten the mood 411 00:23:51.300 --> 00:23:54.600 somewhat, I'd love for you to share something or good news 412 00:23:54.600 --> 00:23:57.840 story, for instance, in the industry that you've picked up 413 00:23:57.870 --> 00:24:00.690 on recently. Fill me with hope. 414 00:23:59.910 --> 00:24:02.294 Michael Novinson: I'll start, which is that as challenging as 416 00:24:02.349 --> 00:24:05.953 things are in cybersecurity, the big benefit economically is that 418 00:24:06.008 --> 00:24:09.501 there's not the commodification that's going on in the consumer 419 00:24:09.557 --> 00:24:13.161 sector, if you look at companies like Uber or Lyft, or the rental 420 00:24:13.216 --> 00:24:16.598 car companies, where it's just a Race to Zero and everybody's 422 00:24:16.654 --> 00:24:19.648 price conscious, and they're just choosing whatever is 423 00:24:19.703 --> 00:24:23.030 cheapest. The big benefit in cybersecurity is people selling 424 00:24:23.085 --> 00:24:26.356 quality product, companies like CrowdStrike and Zscaler are 426 00:24:26.412 --> 00:24:29.683 proud that their product costs more than competitors. 427 00:24:29.738 --> 00:24:33.176 They're very open about that, but it's more effective. And the 428 00:24:33.231 --> 00:24:36.613 fact that CISOs and other buyers and organizations are making 429 00:24:36.669 --> 00:24:39.996 decisions based on efficacy and quality rather than price is 430 00:24:40.051 --> 00:24:42.990 going to be a massive saving grace for cybersecurity.
415 00:24:00.000 --> 00:24:05.220 Anna Delaney: Good to hear. Marianne? 417 00:24:05.400 --> 00:24:14.310 Marianne McGee: Yeah, I was just going to say that over the last 421 00:24:16.560 --> 00:24:22.680 several months, you've seen various security research 425 00:24:23.490 --> 00:24:54.900 reports come out saying that ransomware attacks are sort of 431 00:24:55.320 --> 00:24:59.130 subsiding somewhat and, you know, the ransom payments are 432 00:24:59.130 --> 00:25:02.490 getting smaller. So, that might be a good sign. But then at the 433 00:25:02.520 --> 00:25:05.940 same time, you know, there's always been - what the good news 434 00:25:06.300 --> 00:25:11.040 is - that it could be that these attackers are now skipping over 435 00:25:11.070 --> 00:25:14.610 encrypting systems and just going right to extortion. So you 436 00:25:14.610 --> 00:25:17.970 know what to say but for hospitals, in particular, they 437 00:25:17.970 --> 00:25:22.290 can - not that they want their patient data exfiltrated - but 438 00:25:22.290 --> 00:25:25.680 if they can skip the encryption part, that might be helpful. 439 00:25:27.060 --> 00:25:30.240 Anna Delaney: Take any good news we can. Tony? 440 00:25:30.000 --> 00:25:32.850 Tony Morbin: Well, in the absence of any good news, what 441 00:25:32.850 --> 00:25:36.570 made me smile was somebody else's misfortune, when further 442 00:25:36.570 --> 00:25:40.440 details recently came out from crypto tracing firm Chainalysis 443 00:25:40.440 --> 00:25:44.850 about bitcoins stolen from 996 wallets controlled by Russia's 444 00:25:44.850 --> 00:25:47.640 foreign military intelligence, Foreign Intelligence Service, 445 00:25:47.790 --> 00:25:51.930 and Federal Security Service, which they had been using to pay 446 00:25:51.930 --> 00:25:54.180 hackers, including the people involved in the SolarWinds 447 00:25:54.180 --> 00:25:57.540 attack. And after it was stolen, the money was then sent to the 448 00:25:57.540 --> 00:26:02.310 Ukrainian addresses.
So not a good news story as such, but 449 00:26:02.340 --> 00:26:02.730 maybe. 450 00:26:03.840 --> 00:26:06.420 Anna Delaney: Very good. And I was also going to jump on the 451 00:26:06.420 --> 00:26:10.260 Ukraine bandwagon, saying that, you know, their resilience has 452 00:26:10.260 --> 00:26:15.240 proved positive in a horrendous situation. And obviously, 453 00:26:15.240 --> 00:26:19.920 they've been practicing this since they'd been attacked in 454 00:26:20.040 --> 00:26:23.760 2014 onward by the Russian offensive campaigns, but anyway, 455 00:26:23.760 --> 00:26:28.350 I think we can learn from Ukraine's defense and we'll be 456 00:26:28.350 --> 00:26:31.710 talking about it for many years to come. Anyway, everybody, 457 00:26:31.710 --> 00:26:34.410 thank you so much. This has been brilliant as always. Tony, 458 00:26:34.590 --> 00:26:39.360 Marianne, Michael, thank you very much. And thanks so much 459 00:26:39.360 --> 00:26:40.770 for watching. Until next time.