Upside/Downside - Grow Your Profits and Cash Flow

Ep 35: Cybersecurity Strategies That Drive Profits and Cash Flow

Matt Cooley Episode 34

Upside/Downside is a podcast about value creation and the strategies finance and business leaders can use to grow profits and cash flow. I'm your host, Matt Cooley.

In this episode, information security executive David de Martin joins me to analyze the many threats businesses face, and how adaptive tools like Calamu can neutralize those threats while growing your profits and cash flow through competitive advantage.

From threat Prevention to Detection to Response, what should value-focused companies be thinking about and how are security solutions responding in the era of AI?

Take a seat at your security console and dial up your value creation skills on this episode of Upside/Downside!

Thank you for listening and please visit Upside/Downside podcast and enter your email for my FREE list: "10 places to look for higher profits and cash flow right now!".

Matt

SPEAKER_01:

Welcome back, everyone. This is Matt Cooley, host of Upside Downside, where we explore value creation and how the actions we take affect your profits and cash flow. By day, I'm the unit CFO for Ericsson's global network platform API business and a nerd for value creation and how it impacts companies and everyday people. With us today is David de Martin, an information security leader with a strong history of keeping organizations safe across multiple continents and threat scenarios. We've worked together before and I'll say what I really admire about David is his ability and need to be part of the business. He's definitely not the person on the side telling you all the things you can't do, kind of like finance people, right? David brings his technical expertise in security, privacy, and compliance right into the nexus of value creation and helps businesses grow. Welcome, David.

SPEAKER_00:

Hey, thank you for having me. Hi, Matt.

SPEAKER_01:

Hey, pleasure is mine, and I'm glad you're here. And I've wanted to do an episode on security for a while because it's so core to pretty much all business models these days. And I think we've worked together, and you and I have witnessed that more than once, how a company positions the broader need for security within their business models can have a huge impact on the ability to create value. So with that, Dave, David, let's launch into this, sir. What are some of the biggest security threats to companies today that can impact their profits and cash flow?

SPEAKER_00:

Well, I mean, today probably the most well-known is it's all around ransomware and typically it's not coming by itself. It's coming with triple or even quadruple extortion, meaning that it's not only encrypting your data. Before encrypting your data, they are typically exfiltrating it. And with that data theft, what is coming is also they're getting information regarding your customers or any other stakeholder that you have. So if you were well protected against ransomware and you had your backups in place and it's like, okay, they are encrypted and I can just record my data, no problem. Then they are going to try to extort you regarding, okay, but before encrypting the data, we got the copy. So here is what we have and we're going to leakage that will destroy your brand, whatever. So even if you say that's fine to me, I'm not going to pay because this payment cycle only basically generates more ransomware interest from the bad actors. Then it's like, okay, you're not paying. Then with information that we got from your network or whatever, we're going to launch denial of service attack, distributed denial of service, DDoS, or we're going to contact your customers or leak information about them. So they sometimes go and contact your customers and ask them for money, telling that they have information about them. So it's all around that. And even worse, the bad actors, they have realized that the big companies, of course, they are juicy. They have more money and more cash on hand, but they are the most difficult to crack. So they're shifting also the interest into medium-sized companies that typically they don't have that much of a good security and they still have some possibilities to pay and they don't know as good also what to do when something happens.

SPEAKER_01:

If I'm running the local gas station, they're probably going to leave me alone because I don't have much money, but if it's Cisco or Microsoft, they're going to be all over me.

SPEAKER_00:

Yeah, with the biggest companies, there's always, always, always a lot of adapters continually scanning you, continuously trying to crack at you. And that's a fact. That's a fact for the telco companies, because that's very juicy, trying to crack the communications of anyone to hack. But any company with a good cash flow that they can pay a ransomware, it's a juicy target. But what I'm saying now is even smaller companies with way less known, they are also going after them now because they are easier. So maybe not the local gas station, but somewhere in between that and Microsoft, which there's a lot of companies there. Imagine a law firm, a small healthcare provider. They're not going to ask for billions, but it's like, okay, give me a quarter of a Bitcoin. It's 10K. You know, maybe the dentist will pay that just to avoid their patient data being leaked, especially on the European Union where they can have really huge fines.

SPEAKER_01:

Right. So you mentioned a few minutes ago companies that are well protected. What is well protected? What does that look like to you as a security professional?

SPEAKER_00:

Well, it's prevention. So all the measures that you're having, not having vulnerabilities, having all your firewalls, all that defense in place. But then it's detection because you have to assume breach. So when something happens, you quickly detect it. So you don't do like SolarWinds that they have an attack ongoing for more than a year and they didn't notice. And then it end up how it end up. And after that, you need to have a team which is prepared for responding because once you detect the bad actors, it's the panic moment. And if you're not trained, it's not going to go well. So you need to know exactly what to do, how to contain, how to kick them out, and if something bad was done, to recover. And at the end of the day, keep the business running and minimize the impact. So those are the three pillars to me. It's prevention, detection, and response.

SPEAKER_01:

Wow. Okay. Now, that's great education. So you've had a lot of business and operations roles, which is, I think, a very cool component of what you bring to the table. From your perspective, can security drive value creation, or is it something that's purely defensive and protecting value? Seems like the world's changing. And what I'm thinking about is how so many companies are managing data in the cloud, for example, which can be really complex logistically and legally to set up. But if you have that security infrastructure in place, it seems like security is a value driver these days. I'm curious what your take is on that.

SPEAKER_00:

Yeah, so it is. Time ago, it was like, okay, let's ensure that there is no value in the instruction, because if you get hacked, then there's going to be information leakages, that's going to have really bad press, you may get fined by the regulators, your brand is going to be affected. But these days, definitely beyond the fines that you can get in terms of the branding, I guess at this more and everyone has been hacked one way or another, so I don't see that it's having that much back into the public opinion any longer after Target, Home Depot experience. Um, obviously if you're a bank and you get hacked and then the money goes away, that I will have a great impact, right? But, uh, but there is a lot of value because even if the brand is not that affected by the public opinion. Any customer at the end of the day, you and I are the same customers of whatever, a bank, a healthcare, hospital, or companies. You don't want your data flying around, right? You don't want to know if you have a medical condition that is there for graphs on the dark web. You don't want your bank information outside or even money flying away from your bank account. If you have a car, you don't want it to be hacked and then you lose the brakes or suddenly all EVs stop on the highway. So everybody wants whatever product they are using to be secure, their information to be saved and well taken care of. So it's when it starts becoming a competitive advantage that you can advertise. Sometimes there are no brainers. For example, now there's a technology that is going to really ramp up next year, or this year even, which is called PassKey, basically using biometrics for replacing passwords. So it's passwordless application, which actually gives you better security than passwords, even together with a multi-factor authentication. It's not that secure, it's a bit better when you are using tokens, but at the end of the day, biometrics works better, it's better for the user, because it's frictionless and it's better in terms of security. So sometimes the planets align and you get security solutions that are totally really good for business. Sometimes security is just, you cannot run your business if it's not secure, as simple as that. So again, if I go to healthcare, you ensure that you are protecting the data patients properly, not only because you have to be compliant with the regulation, but also because if something happens, the trust of your customers will go down and there will be severe damage. So the more you can show that you are on top of the people will go to your business instead of other business. Perception is important here. So there is value there. To put another example, I mentioned before also SolarWinds. They were hacked for a year. Nobody noticed. And then it was discovered by FireEye, which is a security company. And they were users of this Orion product from SolarWinds that was hacked as a supply chain attack. They quickly made this hack public. They pulled SolarWinds and then they made it public because so many companies have this software. They got a small hit on their stock value, but the day after they rose 30%, far right. Because what people see is, okay, these guys have been hacked because of this supply chain attack coming through SolarWinds. But actually they have been the first ones realizing that, when there was like thousands of customers using that product. So it put them in a really good position. Plus, they were the kind of company that product was a security product to try to avoid these kind of scenarios. So for them, it was great, great value, actually.

SPEAKER_01:

Right, to be transparent and put it that way. I remember this story. It's good to have a reminder of that. Hey, I'm curious how AI is going to affect security in the years to come. That's pretty much all we hear about at the moment. What's your take on how AI can help the security posture going forward, and particularly from a value creation angle?

SPEAKER_00:

Yeah. It's going to have great impact. It's going to have great impact in both sides, both on the attackers, because they're going to be able to do better attacks, to use voice, to use video, to automate, to part of the phishing campaigns that they needed to do manually. You have a person behind, all of that could be now automated. I remember last April in the RSA conference in San Francisco, Bryan Palma, the CEO of Trellix, he made a really good provocative presentation about DevSecOps. He started the session with a video, and it was an AI-generated video of himself. And then AI is going to automate that, but then it also has to be used heavily on the defensive part. And that's where the value is going to be created because the good news, I think, is on our side, on the other side of the fence against the hackers, we have way more information. So whatever AI models we create, we can feed them with way more data. So they should be better. They should be more robust. So all the automation that can come with AI and help do the decision making and even automate part of the decision making, take the first response automatically, that's going to be a lot of value, especially on security products, of course, but for any other kind of business. Releasing that sources that today they are tired looking into logs that are not consolidated, trying to figure out what's something that is really an incident, what is not, that takes a lot of time. So with AI, that's going to be widely simplified. The first response can also be automated. So then you will have the talent involved into high level decision making that is more critical instead of wasting their time looking into logs.

SPEAKER_01:

Right, which you could quickly see the value creation impact of that, right? By not only lowering your costs and preserving your revenue streams, but, you know, standing out from the competition and having a competitive advantage is just being a more overall secure organization, which is kind of what you mentioned. That's encouraging. That's actually encouraging to hear, David, because... I'm optimistic. Yeah, so what are the A's? AI right now, the AI message is, it feels like doom and gloom, but it's neat to hear this. I'm curious what security companies you admire right now or that you're following that businesses should keep in mind that help bolster their profits and cash flow. What can you share with us?

UNKNOWN:

Yeah.

SPEAKER_00:

I mean, there are several companies that they are doing a really good job. There is more security companies these days than stars in the universe because of how hot the topic is right now.

SPEAKER_01:

There shouldn't be any hacking going on in that many companies out there.

SPEAKER_00:

Yeah, there's no money enough in the world to pay for all of them. So the problem that I see with that is some of them, they are very neat. They are really good at what they do. But it becomes a nightmare for the CISOs to really put all that tools together, to put all that information together. So the ones that I think are going to be successful are the ones that are able to consolidate all of that, to offer a wide portfolio that integrates together, so then they also have all that information, they can start applying all that AI and there's more data available. So to me it will be either that or other companies that are starting to pop up that they are integrators of all that data. So, okay, you can have your vertical tools, but they will all be putting their data, and hopefully here there will be some sort of standardization, but again AI can help, if there's no standardization, to identify the building blocks of the information so you can put all together and help you understand better your security position or, if you compromise, what's happening and trigger response very, very quickly or automatically. In terms of that, I'm going to talk about a couple of companies, two verticals. I discovered them this month, but I think both of them, they were doing things really cool and again related with what we discussed on your first question around ransomware. So one of them is called Halcyon and they are able to basically, when the tool is deployed, if there's a ransomware attack, they can identify how it's happening using AI and stop it right there, but even if they start encrypting, they are able to collect information, to decrypt the data without the key initially. So that's pretty cool because basically even if the encryption starts, you can decrypt like that in seconds. And there is another one which is putting more focus on the data, right? At the end of the day, when you're going to be excited to ransomware, as I mentioned, the two extortions are encrypting your data, so you have downtime. And the second one is leaking it. So they have something called data hardware, where your data is basically distributed in the cloud. And you mentioned, hey, the cloud, the risk. In this case, it's actually really good because they are applying the latest ideas in terms of having the information distributed and encrypted in the cloud in different cloud providers. So you can think into something similar to what RAID 5 is for storage, but for data around the globe. So they can reconstruct the information. So it's some sort of a backup at any moment once the encryption starts because it's redundant. And if the hackers get some of your data, it's useless because what they are getting is chunks of encrypted data that they cannot do anything with that. So they are basically solving both problems on one shot. So let's see how these two companies go, but definitely really cool products that I've seen.

SPEAKER_01:

It feels almost like Battle of the Robots, right? I mean, it's very cool. All right. It is.

SPEAKER_00:

It'll be really exciting. With all the AIs, it's going to be like AIs against AIs. And it's like take the popcorn and start looking what's going on. Like war games.

SPEAKER_01:

I hope we can keep up. Wow. Well, listen, thanks for educating us today, David. That was awesome.

SPEAKER_00:

You're welcome to be here.

SPEAKER_01:

Yeah, no, it's great. And I feel like I need to ask you to do a security review of the Upside Downside podcast. Just kidding, but it's making me think. And to our listeners, thank you for joining us today. And if you find you need custom help with your value creation challenges, as always, please see the link in the episode notes for more information. We'll see you next time. And thank you.
