Host Yigal Behar welcomes JC Gaillard, founder and managing director of Corix Partners, to his podcast, The Cybersecurity Insider.
Their discussion probes into the intersection of supply chain, MSPs, Shadow IT, digital transformation, and the ever-present Dropbox.
About JC
JC briefly introduces himself and his London-based management consulting firm, which he established after a decade-long tenure as the chief security officer at Rabobank. Corix Partners specializes in assisting large organizations with their cybersecurity strategy, organization, and governance challenges. With this introduction, the stage is set for a deeper dive into JC’s expertise and insights.
Current Issues That Your Customers Are Having
Yigal asks JC about the main challenges his clients are currently facing. JC explains that the past couple of years, dominated by the COVID-19 pandemic, have brought two broad types of customers into focus.
The first group consists of businesses that have long neglected their cybersecurity maturity. The pandemic’s relentless cyber attacks and increased reliance on digital services have forced them to confront this reality. Now, addressing cybersecurity has become a leadership imperative for them.
The second group comprises businesses that have been involved in various cybersecurity programs for a while, with varying degrees of success. However, they are now realizing that their past approaches may not have been effective. “Others are waking up to the fact they have not been dealing with the problem in the right way for the best part of the last 10 or 20 years. That’s roughly where we are. COVID has obviously opened the eyes of many people at the management and leadership level.”
In essence, both groups are awakening to the reality that cyber attacks are real. Some are just recognizing the problem for the first time, while others are realizing they haven’t been addressing it correctly.
The Democratization Of Cyber Threats
The conversation shifts towards the growing awareness of cyber threats among organizations of all sizes. JC asserts that cyber attacks, data breaches, and ransomware attacks are no longer exclusive to large firms.
Even small businesses with limited digital infrastructure are vulnerable. He points out that many small business owners mistakenly believe their information holds no value, failing to understand that this very information is essential for their operations. This misconception makes them prime targets for ransomware attacks, as malicious actors aim to disrupt business operations and extort ransom payments.
He warns, “If you don’t get your data back you cannot operate. You’ve got your customers waiting. You’ve got your own brand and your own business to save. And if you don’t pay the ransom—at least that’s their logic—you don’t pay the ransom you can’t operate and you die. You stop working.”
The Ransomware Business Model
JC contends that ransomware attackers exploit the critical value data holds for businesses. While the data itself might not have high market value, its importance lies in its ability to support daily operations, serve customers, and maintain business continuity. “What they’re banking on is the fact that you’re going to pay the ransom, irrespective of the actual value your data may or may not have in real terms. The data has value to you because it will run your business, operate your business, and serve your customers. Most ransomware gangs are really relying on that fact—that you’re going to pay the ransom, irrespective of the actual value of the data.”
A Consultant’s Perspective On Client Resistance
Yigal recognizes JC’s perspective and shares his own experience as a consultant encountering clients who question the necessity of investing in cybersecurity. He describes encountering small business owners who initially dismiss the need for cybersecurity measures due to perceived low-risk and cost concerns.
However, Yigal declares that these businesses often fail to grasp the potential consequences of a ransomware attack, including loss of revenue, damaged reputation, legal fees, and remediation costs.
Yigal relates his efforts to educate these clients about the long-term financial benefits of proactive cybersecurity measures, emphasizing how they can prevent costly incidents and ensure business continuity. He notes the prevalence of this mindset among small business owners, where there’s a need for greater awareness and education about cybersecurity risks and mitigation strategies.
How Do You Start Or Restart A Cybersecurity Program
Yigal poses a common question to JC: How do you start or restart a cybersecurity program? He points out that clients often seek guidance about implementing necessary measures like multi-factor authentication (MFA).
JC answers, “My first response, if you want my first line of response, would be to try to understand the actual background in which the realization is taking place.” He suggests that the first step for CEOs and CIOs is to take ownership of the cybersecurity problem.
JC urges leaders to take ownership of cybersecurity, integrating it into business operations instead of outsourcing or relying on quick fixes. He recommends a strategic approach, recognizing the ever-changing environment in which businesses operate.
Maturity Assessment
The next step, according to JC, is conducting a maturity assessment to understand the organization’s current cybersecurity posture. He says that cybersecurity isn’t a new concept; established good practices from decades ago remain relevant and provide a foundation for protection against modern threats.
JC asserts that even businesses claiming to have done nothing about cybersecurity likely have some basic measures in place. He prompts a realistic assessment of existing practices as a starting point for improvement, believing that doing “genuinely nothing” is impossible in today’s interconnected industry.
JC stresses the importance of conducting a maturity assessment to gauge an organization’s current cybersecurity status. This assessment involves “understanding what maturity is, and it starts with some form of maturity assessment: understanding what you’re doing, what you’re not doing, what you’re doing well, and not so well. Invariably, you will have things in place.”
Every organization has some level of cybersecurity, even if it’s just basic measures like firewalls and antivirus software. The assessment aims to align cybersecurity efforts with the specific needs and priorities of the business. JC dismisses the notion of a “green field” in cybersecurity, that it’s not about starting from scratch, but rather understanding existing practices and building upon them.
He uses the example of Microsoft Office 365, which comes with enormous built-in security features that users might not be aware of. The key is to identify these existing resources and understand how they can be leveraged to enhance security. Once the current state is understood, organizations can then determine their desired cybersecurity goals with the threats they face.
JC reiterates that the foundation for a successful cybersecurity program lies in “acceptance and acknowledgment that this is real; that this is part of business ownership. Figuring out who internally is going to own it and drive it – the objective being not to make it somebody else’s problem, not to try to make it disappear, not to try to give it to someone else to sort out, but really to find a way internally, within the organization, to make it happen. And then, figuring out without complacency where you are in terms of maturity, what you’re good at, and what you’re not so good at.”
Reframing Cybersecurity
Yigal insists cybersecurity is not just an IT issue, comparing it to medical specialization where general practitioners may lack expertise in specific areas. He stresses the need for dedicated cybersecurity expertise.
Yigal notes that many organizations mistakenly perceive cybersecurity as an IT function, hindering effective security implementation. He reiterates that cybersecurity should be treated as a fundamental pillar of the business, requiring ownership and support from both the CEO and the board of directors.
Building upon the idea that cybersecurity is not a magical solution, JC introduces the concept of layered protection. Relying on a single security measure, such as installing patches or enabling multi-factor authentication (MFA), is insufficient to safeguard against all cyber threats. He uses ransomware as an example, which needs multiple layers of defense to effectively protect against elaborate attacks.
Myth Of The Silver Bullet & Onion Layers
JC challenges the notion of single solutions or “silver bullets” in cybersecurity, particularly in the context of ransomware protection. JC advocates for a layered approach to defense. “In reality, to protect yourself against ransomware, you need to act on all those layers and probably a number of other layers, okay? But there are many, many vendors out there trying to push, obviously, their product and their solution as being the one silver bullet that is going to protect you. Those things simply don’t exist.”
Yigal agrees, stating that “we call it the onion layer, onion protection. So, you have, like an onion, you have layers. So, security is about layers, and they say layered security. They have different names, but they mention it in different contexts.”
Yigal also dismisses the idea that relying solely on staff training, email filtering, or patching can guarantee complete security. While these measures are important, they are not foolproof.
Yigal envisions cybersecurity as a journey from point A to point Z, with continuous improvement as the goal. Even if the starting point isn’t perfect, the objective is to enhance security over time. As Yigal states, “The objective is to be better in the next 12 months, to be in a better place in terms of your security. Layered security, this is the way. The onion approach is the best way to go.”
Supply Chain & MSPs
Yigal shifts the conversation to the topic of supply chain security, questioning whether the term accurately reflects the tricky relationships between organizations and their service providers. He points out that even seemingly basic services like Microsoft Office 365 or cloud-based email hosting involve third-party dependencies, effectively making every organization part of a supply chain.
He points to the role of Managed Service Providers (MSPs) who manage both internal IT and cloud infrastructure. Yigal expresses concern that MSPs, and even their customers, may not fully grasp the intricacies of cloud security, potentially leading to increased vulnerabilities.
He shares his theory that the growing reliance on cloud services is directly correlated with an increase in potential security risks.
Cyber Threats Are Changing & Gets More Challenging
Yigal then shares his personal experiences in the cybersecurity industry since 2000, noting the increase in the frequency of cyber attacks. He recalls a time when major cyber events were relatively rare but shares how the industry has changed dramatically, with daily reports of breaches affecting healthcare organizations, government entities, and even high-profile agencies like the FBI and CIA.
Yigal questions how smaller companies can realistically expect to survive such attacks and express skepticism about their ability to do so. He then invites JC to share his take on this issue.
JC says that recent security incidents like SolarWinds and Log4j have exposed a significant challenge for organizations: truly understanding and knowing their IT estate. The ability to react quickly to vulnerabilities, such as the Log4j issue, requires a level of visibility and knowledge that many organizations lack.
JC points out that smaller businesses are especially vulnerable. Without good knowledge of their systems, they are left with two unappealing options: either risk being breached or passively waiting for a patch to be released, hoping for the best in the meantime. He says that the lack of control and uncertainty associated with this situation is not a reassuring position for a business to be in.
JC suggests that this scenario plays out frequently for Chief Security Officers (CSOs) who are left explaining this predicament to their executives. He attributes this recurring issue to the unprecedented surge in cyberattacks, echoing Yigal’s earlier observation about the increasing frequency and intensity of threats.
The Cloud & Emergence Of Shadow IT
JC also addresses the challenges posed by the cloud and the rise of shadow IT. He explains that as businesses increasingly adopt cloud services, the traditional boundaries of IT control blur, leading to a phenomenon where departments and individuals procure and utilize technology resources outside of the IT department’s purview. This is often driven by dissatisfaction with internal IT’s responsiveness or capabilities.
He illustrates this with the development of the HR industry on how their increasing reliance on external cloud-based services like Talio for managing sensitive employee data has created new security risks and complexities. This trend of shadow IT extends beyond HR and permeates various business functions.
The growth of hidden IT makes managing supply chains harder. This is because companies lose track of their data, making it difficult to handle security problems effectively. JC says that without understanding the extent of hidden IT, companies are vulnerable and can’t take action to protect themselves.
He asks if companies know their IT systems and the possible dangers of hidden IT. He ends by repeating the problems this creates for keeping supply chains safe.
Yigal agrees with JC about hidden IT, saying it’s because company IT departments are slow to respond, forcing workers to find outside solutions. He then changes the topic to digital transformation, asking JC for his thoughts on it and how it affects companies.
Digital Transformation
JC offers to share his thoughts on digital transformation from a cybersecurity perspective. He explains that he previously used the term to describe the quick move towards online work during the pandemic when physical places were closed.
He then talks about the bigger idea of digital transformation, saying it started before new technologies like smartphones, IoT, and blockchain. JC says it’s been changing industries for over 20 years, starting with the Internet and maybe even earlier, depending on how you define it.
JC explains that digital transformation happens in small steps and big leaps. He says it started with mainframe computers in the 1960s and 1970s. While the Internet was a big step, he argues there have been even bigger changes in certain industries.
The Travel Industry Was First Disrupted By The Internet
He uses the travel industry as an example, showing how the internet changed how people book trips and buy plane tickets. JC also says the industry was already changing towards using more technology like virtual and augmented reality, even before the pandemic changed how people travel.
JC also talks about how digital transformation is shaking up the banking industry. New online banks are competing with traditional banks, and he thinks these changes are unavoidable but good for customers.
He says digital transformation is incremental and complex, which affects businesses in many ways. When it comes to cybersecurity, JC says digital transformation changes how companies handle technology, so they need to rethink their security plans.
JC explains, “When you talk about digital transformation, you need to understand the complexity of it. There are aspects which are incremental, aspects which are disruptive. You need to keep all that in perspective.”
JC says that cybersecurity used to be seen as an IT job, often managed by the CIO. But as digital transformation becomes more about business, the roles of CIO and CTO are changing with the rise of Chief Data Officers (CDOs) who drive digital initiatives and often control new technologies.
He observes a trend where the business takes the lead in driving digital transformation, often creating new roles like Chief Data Officer or Chief Digital Officer. This shift leaves the CISO or CSO in a challenging position, caught between the business’s drive for innovation and the need to maintain robust security practices.
JC says this changing situation is a big problem for cybersecurity experts. They have to adapt to the new environment and find a balance between business goals and security needs.
To fix this, JC thinks cybersecurity and data protection should be a bigger deal in companies. As companies use data more for growth, keeping personal data safe becomes very important, especially with rules like GDPR in Europe and similar laws in the U.S.
JC wants to combine privacy and security under one boss, as both are key for managing data. This change would make sure cybersecurity is not just an IT thing but a part of the whole plan for digital change, leading to better ways to protect important data.
Digital Transformation Rebranded As A Marketing Term
Yigal agrees with JC and adds that digital transformation isn’t new, but it’s been renamed for marketing. He notes that information security has also changed its name to “cybersecurity.” Yigal points out how COVID-19 made digital transformation happen faster by forcing companies to work remotely, which accidentally created new security risks.
He asks who should be in charge of digital transformation and how to do it, especially since there can be conflict between CIOs who manage old systems and those building new ones. Yigal worries about disagreements and problems that can come up when old and new systems share data, as this can lead to arguments about who owns and controls it, ultimately slowing down the company’s progress.
JC says digital transformation can’t happen without thinking about security. He stresses the importance of carefully placing and changing the CISO’s role as companies transform. JC points out that tech people mainly focus on making things work quickly, often forgetting about security and control. He says this is not a criticism, but just a fact about how different roles have different priorities and skills.
Integrating Security Into Digital Transformation
JC says security needs to be built into digital transformation. He warns about leaving cybersecurity only to CIOs, who might be ignored during changes led by CDOs focused on business results. This could create a gap between security and the changing digital world, leading to possible problems.
To address this, JC suggests separating the CISO’s job from the CIO’s and getting them involved in the CDO’s projects. This might mean changing the company structure and dealing with office politics. He stresses that this change needs to start at the top, as lower-level or sideways approaches probably won’t work because of competing interests and different departments not working together.
Promoting Security To The Executive Level
JC suggests making security a bigger deal by creating a plan that includes not only digital security but also privacy, resilience, and keeping the business running. This whole plan can then be given to a top manager who reports directly to the board or CEO, making sure security is a priority and matches the company’s goals.
Yigal agrees with JC and repeats that “information security” might be a better term than “cybersecurity.” He points out that information is everywhere, especially with the rise of hidden IT and faster digital change caused by the pandemic. He also says that “digital transformation” is often used as a marketing word rather than a clear description of the ongoing changes in technology.
Yigal goes back to the earlier talk about who should be in charge of digital transformation and how to do it. He points out possible fights between those in charge of old systems and those leading new ones, especially when it comes to combining data and who owns it. He knows these fights can cause problems in companies and asks JC for ideas on how to fix them.
Yigal also explains that hidden IT often starts from the bottom up, as workers look for quick solutions without going through company IT. He uses Dropbox as an example of how people might use outside tools to share files because they think the company’s tools are too slow or hard to use. This shows why companies need to close the gap between what the business needs and what IT can do, to stop the growth of hidden IT and its security problems.
Shadow IT Is An Ongoing Challenge
Yigal shares an anecdote about a customer who, as an IT manager, sought a quick solution for sharing files with vendors. The client liked a ready-to-use cloud service because it was fast and easy. Yigal adds that they need to “make sure that security is actually implemented regardless [of] where the information is, whether it’s on the cloud or on-prem [sic] or I don’t know, on the moon. They need to own that data, they need to be the data custodian, and they need to handle the information. Now, if you have a business requirement, then they need to move quickly.”
He notices that CIOs and CTOs are becoming more business-minded and know how to match technology with business goals. But, he points out that these leaders need to think about the security risks of using technology to keep important information safe.
JC says the problem of hidden IT, like using Dropbox, is not new. He remembers seeing similar things over ten years ago. He says the main challenge for cybersecurity experts is to make sure security is considered when making decisions. He stresses that if security teams know about the problem, they can fix it by teaching people, finding other solutions, and figuring out the risks.
JC adds that the main problem is not using cloud services or outside tools, but the lack of talking and working together between business teams and security experts. He thinks that by talking to each other first, security teams can help businesses find safe and useful solutions that fit their needs.
Dropbox, Data Sharing & Security
JC says it’s important to catch and fix web security problems, like using Dropbox for sharing files. This means creating ways for people to talk to each other and making sure employees feel okay talking to security experts without being scared of getting in trouble or being slowed down.
He knows that building this relationship is a big challenge for managers, but it’s important for stopping hidden IT problems before they happen. JC stresses that if security teams know about these things, they can offer solutions like teaching users how to be safe, finding other tools, or figuring out how sensitive the data is.
But Yigal disagrees with JC, saying even data that doesn’t seem important can cause problems if it’s shared with the wrong people. He points out the risk of losing control over information once it leaves the company, stressing that even a small action can have bad results if not handled right.
JC agrees with Yigal’s worries and says fixing them requires good communication between security and other parts of the company. He points out that people react differently to permissions, and some might abuse them, so careful management and controls are needed.
JC also says even unimportant data can be risky when moved between outside and inside systems. He points out that even with strong passwords and extra security steps, cloud services can be breached, putting companies at risk. Problems with remote access happen every day, so it’s important to know the difference between different types of data and connections to find and fix risks properly.
Real-Time Assessment & Response
Yigal adds that in big companies, checking and responding to things quickly is very important because there are so many different kinds of data transactions happening all the time. JC says it’s important to have many layers of defense, meaning you need different security measures to protect against all the different kinds of threats in today’s complicated digital world.
JC agrees that fixing the Dropbox problem needs a many-sided approach. He says it’s important to watch and set up ways to find and respond to unusual things and possible problems. He stresses that just collecting data isn’t enough; it’s important to look at the data, find strange things, and take the right steps to lower risks.
Yigal adds to this by suggesting clever solutions like keeping possibly risky activities on separate computers to reduce the impact on the network. He emphasizes that by working together, security experts and business users can find good solutions that work for both security and business needs.
JC repeats that the most important thing is for the security team to be involved from the start when making decisions. This lets them help choose and set up safe solutions that still work for the business. There are many ways to solve these problems while still following the rules.
Yigal reminds listeners that compliance is another crucial aspect to consider, citing examples like the General Data Protection Regulation (GDPR) in Europe and similar regulations in various U.S. states, particularly in industries like finance and insurance.
Best Clients
Yigal asks JC about their best client. JC says it’s usually a new executive, like a CIO, head of risk, or head of compliance, who joins a company and sees big problems with cybersecurity. These people usually know a little about cybersecurity but need help understanding the specific situation in their new company and making a plan to fix it.
Yigal then asks how these people know about cybersecurity in the first place. JC says it’s a mix of past experience and seeing the current state of cybersecurity in their new company. He points out that these people often find themselves in situations where there might not be a CISO, or the existing security team is too busy and can’t give clear guidance. They want JC’s help to assess the situation, give advice, and help them put in place effective cybersecurity strategies.
JC admits he might be overstating things a bit, but stresses that the situations he describes happen often. He finishes by repeating that Corix Partners is often asked to help new executives in these cases deal with the challenges of cybersecurity and create strong security for their companies.
Recap Of Key Cybersecurity Challenges
As the podcast wraps up, Yigal summarizes the main points they talked about, including following rules, digital change, keeping supply chains safe, MSPs, and the first steps companies should take to improve their security.
He suggests starting with a risk assessment, which means understanding where data is and writing it down to get a clear picture. He also mentions different ways to reduce risks, like watching and separating shadow IT activities, and highlights how important it is to control sensitive information.
Yigal says there are still many more things about cybersecurity to talk about, mentioning their past conversations as proof of how big the topic is. He then gives JC the chance to share any final thoughts and ideas.
In closing, JC expresses his enjoyment of the conversation and agrees that the diverse range of topics discussed will be valuable for the audience.
JC repeats how important it is for top management to take charge of cybersecurity. He says that the old way of doing things, where security teams try to bring their worries to higher-ups, hasn’t worked. He points to the many breaches in big companies as proof of this.
He wants the industry to change how it thinks, urging companies to see cybersecurity as a problem for the whole business, led from the top. JC believes this top-down approach will make security measures better and faster, lowering the risk of attacks.
Yigal agrees with JC, saying the goal of the podcast is to make people more aware of and understand important cybersecurity issues. The episode ends with Yigal hoping for more talks like this in the future and thanking JC for his help in the cybersecurity community.
If you enjoyed this episode of The Cybersecurity Insider, we’ve got more! Head over to YouTube, Apple Podcasts, or Spotify to listen to other episodes and learn more about how to keep your business safe online.
Yigal Behar – Host
