ITSPmagazine Podcast Network

Insider Insights: Cybersecurity and Collaboration | A Brand Story Conversation From Black Hat USA 2024 | A LevelBlue Story with Theresa Lanowitz | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

In an engaging episode of "On Location with Sean Martin and Marco Ciappelli," Sean Martin has an insightful conversation with Theresa Lanowitz at Black Hat Conference 2024 in Las Vegas. They explore the complexities of cybersecurity, collaboration, and innovative strategies in the tech world.

Episode Notes

Welcome to Hacker Summer Camp

Sean Martin kicks off the episode with his signature enthusiasm, welcoming listeners to another live broadcast from the renowned Hacker Summer Camp, Black Hat USA 2024 in Las Vegas. He introduces Theresa Lanowitz, a prominent figure in cybersecurity, who shares the latest developments and insights from her venture, LevelBlue.

Sean Martin: “Welcome to a new episode coming to you from Hacker Summer Camp. We’re here in Las Vegas for Black Hat USA 2024, and I’m thrilled to be joined by Theresa Lanowitz. Theresa, how are you?”

Simplifying Cybersecurity with LevelBlue

Theresa discusses the origins and mission of LevelBlue, a joint venture between AT&T and WillJam Ventures. She outlines how LevelBlue serves as a strategic extension to organizations, simplifying cybersecurity through consulting, managed security services, and threat intelligence from LevelBlue Labs.

Theresa Lanowitz: “We aim to simplify cybersecurity by helping you protect your business intelligence through our consulting services, predict your security investments through managed services, and mitigate risk with our LevelBlue Labs threat intelligence team.”

The conversation shifts to how LevelBlue addresses the complexity of the IT estate, offering practical services and actionable intelligence to meet these challenges head-on.

Key Insights from the LevelBlue Futures Report

Theresa shares updates on their flagship thought leadership piece, the LevelBlue Futures Report. Launched at RSA in May, this report anchors their yearly research agenda. She also introduces the C-suite Accelerator, a follow-on piece focusing on the roles of the CIO, CISO, and CTO in fostering cyber resilience.

Collaboration Among CIO, CTO, and CISO

Sean and Theresa explore the dynamics between the CIO, CTO, and CISO roles. Theresa explains that, despite sharing the same goals, these roles often have conflicting priorities, and that the CISO frequently reports to the CIO rather than the CEO. She stresses that the three must be equal partners within an organization to ensure a cohesive response when the whole IT estate is impacted, which is what cyber resilience requires.

Theresa Lanowitz: “The CIO, the CISO, and the CTO must be equal partners. If they’re not, achieving cyber resilience becomes very difficult.”

The Pandemic's Impact on Cybersecurity

Reflecting on the pandemic, Theresa notes how it accelerated digital transformation and brought the resilience conversation to the fore in 2020 and 2021. Despite progress, she observes that cybersecurity often remains siloed, underfunded, and an afterthought in many organizations, and that security teams are still dealing with the after-effects of digital transformation. She stresses the importance of aligning cybersecurity goals with business objectives to create a more integrated and effective approach.

Proactive vs. Reactive Budgets

Theresa emphasizes the significance of proactive budgeting in cybersecurity, contrasting it with the more common reactive approach, where security funding arrives only after a breach, a competitor's breach, a cyber insurance requirement, or new regulation. Proactive budgets, she argues, allow cybersecurity initiatives to be aligned with business goals from the start rather than after the fact.

Theresa Lanowitz: “If you can align cybersecurity initiatives with business goals, you’re going to be proactive rather than reactive.”

The Role of Trusted Third-Party Advisors

Theresa advocates for involving trusted third-party advisors, such as consulting and managed security services, when an organization is doing something new. These advisors bring external perspective and experience from seeing the same problems at scale, which helps drive innovation without leaving new projects exposed.

Sean Martin: “By working with a trusted partner, you’re not giving up your creative ideas but rather ensuring they play out effectively and securely.”

The Human Element in Cybersecurity

As the discussion winds down, Sean and Theresa agree that, at its core, cybersecurity is about people. Theresa underscores the need for cross-functional communication within organizations and with trusted third-party advisors to achieve comprehensive and effective cybersecurity.

Sean Martin: “It always comes back to the people, doesn’t it?”

Conclusion

The episode wraps up with Sean expressing gratitude for Theresa's insights and previewing further conversations on LevelBlue's sector-specific research. He invites the audience to read the LevelBlue C-suite Accelerator report for actionable insights.

Learn more about LevelBlue: https://itspm.ag/levelblue266f6c

Note: This story contains promotional content.

Guest: Theresa Lanowitz, Chief Evangelist of AT&T Cybersecurity / LevelBlue [@LevelBlueCyber]

On LinkedIn | https://www.linkedin.com/in/theresalanowitz/

Resources

Learn more and catch more stories from LevelBlue: https://www.itspmagazine.com/directory/levelblue

View all of our Black Hat USA 2024 coverage: https://www.itspmagazine.com/black-hat-usa-2024-hacker-summer-camp-2024-event-coverage-in-las-vegas

Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story

Episode Transcription

Insider Insights: Cybersecurity and Collaboration | A Brand Story Conversation From Black Hat USA 2024 | A LevelBlue Story with Theresa Lanowitz | On Location Coverage with Sean Martin and Marco Ciappelli

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

[00:00:00] Sean Martin: Here we are. You're very welcome to a new episode coming to you from Hacker Summer Camp. We're here in Las Vegas for Black Hat USA 2024. And I'm thrilled to be joined by Theresa Lanowitz. Theresa, how are you?
 

[00:00:15] Theresa Lanowitz: I am great, Sean. How are you?  
 

[00:00:17] Sean Martin: I'm fantastic. It's good to see you. It's great to see you.  
 

[00:00:20] Theresa Lanowitz: I love how you described it. Hacker Summer Camp. Hacker Summer Camp.
 

[00:00:23] Sean Martin: Exactly. It's full of hackers. Totally. We even ran some news segments this morning about all the hackers running around town and how to protect your phone and stuff, which is kind of funny, but, uh, we're not here to talk about hackers. We're here to talk about LevelBlue and the great work that you do and the research that you do that helps inform organizations on how and where to position their, uh, protective measures, uh, and their teams to really, really shore up what they're working on.

So, um, uh, how have things been? What's new for you in the last few months since we've connected?
 

[00:00:55] Theresa Lanowitz: Last few months since we connected. We last connected at RSA back in May. So since then, LevelBlue was announced at RSA. And just to remind your viewers, LevelBlue is a joint venture between AT&T and WillJam Ventures.

And we're a strategic extension of your team. And what we aim to do is really simplify cybersecurity by helping you protect your business intelligence through our cybersecurity consulting services, help you predict your security investments through our managed security services, and help you mitigate risk and foster innovation with our LevelBlue Labs threat intelligence team. And that's cybersecurity simplified.

So just a little commercial on who we are.
 

[00:01:33] Sean Martin: That's important. It's important, and all that stuff without you is huge complexity.
 

[00:01:40] Theresa Lanowitz: It is. Yeah, we know everything is just unwieldy and the IT estate is just so complex. And the other thing that's new is, when we last spoke in May, we had just launched our LevelBlue Futures Report, our core, our big flagship thought leadership piece for the entire year.

And then what we do over the course of the year is we release other research projects which are part of that Futures Report family. And that's one of the things, that's what we did yesterday. We announced our C-suite Accelerator, which is, again, a thought leadership piece. It's vendor neutral, forward looking, and actionable.

Really highlighting the roles of the CIO, the CISO, and the CTO with cyber resilience.
 

[00:02:19] Sean Martin: Well, let's get into some of that, because I remember it was on top of my mind, and I think probably yours the last time we spoke as well. We briefly touched on the point that the CIO, at least through the conversation that I had, is becoming more prevalent in the world of cybersecurity, and certainly risk management in general,

and not just leaving it to the cybersecurity folks to deal with. And I think some of the research you've uncovered, um, shows that there is a growing relationship, uh, around cyber and risk and IT ops between the CIO and the CTO and the CISO. So what, um, what are some of the, tell, I guess, kind of frame the report for us that you did, the research around it, and some of the things you were hoping to understand and uncover.
 

[00:03:05] Theresa Lanowitz: Absolutely. So if we look at the differences between the CIO, the CTO, and the CISO, the CIO is, in English, the business of the technology. So making sure that the technology that they're using to run the business is operational, functional. They're looking at ways to differentiate and so on. The CTO is all about that innovation.

How can we bring on new ways of satisfying our customers, regardless of who they are, B2B, B2C? It's all about innovation. And the CISO is really about that operational security component, making sure that I am securing everything that's going on, I'm implementing the right security protocols, I'm bringing in the right cybersecurity controls.

And I think people think of the CISO, the CIO, the CTO, and they think they're kind of the same. They must be, you know, a trio. Right. And what we really found out is that there's conflicting goals, not really conflicting goals, but conflicting priorities. Goals are the same. They want to do the best thing they possibly can for their business, right?

But they have those, these conflicting, conflicting priorities. And the CISO oftentimes does not report to the CEO. So oftentimes the CISO is reporting into that CIO. So in the event of some catastrophic event, whether it is a man-made event, a cyber event, a natural disaster, a fire, a flood, a hurricane, an earthquake,

the CISO, the C-I-S-O, does not necessarily have that full seat at the proverbial table to say, this is where we need to be resilient. This is where we need to bring cyber resilience in and work as a team to get our organization functional, operational again when that whole IT estate is impacted.
 

[00:04:57] Sean Martin: So when I think of, I like to think in terms of pictures, maybe diagrams as well.

So, initially, I was thinking kind of a triangle where the three roles, whichever, however you want to spin them, right? Who's more important? It's probably whoever's, whoever's drawn the diagram. Um, but then as you were talking, I was thinking, especially with the, with the two, the CIO and the CTO, and then you mentioned CISO, CISO off to the side.

I was thinking, two points and then a drag, a CISO kind of dragging on the two, right? And I think in many cases that's kind of what it is. Right.

Right. And, and then, but thinking as a triangle, which I think we all hopefully want to see happen, right? Where they're kind of equal and joining together. I, I then look back at my, uh, product development, uh, days and I think, well, you can only. You can't change that it's a triangle. You can only change the size of the sides.
 

[00:05:54] Theresa Lanowitz: Right.  
 

[00:05:54] Sean Martin: Right. Usually it's around quality and speed and cost, right? Cost, quality, schedule, triangle, yes. So with that, I don't know, does that conjure up any thoughts from you, or does it trigger any points from your research?
 

[00:06:07] Theresa Lanowitz: Well, the CIO, the CISO, and the CTO, they have to be equal. They have to be equal partners in what's going on inside of the organization. They have to be equally seen, and equally visible, and equally understood by the CEO. So, in the event of some catastrophic event, the, uh, and this is where we bring in cyber resilience, the idea of cyber resilience saying, when the whole IT estate is impacted, what are we going to do?

How are we going to make sure that we're all bringing things together? And the triangle that you envisioned, having the CISO kind of dragging along, the CISO is the only one out of those three, out of the CIO and the CTO, that has sort of a, uh, a reactive type of budget. And this is one of the things we uncovered from our research, is that for all of the excellent work that the cybersecurity industry has done over the past two, three plus decades, cybersecurity is still siloed, underfunded, and an afterthought.

So we found out that there's not a line item budget through all projects for cybersecurity. And that's important because when you do have that adverse event, that catastrophic event, or near catastrophic event, you want to say, well, here's what we're doing from a security perspective, and if you don't have the CISO being that equal partner, that equal seat at the table, that becomes very difficult to attain, and very difficult to achieve.
 

[00:07:32] Sean Martin: Yeah, and I think one of the things I saw, and I can't remember which report, it may have been one, may have been the Futures Report, but there was a point, I think it was this report, but speaking to the acceptance of uncertainty and which groups are okay with moving forward. My natural mind would say the CTO looking at innovation.

Eh, let's just go for it, right? Uncertainty is fine, let's see where we end up. But what did the research find in terms of
 

[00:08:05] Theresa Lanowitz: Exactly, the CTO saying uncertainty is there, but also the CIO can accept a little bit more uncertainty as well. The CISO doesn't want to accept a whole lot of uncertainty because the CISO knows that if there's some uncertainty, that means that if there's uncertainty in the project, if there's uncertainty in what you're deploying, the adversary is going to be able to find that uncertainty as well.

So the CISO is really concerned about making sure they understand all the different aspects, all the different risk factors, components. They want to make sure that they are being very proactive and not looking at things as an afterthought. And what the CTO sees is, the CTO takes a look at things such as compliance and regulation and says, that creates friction for me because I just want to innovate.

But at the end of the day, you know, we look at some of these new types of use cases that are coming out there, this dynamic computing, think in healthcare wearables for remote patient monitoring, robots on a manufacturing floor, autonomous drones, autonomous vehicles, smart buildings, in a, in a compliance-driven type of industry.

The CTO knows they have to deal with compliance, but while they're innovating, they just want to have sort of a blank slate, so to speak, to be able to innovate and think differently.
 

[00:09:25] Sean Martin: So what can you share in terms of, I want to, I want to hear a conversation, because you get to talk to these folks. Is there, is there building and creating and transforming their organizations into something for the next, the next generation?

What did the conversation sound like, I don't know, maybe a year or two, three years ago between these three roles? And how do you help change that conversation so that they are better aligned and not just working toward the same goal, but actually in lockstep?

[00:10:01] Theresa Lanowitz: Yeah, I think a couple, three years ago, we had the perfect storm.
 

We had the pandemic, and what the pandemic did was it accelerated digital transformation. And as an industry, even without the pandemic, we were at this pivotal point where tooling is really good. Being able to develop a software program, being able to roll out a software program, a product, is so much easier than it has ever been in the past.

We have the cloud. We have SaaS applications. So we had this perfect storm of the technology is so good, so much better than it's ever been. And suddenly businesses of all types needed to pivot. So suddenly this, this conversation around resilience started to come into play, 2020, 2021. And it was, I think at that point, we started to see that the CIO, the CTO, and the CISO had conflicting priorities.

So even though people thought maybe they're working together, we still saw, and we still see, a lot of isolated silos where security is off by itself. It's not integrated into the business, and that becomes a big problem for the business, because the business looks at security and says, I'm spending all this money on security, but I'm not a hundred percent certain what I'm getting.

So it's up to the CISO to really advocate for a proactive budget and align the cybersecurity goals with the business initiatives. So not having those as two separate things, but really having them aligned together. And, and we also found out in our research that there's still a lot of unfinished business around digital transformation.

You know, digital transformation was all the rage a couple of years ago. And what we're finding out is that cybersecurity teams are still dealing with the after-effects of digital transformation.
 

[00:11:49] Sean Martin: Interesting. What's, um, so many questions in my head. What's, uh, let's see, which one do I pick? Because, uh, I'm just trying to think.

We're probably doing better. And so aside from reporting structure, are there signs that an organization can look for to say, we're not operating like we should? And then I have another question to follow that. But are there, are there signs?
 

[00:12:18] Theresa Lanowitz: I think there are signs. Cross-functional communication. Does your development team talk to your cybersecurity team, to your networking team, to your operations team, to the line of business?

So cross-functional communication.
 

[00:12:29] Sean Martin: So the signal there is, if you don't have that meeting scheduled.  
 

[00:12:33] Theresa Lanowitz: If you don't have that meeting scheduled, if you're not talking to your counterparts, start talking to your counterparts. And you know, in the Accelerator, we looked at CIO, CTO, and CISO. But it is also the level below, as well as all the practitioners that report into those three groups.

So, if you're in security, go ahead. Go talk to your developers, find out what they're doing. If you're in development, talk to your security professionals, talk to your operations teams, find out what they're doing. So cross-functional communication is a big one. Supply chain. So the supply chain is a really interesting one.

We found out that 60, nearly, I think it's 59 percent, almost 60 percent of the people we surveyed said they do not have clear visibility into their supply chain. And we think of the supply chain now, and it is beyond the physical supply chain for parts that we might be manufacturing or distributing or using.

It's also the software supply chain. So having that software supply chain be something that we have complete visibility in is critical, especially now since you're required to put your software bill of materials, your SBOM. Where did this source code come from? And we're seeing more and more requirements around visibility and transparency about what your software supply chain looks like, what your software looks like.

So that's another signal. What does your supply chain look like? And then, what do your, what do your budgets look like? Are your budgets reactive or are they proactive? Because the CIO knows what budget they're getting every year. The CTO knows what budget they're getting every year from an innovation perspective, but the CISO doesn't necessarily know
 

[00:14:07] Sean Martin: what, what makes it proactive versus reactive? The budget.
 

[00:14:10] Theresa Lanowitz: So if you know upfront, these are the business goals we want to achieve, and we can align cybersecurity initiatives with those business goals, we're going to be proactive, versus, as we found in our research across the board, on a per project basis, the budget for security increased 11 percent year over year, 2023 to 2024.

And you look at that and you think, pretty good, but in reality the reason the security budgets are increasing is because there are these external events: a breach, a competitor's breach, suddenly you as a security team, you start to get more money. There might be something from a cybersecurity insurance perspective.

They may say, you have to stand up this control that you don't have. You get more money for that. So it's not, it's, it's reactive in terms of some of those things. A breach, competitor's breach, cybersecurity insurance, new regulation or compliance, visibility into supply chain. So you want to be proactive in how that budget is being allocated to you.
 

[00:15:14] Sean Martin: So how does what you do with your program help organize, I mean, I can see smart people, we can figure this out, right? Let's build a program, let's staff it with people, let's buy some technology, let's deploy it, manage it, report on it, hopefully measure it. Let's leverage some standards and frameworks and things like that.

But still, at the end of the day, it's however that person thought about how that program functions in connection to the business. And in there, there may be flaws. We're human. And so I'm just thinking, program to program to program. If you look across all of them, they're probably going to be very different in how they function and how they're staffed and budgeted and all this stuff.

And then I look to what you do and I can only imagine that there's learned experiences across all of these. To know if you're in this sector, and you have this kind of maturity, and you have this risk appetite, and you have this budget, here's how you want to do things. And not waste money, not waste time, not miss something and leave things exposed, or not really align to the business as you think you are, not really be proactive, when in fact you're still reactive, because you don't know what that really means.

So, tell me how you kind of bring some of this to the surface, so teams don't, I think, waste money and waste time on stuff.
 

[00:16:42] Theresa Lanowitz: I think you make such excellent points, and there's so much new innovation, so much new technology that's coming out, so many ways to apply that technology. And that's where you make the case for that trusted third-party advisor.

If you're doing something new, if you're innovating, you're creating new projects, you're creating new software, you're creating a new business idea, bring in somebody who has done this before. Bring in consulting. Bring in managed security services. Maybe you're increasing the number of endpoints. Maybe you're going beyond the perimeter for the first time.

Bring in managed security services. Bring in managed security services to help you with network and security convergence from a SASE perspective. Bring in people who have done this before. Use that as that strategic extension of your team. Bring in global systems integrators. So people who have seen this.

You, you made the point that, you know, there's a lot going on and we might be living in our silos inside each business that's running out there. But there are people out there who are seeing this at, at scale.
 

[00:17:46] Sean Martin: And correct me if I'm wrong, but by working with a trusted partner, it doesn't mean you have to give up your own creative ideas. 
 

[00:17:55] Theresa Lanowitz: Not at all.  
 

[00:17:56] Sean Martin: Right? Not at all. Don't, don't give up the cool ideas you have. Just put them in. Right. Put them in, put them in play in a way that actually works.
 

[00:18:05] Theresa Lanowitz: And if you're using that trusted third-party advisor correctly, they do become that strategic extension of your team. You don't think of them as, oh, they're, you know, they're front, they, they wear a badge from a different company than I do.

They're part of that team. They're giving you that good input, that good advice, and they're working hand in hand. And that's why I went back to the idea of cross-functional communication, something that a CIO can really help with. It's that cross-functional communication internally. But also bringing in that trusted third-party advisor and having them communicate on a regular basis as well.
 

[00:18:41] Sean Martin: Always comes back to the people, doesn't it?  
 

[00:18:43] Theresa Lanowitz: It does.  
 

[00:18:44] Sean Martin: Always comes back to the people. Well, Theresa, you are wonderful people and I love chatting with you and, uh, thrilled to have LevelBlue on to, uh, keep chatting. We're going to talk more about some of the other sectors and some of the research that you've done in those areas to kind of help

healthcare and retail and others, uh, learn from the research you've done and the work that you do. And, of course, we'll include links to the, uh, Accelerator report. Some of the things we touched on today are in there. It's a fascinating, fascinating report. Excellent. Lots of good stuff in there. So hopefully everybody grabs a copy of that and reads it and, uh, then takes action.

Because there's a lot of information to take action on there. And please do connect with Theresa and the LevelBlue team. And thank you everybody for listening and watching this brand story here on ITSPmagazine. Thank you, Theresa.
 

[00:19:39] Theresa Lanowitz: Thanks, Sean. It's so great to see you.