ITSPmagazine Podcasts

Strategies for Effective Cybersecurity Governance and Protection to Better Balance Innovation and Regulation in Cybersecurity | CISO Circuit Series with Mandy Huth and Whitney Merrill | Michael Piacente and Sean Martin | Redefining CyberSecurity Podcast

Episode Summary

Join Sean Martin and Michael Piacente in this compelling episode of the Redefining CyberSecurity podcast, as they explore the complexities of cybersecurity leadership and liability with industry veterans Mandy Huth and Whitney Merrill. Discover pivotal insights on shared responsibility, regulatory expectations, and the future of security practices that every business leader should hear.

Episode Notes

About the CISO Circuit Series

Sean Martin and Michael Piacente will join forces roughly once per month to discuss everything from looking for a new job, entering the field, finding the right work/life balance, examining the risks and rewards in the role, building and supporting your team, the value of the community, relevant newsworthy items, and so much more. Join us to help us understand the role of the CISO so that we can collectively find a path to Redefining CyberSecurity. If you have a topic idea or a comment on an episode, feel free to contact Sean Martin.

____________________________

Guests: 

Michael Piacente, Managing Partner and Cofounder of Hitch Partners

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/michael-piacente

Mandy Huth, Global CISO - VP of Cybersecurity, Kohler Co.

On LinkedIn | https://www.linkedin.com/in/mandyhuth/

Whitney Merrill, Head of Global Privacy & Data Protection Officer, Asana [@asana]

On LinkedIn | https://www.linkedin.com/in/whitney-merrill-5ab05012/

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

____________________________

This Episode’s Sponsors

Imperva | https://itspm.ag/imperva277117988

Pentera | https://itspm.ag/penteri67a

___________________________

In this episode of the CISO Circuit series on the Redefining CyberSecurity podcast, co-hosts Sean Martin and Michael Piacente lead an engaging discussion about the current state of cybersecurity leadership, liability, and protection. Their conversation features insights from two distinguished guests: Mandy Huth, an enterprise security leader with over 20 years of experience, and Whitney Merrill, a privacy attorney with a strong background in computer science and legal frameworks around consumer protection.

The discussion opens with an exploration of individual liability for cybersecurity leaders and broader business leadership within organizations. Whitney Merrill argues that regulators like the FTC and SEC are increasingly holding individuals accountable for security and privacy lapses. The conversation highlights notable cases where executives have faced scrutiny, emphasizing the growing expectation for tangible processes and proper security postures within organizations.

Mandy Huth underscores the importance of shared responsibility and accountability within a business, noting that security decisions are not made in isolation. She advocates for a collaborative approach where security leaders outline risks comprehensively to allow for informed decision-making across the executive team. Huth also expresses concern over the proliferation of CYA (Cover Your Ass) practices that prioritize documentation over meaningful risk mitigation, warning that this can dilute the effectiveness of security programs.

Another central theme in the episode centers on the need for standardized frameworks and a common language to articulate risk across an organization. Both guests highlight the need for clear, consistent communication of risks to build a unified understanding among all stakeholders, from the board to individual teams. Piacente and Merrill emphasize that while existing frameworks like NIST and ISO provide a foundation, there is an ongoing need to adapt these frameworks to align with industry-specific contexts and evolving regulatory expectations.

A significant takeaway from the conversation is the role of systemic risk and the potential outsized impact of seemingly minor vulnerabilities. Huth and Merrill caution against underestimating these risks and advocate for continuous improvement and adaptation of security measures. They suggest that prioritizing business-friendly security practices can help foster greater adoption and collaboration across the enterprise.

The episode concludes with reflections on the future landscape of cybersecurity regulation and practice. Whitney Merrill envisions a shift towards democratizing security, making it more accessible and achievable for small businesses through standardized, affordable solutions. Meanwhile, Huth calls for a balance between regulatory clarity and flexibility to ensure innovative small businesses can thrive without being stifled by onerous security requirements.

Overall, the conversation provides valuable insights into the complexities of cybersecurity management, emphasizing the importance of collaboration, clear communication, and adaptability in navigating modern security challenges. These discussions are essential for any business leader or security professional looking to enhance their organization's resilience against cyber threats.

____________________________

Watch this and other videos on ITSPmagazine's YouTube Channel

Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

ITSPmagazine YouTube Channel:

📺 https://www.youtube.com/@itspmagazine

____________________________

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:

https://www.itspmagazine.com/redefining-cybersecurity-podcast

Are you interested in sponsoring an ITSPmagazine Channel?

👉 https://www.itspmagazine.com/sponsor-the-itspmagazine-podcast-network

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] And here we are. You're very welcome to a new Redefining CyberSecurity podcast. I am Sean Martin, your host, where I get to chat with all kinds of cool people about cool topics related to cyber, and doing so in a way that enables businesses to thrive, not just survive, but actually generate revenue and protect it in the process. 
 

And, uh, I'm super thrilled. It's always fun to have, uh, Michael Piacente on for our CISO Circuit Series. If you didn't catch our last episode, it was live, well not live, but recorded in Black Hat. And Michael was a little silly, um, at the beginning of that. I wasn't, but Michael was. So you have to check that episode out. 
 

We won't do any of that, that foolishness today, Michael. 
 

Mandy Huth: I don't know, you invited me. Okay. 
 

Sean Martin: It was, yes, it was stupidness in between, but, uh, in all seriousness, uh, I love [00:01:00] these, love these episodes and, uh, they can't happen enough, but I take them when we can, when we can align our calendars and our guests calendars. 
 

Uh, Michael, what, uh, what's the latest my friend? 
 

Michael Piacente: Yeah. Thank you. Thanks for having me. And, um, so enjoy these, um, the Black Hat one was classic and, um, had a lot of comments about that one. Uh, but yeah, today, uh, so, uh, we have two amazing, amazing leaders in, in the cyber and, uh, cyber and privacy and several other things. Uh, I'll let Whitney, Whitney go through her background, but Mandy Huth and Whitney Merrill are here. 
 

Uh, I have had the pleasure of meeting both of them recently, actually, uh, in my daily meetings, uh, and thought their stories, uh, their narratives, their approaches were just, you know, super interesting, uh, very unique, um, perspectives, um, and I just thought, wow, getting them together, uh, and having sort of a moderated, [00:02:00] you know, very casual panel about a very important topic, um, which would be, you know, CISO protection and liability and all that's going on. 
 

Um, I was just telling them before we jumped on that I just spent a few events down in Texas with, uh, the great Tim Brown and great Joe Sullivan. Um, and that was super educational hearing their stories. And, um, this is a huge topic. It's no longer sort of like, if, uh, a breach is going to happen that could create a material situation, um, for the CISO and their organization and the company. 
 

Um, but it's more of a win. And, um, I think we should be talking about this topic openly. And so I'm so excited to get you both together. I thank you for doing this and, uh, we can kind of jump right in. I, I want to let you introduce yourselves. Uh, maybe Mandy, we'll let you start with you. Your background as well. 
 

Absolutely fascinating. Um, every time I talk to you, there's like some crazy new thing I [00:03:00] learned, which is really fun. And, uh, Whitney, Whitney, the same. So maybe to start with Mandy and then we can jump into and jump into the comments here shortly. 
 

Mandy Huth: Great, thanks, Michael. Thanks Sean for having me. My name is Mandy Huth for those of you that don't know me. And I've been in the I.T. slash security world for over 20 years, which makes me like, you know, I started when I was 10, so it's all good. Um, but I, you know, my, my favorite thing to do outside of, you know, protecting the enterprise and protecting, you know, application developers and all of those things is to solve common problems. 
 

And the way that we do that is I love to sit down and have a conversation. So, um, it's really, really exciting to, to be talking about this, this particular topic because it's very real and a lot of CISOs are really, really worried about it. So, um, hopefully Whitney and I will be able to, you know, talk about this. 
 

I have had great relationships with my, my privacy and legal teams. I'm not only a [00:04:00] CISSP, but I also am a CIPT, which is a certified technology practitioner, for those of you that aren't familiar. So I cross over into some of the privacy stuff, which makes me know enough to get myself in trouble. 
 

So, you know, Whitney, you're always gonna have to follow behind me and make sure I'm not saying something I shouldn't be saying. But, um, it's really interesting. And I love the crossover because I think when when people can talk about security and privacy jointly and in an interconnected way, it's really good. 
 

So looking forward to it. 
 

Michael Piacente: That's fantastic. Thanks, Mandy, and Whitney, speaking of crossovers, uh, you're like the definition of, your career has been a crossover and break barriers, which I love. My first conversation with Whitney, I think we went over like a half hour, 45 minutes. Um, and, uh, it just, uh, theme continued from there. One of the more fascinating people that I get to talk to, and I'd love to hear, uh, for the audience to hear your background, cause it's super unique. 
 

Whitney Merrill: Thank [00:05:00] you. Thank you. You're gonna make me blush. Um, hi everyone, I'm Whitney Merrill. Um, I am a lawyer. I'm not your lawyer. Um, you may have heard people say that before in the past. Um, but I guess what is interesting is at the very beginning of my legal career, I decided to, um, join a program called CyberCorps, which is a National Science Foundation program that pays for people to study computer security and in exchange they go serve the government. So I stayed at the University of Illinois and did my master's in computer science, um, which there's a whole long backstory about how that, that came to be. But, um, after I did that, I went to the Federal Trade Commission where I spent about two years, um, doing investigations into companies for poor security practices, poor privacy practices, as well as other general consumer protection issues. 
 

Like, I'm sure you're all so excited to hear about the mail order rule, which is just how, how things get shipped. Anyways, um, after the, after I spent time in the government, I've [00:06:00] basically spent the rest of my career, um, in various in-house, um, roles where I have been the primary support for CISOs, um, at EA, at, um, Brex, a FinTech startup, and now at Asana. And I have found that this is truly something I absolutely love. I love partnering with CISOs and with heads of security. Um, and under my current purview, I focus on privacy and often I'm called, you know, called the privacy team, but we own cybersecurity legal issues, which are continually increasing, uh, and growing, as well as regulatory compliance. So, um, how do we sell to government, government, HIPAA, customers, customers, et cetera. So I'm really glad to be here. I'm excited to talk about this topic. I think about it a lot and, 
 

um, yeah. Nice to meet 
 

Mandy Huth: Isn't it great to get paid to do what you love though? I'm sorry. I can tell you're passionate about it too. So I'm super excited to talk to you. 
 

Whitney Merrill: It is, except for then you can't let it go. Um, [00:07:00] you know, they say, you know, do what you love, you never work a day in your life, and that's not true. It's do what you love and you never stop working. So, um, yeah, but I do love it. 
 

Michael Piacente: great. Thank you. Well, we're going to spend the next 45 minutes talking about the nuances of the mail order process. And, um, uh, no, yeah, 
 

Sean Martin: That's what I was hoping for. 
 

Michael Piacente: exactly. Sean's like, yes, yes. My dream. Um, well, let's jump in. I mean, I I'd love to hear maybe Whitney, we can start with you. Um, uh, and really curious to get your perspective on what, cause your, your, your, you unique view of this, uh, and knowing so many CISOs and being involved in the security community and what they didn't mention was, uh, DEF CON connections and everything. 
 

So like, you've been in this world for quite some time and now you traversed into the, to the privacy world. So, you know, one of the first to do that. And [00:08:00] so you have a really interesting perspective. I'd love to hear, like, what, what's this sort of, in your opinion, this sort of state of cyber leadership, liability and protection, like, where are we? 
 

Um, are, is there, is there a beginning and an end to this? Like where, love to hear your thoughts. And Mandy, the same, uh, when we get over there. 
 

Whitney Merrill: Yeah, my, my somewhat spicy take is it's not just cyber leaders. I think it's individual liability for leaders and companies generally, especially as it relates to consumer protection issues. And so I think, um, individual liability for CISOs is like hot topic because of data breaches, because of just what's in the news. 
 

But the FTC has also brought cases against executives at Amazon and Adobe for their consumer protection practices. So I think what we're starting to see is a shift in the way regulators, the SEC, the FTC, et cetera, are handling issues that they feel like are not getting resolved at the pace they want them to get resolved. 
 

And so the way [00:09:00] that they're starting to do that is they're looking at CEOs, executive leadership, um, individuals who are actually making those decisions and saying, you can't just do this and hide behind a company and say, well, we're taking on risk. And so I think generally as a trend, it's growing more and more. 
 

Um, for CISOs, it's kind of interesting because even though the individual liability is growing, I kind of have a theory that, you know, and Mandy, I'd love to hear your take. From my experience, security often doesn't own the business decision to not do something. Um, it's same with privacy as well. And so as a result, we're in this burden shifting, risk shifting within the business in order to make it abundantly clear who owns that liability. But for me, the cases that are happening to these other executives at Adobe, at Amazon, um, they have no one to burden shift to. It ultimately is them because they're on the business side. So I'm starting to like, think through who really is at big risk. [00:10:00] And to me, as, as we have these conversations about the CISO and the relationship with the business, um, maybe the business leaders are at the biggest risk and the CISOs were kind of just the start of that conversation to, to make that abundantly clear to the world, 
 

Michael Piacente: Yeah,  
 

Mandy Huth: I haven't seen. Go ahead, 
 

Michael Piacente: Sorry. Go ahead, Mandy. Go ahead. 
 

Mandy Huth: No, I think it's really interesting because I, while I agree that the business decision is a joint decision. You know, one of my favorite, I'm a hashtag girl, do with it what you will, you know, I go around saying hashtag shared responsibility. Right. And, and I really preach that in a very approachable way to all of my business leaders, it's not me making the decision or telling you no, I'm really outlining risks for you, and CISOs know that, practitioners know that, but ultimately the buck stops at my door. 
 

And you really need an executive or a leader that supports that. So I'll give you an example. In one of my companies, you know, we were [00:11:00] really struggling with, do we go? Do we not go? And, and there were some risks that I just wasn't comfortable with. And, and I said, well, let me ask you this, if something happens there, who are they going to call and who are they going to hold accountable? 
 

If you tell me it's that person, then I will allow for the risk. I've talked to you about it. I've described it, but if it comes back on me, if it's, it's me that is accountable for the security of this company, then, you know, I get a say, I get a veto, right? So maybe it's not a pure go decision, but I at least get a veto right to say, I'm not comfortable. 
 

And then how do you document that? And, and, you know, I, I worry that there's so much CYA going on, right? Document this, document that, we're spending more time documenting things than we are actually practicing our craft, like trying to secure the company, with, with all the paperwork. So I agree it's, it would be again, I'm not trying to point fingers, but I do think there needs to be some joint [00:12:00] accountability that, you know, I'm not, I'm not making these decisions in a vacuum by myself. 
 

Sean Martin: I'm going to throw something in. This might completely blow up the conversation. I don't know. It's a dial of protection, right? Your, your posture, you can improve. You're never going to get a hundred percent and you'll never avoid a potential or a breach occurring, right? Something will come through. So to me, it kind of goes back to the program, the definition of the program, how you implement it, the tools you choose. 
 

And I'm going to land on the tools for a second because there's no liability or warranty from the tool perspective, right? So if we get investments and we deploy these things, we run our programs through our best ability with the staff that we have, we do our best. And I don't know, maybe there's a flaw in the program or a flaw in the tool. [00:13:00] 
 

We're then responsible for that as a, as a security leader. I'm just wondering, do we see any shift to kind of the software liability end of this? 
 

Whitney Merrill: potentially.  
 

Mandy Huth: I was going to say terms and conditions, poor Whitney, right? Like you're right. Like that is, how long does it take us, Whitney, to negotiate terms and conditions with our software vendors? Because, you know, if my contract, let's just throw a number out there, if my contract is 500,000 a year, right. 
 

And, and I get a breach that's 2 million because of them, they're not going to pay any more in most cases, you know, than what you've paid in the past 12 months, right. I mean, those are just, that's just the reality of most industry contracts and Whitney, you can correct me, but you know, that's like, that's max. 
 

And so you're always working towards this again, shared accountability, but, you know, and Whitney, I want to hear your opinion on that. [00:14:00] I, it bugs me. We need regulation, but honestly, how do we get to, everybody's trying to do the right thing, including software vendors. And when we, Sean, when we, when we push that behavior, they're going to push development out too fast sometimes, right? 
 

I mean, they're, they're doing iterations every two weeks. And if they're so worried about that accountability, are they going to be sending quality results or are they just going to be putting stuff out to drive? Like, look, I've been trying to respond, but it's not as quality of a product because, because of that. 
 

So I feel like there's an inflection. I don't know, Whitney. 
 

Whitney Merrill: so I think that there's a lot of different costs and liabilities and just you know, expenses that happen out of some sort of security related flaw. There's not just what the vendor will pay for, but there's the regulatory investigations. Honestly, if it happens to a vendor and your [00:15:00] processes are in place, and it's not something you could have caught in your systems or processes to find that flaw that caused that breach, that liability is likely not going to fall on you. 
 

As much as it is going to be that vendor, like people are just going to point to them and say, this is a thing with their issue. Um, that's one piece of it. But I will say, I will, I will push back on. I think everyone's trying to do the right thing. I think people are trying to say they're doing the right thing. 
 

And I think you see pressure in the market to be at a certain state from a security and privacy standpoint, but in practice, it's really hard to do. I think regulators don't understand how hard it is to do. I don't think we all understand how hard it is to do until we start doing it. Um, and as a result, because of this, like, I think even between companies and enterprise sales, right? 
 

You're getting this pressure to be at a certain level that you're going, you know, Amazon can say to a small vendor, hey, like, are you hitting these, these thresholds? [00:16:00] And you're like, we know you aren't even, based on like a litigation you're involved with. And so there's this kind of like false reality we all live in where we're like, okay, putting this pressure to be someplace we're not, where sometimes I think we should just be super open and say, you know, the community is where it's at. The security state of security and businesses is where it's at. And that's, this is why it's happening. And this to me, I think when Mudge came out with his whistleblower complaint about Twitter, there were two types of people, those who were shocked and those who worked inside at a company, like, and I think that's kind of where my head's at is like, I think we all need to be a little bit more open about what the current state of security is in businesses, because I don't think it's where it needs to be, but to where regulators and the common folk it is right now, they think it's probably not an issue, but because, you know, it's bad luck sometimes when some of the bad security things happen. Um, those things don't really come to light until then. 
 

Mandy Huth: So Whitney, as [00:17:00] you're, as you, but in your role as he, and this is obviously experienced in your role as inside counsel, right? Your company is not going to allow you to say that they're not doing well based on the current situation, right? Like that transparency, like saying we're working on it, we're getting better, like that's 
 

Whitney Merrill: I mean, I don't 
 

Mandy Huth: feels like I, I'm not allowed to say that I like, you know, externally, we pull Chatham house rules into every security conversation so that nobody can attribute something to a company. 
 

But if an Amazon were to stand up and go, you know, we're really struggling with false positives on our data loss prevention. So we've dialed it back again and taking that as a, just a crazy example. But if somebody, if someone big said that. You know, everyone is trying to show this pristine scorecard and they only measure the things that they're doing. 
 

Well, they're not including, you know, what are in scope systems? It it's a game. It's, it's, it's smoke and [00:18:00] mirrors. 
 

Whitney Merrill: I mean, this is why I'm, you're going to get a very interesting take from me, even as a lawyer, is I think people should do that. I mean, now, like, and I'm not going to speak to where I, I work currently, because I'm not speaking on their behalf. But, um, I will say the purpose of the SEC's new cybersecurity rule, right? 
 

The purpose of putting in disclosures about material risks to the business, the purpose of this materiality assessment, and, like, communication that they are encouraging, not only that you establish within your business, but that you, um, establish, you tell the street what's happening, is kind of to start doing that, is to tell the truth and say, where are your risks? 
 

What are they? And I want them to be real. And so kind of, I think what came out of the SolarWinds SEC conflict, or case, is, you know, they're saying you were just putting down generic risks. You were not giving any specific risks. [00:19:00] And I said, so I think that the landscape is changing where we're starting to go. 
 

No, no, no, no. You need to be talking about the specific risks to your business. You can't just hide under these broad things. I think it's going to take a bit to get there because the big players have to come out and say that, 
 

but I think via cases. I think it's going to come out with shifts in the way people are talking about it. 
 

Um, and maybe in regulation, I mean, we'll see, I think two other things that, you know, that I've always, that have been top of mind of me generally is attorney client privilege. There are a lot of things in cyber security incident response that people have tried to put under privilege that just by the nature of public policy can't be privileged anymore. And you're starting to see a similar thing with privacy assessments, at least in Europe, when you're doing these privacy assessments, the DPAs, the data protection authorities, can request them at any time. And so I think it's like, no one can be shielding from the truth. And that's, I think that whole conversation is going to continue to move [00:20:00] in that direction so that we can have open and honest conversations about what actually needs to be done and actually needs to be regulated. But it's hard to do, but I think also to go back to the original point about individual liability, when you put that on individuals, they feel like I'm not going to go say this generic thing if I know it's not true. Um, or I'm going to say to the business, I'm not signing up for this, right? This is, this is my thing. 
 

I love to hear that you have veto power, but I think that there are a lot of people who are in roles like yours who don't have any veto power. And when they say no, the business goes, we don't care. The CEO goes, we don't care. The board says we don't care. And I think the individual liability piece for the person actually making that decision is just going to continue to grow because I think unless people, and this is like, everyone knows you don't insider trade, except for those, unfortunately, who go to jail for insider trading. Um, you don't insider trade [00:21:00] and you don't, you know, you know, fudge your financials because you will go to jail. And I think until the end, we are moving in that direction in order to shift. 
 

Mandy Huth: No, that's, that's really insightful. Whitney gold star. 
 

Michael Piacente: Couldn't agree more. We actually talked about this last week. It's like, until, until, um, the government is ready to, to, to open up that level of transparency where it is as big of an infraction as misstating your financials or insider trading, like, it's going to be this little cat and mouse game for quite some time, until we can get to a point. 
 

And from a community perspective, maybe we're moving towards a singular chief digital risk officer that would be responsible for. We don't know if that's CIO, CISO, combination of both or, or something else, but yeah, it's a fascinating discussion. Um, actually I, I had a follow-up question with you on that. 
 

Um, Whitney is like, so as it pertains to materiality, like what happens to the [00:22:00] individual responsible for this? If they feel that they're doing everything right and it still ends up with the wrong result. Like, what, what is your recommendation on how they navigate that? Um, and how they navigate through that situation. 
 

Like they're being asked to orchestrate and, uh, lead the process in many ways. And I'm just curious your thought from your perspective and Mandy's as well. Like, how do you go about when you think you've done everything right? Um, and, and it still goes wrong. Like, what do you do? Like, how do you, how do you go about this? 
 

Yeah, 
 

Whitney Merrill: that this, the legal system generally, um, as, as crazy as for the most part in these types of situations does not require perfection. They require systems and processes to exist to support the goal. And so if the systems and processes exist and yet something still fails, right? 
 

They're going to look at to why, well, was it a weird thing? Was it a nation state attack? Was it just one of those happenstance [00:23:00] things? Some, was someone on paternity or maternity leave and just the right person wasn't communicated to, right? Like, there are moments where when I was a regulator, we were investigating a company. And something bad happened. Like it, it was not good. And when we eventually looked in and got the documents, we went, okay, like they're doing the right thing. This is not the right one to send a message to. And so I still think that that exists. And so people should not live in this fear that if it's not perfect, that 
 

Mandy Huth: you do talk about like prudence. I use that a lot with my legal counsel. I'm like, are we doing what a prudent man, does it, does that, does that fit in this space? Cause I'm like, I'm doing what a prudent person would do. And I'm doing all of these things. So if I can demonstrate that I've been, you know, attempting all of these things, whether they're going slower than needed or, or whatever happenstance or consequential things happen that, you know, if I can demonstrate that. Again, I, I, I keep going back to that word because we talk a lot about that, like, we've been [00:24:00] doing X, that feels pretty prudent to, to solve this problem, even if it's not perfect. 
 

Do you think that that still does that reside in this sphere? Okay. 
 

Whitney Merrill: Yeah, I think that if you were trying and doing something and making progress towards it, I think it goes a really long way. Now, I can't. Who knows? There can always be that one person, the one prosecutor, the one person who doesn't want to drop it. But for the most part, I think, from what I've seen historically, that's true. Um, the other thing I will say is using your leadership above you as a way to communicate and buffer that. And this is like somewhat of the risk shifting. You have built out these processes. You communicate these processes to your executive leadership team, if you sit on that executive leadership team, your peers, and to the board, and this is, this is what we are doing, board. 
 

You now are aware, should I be doing something different? And again, it's making that [00:25:00] abundantly clear to the rest of the business, what you were doing. So if something comes up or someone says that process wasn't sufficient, you'd say, I surfaced it to my leadership team and to the board. And now the conversation is not just on you as a singular individual making that decision. 
 

Mandy Huth: And I think one of the things that I spend a lot of time on in my position as a practitioner is not just putting the program in place, but adoption, right? So it's like, and that's where tone from the top really comes into play. You know, it's, if this is the process. You need to follow the process. 
 

And, and I talk a lot about it and you know, I, I'm going to blow up the conversation now. I, my, my approach is try to make security, not punitive to, to your average user, right? Because most users, you know, they don't mind security when they understand why you're doing it. Right. And versus it's just this big, scary thing. 
 

And we, as practitioners make it way too scary and technical. And, you know, [00:26:00] it's all about business risk and how they. They are responsible for their day to day work to be done in a secure way. So while I try to reduce friction as much as possible and make it adoptable and consumable at the very same time, when I introduce friction, it's intentional and they need to understand why so that they can adopt that. 
 

So, you know, it can't just be cyber again, whether it's your executives or it's your cybersecurity team, there's a whole group of people in the middle. That need to adopt and understand why you're, you know, why you're creating friction in their business process. So they'll go to market planning or, you know, name, name, you know, supply chain, whatever it happens to be, you know, this is why I'm creating friction. 
 

And, and we have the data to do that. And so I do agree. And that again, comes from tone from the top. If, if all those people in the middle are getting, Are getting so much pressure from leadership to get this out to out to market [00:27:00] by this date. Sure. We need those goals, but if something happens, we need to be able to auto correct, right? 
 

And, and, and kind of an iterate and adjust. And when we start to do that, Security doesn't become, you know, one, their job isn't, you know, at risk because they, they're allowed to raise their hand with a little bit of, if it's not a veto card, at least going, ah, and it's because they understand and they've adopted that and they're real partners to security. 
 

Right now, we're still just seen as an obstacle most of the time. And I'm trying to change that as a, as a practitioner. 
 

Michael Piacente: Man, you had a quick follow up with. That's, that's really interesting perspective. Um, one of the things that I try to preach, so to speak, uh, is these conversations that I have with CISOs every day, and they're constantly looking for guidance as to how to communicate with the executive team and the board. 
 

And I heard a while back, so it's not my original idea, but just, um, been kind of preaching this concept of you, you need to figure out a common [00:28:00] language and nomenclature on narrating digital risk or risk to the, or some, some CISOs are running physical security as well, so it's not just digital, but, um, and so I'm curious, like coming up with a standard, frameworks is the wrong word to use, cause I think it's overused, I guess, but, um, but just a language that when you're discussing risk. 
 

At any level of the organization that the nomenclature is shared. And it's actually different from company to company, depending on the industry, how they sell their products, how they produce, et cetera. I'm curious to hear your thoughts on that. Is that a correct way? Uh, am I steering people the wrong way? 
 

Um, we'd love to hear your thoughts. Is there a nuance in that as well? Um, what are your thoughts on that? 
 

Mandy Huth: Yeah, thanks. Um, so I think, I think for me, and I have, I am actually a really strong believer in this. So, you know, without advertising, we do have frameworks. I'm going to start at frameworks. We've got three or four of them. Right. That, that people go to, right. That you choose [00:29:00] one, I don't care which one, but it helps define what does good look like. 
 

And they really cross reference each other. It, and there are all kinds of mapping tools for that. And that's from a, at the cyber. So I'm going to start at the cyber level is, you know, controls and there's some consistency, right. In the way that they talk about the controls, right. We talk about encryption. 
 

Everybody knows that we should be using TLS when it's in transit and AES. When, you know, it's at rest, we know those terms. We know the control on every single plat, every single framework has them. So move forward. We talk about those controls. And yet, when we talk about risk assessments, right, we, we answer a hundred different risk assessments for, for products, and they're all asking the same exact thing, but they all have their own version. 
 

And so even though the control is exactly the same, we are spending, again, I'm going to go back to what am I spending my valuable time on? I'm not supporting, you know, and building my [00:30:00] security program and protecting the enterprise. I'm, I'm actually answering risk assessments, right? And, and so why can't we get to that common language for even just risk assessment, and that's, that's the middle sphere, right? 
 

And so, you know, do you do this encryption? Yes or no? Why can't we all ask that question the same way and get a standard set, and it exists? So again, without advertising, it exists and we can't get everyone to adopt it. It's like, take these 100 questions. If you answer these 100 questions about your controls, you should be able to hand this to any single person in the industry, and they should be able to apply it to the risk, which is the third piece of that. 
 

So from a risk perspective, we've talked about controls. We've talked about, you know, how you implemented that and standardizing that. And then lastly, is how does that apply with your lens? With your specific lens to these risk, these risk categories, and we're [00:31:00] already starting to see some of them, but in a similar fashion, can we start to have, you know, we have the privacy controls and this is put those out. 
 

Um, and, and so how do we. Shift though. So I feel like the frameworks are for practitioners. How do we then create that language? And I think we talk about it together, but how do we do that in a board governance fashion, right? Because people don't understand. They're like encryption. Oh, what a way. Like. Get out. 
 

I don't even want to talk to you about that. But if you can start to talk in those risks in vernacular that's around the business risk, your go to market planning is at risk because you aren't doing proper, you know, validation of their identity. You don't have to start talking about, you know, authentication in which, you know, protocols you're using. 
 

You need to talk about, you know, why your go to market, because you're not doing that, that [00:32:00] validation creates risk for your company, right? So it has to be in that business. Um, that, that business related risk versus tactical, um, framework controls, right? So it's, and we're not there yet. We're not, we're not close. 
 

We do it together. So Whitney and I probably have a conversation, but you know, we're not, we're not really skilled yet at, there are some skilled people that do it and they're the really successful ones, right. That can, that can navigate that risk vernacular. 
 

Sean Martin: How does that, does the CISO have to change how they look at that for materiality and their responsibility in life? Because to me, that seems like I do all of that and then I go through it all again with how does that affect me as the leader of this program and the responsibility that I have and potential liability that comes with it. 
 

Whitney Merrill: You know, what's kind of interesting is risk is this boogeyman that a lot of people say, and then [00:33:00] people don't fully understand what it means or how to calculate or weigh the differences or how to, um, uh, you know, put a value to it sometimes. And 
 

Mandy Huth: it? Yeah, it's 
 

Whitney Merrill: And, um, one of the things that I think from a materiality perspective is we're going to start to see how those decisions start to shake out. 
 

But I think as probably. We see more of it both disclosed in filings, but also if the continues to do any sort of litigation in this area. Um, generally, I think we are moving towards a place where. Lawyers in particular, I think we're saying don't write anything down, but now with having to have these risk frameworks and communicating risks to different aspects of the business, those things not like have to be written down. They should be communicated. And I think there's been such a fear of writing things down. In an aggregated way from a liability perspective that we're not actually having the real [00:34:00] conversations about to my original like point before, let's just all say where we are. And so I think as you start to write those things down and look at them on a whole, you'll be able to communicate them more accurately in order to determine the materiality of those risks. 
 

And so the SEC in particular, you know, now said, it's not just one risk that can be material. It can be a series of risks, a slew of smaller risks, a materiality issue for your company. And so I think one of the reasons privacy teams and security teams get, get along so well is we're the poor souls who talk to everyone in the business and see all the risks. 
 

And so we're running around with our heads chopped off going, oh my God, things are really bad, but everyone else works in their silos of risk, right? Or they're thinking about their business purpose and their goals, and we're looking more holistically. And so I think as we continue to think about that materiality piece, writing things down, it's going to help us [00:35:00] communicate it more clearly in a way that when we go to a business leader, we can say, Hey, Hey, I know that you think you haven't accepted a lot of risks, but take a look at what's happening across the business and why yours is kind of causing a tipping point or why yours at the bottom here is triggering all these other things to be medium risks as opposed to low risks. 
 

And if we eliminated just your risk, these things would all go down and we could for it as a business and it's most efficient as a business, not efficient for your team, unfortunately, but efficient for the business and the more we have those conversations, the better it will be. 
 

Mandy Huth: So I think systemic risk, but I'm going to go back to Michael's question, and I'm going to challenge you on it, is, so we don't have, you know, when you're doing accounting, you have your GAAP principles. There's only one way to do your numbers, right? Like you can't, there's no leeway. But when you talk about materiality, right? 
 

You're really talking about the relevance of the risk to your business. And my question, or my, I don't have the answer rather, is [00:36:00] Forgive me for saying this. Does the SEC have the people that can apply a certain standardized, to Michael's point, standardized set of measures and, and, and quantify that in a way that creates that lens for relevance for my business? 
 

Because, you know, what's relevant, a risk that's relevant to a bank is different than is, is a relevant risk to a manufacturer and that's just real. And so it, how do we standardize the quantification of it with the ability to put weighting factors, depending on your industry or your, you know, how it's relevant to your business. 
 

And, and I don't think we talk about risk quantification, but it's really. It's still really mushy, right? Like it, it, it, it, what you did, what you do and what I do, we will come up with two separate numbers, even with the same exact controls and the same exact business. So how can we have the SEC determining materiality for us [00:37:00] without understanding our actual business content context and without standardization of that. 
 

Whitney Merrill: The unfortunate answer is it will never happen, and I don't think that should be their role, and I don't think that is their role. Um, in particular, what the SEC has come out and said is, you know, in SolarWinds and all of this, they don't want people to not take risks or to not document risks or to not be able to make risk decisions as a business because they recognize that, like, sometimes security isn't your number one risk. 
 

Surviving or it's your budget or whatever it may be and so they want people to be able to take risks And so that's one piece. Two, to your point, no risk looks the same or is quantified by either the same person or the same business or the same people within the business or even the same businesses in the same type of, um, you know, ecosystem or sphere. So as a result, it's all going to go come down to the systems and processes you put in place to make those determinations. And so if [00:38:00] folks haven't already. You should have a way internally, a system and a process and work with your outside counsel to determine materiality, um, and to be able to make those disclosures, right? 
 

You're going to need to be able to make a materiality decision as it relates to an incident within four business days. Um, and you're going to want to be able to make materiality decisions based on risk. And if you can have a committee or group of people within your business to help make that determination, which. I strongly believe whether something is material or not is a legal determination, and so probably something you should put on your legal teams. Other people may disagree with me there, but that should be the main people driving it again, speak with your outside counsel on how to do this, but you have to have that system and processing in place because then ultimately when if something comes up and they're saying, well, is this material you say, well, this committee made this decision. 
 

And this is why they made this decision. And this is the thing in place,[00:39:00]  
 

Mandy Huth: And there should be alignment for that, Whitney, right? Like your enterprise risk management group should have a committee that's talking about business risk and materiality, because as you said, it might be, uh, you know, it might be a fire in one of your manufacturing plants, if it goes down. You know, you can't make widgets anymore, right? 
 

Like that. That's a key risk. So, and, and then getting that to, I really love this. And I talk about it the same way when we talk about ransomware, I talked to you want to talk to your executive team ahead of time and say, this is what we've listed as our top five things. And here's the risk that's associated with them. 
 

So if anything happens to these things, you agree that these are our biggest risk. And we do that with ransomware. I'm like, where's your tipping point? Like you can say I'm not going to pay ransomware, fine, at day one. You're saying that at day seven, you're saying that at day 14. Again, that enterprise risk model comes into play and you go, we are not going to survive. So do we now pay, [00:40:00] because you can, you can be so staunch against that, but then, you know, if your business is going to die, does your, does it change, right? 
 

And you need to have that conversation before it happens. So I really like what you're talking about. 
 

Michael Piacente: in our crazy country? Or are we, because I am seeing, uh, not, it's kind of an apples to oranges, but like the maturity model of where GDPR is today, right, um, seems to have everyone, uh, for the most part on the same page. 
 

Certainly to start there, it's been a crazy journey, or if you look at SOX, right. Um, Sarbanes-Oxley, like, these are things that have been in place, what, now, 22 years, um, and, and GDPR, what, eight years? Uh, so, I'm just curious, is it hopeless that we'll get there, or are there actual frameworks that [00:41:00] can get us to drive, uh, a more consistency, or at least capture a good portion of the market? 
 

Whitney Merrill: The reason I would be so hesitant to put in a framework in place that is so rigid that everyone can agree to it, that doesn't allow for the changes in technology. So like finances. And I'm not, I'm not an expert in finance. So if there's a finance person listening, I'm so sorry. But 
 

like aside from like the rules that change, I think like accounting practices have been pretty standardized. Um, or if they change, it's like a new way of doing something, but everyone talks about money. Um, and negative money and positive money, where I think it's just so much mushier in security and in privacy generally, and just risk in general, that I'd be fearful that we'd get there. What I think will happen from like a maturity standpoint is we'll just see more guidance. More, um, more [00:42:00] actions. Um, GDPR is one piece where it's standardized, but I think now GDPR is the floor, not the ceiling. Um, and we're going to see things move much, much in a much more positive way. I just saw, and I did not read it, that there was a new bill introduced about cyber security practices for hospitals that are going to be much more rigid. They want to move past just HIPAA, and I think things like that are going to start to materialize for certain types of industries in the security sphere from a regulatory perspective that I think are going to create new norms that we can move towards, where we don't really have norms right now, because no, there's been a lack of regulation and instead it's all happening through case law. 
 

Michael Piacente: Yeah. 
 

Mandy Huth: So I'm gonna, I'm gonna, I know one of the things we talked about, Michael was, you know, where, where does this put us in, in five years, right? Like, just, just in general, um, something. And I think Whitney, that's, you're right. You're going to have some more standardization for specific industries, but I worry. [00:43:00] You know, for the small businesses, you know, if, if this is the floor and it costs me this much to do security, that all of a sudden you've knocked out all your, your rapid fire, innovative, small business ideation. And I, again, hospitals, I get it. That it's a little different, but, but even there are small private hospitals and there are small, you know, small niche players that actually bring innovation to the industry. 
 

And I, I worry. Uh, you know, from a business perspective, so let me take off my cyber hat, believe it or not, we do think about the business and, and at a macro level, I worry that, you know, yes, we need to be doing the right things and I do want clarity and controls, not rigidity, clarity. Right, because you can apply them different ways today, but I also don't want to lose that innovative spirit and that growth mindset. 
 

And it's your point. And [00:44:00] maybe this is where some of that flexibility allows for that flexibility to accept a certain amount of risk, right? And to say, I'm going to be fast and I've decided not to do these three things. I don't think there is relevance. And so I think as practitioners, we also have to figure out how to, how to make that case, right? 
 

Like, okay, we're not going to do this across all systems. And that one system got, you know, completely owned, but that was a risk based decision. It was a legitimate. So again, I'm just, I want to make sure we don't get so far in regulation to your point with rigidity. Um, we're looking for clarity. Right. All right. 
 

Whitney Merrill: I think what will happen is innovation will be different. Um, and people always are like, I'm really scared that if I require a small hospital who collects nude photos of patients because they have to in order to provide medical care and then that's hacked. [00:45:00] What is that damage done to those set of patients and was it worth it to make them go that extra step? So I think one, there's like what type of data is being collected, stored, processed, cared about, minimization principles, retention principles, etc. But two, if there is that rigidity and it requires a certain type of security and you know that this is so threatening to your business that you, the head of a hospital, could go to prison for it, you might require certain types of vendors to exist that make this easy and cheap for you to do so. Is innovation in the tooling or in the, in, in what I can implement, so I'm not really worrying about it as a small business. 
 

Is it the democratization of security so that it is not costly? Because the reality is, is we live in a world. The reason that it's expensive is it's not standard. We need it so that it's just the base. That everyone gets it. I have conversations with people all the time about what tools they should use and how they should be secretive and hackers. 
 

I love you all security people. I love you [00:46:00] all, but you know, you want to stand up your email, own email server. The regular person can't do that. They should be using Gmail, the chances that they are going to get in trouble. And so the democratization of security is going to happen with innovation. Um, and so I I think the rigidity will allow for other types of innovation as opposed to killing those small businesses where they will stand up their practices and say, right now, no one's saying you shouldn't have an accountant. Um, you shouldn't file your taxes, which is costly, right to to exist as a business. Um, and so security, privacy, et cetera, should be key components of that and just standardize. Um, but not so costly that it prevents the innovation itself. 
 

Mandy Huth: Sean, it sounds like we're going to have to do this again and talk about the vendor side of this 
 

Michael Piacente:
 

Mandy Huth: know, all the vendors are like their hair is on fire based on what Whitney just said, right? 
 

Michael Piacente: I love it. 
 

Sean Martin: What Whitney just described is my vision for security. It's security by design, where you would, you would even outcome [00:47:00] that's great for the business, great for the customer in a way that protects the business and that customer. Um, I love it. So I think we do have to stop here. 
 

Michael Piacente: Phase two. Yeah. 
 

Sean Martin: of the hour, sadly, but, uh, I'm very happy to have you back and we can keep the conversation going. 
 

And, uh, Yeah, I think I'll just close it here. Michael, thanks for, uh, thanks for rallying and these two amazing guests for a great conversation, important topic, and, uh, thanks everybody for listening and watching. Stay tuned for more redefining cybersecurity and, uh, more importantly, the CISO circuit series with Michael and I, and amazing guests like Whitney and Mandy, thank you all. 
 

Michael Piacente: Thank you. 
 

Whitney Merrill: Thank you.