Risk treatment planning in modern tech space (Panel)

Session Video

Session Transcript:

Diniz Cruz Hi, welcome to this open security summit session. In April 2023, we’re going to be talking about risk in the monetary space. We got some high super experienced hyper knowledge panelists here. Maybe Isaac give a quick intro and Marius and then.

Marius Poskus Hi, guys. My name is Marius vice president of cybersecurity for global financial services. Yeah, been around Cyber for a little while. Heavily involved in building risk treatment plans in modern tech space. Hopefully we have an interesting conversation with the guys this evening.

Diniz Cruz Yeah.

Izar Tarandach Me, I’m a senior staff engineer at Datadog and focusing on the security products over there. Lately for the last ten or so years been discussing this risk thing quite a lot, both from the side of the customer, like figuring out what is risk, and from the side of the producer saying, how are you going to explain risk to other people? As we can see, Dennis was in the middle of a very risky operation, trying to go from one place.

Marius Poskus To another in the rain.

Diniz Cruz I’m cycling through Central London. It’s less risky these days. Man they’re cycling now. It’s very civilized. When I was the risk analysis 15 years ago was way worse than now, right? For me, risk, I think I had a number of epiphanies on risk, I guess, in my journey, especially once I can start to visualize and think of risk as graphs and then maps. I guess one of the reasons me and these already had several of worldly map sessions, right? Marius do you want to take that one first? When I realized that you can think of it also has maps, you have a huge amount of context. I feel like for me, the big interest here is how do you make this scale? Which is also why I think things like GPT, like technologies are probably one of the missing pieces of the puzzle because it allows us to process data and maybe tree maps if you want it like that in a much more scalable and pragmatic way, but also in a way to customize the message to the audience.

Diniz Cruz Why don’t we kind of start there, right, like in terms of how to capture risk and then present it so that the audience understands the risk that they’re taking and makes good risk decisions.

Izar Tarandach Myers do you want to take that one first?

Marius Poskus Yeah, well, I think the problem normally I think we face because if we start talking about qualitative risk management, it normally starts with somewhere finger in the wind, because normally you do a three x three five x five matrix. You have to start some ways, and then once you develop enough of the risks and enough of the framework around it, then you can gauge in between how we define what’s risky and what’s not. I guess we define what do we care about by qualitative risk management and then we define by quantitative risk management whether it’s worth doing or not. That’s normally I see organizations kind of marry those two. The problem is, I think nowadays and I see a lot, actually the last few posts that I’ve been talking with some professionals in this space. The problem is how do you report risk further up the chain and how do you get buy in?

Marius Poskus Because the problem is normally I see some security professionals, they report things like vulnerabilities, found incidents because they can’t define how to report risks and how to put it in tangent numbers so the board will understand. That’s when I think that normally the problems arise. I don’t know what your experience with eyes are, but that’s where I see the big problems normally happening.

Izar Tarandach I agree with you completely and it’s interesting that immediately you took the risk to the board and I agree that’s usually where we see this thing expressed. Those are the people who apparently are the most interested in risk, at least in the quantitative side of risk. Actually you just popped that in my head. If we take it to the other side, to the developer, they are more interested in the qualitative side of risk, right? That’s where I think that the notion of risk becomes more important than the definition of risk. I mean, the formal definition that I have always been taught is that risk equals probability times impact. Impact is usually dollars, right? Probability is whatever between zero and one. So risk in that equation becomes dollars. One thing that I have noticed is that come to a developer and talk to them about risk in terms of dollars, they’re not really interested.

Izar Tarandach They’re interested to know is this bad, is this good? You pop into info low, medium, high, critical. Right! That’s when you fall back into the probability times impact. Well, there’s a probability of X that this impact is going to happen. The next question that they ask you is why? That’s where people start moving their hands very fast in the air because basically nobody knows the probability.

Diniz Cruz Right?

Izar Tarandach We don’t know what the probability of attack is. It depends on so many things and so many things that we absolutely have no control over. Denise, you were going to say something, you garbled.

Marius Poskus I think he’s gone, so I’m going.

Izar Tarandach To go to my ramp. We are losing.

Diniz Cruz I can hear you guys.

Izar Tarandach The winds of London are stronger than you.

Diniz Cruz All right. I was just moving around.

Izar Tarandach Oh, that’s better? Yeah.

Diniz Cruz Is that better? Yeah. Yes. No. Cool. Yeah. What I was saying is that I think you jumped massively right there, right? Because yes. There’s a number of risks that I think it’s hard to measure the probability. Right, fair enough. Right. I would argue that these days you have lots of data, right? There’s lots of data that you can start to make some very good fact based analysis on your environment, on the company that you work for. You have, man. Whatever company you work for has a history of incidents, right? Well, you should have okay, if you’re telling me that I just arrived at a company they haven’t, then be doing cybersecurity.

Izar Tarandach No. Even if they have, what does that tell me about the future?

Diniz Cruz Not necessarily. If you give me a mapping on what are your threat agents, right? What kind of attacks you see, what attack surface you have, what is the business model of the attackers. I can already tell you to a certain degree the kind of vulnerabilities, the kind of exploits you will have. Right. Like what kind of monitoring you have in place, what kind of impact you have.

Izar Tarandach You are asking for a huge job of threat intelligence to come back at the same list of vulnerabilities that we keep going back to all the time. So just fix those.

Diniz Cruz No, because you need context, right? Because the vulnerabilities depends on context. A vulnerability is just in fact, a lot of businesses have vulnerabilities by design, right. Like their business model is a f****** vulnerability. Right.

Izar Tarandach Let’s say that your company had an ATO incident. Does that mean that the next thing that you’re going to have is an ATO incident? No, it means that ATO incidents happen.

Diniz Cruz Sure.

Izar Tarandach You don’t know if the chance of the next one is 65% 95%. It will happen at some point.

Diniz Cruz No, it matters. Right? Because it depends how the ATO going there. Right. For example, I think in risk we have to have a level of objectivity here. Right. It’s like, I found that if I don’t have a data to support a point, let’s say, for example, inside the threat, right? You say that inside a threat is a problem, let’s say. Right, but I would argue in some companies there’s no evidence of insider threat. Also, if there was an inside malicious insider, the amount of damage they could do is massive. Right. That company current business model is based on them not having malicious insiders. Now, that’s an important distinction because you need to focus on what is their real threats. Right? Because when you go and say, and this is why I like that risk, quantifying the risk. Right. If you have a Pragmatic conversation with boards and with execs, right.

Diniz Cruz You need to be able to say, this is the things that we worry about. These are things that we’re not worried about. These are things that we cannot do anything about unless you double our budget because we just don’t have the capacity. And that’s a risk based conversation.

Izar Tarandach I guess that my point. That at some point you stop talking about risk and you start talking about priorities. Priorities are much easier to explain than risk. The language of risk at some point connects itself to the language of insurance. Right. That there is enough data out there to say that a male of a certain age, of a certain background has X chances of having a heart attack by I don’t know when there is enough data for that.

Diniz Cruz Priority without risk.

Izar Tarandach On the other hand, for risk, for our risk, a lot of what you see is casino mat. It’s people like Brooke famously says, it’s casino math. You see people like just throwing coins in the air and saying, dude, the chances of an attack happening is X. Even having the data that you mentioned, the context that you mentioned, which is very important, I agree with you. You still don’t come out with data that should be considered totally actionable.

Diniz Cruz Let’s explore that concept of how can you set priorities without having a good level of risk. Let me just define this. I like to think of risk as a series of whys, right? Is the five whys. It’s almost like it’s a graph, right? You start with a vulnerability. In fact, a vulnerability is a fact that has security implications. Right. I want to say a fact is that server unpatched. That’s a fact. Right. I could say, well, that server is unpatched with this type of thing that has a security vulnerability on it. Cool. Now you ask why does that matter? Right. You keep asking why until you hit some very top level items. Right? It could be that it matters because it holds highly confidential data. Well, yeah. Then that matters. Right? It matters because it’s connected to the Internet.

Izar Tarandach You see, it’s what I said about the developer. You went into five wise. I said the developer is going to two. So having those five is great.

Diniz Cruz The five wise is how you go to the top and every five, every answer to a Y is almost at a management layer, right?

Izar Tarandach That’s great. If at some point you don’t come and say the probability is X because you will never be able to support that X. That’s my whole point.

Diniz Cruz Where you can define probability these days when you’re hitting places where the probability is really low, probably needs to be this is with more or less risk appetite. Fair enough. In a lot of organizations, I would argue that if you cannot make a valid logical reason why that’s a f****** problem, right? Then the job, right?

Izar Tarandach There you go.

Diniz Cruz You should be able to right? Because you should say, look, you have a freaking server connected to the Internet with a loan vulnerability. There’s none exploits. Five companies got exploited over there. There’s a high possibility that you’re going to be hacked next, right?

Izar Tarandach Versus, wait, I want to hear my view because he comes from an executive point of view rather than the logic of the things that chain.

Marius Poskus Mayus yeah, well, I always have a view because we’ve been talking a lot about risk in terms of actors and attacks. There’s a much wider enterprise risk that I consider when I start talking, because we start talking about business continuity, planning, disaster recovery, we talk about obviously threat actors. There’s loads of other things that come into talking about business impact analysis and critical systems that not necessarily talking only about patches, but talking about business continuity of operations. That’s the key, I think. Especially nowadays, I work in the fintech space in kind of new they don’t have legacy systems. I’m a big proponent as well when we start talking about risk, because normally, even my post today, I think I’m a big proponent about creating a narrative. When you go to the board, you need to know who you’re talking to, you need to know the language you need to use.

Marius Poskus Security normally is always viewed as a cost center. How do you change the narrative from becoming not only cost center, but becoming potentially a money saving person, and secondly, becoming creating a security solution programs and strategies to gain competitive advantage against companies that you might be competing for tenders or competing in the same environment? If you create a narrative, not only talking about risk, but, as Isaiah mentioned, talking about probabilities, but talking about how do we do security to gain competitive advantage? How do we embed application security program into DevSecOps lifecycles? To make our product the best in class so that every single client that comes and puts their customer data with us, they are safe. That becomes much more conversation, not only about risk, but about all of these other things. And I think that’s normally.

Diniz Cruz What you just done with that is you anchor a lot of, I would say, top level risks that you can use as leverage to put context into the risks at the bottom. When you say, how do we get a developer to do X? First of all, the developers don’t do stuff because they like it or not. They’ll do stuff because on a f****** canban board, right? If it’s not a Kanban board, they’re not going to do it. The developer is not even the most important person to do is the PM is whoever owns a Kanban board. They’re the ones who need to take responsibility. I like what marriage you’re talking about has also taken into account the business continuity, like the business elements, right? The business practice, the business properties, because that’s where it matters, right? You could argue that, for example, if I change this in security, I’m now reducing the risk of business continuity.

Diniz Cruz That’s a very valid reason to do it. That has a lot of strength, right? Because it means that we’re going to make these changes to some part of the business, but we’re going to improve not just the risk of data loss or the risk of financial, but we’re going to improve the risk of, for example, disruption or lack of business continuity. And that’s what I mean. The five. Whys? Because when you follow the risk, you arrive at those at the top. The key is to make sure that you have contact. That’s the problem that most people have. The problem that we have is that we don’t easily connect this action on the ground, which is reality, make this change, patch this, fix this, make whatever to almost what is the business impact actually positive or negative in the business? Right?! We need to be following this in a data driven way and knowing something is data.

Diniz Cruz Right? Like, I could say I have no visibility on what the h*** happened over there, so you have to accept the risk of debt.

Izar Tarandach That to me, translates into the priority.

Diniz Cruz Right?

Izar Tarandach Because as Mari said, the narrative is important, but the narrative is important both at the board level and at the developer level. I agree with you, developers who want to do what’s on the Campbell board. The place where we come and unfortunately, the narrative that we’ve been using for a long time is selling insurance. We say you do the same or terrible things are going to happen.

Marius Poskus The thing is, I just wanted to add this. We’re talking about developers. I’ve been posting and talking a lot about developers and addressing potential risks and, and building devs across frameworks. I think the problems normally the people struggle. That because A, developers don’t hate KPIs in terms of looking at security, and B, normally to build an appsack program, you need to build security into development culture. That can’t happen in three, six, or even twelve months. Sometimes. It’s a big job to teach developers to do threat modeling to them understand the risk, and it’s not easy.

Izar Tarandach To Dennis point, yes, they will only do what’s in the Camban board. The question here is not what’s in the Camban board is how do we get our stuff in there? And that’s true priorities.

Diniz Cruz You use risk.

Izar Tarandach The thing that you’re proposing is more important than that next feature.

Diniz Cruz Yes. And you use risk ownership for that. The trick that we now start to use, and then it works really well, is that every risk needs to be accepted. The only variable is for how long? Right? The key here is to make the right person and the right organization chart accept the risk. Because what happens in most organizations, the security team is actually accepting a lot of risks on behalf of the business. The way I look at this is that let’s say that I represent security team is that you represent the engineering function and Mario, you represent the business function. Right. The way it works is Marius comes along and says, we need to do X, right, for this business objective, right. Either you come and you map a plan, you hire a team, you’re implementing it, security comes along, go, hey guys, there’s some side effects of security.

Diniz Cruz We have to do this XYZ, right? The key here is to give the risk and the whys of those risks, why is there a problem? Because this increases the exposure of this exposure of that compromises, these bricks compliance XYZ, and it’s Marios who needs to accept the risk. Now in this example, Mario, as a business owner, your only option is you want to accept the risk for a day, for a week, for a month, for six months. Because what that means is that Delta is how long you expect it to be done, right? If you say, oh, I’m not happy to accept this for more than two weeks, for example, you can only do that if you already have an item in the backlog, right? Because if that was on the backlog, there’s no way it’s going to be done in two weeks. Even if you, from a business point of view, say, yeah, that’s quite harry, I’m not comfortable with those risks.

Diniz Cruz We can challenge you to say, yeah, but if you don’t allocate resources in Isa’s team, which represents the engineering team, then you’re going to have to accept it for three months or six months or a month, because until you allocate resources, that risk will still be there. That completely changes because the problem I always have with risk is we don’t make the right people accountable for the decisions that they’re making. Every time you make somebody click on something, even adding an emoji to answer or replying to an email, they know that we are making them accountable because we’re creating a digital trail. That, I think, is the key, is to create a digital trail with a business owner for the risks that they’re buying, so they become accountable when those risks materialize.

Izar Tarandach First of all, I’m going to tell you I’m a huge fan of personal accountability. I love your approach.

Diniz Cruz Role with accountability, right? Role.

Izar Tarandach Yeah, let’s say role. My problem is exactly with that we live in a reality right now that people rotate very fast between jobs. Somebody in that role accepted that risk. The next guy is going to come in, the first thing that he receives is a bomb on his head of all the risks.

Diniz Cruz Absolutely. Yeah, exactly. That’s exactly how it should be. Right. But today what happens is the worst. Today what happens is a new person comes along and they have no idea what this is inherited. By the way, the other key element here is that when you give risk to an individual, you’re not giving the risk to that individual or that role, you’re giving it to the whole food chain. That means that you accept the risk on behalf of your manager, on behalf of their manager. So the risk follow upwards, right? Also we have also the power because we get to choose who ultimately is the ultimate arbitrator of risk, right? Because we could say, hey, you need to accept this, but your boss needs to underwrite it because actually this has bigger implications. What we’re doing is we’re making the people accountable at the right level of the organization.

Diniz Cruz In your example, when the person leaves, guess what, their boss has all their risks and ultimately ends up on the CEO or the board because all risks have to go upwards.

Izar Tarandach Comes the question, are we creating a bit of institutional paralysis in here? Because you’re going to start a dialogue that goes up and down the chain all the time. Do we accept this risk? Do we accept that risk? He accepted that one, but his manager won’t. Now they have to have a discussion between them to see who accepts what.

Diniz Cruz That’s great. Today is the worst. You get that and officially with no accountability, with people not paying attention because they know there’s no accountability.

Marius Poskus I want to add a couple of things. I think in modern organizations, what we try and do nowadays, you can preempt some of these things. So we started building Security Champions Network. One thing to preempt the risks and get visibility in various departments, but secondly, now organizations, and I’m a big fan of It, doing Cybersecurity Council. Normally before you take things to the board, you have a council that is built up of management team that has already pre approved your ideas and your solutions for risk.

Diniz Cruz Exactly.

Marius Poskus And for everything else. Before it goes to the board, you already have a big support behind your back.

Diniz Cruz But that’s key, right? The way this scales is that when you accept risks, you’re also accepting that level of risk across a particular so in a way, you created authority, in a way correctly, actually accelerates the business because you now know what risks you’re willing to accept versus what risks you’re not willing to accept.

Marius Poskus Yeah, it’s probably similar as to thinking about AA language model. You build a model because sometimes organizations, especially when you come in and new, it’s very hard to have a conversation of what’s your risk appetite because it goes up and down. Especially it depends which department you’re talking because obviously innovation and developers, they’re always going to be more risk takers because they’re all absolutely going to innovate. Whereas someone who’s dealing with 2008 servers in It, who’s just daily standing one stick, they’re not going to be as risk averse.

Diniz Cruz Yeah, and what you want is make sure that, for example, your startup model does not have access to all the assets of the organization. I think that’s why risk is interesting, because you can go, hey, you guys want to go 100 miles an hour. You want to have these shortcuts, which I get it from a developer point of view, but you now, for example, need to accept the risk that you have access to all our customer data. Immediately, if you say that, they’re going to go, whoa, I don’t want that risk, I don’t want to have that responsibility. Okay, fine, then let’s limit that. Until you give them that risk, they don’t understand it, right? Even, for example, like GDPR, I had some really cool cases where companies want to capture a lot of this data, right? We basically said, okay, but if you capture all this data, you’re going to have to accept all these GDPR risks.

Diniz Cruz You’re going to have to accept all these things and all these requirements that you now need to do, even something as simple as erasure data. Erasure, right. When we gave them those risks, they start asking the question, why are we capturing this data? Why do we need it? Do we actually need this particular data for our business case? And they didn’t. Right. It was giving them the risk was a much more business friendly way to say, look, we’re not going to stay in front of what you want to do as a business, but you need to be able to take accountability for the risk that you’re buying, for the business, for what you’re doing.

Marius Poskus That becomes a key sometimes even becomes people, I think struggle with it becomes a key skill. How do you follow this trend? How do you ask specific questions to get to the bottom of the truth? Because sometimes people just get frustrated, oh, I can never get done with this and that, or we can never do it. You get to the bottom of the root cause of why something is happening, why there is a risk, why somebody has to accept the risk, why there is because people sometimes forget, yes, data is king. Data collection comes with so many responsibilities, and it’s normally so many regulations. Especially, it always says you only collect the data that you need for your business operations, and if you don’t, that becomes very tricky.

Diniz Cruz You can use risk to drive that. Yeah, imagine he’s doing a thread model.

Izar Tarandach And we lost him again.

Marius Poskus Yeah.

Izar Tarandach Actually, I agree with everything that you guys are saying, but it’s just that all of a sudden risk is getting this huge profile, and all of a sudden you need this huge operation around risk to identify, to justify, to manage. Dennis, we completely lost you for the last 30 seconds.

Diniz Cruz I can hear you guys. It’s really weird. I can hear you guys.

Izar Tarandach No, continue where you were. You are going to an interesting place.

Diniz Cruz Go. Yeah, look, I think the idea is that you need to make for that to scale, you have to actually going just to the point you were saying this doesn’t work if it doesn’t scale. Right. That’s why I like the whole GPT stuff and it’s the chat GPT stuff. The next generation where you can feed it lots of data is the first time that I can see this can really scale because it can scale from the point of view of imagine feeding it all the GDPR. Feeding it. All of us, 27,000 feeding it. Also AWS best practices plus ASVs from OAS plus maturity model and say. Okay, now, here’s my data. Now what’s my priorities? Or how do I put context into this particular risk that I have here? Right? More importantly, how do I then translate it to the multiple audiences that I need to communicate it to?

Izar Tarandach Okay, that first part there, I’m allergic to the idea how to communicate. I’m totally for. To let that kind of model make decisions for me at this point.

Diniz Cruz In the technology I didn’t say make decisions, I say give me contact.

Marius Poskus I think loads of things. Depends how you build your enterprise risk management framework. Because, for example, I’m a big fan that we have a risk co, but we only talk about risk, about the top things. I have a cyber risk register which houses however many risks. The ones that go to Risco is the ones that within the context, within now and today we need to address. The thing is, the key point is it’s always changing. Things are happening, risk grows up and down. The one key thing as well, sometimes I want to mention that I think sometimes people really forget. You mentioned Dennis about accepting risk. Yeah, accepting risk or accepting risk with an end date in mind. But there’s another thing. Sometimes people, when they reach a risk that goes to an acceptable level, they close it. You never close the risk because no, you accept it.

Marius Poskus Something you added and the risk profile changed completely and now it became from low risk, became medium, and then all of a sudden, another month later became a high risk.

Diniz Cruz Yeah, but that’s why you don’t close it. You accept it. It’s very different.

Marius Poskus Yeah.

Izar Tarandach You don’t close it. You accept it, and that’s very different. I’m stuck on that.

Diniz Cruz Well, closing a risk implies it’s done, right? Implies that we got rid of it. Right? I would say close is close to eliminate because you can eliminate some risks, right. Or put this right. You can bring it to the level where they’re not statistically significant. Right. You don’t have to care about it.

Izar Tarandach Accepting is saying, I can live with it and it’s under my risk appetite.

Diniz Cruz Exactly.

Izar Tarandach And I’m not going to fix it.

Diniz Cruz Yes, but I’m taking responsibility for it. Because that’s what the business does every day. Every business executive every day makes business acceptance decisions. I invest here, I invest there, I live with this, I’m roll the dice here. I’m hoping that will happen. All those are risks, but what they’re doing is they’re accepting the risk. What we’re doing here is formalizing that, but we’re formalizing so that they’re accountable. What teach you about this is notice how so many business risk decisions are made in meetings. Sometimes it’s like you will say, XYZ, and somebody very senior goes, I’m not sure I agree with that. That’s a risk decision. At that moment in time, they just said, I don’t want to do this. What you need to give them is that little piece of paper going, Cool, then go on a record, right?

Marius Poskus Yeah, we did that before as well. What we do sometimes as well, we underpin, for example, a cybersecurity program based on level of threat. Sophistication so we say, for example, me, as a company, I say, I can’t invest enough money to prevent state sponsored threat actors so we can work up to the level of cybercrime, but I’m not going to try and invest millions and millions to prevent from state sponsored threat actors because it will just not be financially viable.

Diniz Cruz Or you haven’t hit them, right? Or you haven’t got to the point where you’ve been compromised by a state actor and the board asking you protect us from them, right? But you’d be a very different company. Think about what you just there was. You create a risk decision. The risk decision is that we’re not going to protect ourselves against state sponsored actors with this kind of sophistication but that’s the risk decision.

Marius Poskus Yeah, of course.

Diniz Cruz That’s when I would say, well, you can do it for six months, for a year, because in principally, it’s not going to change, but you can keep going down, right? You can then say, I’m not going to protect myself against highly sophisticated actors. Or, for example, you can say, I’m not going to protect ourselves against activists because we have a great brand, because our brand does not have activists hitting it, and because I have no evidence at the moment of being hit by activists, right. Or the other round, right? I’m not going to protect ourselves against commercially driven actors because it’s really hard to make money with our digital access, but I’m going to protect ourselves against activists because we kept f****** being hit all the time by that. But those are risk decisions.

Izar Tarandach Dennis I feel like I have to throw a bit of a bucket of cold water in this because you’re describing this amazing framework where you have access to all kinds of intelligence and understanding and you have these people sitting up in the top saying, we will need to accept this and this is our tractor. Meanwhile, I have a developer that I can’t even stop doing an SQLi. Okay? We’re building the whole risk treatment factory here, while at the ground level, we are not getting the most basic risks.

Marius Poskus Killed.

Izar Tarandach We had ten years ago.

Diniz Cruz No, but then yes and no. Right, okay, start with that guy. Right, okay. You have a developer creating SQL injection. All right? Does it matter what’s the implications of that SQL injection?

Marius Poskus Yeah, there’s a few things obviously yeah, you have to answer, right? What kind of data is he working exactly? Is there going to be sensitive data? I think there’s two ways you can angle it, isn’t it? I always tell people you work top down and bottom up. Bottom up, you obviously find out about the data is working. Does this matter? Secondly, normally when I build an appsack program, you have to get development managers on board, where you have to go to them, you have to build security KPIs. We have to talk because I hate about there’s one thing normally that breaks down when we talk about developers fixing security stuff. We go into their world, we bring our security tools, we go into their platforms, whether they work in Jira, wherever they work, we bring the platforms to the Jira. We create a context, we prioritize, we create risks we can’t do from SAS, output 10,000 tickets and try and solve it.

Marius Poskus No, you go to context, you marry that with SAS, Dast and Sea, and you create a risk narrative. What’s the impact of this particular? What data is going touch? What app is going to work with? You create KPIs with the people that are going to manage those developers, and you work together to create a plan.

Diniz Cruz What’s the top five things we want them to fix next week? Right? We should be able to give them that, right?

Izar Tarandach Let me close that loop for a second. We started with the divide between risk from the point of view of the board and from the point of view of the developer. Now we are bringing that together, saying there is a framework, somebody decides the risk appetite, and now the developer has to execute based on that. Where in you guys mind sits the decider of what is it that the developer will do next based on that risk profile, who is the function, what’s the role that actually gets to decide what goes next?

Marius Poskus It depends how you build. I’ve normally done frameworks, and I’ve been a big of a fan of what AWS does. I normally build plans similar to what they do. You have a development team, say, of teams are built off six, seven, eight people, whatever it is. You have a security champion in each development team. There’s the person who you gather them all and you teach them about risk, about the impact, about the likelihood, and they will become your essentially threat modeling champions. And they will identify the risk. You create they call it a security bar or a level of where the risk is. If that risk exceeds that level, there is an escalation point. So you create AbSec engineers. Normally I will say one engineer per three development teams. So that gets escalated. We do a second round of threat modeling to see if we can reduce that.

Marius Poskus There is a penetration test and a a gateway into release, into production.

Izar Tarandach To me, you’re describing a near verna situation where in the best of all known words, that would be the that’s.

Marius Poskus The framework, you know, getting there. That’s why I said to you, getting there is normally that’s why I say to people think, oh, we’re going to start doing AppSec. Yeah, but normally that framework until it’s operational. I always say to people, it’s 18 months. Developers, when they haven’t done security, you can’t just say, oh, we’re going to start doing security tomorrow. It’s a cultural shift. It takes effort, it takes training. You create security champions. Do you think these people want to be security champions for nothing? You have to create reward programs. Like, we send all of us to something like Black Hat, RSH. There’s tangible rewards. You become a security specialist on a team. You hire, obviously, the secured AppSec, security engineers. You bring all the tools. The tooling is fine. Fine tuning the tooling and force positives, force negatives. That takes however many months to get to the point.

Marius Poskus This all reaches a combination in 18 months. You get somewhere close to what you say is an Irana no, I love what you’re selling.

Izar Tarandach I think that’s definitely like paradise sounds like that, but my God, we are so far from paradise. How many companies do you know that actually do exactly what you’re describing?

Marius Poskus You can count on figures.

Izar Tarandach When you finish training those people in those roles, they move. They’re just gone. So, I mean, we need something that we can use immediately. Like somebody just came in, got on board. It, dude, this is risk for us here. These are priorities. This is what you do, this is what you don’t. We don’t have time to build that huge runway to get to the desired.

Marius Poskus I think that’s where we are heading that way because we starting to bring security tools into development. IDE. We start in going away from going to the boards and stuff like that. Nowadays, developer types code, and in IDE, it gets straight away pointers to raise. And now they’re even adding risk. You’re just quantifying and creating some framework of what needs fixing now versus you can push into production and we accept the risk. There’s a timeline for the fix. You just probably quantify critical high, we fix now and then medium lows, you have a time limit. You built in SLAs and it can go into production because then you prevent from them innovate. You’re not preventing them from innovating but at the same time you’re keeping security in terms.

Izar Tarandach Is this the time when.

Diniz Cruz We I just wanted to add a comment on when you said about who owns the risk. I think yes. The closer you can be to the technology teams and the engineering teams, the better. Right. I have to say that these days there’s a much bigger realization by engineering that they need to be secure. Right. I think Al.

Izar Tarandach I feel like these are the best parts of what he has to say.

Marius Poskus I think he just presses something like I’ve got great idea. Let me press a button to freeze.

Izar Tarandach There’s probably an app for that.

Marius Poskus Must be something in there.

Diniz Cruz I’m going on a rain.

Marius Poskus Here you go. There’s no reception.

Diniz Cruz Yeah, I’m on a South Bank in London. Can you guys hear me now? I think he’s taking the idea of.

Izar Tarandach Mobile way too far.

Diniz Cruz Yeah, I think you need to give it to the business owner. Right. You need to give it to the person who controls the development, the pipeline. Those are the ones who have to own the risk. The key is to make it official. And it’s not easy, man. It takes a lot of time and effort, but I think that’s the direction of travel is to give them the risks to accept. Yeah.

Marius Poskus Because definitely sometimes people even forget to the point we mentioned kind of thing you mentioned in the beginning saying security owns too many risks. Security shouldn’t own even a single risk. Security is a consultative function to the business that provides you provide ideas what business to do. If any of the risks are owned by security, then I would say you’re doing something wrong.

Izar Tarandach Totally agreed.

Diniz Cruz Yeah. The only risks that we should own are the risks that we need to own from our own business function outside of security for the security tools, for example, that we push, then we need to own those risks. Yeah.

Izar Tarandach And you know what?

Diniz Cruz As a business owner, as a business owner, that’s the risk we should own, not the business risks.

Izar Tarandach I think that mars you touch on a really important point that we as security people have to make peace with we are not as important as we think. We are here for consultancy.

Diniz Cruz Right.

Izar Tarandach So we don’t have to own risk. We shouldn’t. And if we are doing it wrong.

Diniz Cruz I agree with the second part, not the first part, but I think we are a very important part of the fruit.

Marius Poskus We are very important but people forget we’re not there to because sometimes we create such stories about the risk that might prevent business operations. We’re not there to stop business operations because of risks but now we are there to enable business and make those operations just more secure and that’s the key point. Sometimes people, especially people in senior cybersecurity positions, they keep saying no. The problem is, the more you say no, the less likely you are to be listened to. At some point, you lose the seat by the table and then you get frustrated because you can’t do anything because you caused it yourself.

Diniz Cruz Well, look, I tell the board and the senior executive says, my job is not to prevent incidents, my job is to prevent crisis. Right. Our job is not to make this secure, is to make it safe. And it’s a very different proposition. Cool. Guys, look, top of the hour. Any final thoughts? This is a great session. We need to do more of these. Love the session.

Izar Tarandach You should make a different event. Dinners in the park where you talk.

Diniz Cruz To people.

Marius Poskus Playing banjo and talking about security.

Diniz Cruz Actually, I’m about to go to an event here in London with tons of security professionals. I should go there and get them on here.

Marius Poskus Yeah, exactly.

Diniz Cruz I’m going to assist our event. Cool. Any final words, guys?

Izar Tarandach It’s a risky business.

Marius Poskus It’s risky business. I think the main point will be touching. It’s a journey and it takes a lot of work to get to a certain level of risk, treatment, maturity. It needs a change of thought, a change of narrative and a change of approach. Yes. I always say to people, there is one key saying here, stop doing the same things if you expect different outcome.

Diniz Cruz Exactly.

Marius Poskus That’s what we need to keep. We need some fresh ideas, we need fresh outlook of how we address the risk going forward.

Diniz Cruz The best part, we work in an industry that can still be super passionate about what we do, love what we do and make a difference. Right. Come on, that’s awesome.

Marius Poskus Exactly. It’s all about making a difference. I think just a caveat to that, I think the industry itself is probably nothing like anywhere else you would meet, because I’ve never met so many individuals that do stuff out of passion, serve their time and efforts to help others without any rewards. I’ve been involved loads in mentoring and all kinds of things, and they’re rewarding. You always say, Just pay it forward. I’ve never seen that anywhere in such a magnitude as in cybersecurity.

Diniz Cruz I agree. It’s a great industry to be part of. Man all right, guys, catch you later.

Izar Tarandach Mario thank you very much.

Marius Poskus Thank you. Great.