"The Data Diva" Talks Privacy Podcast

The Data Diva E221 - Matthew Rosenquist and Debbie Reynolds

Season 5 Episode 221


Debbie Reynolds “The Data Diva” talks to Matthew Rosenquist, Mercury Risk's Chief Information Security Officer (CISO), cybersecurity strategist, and LinkedIn Top Voice. With over 35 years of experience, Matthew shares his dynamic career journey, which started with internal investigations, building Intel’s first Security Operations Center, and leading crisis response teams. His extensive background includes advising governments, businesses, and academia on emerging threats and cybersecurity best practices.

Matthew highlights the critical evolution of cybersecurity from a “nice-to-have” to a mission-critical business necessity while discussing how rising consumer and regulatory expectations are reshaping the cybersecurity landscape. He explains the growing gap between mounting security demands and available resources, emphasizing that cybersecurity leaders must demonstrate value beyond risk prevention. Matthew advocates for evolving cybersecurity’s role from compliance-focused operations to strategic business enablers that deliver competitive advantages and even revenue opportunities.


The conversation explores the interconnectedness of privacy and cybersecurity, framing both as foundational to digital trust. Matthew emphasizes that privacy failures and cybersecurity breaches undermine trust with customers, regulators, and business partners, making collaboration between cybersecurity and privacy professionals essential. He also illuminates the importance of proactivity in cybersecurity, contrasting it with the reactive “firefighting” mindset often seen in organizations.


Matthew goes into the threat of insider risks, distinguishing between malicious insiders and non-malicious actors who unintentionally create vulnerabilities. Drawing from his experience, he underscores the need for strong leadership, clear policies, and an organizational culture where employees feel empowered to report issues without fear. Looking to the future, he stresses the importance of having cybersecurity expertise on boards of directors, enabling organizations to navigate rising risks and better align cybersecurity initiatives with business objectives.


As the discussion concludes, Matthew shares his wish for the cybersecurity industry: improved communication, collaboration, and leadership. He calls for greater strategic thinking, proactive risk management, and a collective effort to stay ahead of evolving threats in an increasingly complex digital world. He also highlights his hope for Cybersecurity and Data Privacy in the future.


[00:00] Debbie Reynolds: The personal views expressed by our podcast guests are their own and are not legal advice or official statements by their organizations.

[00:12] Hello, my name is Debbie Reynolds. They call me The Data Diva. This is The Data Diva Talks Privacy podcast where we discuss data privacy issues with industry leaders around the world with information that businesses need to know.

[00:24] Now I have a very special guest all the way from California. He's also a top voice on LinkedIn. Matthew Rosenquist. He is the CISO at Mercury Risk.

[00:37] Matthew Rosenquist: Welcome. Good to talk with you, Debbie.

[00:40] Debbie Reynolds: Yeah. And you're also a cybersecurity strategist and advisor. Throw that in too.

[00:46] Matthew Rosenquist: Yes, I talk for a living. Yes.

[00:51] Debbie Reynolds: Well, we met on LinkedIn. We really hit it off and I thought, wow, I really like the things that you post and I thought you'd be great talk to on the podcast about cyber and what you do.

[01:01] So why don't you give us a background of your journey and your career and how you became the CISO at Mercury Risk.

[01:09] Matthew Rosenquist: You really want me to bore people? Okay, no, we can do this.

[01:13] So I've been doing security for 35 years. Somewhere right around there, you start to lose track as the brain erodes over time in this industry. But, you know, I started off actually doing internal investigations: theft, fraud, embezzlement, things of that sort.

[01:29] And when I joined Intel Corporation, I spent 24 years with Intel. One of the first things I did in security there is I actually justified and built Intel's first security operations center.

[01:38] So, its first 24 by 7 SOC. I built it, I managed it, put it in full motion, and then we needed a crisis response team. So we, you know, I ended up landing the incident response.

[01:51] We call them CERTs today, right? Computer Incident Response Team. But we did that for Intel, and I was the first incident commander for the company. So I owned it any time the company was attacked. I always look for the next impossible job.

[02:04] Right. So, hey, you know, we're having problems with the IT platforms and security. Okay, I'll own that. I'll go in and fix it and clean up all the, you know, the software and apps and.

[02:14] Okay, great. You know, what's next? What's next? What's next? Okay, hey, the factories, right? They're getting attacked and we need to justify a system, come up with some new methodology to justify the financial investment of security in that environment.

[02:29] Okay, sure. Nobody's done it before. Okay, great. You know, and so just on and on and on. So we actually bought McAfee and a whole bunch of other companies and brought them under the umbrella of what was called Intel Security at the time, and it was the third largest security group out there.

[02:44] And they said, hey, would you be our strategist and figure out how do we get everything to work together? What do we need to say? Sure. Right. And so I did.

[02:52] I had probably 18 or 19 different jobs at Intel, typically spending a year to a year and a half at each, fixing an impossible problem and then just moving on.

[03:01] And during my entire career, I worked for business units, I worked for IT. I worked for all sorts of different stuff internally, but I also advised other business partners and consulted with them and governments and academia.

[03:19] And I started very quickly, you know, and that was back at a time when Intel allowed you to be on advisory boards. I was on six advisory boards. Right. And I reserved two for Intel Capital, for the companies we invested in, two for academia, because I knew we had to train more people to come into this crazy industry, and two for either kind of innovative startups or for conferences, to figure out, okay, what, as a community, should we be talking about in the next year?

[03:47] And I did that. I was at Intel a little over 24 years.

[03:52] Absolutely loved it. Left it a handful of years ago, I think, five years ago, something like that. And from that point on, I started bringing on more advisory board positions.

[04:02] So I'm on 14, actually, 15 now advisory boards. I do consulting, fractional CISO work as well. And I advise governments, I advise businesses, and I advise academia all around the world on emerging threats, on industry best practices, and I've got a few followers on LinkedIn.

[04:20] But I love this industry. I love the challenges, and I have a passion for it.

[04:27] Debbie Reynolds: You definitely have a passion for it. I can definitely tell. Isn't that funny? So I think our career, even though your career was more in cyber and IT. I'm a technologist, but basically that's what I used to do.

[04:42] I would, like, incubate. I will create and incubate things and then spin them off and then move to the next thing.

[04:49] Matthew Rosenquist: It's like your children, make them grow, slide and then kick them out, move on to the next one.

[04:55] Debbie Reynolds: Well, I want your thoughts about what. What is happening in cybersecurity now that's really getting your attention or has your focus.

[05:06] Matthew Rosenquist: There's a couple of things. I do a lot of keynotes. In the last few keynotes, I've focused kind of on two aspects.

[05:12] One, how the threats are getting much more serious, the level of economic investment.

[05:20] And if you think about, like, a business or an industry, if you've got a kind of a good equilibrium. Everybody's kind of competing. Then all of a sudden a big, you know, consortium comes in and dumps in hundreds of billions of dollars in R&D to come up with new tools and technology that's really disruptive.

[05:38] And that's what we're seeing in cybersecurity. We're seeing aggressive nation states that cyber is that asymmetric type of warfare that they've been looking for. And they can push the boundaries on it.

[05:50] And it doesn't matter. You don't have to have a border. You don't have to have heavy metal tanks, planes or anything like that. You have to have some smart people with some competing infrastructure, some legal cover, some other things.

[06:02] And you can do incredible things and potentially really harmful things. But it's great to be able to push your foreign political agendas. It's great to be able to get around sanctions and embargoes.

[06:15] And it's great to cause political upheaval, social upheaval, right? And even just to steal money, right? There's aggressive nation states out there that, because of sanctions, they are very, very poor and they need hard currency.

[06:31] And this is a great way to bring in a few billion dollars, right? It's many billions of dollars to be able to do that. So that's one aspect, the threats, the other aspect, and it's more social.

[06:43] Expectations are rising.

[06:46] Sounds simple, right? But where are they rising? Well, as it turns out, consumers don't like when we're victimized. So when our data is breached or when our systems are hacked, or our social media goes down, or our favorite tool, right, online tool, isn't available, we get unhappy, apparently.

[07:08] And so expectations of consumers are going up. But that's not all, right? Expectations. When consumers go up, regulatory agencies feel that pressure because people are vocal. So regulatory expectations go up.

[07:22] You've got congressional expectations, you've got expectations of auditors as well. Now you get all this in a business market.

[07:32] Now you get C level, right? Expectations for security go up. And that also means the board expectations for cybersecurity goes up. Okay, so everyone's expectations about cybersecurity are continuing to go upwards, not downwards, right?

[07:49] And you start to get to a point where, okay, well, great, well, I need more budget, I need more staff. I need. But there isn't much staff to go get.

[07:57] And you're not going to get 50% budgetary increase year over year. Right now we're averaging a 20, an ask of a 25% budget increase year over year. For a business group that isn't generating any revenue now, they normally don't get that right.

[08:16] On average, they're getting between 9 and 15% increase every year. But cybersecurity, like privacy, right? I'm not alone here. We're in the same boat. We're often seen as an overhead, not a revenue generator.

[08:29] We're an overhead. And every MBA will tell you they are trained, it is ingrained in them, that for overhead costs you drive efficiency and effectiveness, so you can reduce the costs over time.

[08:43] But cybersecurity, you have to increase the costs over time.

[08:47] And that is hugely problematic. We're coming up to a chasm, right? Where the expectations are so high. We need more resources and capabilities and we have to introduce more friction.

[08:57] But the organizations aren't willing to do that. And part of the problem is we can't prove our value.

[09:04] A perfect day in security means nothing bad happens, right? In security, you can't measure the attacks you avoided.

[09:15] You can't measure the amount of loss that you know didn't occur. All you can measure is the bad things that do occur.

[09:24] It's kind of like in physics, right? In physics, you can't measure darkness, you can only measure light; you can't measure cold, you can only measure heat. And the same is true here.

[09:37] And CISOs in my industry are going to go, as we approach this chasm, there will be a few that figure out a way to cross it by being able to show more value, be able to deliver more and different kinds of value, and then there'll be the rest.

[09:55] And it's going to be Darwinism. It's going to be a bloodbath, right? They're not going to survive. They simply won't be able to adapt to the greater threats and expectations while still being strangled or even reduced for their ability to introduce friction and spend money.

[10:13] So we are coming up, unfortunately, it's in the distance to this moment of crisis, this fork in the road that we have to deal with, and it's better to deal with it now.

[10:25] Debbie Reynolds: I agree with all that you said. You know, this is going to be really boring then.

[10:29] Matthew Rosenquist: Come on.

[10:31] Debbie Reynolds: Well, one thing that I think is really interesting, and I think it's hard for people who just like to say MBAs. You almost have to throw out the playbook of the way that we think corporations should work in order to face this new age, right?

[10:47] So I think the previous way we used to think about organizations, that was Santa's workshop and everyone had their little, you know, piece of the pie that they were doing and then magically a toy will pop out at the end.

[11:00] But we know that the organizations are more complex than that, can be as siloed as that. But then also, and I want your thoughts on this. And so this is the shift that I saw as we went into the digital age.

[11:11] So a lot of what we did with technology when I first started my career, many, many moons ago, when you did things that were digital, it was kind of like a value add, right.

[11:23] As opposed to right now. It's critical. So a lot of businesses, and I think this is part of the reason why we have an issue with cyber and kind of getting funding, because they thought of it as it's time to make the donuts.

[11:37] It's like accounting. You buy accounting software and then buy it once and then it's there forever, that type of thing. So the difference is back then is, okay, so because we do things in a digital way, I could do it manually, but I prefer to do it in a digital way because it's more convenient.

[11:55] Now it's like you cannot do your job unless you have cyber or unless you have these technology things. But I want your thoughts on it.

[12:03] Matthew Rosenquist: No, I think you're absolutely right and you're really talking about that transformation in IT because years ago it went through this as well. It again two, three decades ago. We're dating ourselves here.

[12:16] Two, three decades ago, it was seen as a nice to have, right. Internet wasn't a thing. You didn't have a web page. Right. And so it was looked as an overhead cost.

[12:29] Right. But as the world has evolved, it has proven that no, this is critical. This is how we communicate. This is how we reach our customers. Now we're not sending them cards in the mail.

[12:41] This is how we reach our customers.

[12:44] Right. This is how we communicate to ourselves and our partners. This is how we innovate and this is how we deliver.

[12:51] And it has successfully moved out of that overhead category to be much more of a business enabler. And I don't think there's anybody now in most modern companies that would say it is not a business enabler.

[13:07] In fact, in most of any type of digital or high tech kind of companies or organization, they would say that's critical, that's mission critical. Yeah, I know I've got a factory that's producing, you know, toys out the back, but my entire supply chain is run through it.

[13:23] I can't order parts just in time and I can't pay people and I can't, you know, get the lights on or whatever. Without it, it's mission critical.

[13:32] Cybersecurity isn't quite there yet. Right. They still see it as, well, we didn't get hacked yesterday, so we'll probably be fine tomorrow, you know, or, you know, a very common sentiment, you know, a couple of decades ago even, and sadly even now today sometimes, is I'll go and talk with the board or talk with the C-suite, a CEO, and they'll ask, yeah, we need security.

[13:55] Just tell me what software to buy. Just tell me what magic black box to plug in so I can, you know, I'll take the capital or expenses and, you know, one-time cost.

[14:06] Turn it on and I'm secure. Right. I'm done. We're good. I just need security. Where do I order that? It doesn't work that way.

[14:16] But not understanding is part of the problem. And where we've grown up from is part of the problem.

[14:25] Right now most cybersecurity organizations root themselves in either compliance or a little bit of kind of risk prevention.

[14:36] And that's great. There's value there, there's absolute value there. But it's really hard to prove. Again, if bad things don't happen, there's no reason to have you. And if bad things do happen, well, you suck.

[14:48] Why do we have you? You know, you can't win anywhere on that spectrum.

[14:52] We need to move, we need to evolve, right, back to Darwinism. We need to evolve from that regulatory compliance and a little bit of risk management. We need to expand out to be more: competitive advantage.

[15:05] How does our secure infrastructure help us keep the factories up and running? Help us, you know, do what we do in a better way, maintain the privacy and trust of our customers.

[15:18] Right? That's important. That's competitive advantage. And then we move beyond that, right? How do we start increasing value of our products? Well, we're going to embed security in our products too, to make sure that they're not hacked.

[15:30] And if our competitor does get hacked and we don't, that also can help. That can help with market share. We need to understand what is market share.

[15:39] How does security potentially impact, how do we communicate that out? And we can keep going down that evolutionary road, right? And go, hey, there are actually opportunities for good, better, best.

[15:52] I was on a plane and I was doing a keynote in Helsinki and I was on my last leg, so I was in Frankfurt taking a plane to Helsinki and it was a regional airline.

[16:02] And I got on there and they had Wi-Fi service, and they had a basic free Wi-Fi where you could, like, send an SMS, like a text message. That was it, free. You could pay.

[16:12] First paid tier was you get dog-slow Internet, right? 1980s speed Internet, but you get Internet. There was one more tier, and the only thing different about this tier, it had a business VPN.

[16:29] They were targeting business travelers. And their business travelers were being beaten over the head by their security folks going, you have to use VPN, you have to be secured. And so they had a separate tier, right?

[16:42] Not faster speed or anything, but it had VPN protected.

[16:46] Now think about the brilliance of this.

[16:48] For every person that paid that, there is somebody in security of that airline going, I generated revenue through a good, better, best model investment in my organization in cybersecurity for this company as it relates to our customers.

[17:05] I've now generated revenue that we wouldn't have generated without me. Think about that, right? So there are opportunities to move beyond just compliance and a little bit of risk prevention.

[17:17] We can move definitely into competitive advantage space. We can move beyond, all the way out, all the way out to potentially generating new organic revenue. So in between there, there's market share, there's good, better, best, there's margin preservation or growth, there's ASP, average selling price, there's all sorts of things that we can contribute to that add to the bottom line of the company.

[17:44] That's how you show real value.

[17:48] Debbie Reynolds: I want your thoughts about privacy and cyber. So to me, privacy and cyber have a symbiotic relationship, but I think a lot of people don't know the difference between the two.

[17:59] But I want your thoughts on that.

[18:01] Matthew Rosenquist: We are two sides of the same coin, right? We use the term cybersecurity nowadays and it's very, very common. But it actually wasn't the original term, right. Prior to cybersecurity, it was information security, right?

[18:15] Prior to information security, it was actually systems security, when you get back into the mainframe days and so forth. And we have evolved and as we've evolved, the scope of what we are being held responsible to, going back to those expectations, right, that are always rising.

[18:33] The expectations have grown. And when I talk about cybersecurity, I talk about certain aspects. I talk about the security of systems and data and so forth, right? I talk about the privacy of the people who are participating, right?

[18:50] So you've got security, privacy. And then the third one is safety. Because now a lot of systems, the safety controls and everything else are tied into cyber, and you want those protected, especially with the type of attackers we have now that want to turn things off or cause physical harm; you need to protect against those types of attacks.

[19:12] So we've got the normal kind of security, digital security. We've got privacy, we've got safety, and then we've also got, which has always been there, kind of the availability. We want to make sure whatever's going on for the products are available.

[19:25] But all of that really embodies this concept of digital trust and cybersecurity and privacy and ethics and everything else are under this umbrella of digital trust. And if you want trust from your consumers, you want trust from your business partners or your suppliers or your insurance agencies, your insurance company or regulators, you need to be able to look at the more strategic viewpoint that any one of these, a failure in any one of these will undermine trust.

[20:00] And all of these are connected and they have to work and collaborate together to really maintain or grow that trust.

[20:10] Debbie Reynolds: That's great. I would love your thoughts about proactivity. So a lot, unfortunately, what a lot of people think about cyber, I guess two things I want to say. One is a lot of times when people think about cyber, they think about it as almost like the fire department.

[20:31] So it's like, okay, we don't need you, but my house is on fire. So all of a sudden you're supposed to spring in action and all these things are supposed to help to kind of save you.

[20:40] But then also I feel like cyber has an identity crisis, where I feel like some people don't regard cybersecurity as a profession, quote, unquote, like being a doctor or a lawyer.

[20:53] So I want your thought on both of those things.

[20:55] Matthew Rosenquist: Oh, we can talk a lot about this. Let me keep it down to less than six hours.

[21:01] So from a reactive, proactive perspective, you know, most cybersecurity organizations and major funding blocks come because something bad happens and you have to deal with it, or something bad is happening, you have to constantly deal with it.

[21:17] And we deal with intelligent threats. And unfortunately, these threats, they're people.

[21:22] And these people sometimes are smarter than us. They sometimes have more resources than us, and sometimes they actually know our environment better than us. Don't tell anybody, but they're constantly adapting and they don't care if they make a mistake.

[21:37] Right. We care if we make a mistake, but they don't care. They're willing to be risky. Let's try this. Let's do that. So it's constant what is being bombarded that the cyber defenders of cybersecurity really have to deal with.

[21:51] And so a lot of it is just responding to the emergencies and that's where you get a lot of this responsive nature of the industry.

[22:01] And you can fill your day and all your security employees' days just with responding to the bad things that happened an hour ago, a day ago, or a week ago.

[22:13] So you'll never get ahead. But the thing is, it's not a real good use of resources. What you want to be able to do is you want to be able to proactively start to mitigate and offset these bad things happening.

[22:27] Right. Or if they do happen because of your proactiveness, you can go in, detect them quickly, and, you know, contain and resolve them for minimal impact. It's all about optimization.

[22:38] And if you're stuck in a response, you will never be proactive. You know, saying goes, right, an ounce of prevention is better than a pound of cure. It absolutely is.

[22:50] It is. But if you get thrust into that environment and everything's on fire, hence the firefighting. Right.

[22:58] Montage that we always imagine, you got to put the fires out. Well, the fires will never go out. You put one out, the bad guy starts two more. So you have to get ahead of it.

[23:10] And it's a struggle. It takes tremendous leadership. I did a keynote not that long ago, and I talked about, in cybersecurity, we lead either through leadership, right, innovative leadership, or through crisis.

[23:23] This is how we manage cybersecurity leadership or crisis. And in the absence of leadership, you're left with just crisis.

[23:31] And I advise and I mentor CISOs and I advise boards and I advise C suites. And that's one of the messages, right? You have to have good leadership first off, to be able to navigate that and turn the corner.

[23:43] You'll always have to do some type of reactive response. You always will. But you also need to turn the corner so that you get into a position where your proactive measures land and help deflect a lot of that stuff that would have been a crisis that you would have to react to.

[24:03] And it's just key. It is key. It's not easy though, right? Even talking about it isn't easy, to explain it; actually doing it is, you know, a world of complexity.

[24:16] And for the second kind of piece, right.

[24:19] Many times, unfortunately, cybersecurity is seen as, oh, it's just a branch of IT.

[24:25] And I get why. Right. And in fact, most of the practitioners in cybersecurity started from a technical background. You have coders, developers, engineers, architects, you know, all sorts of people with a technical background that have filled the ranks of cybersecurity and for good reason.

[24:43] Right? Because cyber, right. Digital technology is the battleground. That's where the war is fought. And having an expert on the battleground is great.

[24:54] However, you're missing a couple of aspects, and if you miss them, you're going to lose, no matter how bright your engineers and your technical people are. Right. There are behavioral aspects from the attacker's side, from the defender's side, the victims.

[25:11] Right. And even the security personnel there to defend the victims. Right. You need to worry about process because all this has to fit within a business and can't crater the business.

[25:22] You can be more damaging and destructive than the bad guys. You can't overinvest in security, but you can't underinvest either. So we have to understand, we do deal with technology, that is the battleground, but we also have to understand the behaviors and the business processes that surround that.

[25:43] And this isn't new, right? If we go back to Sun Tzu, Art of War, thousands of years ago, right, when he wrote it, he said, you got to know yourself, but you got to know the enemy as well.

[25:53] And this goes back to IT. And I love my IT brothers and sisters, right? I worked in those organizations, I love them and completely respect how brilliant they are.

[26:03] But they are trained, every engineer is trained in a problem solution mindset.

[26:12] Okay? Now imagine this. You're in IT.

[26:15] Power supply on your server goes out, right? It happens. Hard drive fails, whatever it is, okay? Hard drive fails. You know what you gotta do? You gotta go over to that box, open it up, pull out the old hard drive, slap in a new one, put it all together, reboot it, and you're off and running.

[26:31] Okay? Now that actually is pretty scriptable. You can write down those steps, right? And hand it to somebody and they go, okay, step one, go to the server. Step two, remove the screws.

[26:41] Step three, okay, great. And in fact, because hard drives have mean time before failure ratings and so on and so forth, you could kind of predict it. Hey, this hard drive is probably going to fail in three years, okay?

[26:54] In two and a half years, I'm going to go buy a spare and just set it on top. That's going to improve, right? That's going to improve my response time. Awesome.

[27:04] In fact, you know what, why do that? In 2 1/3 years, I'm just going to proactively swap it out. It's scriptable, predictable, right? And that's great.

[27:17] But now when you look at cybersecurity and an attacker is hacking that hard drive.

[27:24] Yeah. You might be able to go in and reboot it or whatever. But then the attacker is going to figure out a way around, through, above, whatever, whatever you did, whatever security control you instituted, they're going to get creative and find a different way to accomplish something that fulfills their primary goals.

[27:46] Now, that isn't scriptable. That's more like playing a football game. Yeah. You know, it could be a pass play or run play or whatnot, but every play is really different.

[27:57] You cannot predict exactly what every player and everything is going to do. They're going to adapt to you, and if you figure it out in one play, they're going to change it up the next one.

[28:07] That's what cybersecurity is about. It comes back to that intelligent adversary that we have to deal with, who, again, might be smarter and more creative than we are.

[28:16] That's what we deal with. And it's a fundamental difference between cybersecurity and technology around it.

[28:24] Debbie Reynolds: I have written a post and actually did a video called Privacy is Safety. And so basically I was trying to talk about privacy from the lens of how when things aren't private or aren't kept in a certain way, it could be hurtful to people.

[28:41] And I feel like maybe that's probably a path towards really being able to explain cyber better to people who don't understand it. Right. Whether that be just layman, you know, ordinary people who aren't in tech, but then also boards and C suite people, what do you think it can be?

[29:01] Matthew Rosenquist: And it's been a typical practice. Right. Talking about the fear, the uncertainty, doubts, bad things can happen. And people tend to start off, okay, worst case scenario, you know, meteor hits the planet and we all die.

[29:15] But that doesn't happen every single day. Right. But if you really need funding right now, and they're concerned about it, and they saw on the news how it happened to some other company on the other side of the world.

[29:25] Okay, it might be a good argument to get funding, but that only lasts so long. You can only go, the sky is falling, so many times. And then they start realizing, wait a second, if I give you this bucket of money, that means I don't give it to my sales and marketing team, and they're generating revenue.

[29:45] Okay, so I either give you the bucket of money or I give them the bucket of money and they give me three buckets back. But you don't give me any buckets back.

[29:53] Right? I just give it to you and it disappears. I give it to them and they give me a big pile of money.

[29:59] Let me think about this. Right?

[30:02] And then they start going, wait a second. You're asking for 30% budget increase, right? For new tools, new people, new things. Okay, great. But you don't have that now, and nothing bad's happened.

[30:15] So if we don't give it to you, nothing bad will happen. Tomorrow, maybe. Right. What are you going to say? Oh, no, it definitely will. You don't know. You don't know.

[30:23] So they go, okay, well, we're not going to give it to you tomorrow. Oh, well, yeah, nothing happened. Well, we're not going to give it to you next week either.

[30:31] Come back at the next week. Right. And so you go down this. This path that you have, this dance almost.

[30:38] And then we come across the first axiom of cybersecurity.

[30:44] And again, I came up with this almost 30 years ago. And the first axiom of cybersecurity is real simple. Cybersecurity is not relevant until it fails, and the moment it fails.

[30:57] Now, there is a very keen interest in cybersecurity because typically it impacts the business. It's very expensive.

[31:07] Right? What are you talking about?

[31:09] It's going to cost us 10 buckets of money just to recover from this.

[31:13] Yeah. You know, if you would have given me that one bucket of money, I could have avoided this.

[31:18] But, you know, you delayed it. You didn't want to do that. Okay, so now this is what we're left with. Impact to product, impact to reputation. Sales are going down, stock isn't happy.

[31:29] You've got the board of advisors breathing down your neck going, how did you allow this to happen?

[31:34] So, you know, there are behavioral, there are political, there are business issues that really have to be kind of discussed. Yes. We can talk about the bad things that happen.

[31:48] It only goes so far for so long. When bad things do happen, that tends to be a much greater motivator because it is a tangible, visceral impact that people see and feel.

[31:59] And that tends to go, okay, I'm willing to invest in some of those proactive things. Right. To avoid this in the future. Right. Some industries actually quietly in the background, and I'm just talking about behind closed doors as CISOs.

[32:14] Right. We sometimes call those incidents fundraisers, because that's really kind of what they are. If it happened, we don't want them to happen. We don't. We really don't. Right. But if they do, you're like, oh, I hear you had a fundraiser last week.

[32:28] Yeah, I'm gonna get budget for a new IAM system. Yep. Okay.

[32:33] So my fellow CISOs are going to hate me for saying that. But they're all smiling right now, listening to this. They're all smiling, going, yeah, that's what it is.

[32:42] But we have to deal with the perceptions of risk that may come to fruition and may not.

[32:51] We don't control everything.

[32:55] Debbie Reynolds: I want your thoughts on the topic that I like to talk about. And this is so funny, it cracks me up all the time. And that is around insider threats. So a lot of times when people talk about insider threats, they talk about Tom Cruise hanging from the ceiling, impossible type of thing.

[33:16] And I try to tell people, like most insider threats are not malicious.

[33:21] And they are likely.

[33:22] Matthew Rosenquist: Some of them are. Some of them are. I know where you're going. Okay, keep going, keep going.

[33:28] Debbie Reynolds: But I mean, if your focus is on the Mission Impossible, like way out of sight thing is going to happen, not to say that wouldn't happen. You're not really thinking about probably the majority of insider threats that you have that aren't malicious.

[33:42] Right. So I just want your thoughts on it.

[33:45] Matthew Rosenquist: Okay? So again, starting my career, even before I was with Intel for 24 years, one of the things that I did in this other security group was internal investigations. And I had a fantastic boss and I had an incredible team that I learned so much from.

[34:00] And you know, we would look for unusual activity, assets, missing financial assets, not syncing up with what it should be in financial audits, things like that, and then start narrowing it down.

[34:13] Okay, is this external? Is this internal? And we did a lot of internals. We put hundreds of employees and contractors in jail.

[34:23] So there are malicious and there are non malicious. And the basic definition of an insider threat is somebody that you trust. Could be an employee, could be a contractor, could be a vendor, could be a supplier.

[34:38] Right. But it's somebody that you're trusting, you are giving them that. And many times there's some kind of contract involved. But if they have that level of trust, it means you're probably giving them access to locations, systems, assets, whatever it is, a stack of cash, who knows, could be anything.

[34:59] An insider threat abuses that, that level of trust, typically for their gain. And it could be financial, it could be emotional. Right. And these are the malicious ones. Now we also have attacks and situations, data breaches, for example, which you know, fall in both of our worlds, cybersecurity and privacy.

[35:20] You know, a data breach may have been a social engineering attack on an employee and the employee did not mean any harm, did not want any harm, but they clicked on that link or they gave their login credentials or they did whatever, right?

[35:35] And because of that, that enabled the actual attacker to conduct an attack and do a data breach.

[35:43] From an insider perspective, they are definitely the vulnerability that was exploited, but there was no malicious intent.

[35:53] And we can sometimes point back and go, hey, because I've done investigations with organizations and said, okay, let's, let's find the root cause. Yes, it was an employee and we may look at it and go, wow, hey, that employee was thoroughly trained and in a culture where doing that was the wrong thing and everything was done right, they were well informed and trained and they should not have clicked on that.

[36:18] And they know better, right? And they may even come out and go, I know better, I know I did it, I know better. I just got done with, you know, okay, great.

[36:26] It, the vulnerability is them and the responsibility falls on them. But we also find other situations where, and it's actually more typical. I'll go into an organization that had a data breach and yeah, that employee clicked on that, but the policies really aren't there.

[36:43] And you know what, it's an annual training and I look at the training deck and it's horrible. I can't even understand it and I can't stay awake for it.

[36:52] And I'm like, really? This is horrible. I don't even know what they're saying. They're saying, do your job. And you have to click on all the email that comes in your inbox, but don't click on the bad ones.

[37:01] But we don't really know what the bad ones are. Okay, how does that help me? Right? You know, or, or, you know, I had one company that said, oh, we do this great.

[37:11] And they used an external vendor, this great training.

[37:15] And I said, okay, well the person that clicked on this is a new hire. And they're like, yeah, yeah, they're horrible. New hires are terrible. And I said, show me your process for training.

[37:26] And they showed me the materials and I said, no, show me your process. Show me your new hire process. The new hire process mandated the training occur within 30 days of the new hire sitting in the chair.

[37:38] And they hadn't done the training yet. It was day 28. They pushed the train, the management and staff, and they pushed it out to the very last day of that 30 day window.

[37:48] And this new hire, this was an intern, right? Clicked on it on day 28 and they wanted to blame the intern. And I said, that's great, you want to blame them, but it's not their fault, it's your fault.

[38:01] It's management's fault, it's cybersecurity's fault. Your policies are weak, they're not being followed very well. Why are you giving people access for 30 days that they can cause harm without any training?

[38:14] It's not their fault, it's your fault. Bad management, bad risk management. They didn't like my answer, but they fixed it. So once they got all, you know, huffity and everything, they're like, okay, well how do we fix this?

[38:25] Okay, well I can tell you that that's easy, right? But you know, there are malicious insiders too.

[38:31] And the non malicious ones are the ones that do something. And the good ones, right, if they're well trained and you've got a great rapport, they're immediately on the phone.

[38:42] Right?

[38:43] Debbie Reynolds: Right.

[38:43] Matthew Rosenquist: When I oversee security for business groups and companies, I, I go out of my way to build a great rapport. I tell them, hey, you click on something, everybody makes mistakes, don't worry about it, give me a call right then, right there, 2:00am in the morning, I want to hear from you.

[38:54] And if you call me 50 times going, I think I did something and it was nothing, awesome, I'm buying you coffee. I would rather waste 50 calls figuring out nothing happened because that one next call, maybe something does happen.

[39:09] And I used to run crisis management. The clock is my enemy. I have to detect it and contain it. And the faster I can do that, the better I can limit the damage.

[39:18] So yes, call me and I will never yell at you, I will never fire you. I will stand up for you with your manager. People make mistakes, right? But call me and when they do, they click on something, they're like, oh no, what did I just do?

[39:32] Right? They're on the phone and I've got security ops on it and we're containing things.

[39:37] It helps. It helps. Not only prevention and then when bad things happen, it helps with faster detection. And often it's those business people in that business group, they know the impact.

[39:47] It just hit this server. What does that server do? I don't know what that server does. I'm not in the business unit. But they do well. Hey, how can I help?

[39:54] Yes, you can help now. So the response time is also shrunk.

[39:59] But the non malicious ones, the overall damage tends to be lesser. All things concerned. The internal malicious ones, that's where damage can get massive.

[40:12] And we've seen this, right? Think about a disgruntled employee, they didn't get their raise or they're being fired or whatnot. They can come in, we've seen them put logic bombs in products and destroy the company.

[40:23] We've seen them siphon out funds, embezzle funds, massive funds, because they felt that they were owed. How dare you fire me? Right? Or they're just greedy, Right. And they just want to siphon funds.

[40:34] Right. They've been embezzling. You know, we've seen people go in and modify records.

[40:40] That's, you know, the finance people really hate that when you go and move their decimal points around, they have no humor, no sense of humor whatsoever when you start moving their decimal points around.

[40:50] But the malicious ones can do great harm and we will even see behavioral issues. Right?

[40:58] It's a horrible example. There was a manager who was abusing an employee verbally and then it ended up being some touching that should not have happened. And she reported it.

[41:12] That person's manager didn't do anything. She reported it to HR. HR didn't do anything. She reported it to. They actually had an ethics reporting hotline, reported to that, nothing happened. Nothing happened.

[41:23] It kept going on. And finally she got so mad that she ended up going into this person's email. She had access to it, Right? She had access to this person's email as part of her job, went in there, grabbed a whole bunch of embarrassing communications and so forth and made them public.

[41:41] Right.

[41:42] So there, there's some pretty bad things that can happen with malicious insiders, whether it's justified or not. Right. But they're trusted and they have access and they can do tremendous harm to the company.

[41:54] They know the weak spots.

[41:56] Debbie Reynolds: I could talk to you all day. I want your thoughts on having cyber experience people on boards.

[42:04] Matthew Rosenquist: Oh, on like board of directors.

[42:06] Debbie Reynolds: Yeah.

[42:07] Matthew Rosenquist: This is something that's gaining momentum. And we predicted this back about five or six years ago and said the trends of expectations and accountability, they're going to go up and up and up and pretty soon CISOs are going to be held more accountable.

[42:22] You can't have them two levels under the CIO and have them at that accountability. And we saw the CISO start getting elevated in the organization, getting much closer to the CEO and then at the point to where now they're a C suite officer, whether a junior or senior level.

[42:40] But even with that, right, the boards, because this visibility and accountability is getting so high, right? FTC, SEC, you name it, they are pointing at the boards and saying, hey, ultimately you're responsible.

[42:58] And the boards are like, yeah, I'm responsible for the business. I don't really understand cyber. Right. It's not like my normal business risk.

[43:04] And so having somebody on the board to do a couple of things. When I'm sitting on a board, the first thing that I do is I'm translating for the CISO because again, CISOs tend to have risen up from the technical world and they're giving all these technical terms and talking about crossover rates for false positives and false negatives and how many alerts that they got on a firewall.

[43:31] And you know how the ACLs are configured. Absolutely. You got to tell the board about that. The board's, you know, eyes are glassed over like, yeah, we're business people. What is an ACL?

[43:41] What, you know, how does that impact?

[43:44] And so first role is to translate.

[43:48] The second role is to then help that CISO craft their messages into relevance to the larger business. Right. From a shareholder perspective, basically from a board perspective, translate the value of security to that board so the board can make good decisions.

[44:09] The board should be able to accept risk. And a lot of new CISOs go, and they're going, hey, I'm going to tell them the risk and they're going to give me all the money and I'm just going to squash a risk.

[44:18] No, that's not the way it works. Right. In business you decide how much risk you want to accept. And they are the representatives of the shareholders or the owners or whoever.

[44:27] So they have that. Right. They may go, yeah, we're okay in being hacked once every three years with less than a million dollars impact. Yeah, we're okay with that. Right.

[44:36] Target that and that is that two way communication that has to happen. And there's learning on both sides.

[44:44] Another reason to have a CISO or somebody really experienced in cybersecurity brought onto a board, and I'm asked to do this periodically as well, is they will want to understand how mature is the system.

[45:00] Right. They're really good at telling me, this is our business, this is our primary goals, this is where we're expanding to, this is what we want to do, so on and so forth.

[45:08] This is what we're worried about. From a business perspective.

[45:11] I understand that from them, then I go look at the security infrastructure and we have that conversation. What should your security goals be? Right. And is your security environment capable of attaining to that goal, reaching that optimal level?

[45:26] Right. Not too little, not too much. That zone, that sweet spot. Right. And so I will evaluate the cybersecurity capability and that also includes third parties and all sorts of stuff.

[45:39] Right. Because it's all mixed in.

[45:41] The third thing I many times get asked is a board or even a CEO will come in and say we have a CISO and in many cases we've elevated them up.

[45:53] They were in IT and they were an IT manager, and then we made them a security engineer and then a security director. And because we're required to have a CISO, we elevated that person up.

[46:05] Right, to CISO. And they want to know two things.

[46:09] Is this person incompetent and we need to get rid of them? Is this person trainable? That if we, you know, give them resources or training or a mentor or something else, can they kind of do what they need to do?

[46:24] Can they grow into those shoes?

[46:27] Very rarely do I get brought in for a company that has a superstar CISO, then go, you know, hey, are they okay? Well, yeah, they're okay. It's pretty obvious.

[46:36] It's normally in those situations where they're just not sure and they're probably not confident in the delivery and leadership of what that CISO is bringing. And again, that CISO just a handful of years ago may have just been a project manager in IT.

[46:54] So they have been on the fast track, but they don't have the skills or experience in this. Fundamentally different. Right? There's overlap, but we talked about the differences in cybersecurity and that's foreign to them.

[47:09] And it can be a big struggle. And it's almost a disservice to elevate somebody without the proper skills and tools and put them in a position of leadership and accountability for something really big.

[47:22] And now even legal liability and legal accountability, we are seeing CISOs being charged and investigated by regulatory agencies.

[47:33] So it puts a tremendous amount of stress on people. And so I'll get brought in. So if there are boards out there that aren't completely confident and understand what their security environment is and doing, and it's at the right level, maybe you've got the right CISO or the right talent already on your board to incorporate cybersecurity because it's not going away.

[47:54] But if you don't, then I would suggest finding a good cybersecurity leader to augment your board. At the very least, the very least, make sure you've got them on retainer on call, just like you have legal on call.

[48:07] Right? Have them on call to go, hey, I got something here, maybe an issue, whatever. Can you come in and just keep an eye on it and tell us, is it going well?

[48:14] Is it not? Any red flags? Great. And other companies who know that they need much more focus, bring somebody in, an expert, and put them on the board or on one of the, you know, sub-boards to really oversee things and help the CISO.

[48:32] Debbie Reynolds: Very good.

[48:33] Well, Matthew, if it were the world according to you, and we did everything you said, what would be your wish for cyber or privacy anywhere in the world? Whether that be regulation, human behavior, or technology.

[48:46] Matthew Rosenquist: Oh, so this is. This is rubbing the genie lamp and I get my wish.

[48:52] Oh, I like that. You know, where's Robin Williams when you need him?

[48:57] It's an Aladdin joke for those people who haven't seen that. Probably too young.

[49:00] Debbie Reynolds: Yeah.

[49:02] Matthew Rosenquist: So there will always be conflict. There is a tremendous amount of value that cybersecurity is now trying to protect.

[49:10] And where there is value, there are always people that are looking to take advantage of it. So there will always be a conflict.

[49:19] The best I can hope for and what my wish would be, is that we, as a cybersecurity community, and as we continue to evolve and keep pace with the bad guys, we need to be better at communication.

[49:34] We need to be better at collaboration amongst ourselves.

[49:39] Right. And we need to drive better leadership, because it all comes down to leadership. Again, in the absence of leadership, you're left with crisis. And even if you can communicate well, you're still left with crisis.

[49:52] So, you know, we need to do those things, communicate, collaborate, and at a much greater level. And then we have to have the right leaders that can navigate us down these dark corridors.

[50:06] Right. And be the tip of the spear and really figure out, okay, what are the bad guys doing? How is technology changing? What are the emerging risks? Not the ones that just shot past me on the freeway.

[50:17] Right. Which we often do. It's like we're standing on a six lane freeway and we're seeing these cars go by. Wow, that one was close. Oh, that's. That was a big truck.

[50:24] Oh, that looks terrible.

[50:26] And what we really should be doing is turning around to see what's coming at us, not what just blew by.

[50:33] And that takes leadership.

[50:35] So that would be my wish, Genie. Oh, great. Genie out of the bottle.

[50:41] Communication, collaboration and leadership. That's how we continue to evolve and move forward, move our industry forward to keep pace with the advancing threats.

[50:51] Debbie Reynolds: That's tremendous. Well, thank you so much. It's been fun to have you on the show and you dropped some really wise nuggets here that we can actually listen to over and over again.

[51:02] Very, very good. Thank you.

[51:03] Matthew Rosenquist: My pleasure being here anytime you want to chat. This is all fun stuff.

[51:09] Debbie Reynolds: It is. Well, thank you so much, Matthew. I really appreciate it. I'm sure we'll have a chance to hopefully collaborate again in the future.

[51:17] Matthew Rosenquist: I look forward to it. Excellent.

[51:20] Debbie Reynolds: Bye.