Security Market Watch

Rethinking Compliance and Cyber Security with Igor Volovich

December 07, 2023 Josh Bruyning Season 1 Episode 23

Discover the intriguing parallel worlds of cyber security and finance as we navigate through compelling discussions with our distinguished guest, Igor Volovich. Promising to equip you with a nuanced understanding of the convergence of risk and compliance, we catapult into the breach of SolarWinds and the ensuing SEC charges. With Igor's expert insights, we introduce the concept of the "ultimate audit", prompting you to rethink the necessity of a cyber Sarbanes-Oxley within the current regulations.

Our journey doesn't stop there. We venture into the realms of evidence-based risk management, championing the need for factual data over subjective opinions to assess security posture. We challenge the traditional compliance models, urging for a shift towards an approach akin to medicine, where evidence is king. The episode culminates in a thought-provoking discourse on the interconnected dynamics of CUMULAS, SolarWinds, convergence, and the SEC, all in the context of Enron. So, are you ready to redefine your understanding of cyber security with Igor Volovich? Tune in.


Speaker 1:

Igor Volovich. Thanks for dropping in, my friend. How are you, and how is the world of compliance and risk? I know you're always talking about the convergence between risk and compliance, and also, for those who are just tuning in and have never met Igor before, Igor is one of the best security strategists that I've ever met and he is just full on in this space of compliance and risk, and so they do a thing called compliance therapy. So tell us what's new in compliance therapy, and I know you've got an update on SolarWinds, let's hear it.

Speaker 2:

All right. Well, Josh, thanks for having me back again, and of course, I'm humbled by that great introduction. Thank you, I try to live up to the hype. So well, let's get into it. So, first of all, SolarWinds. What is it? What's it about, right?

Speaker 2:

The case has been out there for a while. I've talked to other folks about it, I've put some podcast episodes out there and some articles. In a nutshell, what happened was SolarWinds got breached. Everybody knows about that, and of course, there were second-order effects. So once SolarWinds got breached, their platform was used to get into other environments, and that's where the plot gets kind of thicker.

Speaker 2:

The CISO of SolarWinds has now been charged by the SEC personally, in his own name, and the reason he was charged is because they're alleging that he participated in misleading the investors and, of course, SolarWinds is a public company. They had an IPO a couple of years back. That he misled the public and the investors, particularly about the state of security controls, not only before the breach but also after the breach. And so before we go any further, I just want to put it out there: the SEC, the government, is not penalizing SolarWinds for being breached. The breach became the ultimate audit, and I'm very fond of saying it, and it's kind of a bumper sticker I've put out there for a while: consider the breach the ultimate audit. You can have all the audits in the world, you can have all the assessments in the world, but the breach will be the ultimate audit. And that's exactly what happened here, and it basically exposed that alleged misrepresentation and malfeasance.

Speaker 1:

So more about that in the middle he was on the hook for the whole thing.

Speaker 2:

Well, he's not being on the hook for the whole thing. So there's something that the SEC sends out called the Wells notice, and the Wells notice is basically the same thing as what the FBI calls the target letter, in a way. Basically, they're saying you're under investigation, get your ducks in a row, get your evidence ready, because we will be sending a subpoena and you will be investigated. So that's kind of a very nice way in the white-collar crime world where the SEC or the DOJ will let you know that you are under investigation. Stop shredding evidence, stop pulling it and run, because we're going to be after you.

Speaker 2:

And so that's where you get into what's called evidence spoliation. But that's for the lawyers. But so they got the Wells notice sent out: one went out to the CFO of SolarWinds, the other one went to the CISO of SolarWinds. The CISO is the only one who's been charged so far, so that tells you something, right? The CFO is the one who signs off on the actual control status.

Speaker 1:

Yeah, that's kind of strange.

Speaker 2:

Yeah, it is a little bit strange. It is a little bit strange. So I think what they're alleging, and if you read the complaint, which goes on for some, you know, I think it's like 50, 60 pages, if you do read it, that's what's in there, right? There were emails, there were Slack messages, were basically engineers that reported to us. So we're confirming that we just lied to a customer. The customer was asking what's going on? Is the platform breached, doing to worry? And they're telling no, no, no, we got it right. So and then there in a second, they sign off the client and there's an internal Slack message saying hey, we just like this client and this happened and infinite.

Speaker 1:

So it's like cyber security is now being treated a lot more so. You know, if we look back to Enron as sort of the example of this, cyber security is being treated more like finance because, with the SEC rule, I mean, obviously they're looking at it as finance and they're looking at the CISO as the CFO or, like you know, the CFO would have been the counterpart in any kind of financial Ponzi scheme or any sort of financial liability, you know, that might befall a company.

Speaker 2:

Well, it's a funny thing to say, right. So, and this is something that, you know, a lot of folks in the cyber security arena don't necessarily understand, right, especially kind of the more technical practitioners. We don't need. Like, there's these calls for, you know, we need a cyber Sarbanes-Oxley, right? Enron gave us Sarbanes-Oxley, also known as SOX. Right, and what folks talk about typically within the audit sphere, right, and I go back with this probably over 20 years, right, you know, I was at Microsoft when we had our first Sarbanes-Oxley 404 audit and we had an audit firm come in, one of the big four, and you know, kids with clipboards fresh out of B-school were running around and looking at controls and asking us a lot of questions and filling out these checklists. And that was the first year. The second year they were a lot better, a lot more in depth. Folks kind of figured out how to do 404 controls audits. 404 controls, basically these are internal general controls. Cyber security controls are included within IT general controls, right? So we don't need a Sarbanes-Oxley for cyber, we have it. It's called Sarbanes-Oxley, okay, but there's another section in Sarbanes-Oxley that folks don't necessarily pay attention to, and that's section 302, and this is where the CEO and the CFO, or these officers of the corporation, sign off on the state of controls. They sign off on these compliance statements and regulatory filings. So the personal accountability that, again, people are asking for, that's already built in, right.

Speaker 2:

What we have different now is the SEC, the FTC and the DOJ are aggressively enforcing the law. Right, they have new rules, no doubt about that. But what they're really saying is we're going to become more strict. We're going to deploy more scrutiny against the public statements that you make, the regulatory filings that you make and the contractual claims that you make. So if you tell a client that you have security in place and then you get breached and, as a consequence, your client gets breached, which is the perfect example, SolarWinds, right, that's exactly what happened, then we're going to come after you. Right, it's not the fact that you get breached, it's the fact that you lied about the state of control. It's the delta between what you have in hand and what you're telling people, right. Here's where the thing gets even worse: most people don't know what they have in hand, and we can talk a little more about that, right, right, well, that's what.

Speaker 1:

That's what I was going to ask. It's you've got four days to report a material breach, right, and that's not a lot of time for a lot of people to get all their ducks in a row. And you know, you conduct maybe a pre-audit once a year and then you do your official audit once a year, and a lot of times that's when you realize that you know you've got an issue. It's sort of like I hate to use this analogy, but it's sort of like the abortion issue. It's like if you're going to ban it at six weeks that's before most people know that they're pregnant, so you know if you're in a terrible, terrible analogy, but it's what that's. What comes to mind is if you're going to enforce something that will affect somebody's life, affect their livelihood, affect their job, affect their reputation, is it fair to give them only four days to report?

Speaker 2:

Well, you know, we saw the kind of response from the industry when the charges happened against Joe Sullivan and Uber. Right, we saw the kind of response that happened with SolarWinds. There was a lot of big backlash against the SEC, saying, you know, this is not fair. You know, the CISO is a scapegoat. Well, what the SEC is alleging is actually garden-variety malfeasance. The cyber thing is just, that's a sideshow. Right, the fact that his title was CISO and not CFO. If the CFO had lied about financial statements, they would be right, just leaving after them as well, right? So just because it happens to be cyber and CISOs have in the past been made scapegoats, that makes no difference in my book, right? You know, you lie about things, and these are statutory regulatory filings, sure, you can't lie, right? So I mean, there's disclaimers you have to sign. You have to sign that this is under the penalty of perjury, I am making these statements, and then you have Slack messages literally saying we just lied, right? So that's the issue. That's, yeah, that's fair. This thing is a sideshow. As far as the four-day thing, look, if you're waiting for the breach, or for the audit for that matter, I already established the framing, right, the breach as the ultimate audit, right. If you're waiting for that to figure out if your house is in order, where your controls are, you know, it's like that old commercial back in the 80s: it's 10 pm, do you know where your kids are? It's like, yeah, it's breach o'clock, do you know where your controls are? Right? And if you wait for the breach to go figure it out, spin up a crisis response. Look, I ran incident response for many years. I've created one of the first incident response plans at one of the bigger companies out there in the world, right, I get it. I understand incident response. The biggest thing in incident response is not the day of the breach.

Speaker 2:

80% of the work happens before the breach. You prep, you drill, you figure out what your controls are, you figure out who you call, how do you get people engaged, how you get them spin and spin in and spin out of the incident response process. That's the bulk of the work. You get ready for the fight and you train as you fight and you fight as you train right. You will not rise to the occasion. You will sink to the lowest level of your best training, right. And so that part of that preparatory mindset, the proactive mindset, it's about knowing where your controls are.

Speaker 2:

Guess what? If it takes you a big four firm or somebody like that to come in and tell you what your world is, right, tell you what time it is on the watch that you're actually wearing. You can't tell what time it is on your own watch. You have to give it to somebody else. They borrow it. Then they charge you and they tell you, oh, it's 4:15 in the afternoon. In the morning? What? And they go, I don't know, looks about 4:15 to me. And you go, what's your time belt? You're like, I don't know, 4:15, dude, that's all I know. Right, that's audit. That's what we have with audit and compliance, and I'll say this and take it and move forward. It's worth.

Speaker 2:

I think the audit and compliance model has been broken. I think it's been broken since day one. We borrowed these models and you made mention, right, the parallels between financial and cyber. Yeah, we took a lot of stuff from financial and we kind of poured it over to cyber, except we forgot that cyber moves too fast and this kind of this deterrent model of we're going to, you know, find some old fissons. We're going to do it retroactively, we're going to do it after the fact, and then we're going to go ahead and punish somebody and they'll create a deterrent effect, and then you know the next CISO or the next CTO or CIO, they won't do it right. Cyber moves too fast. We can't apply standard audit models to it. We have to have this continuous, always running audit and compliance model. Right. We have the tools, we have the frameworks. These standards were designed with all these threat models in mind.

Speaker 2:

NIST is a great organization. I love them. I worked with them. I still sit on a couple of advisory boards. I absolutely believe in the mission. Right. All the standards, all the frameworks. They're there for a reason and they're well designed and well thought out. The problem is we're not applying them in real time, so we don't know what's going on. We have the lens, but we're just not using a telescope. That's the problem. And so if we can flip our mind around that and say, hey, don't wait for the breach, don't wait for the audit, know where you are right now, every minute of every day. Wake me up at three in the morning on a Saturday and ask me where's control X. Stop control B in this particular framework and show me on the system within my domain where it is. Most people can't do that, yeah.

Speaker 1:

They wait for the breach. What do you think about maturity? I'm going to plug TrustMap a little bit here, because that's who I work for and we think about this all the time. We're always thinking about continuous improvement and we use maturity as the measure of. You know, that's the measuring rod. We don't use compliance, we use maturity because we often find when people rely on compliance, it's like, okay, we did it All right, get us up next year. But we want people to think about continually improving over time and then, maybe once a year, to satisfy the powers that be, whoever it is that you need to satisfy.

Speaker 1:

But CSOs want to be able to have a report that can be handed over to their customers, their partners, their board at any given time that says okay, here's where we were back in, you know, 2021. And here is where we want to go and here's how we've moved the needle over time. Here are the trends. Sometimes it goes down, sometimes it goes up, but, like you said, it's that people don't want to be lied to. They want to know that whatever we're telling them is the accurate state of our security posture, and if there are issues, we'll deal with it. And so, you know, at TrustMap we kind of have the system as one source of truth, that at any point in time you can go into the system and you can see what the maturity scores are, you can see how compliant you are, the percentage of compliance for all of your controls, and then be able to communicate any of those records to anybody at any given time. So what do you think about maturity versus compliance as sort of the measuring rod for a security posture?

Speaker 2:

I think we're talking about the same thing, my friend. Okay, I think we're talking about. So, from my perspective, security is what you do. Compliance is how you prove it, if you do it right, right. And so the problem again with traditional legacy let's call them legacy compliance models and audit models is that they rely on opinion, not fact. Right, and I think you and I have talked about it the length before.

Speaker 2:

But for our audience, again, a quick reminder when you ask the question, how do I know what I believe I know about the state of my controls, the state of my security, the state of my posture, the state of my maturity, right? These are in some ways synonymous, right? The question to ask is well, how do I know this? Because somebody told me, because I actually have evidence and telemetry and data in hand that shows me objectively what's going on, right? And so I think, if you're looking at subjective opinions, you know, just because you have a platform that somebody filled out a form in, that doesn't make it true. Now you have built in certain models and certain mechanisms to ensure that there is trust across that system, right? People shouldn't lie at work, right? That's kind of a thing we rely on.

Speaker 2:

But ultimately there's very few checks and balances because it's too complex and we're under the gun. Right, we have to get these compliance reports out because we can't do business right. If we don't do a regulatory filing, depending on the industry, we'll literally have to stop the presses, we can't do work and so you have to basically scream through these controls, do the best you can. Maybe there's some level of QA and if you're paying, you know an external firm to come in and do it for you, which most people do right. Maybe they have some internal career as well. And I have been an auditor, I'm still a certified auditor, so I get the model right, we get it.

Speaker 2:

But when you kind of ask, you know, you can get very deep in the weeds very quickly with compliance, right. It's very complex. But if you go macro, right, you kind of go strategically, 40, 50,000-foot view, and just ask one question: how much of our compliance report or audit report is representing opinion versus fact? And ultimately, if you ask fact, you're asking for evidence, you're asking for telemetry, you're asking for system data, not somebody's opinion of same, right. So asking where this came from, it's an interesting eye-opening, because folks invariably go, I didn't even think about it that way. I didn't even understand that my compliance report or my regulatory filing that is going to be scrutinized by the SEC, the FTC, the DOJ, the DOD, depending on who you do business with or which regime you fall under, it's going to be scrutinized the day after the breach. They will ask the question: hey, you have five years of clean reports, five years of regulatory filings that say we have no material deficiencies in our critical controls. That's the boilerplate phrase, yeah. Here you are being breached.

Speaker 2:

So what gives? Yeah, right. And the thing that folks don't understand is that the audit can only see so much. You know, I've been to environments where we have 4,000 line of business applications. I'm on site for three weeks. You think I'm going to look at 4,000 line of business apps? No, we've got to do a sampling, right, and hopefully that's a representative sample. Who is at? Who do I ask for the information about the sample? The client. So my knowledge, my ability to discern any level of credibility around that data is based ultimately on what they give me.

Speaker 2:

And guess what? The first 10 pages of any compliance report is disclaimers about exactly that. Hey, this is based on what we were told. It's a limited scope, limited time. There's a scope around this thing, right? So we only see a subset of a subset of a subset of data, yet we try to approximate a risk picture for the entire enterprise.

Speaker 2:

It's a probabilistic model of risk management. It's not evidence-based. So we've evolved and you know, forgive the lab coat, right, but we have evolved in medicine to evidence-based medicine, evidence-based treatment. It sounds like. You know what does that mean? Well, it means we actually are not shooting, kind of firing off into the dark and saying, hey, hope for the best, let's see if it works. No, we're looking at data, we're looking at clinical data, we're looking at experimental data, we're going through trials, we are pulling together data to inform decisions and yet, in cybersecurity risk, we still keep relying on audit and compliance to tell us where we are, and not to make decisions about where to invest. And the entire thing is devoid of any meaning. And that's my big thesis.

Speaker 1:

Oh, well said. I have a feeling you're going to die on that hill, and it's a hill that we're dying on. I hope I'm not going to die on this hill.

Speaker 2:

I hope this hill gets destroyed and that we can move, evolve into something better.

Speaker 1:

Some other hill.

Speaker 2:

Yeah, some other hill. Well, I mean, you know, it's a funny thing you mentioned hill. I've had this probably for the last 10 years. I've carried around this chart and I've shown this chart to every client and every person I've ever talked to. When they talk about compliance, and I say, great, do you know what a false peak is? And they go, yes, I do.

Speaker 2:

Okay, you know, you think you're climbing a peak and then you get there and turns out, no, there's a valley and then there's another higher peak. You've been looking at the wrong peak and so that's compliance. Right, you can reach compliance and still be insecure. That's where a lot of folks have found that they feel like they're being very strategic when they say this you're going to throw this off the cuff. Compliance is not security and insecurity is not compliance. I couldn't agree more. Right, and I am the head of compliance strategy for cumulus, a compliance automation vendor. Right, and I'm the first to admit compliance is not security.

Speaker 2:

But then we have to dig in why. We have to deconstruct, we have to understand, we have to dig into why it's not, and the only reason it's not is because compliance is great. It's a wonderful measuring stick of maturity of your posture. It tells you how well you're doing on security, if only you're applying it in real time, which means on the same time scale as security. Security operates in real time; compliance, three-year cycles in federal. Absolutely. Right.

Speaker 2:

So you look at the time horizon in security. We're looking at days, right. Maybe I mean sure, some stuff you want to look at some persistent threats. You know that might go back months or years, but ultimately we're operating in a real time in compliance, with three years behind the ball. How are you going to manage risk doing that? Right? So we need to converge on the time scale first.

Speaker 2:

And that's when you start asking questions about compliance automation. You start asking questions about where does my compliance data come from? How much of that can I automate? Can it be end to end? And another thing to understand is most folks who say compliance automation don't actually mean it or, worse yet, don't understand the difference between compliance automation and compliance digitization. Just because you took a paper process or a paper form and turned it into a digital form did not create more credibility in the data. It's still somebody's opinion, right? So understanding that, figuring out if it's an opinion or fact, and asking that basic question across the board, that's one of the ways to kind of rethink how compliance can be a true vehicle for risk management across the entire enterprise.

Speaker 1:

And that's why we need CUMULAS, and that's why we need you, Igor Volovich. We talked about SolarWinds, we talked about convergence, we talked about the SEC. We even got some Enron references built in there. Thank you so much for dropping by, and those who are listening and watching this, thank you for dropping in as well. Thanks.

Speaker 2:

Thanks for having me, Josh, always a pleasure.

Speaker 1:

All right. Okay.

Update on SolarWinds and Compliance Therapy
Compliance as Risk Management Simplified
Why We Need CUMULAS