Podcast
    Threat Intelligence

    Get Cyber Resilient Ep 124 | Finding the right cyber insurance cover with Dan Elliott

    We are joined this week by Dan Elliott, Principal for Cyber Security Risk Consulting at Zurich, member of CyAN (Cybersecurity Advisors Network) and former intelligence officer.

    CR_podcast_DAN_elliot.png

    In this episode, Dan walks us through the evolution of cyber insurance and how organisations should think about cyber insurance. We wrap the interview with Dan’s perspective on security convergence and its benefits.

     

    The Get Cyber Resilient Show Episode #124 Transcript

    Gar O'Hara: Welcome to The Get Cyber Resilient Podcast on Gar O'Hara. Dan Elliot, principal for cybersecurity risk consulting in Zurich, member of CyAN, which is the Cybersecurity Advisors Network and former intelligence officer joins us today. Dan is known globally in cyber as a clear thinker with an engaging understanding of risk in the modern organization. His past work and transition into the private sector gives him a fairly unique and well-rounded perspective on cyber and the world of organizational risk.

    Today, we talk about cyber insurance and cover a lot of brands. Dan walks us through the evolution of cyber insurance, how organizations should think about cyber insurance, which is not how they often do think about cyber insurance, risk profiling, breaches and how cyber insurance can help on what Dan calls the bad day. We ran that with his perspective on security, convergence and its benefits. Over to the conversation.

    Welcome to The Get Cyber Resilient Podcast. I'm Gar O'Hara. Today, I am joined by Dan Elliot, global cybersecurity risk advisor and former intelligence officer. How are you going today, Dan?

    Dan Elliott: Doing well, thanks.

    Gar O'Hara: Awesome. So good to, uh, to have you here. We've had many, many good conversations over, what, probably the last year, I suppose, maybe more actually and, um, we finally get to hit record and, and get one on, uh, well, I was gonna say tape, it's not tape anymore, isn't it? Like ones and zeros, but, uh, so good to have you here today, uh, Dan. Hey, let's do it, the first question, and we always get to, um, is how did you get to where you are today? And I'm looking forward to this one because I kind of know your, your backstory [laughs], so, uh, I'm looking forward to a good tale.

    Dan Elliott: Yeah, it's, you know, it's good to finally get something discussed out because we talked so much while I was still on the inside of government that now things can come out. So it's, it's great to have this. Thanks for having me, Gar. Uh, so I'm with Zurich Canada now as our resilient solutions have been since fall of last year. Uh, doing this job, I, basically, I advise all of our clients, internal and external on their cyber programs, look at what their risk posture is and, and help to improve their resilience. Prior to that though, I spent, uh, 15 years in the public service in Canada, the last six of that with CSIS with our branch, I guess, of, uh, uh, ASIO that, that, you'd be more familiar with.

    During that time, I had a bunch of confidential roles, doing work in the field, um, looking at, I mean it's, it's no grand secret, looking at everything from counterterrorism to counterintelligence and, and state-sponsored threats. I also had a, a in-office role, and in doing that, I worked in, in risk management and risk services type of deal where doesn't have a direct relation, but looking at what the service did and, and the potential risks and, and looking how we, we assess that and how we offset that.

    So that was, that was a good time and, and lots of stuff that I, I won't open up to on, on the pod. Sorry, you, you missed that.

    Gar O'Hara: [laughs].

    Dan Elliott: [laughs] but I mean, before that, um, I was with a, a pile of different, uh, law enforcement acronyms in Canada, uh, working in, uh, national security and, and cross border terrorism and organized crime. I did some undercover work way back in the day and, and then I worked in, within integrated enforcement team, chasing after, uh, terrorists in, in big city and small town Canada doing, uh, interviews and takedowns and, and, you know, uh, online investigations into organized crime that we're doing the early days, I guess, while earlier days of business email compromised and granny scams and pulling that working with the Germans and the Americans and a pile of other people. So it was a, it was a good 15 years, I'll say that [laughs].

    Gar O'Hara: I now you've made the, you've made the switch, right? You've, you've sort of jumped over into the private sector. How's it been? Like what are some of the differences you've seen?

    Dan Elliott: You know, it was, it was the right time to go. I love the mission and mandate that, that CSIS had and, and loved my work, but there's a specific road. I mean, uh, everybody in, in that job, uh, knows their roadmap for their 10, 15, 20 years. And then I just decided that I wanted to go a different direction moving into the private sector. It's a lot more, I hate using the term over and over again, but it's greenfield, you know? You, as, as long as you can see an opportunity to build something and develop something and, and make it better either for the, the organization or for clients, they'll give you the space to do it, you now? They, they, even a company as big as Zurich, that's basically a country unto itself, um, there's loads, been loads of opportunity for me to see how we can change the way we work with clients, how we can build things, how we can develop as an organ dictation and that flexibility is very different than the way the, the public sector works.

    Gar O'Hara: Yeah, fantastic. And cyber insurance, um, it's, it's sort of an interesting topic and, and sort of area of cyber, I, I, I suppose, um, and has been controversial along the way, I suppose. There's been some interesting, um, stuff that the media runs, you know, its value and, and where it sits. I think, you know, it's clearly very, very important, um, but it's changed. And I'm keen to get, get your take on how it's evolved over the sort of last, say, five years, because it seems like it's a very different kind of conversation these days.

    Dan Elliott: Yeah, uh, it's, I still think it's, it's, uh, a bit of a black box. I, I, I have a chance in a few occasions to liaise and, and interview with kind of on the side a bunch of CISOs and IT directors, uh, who aren't necessarily our clients to get an idea of what they see it as. Um, and, and there's still a lot of rumint going around, uh, where people think, "Hey, I heard from this guy that, you know, all I need is this and I can get, get it covered," or, or, "There's a 200-page report I have to fill out just in order to, to get in the front door," and it's, it's everything that you don't wanna hear. And I sit on the inside thinking, "I don't wanna read 200 pages and I don't wanna, wanna see you walk out the door with two, two risk controls in place, and sure, tell you to transfer all the rest."

    So I mean I, I think as an, as an industry, there's a bit of cart before the horse where we, and, and it's a bit of generalizing, but I saw a lot of people in early days looking at risk transfer, risk insurance as their first piece of that risk assessment or risk management equation and risk mitigation and risk ownership sitting down the, the troughs. So it's like, "Well, let's see what we can get risk insurance to do, cyber insurance to, to cover off and, and what we can transfer and then we'll mitigate the rest." And, and what I've started to see and I think it's been driven a lot by, you know, big breaches and, and payouts in the media is that ...

    Gar O'Hara: Hmm.

    Dan Elliott: ... risk insures, that insurance has gone up and the ability for people to get it has, you know, become a bit more difficult and has meant that they've had to look instead at, "Okay, well, what can we mitigate? What can we do first inhouse before we go out to, to get, to transfer what's leftover to, to get the insurance on the other piece?" I think that's a healthier equation because I, I, I, I hear from people all the time in the industry who are concerned about, "Well, before agreed, this is all I can get in funding, you know, to, to improve my program after a breach. You know, the coffer opens and I'm able to spend all this and all these controls." And I don't think that that was a good equation then, especially when they were spending money on premiums for, for insurance. Well, you need to, you need to find a mix where, "Okay, we're spending money on, on better controls. We're making ourselves more resilient internally, but we know we have to transfer. We have to have some of this, you know, whether it's business interruption or, or assets that were covered off from financially through, through insurance."

    Gar O'Hara: Yeah, that makes, uh, well, that makes a lot of sense and it does feel like, um, the other way. It's an interesting psychology, isn't it? The, the sort of transfer of risk and, and the idea you can just throw money and not do the work in, you know, in a way to oversimplify. Um, you sort of covered it here, but look, what, what do you think organizations as they sit down and think, "Okay, well, cyber insurance, we, you know, we need to have a good think about that and, and kind of go after?" What, what should they be thinking about and considering as they evaluate their approach to cyber insurance and maybe they're insured and they're looking to, you know, ratify, um, you know, kind of rationalize a policy or, or change? Like what, what are the things that you would say they need to be thinking about?

    Dan Elliott: So I think it depends on the size and scale of, of the organization ...

    Gar O'Hara: Right.

    Dan Elliott: ... but the first thing that I'd be saying is they should be having conversations internally. And, and I see, uh, I, I see it run the gamut. And, and when I've talked to people, you know, over a pint or have had a meeting an interview with them, it, it comes up the same thing, which is you'll see some it leads, whether it's CISO IT director, whomever, who just gets handed the, the questionnaire sheet that came from the risk manager, "Please fill this out. We need to, to meet with the insurer or the broker," and then you see the other side where they've had, you know, a, a conversation over the year through the, the, the last couple of years to understand where their program is sitting and, and have that kind of collaboration so that it's, it's assessed as a business risk not just as an IT problem with an IT questionnaire that then goes through insurance.

    So I think that ideally you wanna have a conversation inhouse so that the IT team understand or ITIS team understands the business risks that they're taking on some responsibility for and then they're all having that discussion to go, "Okay, well, what are we doing to mitigate that, that risk or offset some of that risk inhouse and protect o- ourselves and look at our crown jewels? And then, you know, how expensive is it going to be for us when we go," because it will be when, "when we go down, when we get hit, you know, and how long does that can last?" And that way they can have a, a realistic conversation with their broker or with their insurance and say, "Okay, well, I can see that this is how much it's gonna cost me per day if we go down and so this is how we need to run. This is what we expect our, our RTOs to be. This is what we expect to happen and, and what, what will be costing."

    Hey, I think a lot of times those conversations will not [inaudible 00:10:45]. Let's say, hey, in, in the, the less mature organizations, those conversations aren't happening. So by the time they start talking with me or talking with, uh, an underwriter, it's a bit of a deer in the headlights sort of situation where they don't know what their crown jewels are. They haven't really thought about, you know, what it costs them and you talk to a CISO who doesn't know what it costs if the network goes down for a day, a week, a month. Uh, I mean those are numbers that, that they wanna know because when they're talking to the board, they need to be able to, to say that. And when they're talking to their insurer or their broker, it, it behooves them to be able to say, "Well, you know, I know if, if our primary network goes down, if our OT system goes down, this is how much it's gonna cost on a, on a daily basis or a weekly basis."

    Gar O'Hara: Do you think that sort of things ... You, you kind of used the phrase, "Deer in headlights," and I, I kind of get that and, and you know, even skim the surface of some of the kind of approaches for risk analysis, you know, when you get into the quantitative/qualitative stuff like, uh, it can get pretty gnarly and pretty difficult. And I suspect many teams are already underwater and just, you know, struggling to get through their day jobs and then someone says, "Well, you know, how much is it gonna cost per day?" And, you know, it is that kind of, "Oh, my God, how do we even start to tackle, you know, the actual financial costs and probabilities and, of impact?" Uh, what's the solution there? Like you got a small team or, uh, an experienced team, is that something like your teams can come in and kind of help with?

    Dan Elliott: Yeah, so I, I do think it would be really helpful for organizations to bring in outside assistance. It's always beneficial. Uh, it's gonna bolster their, their position. I think there's a, a tendency of leadership, a tendency of boards to take that outside view, that outside report before just taking the reporter or instruction of their CISO or their, their IT team. And I'm not sure really where it comes from, whether it's the idea that, that they don't speak the same language or they don't understand all the goals of the business, but, uh, I see it over and over again when, you know, a, a CISO will tell me, "Well, this is what we're trying to do. These are the, the, the goals we want," or, "This is the, the risk control I wanna put in place," and then we go in and do an assessment, come to the same conclusion and all of a sudden, there's funding for, for those goals or, or those controls.

    So it's beneficial, but I would also say that if you don't wanna do that or you, you're a really small mom-and-pop shop, an SME, can't afford to do that, whatever the case may be, look at your, your top line, right? If, if you just look at, "Okay, what is my revenue across the year, and in a worst-case scenario, if we grind to a halt tomorrow," because, you know, forget about, you know, e- employee HR data going out the door, "If, if we cannot operate tomorrow, how much are we, revenue are we losing on a daily basis?" And even if you start with that, you know, the sky is falling sort of number and gauge that out, at least at a simplistic view, that will give you a starting point for, "How much is it costing me when we get hit and if we don't have things in place?"

    Gar O'Hara: Uh, no, that makes absolute sense. And, and to your point around having the outside voice, um, in Ireland, you too had to leave and go to America before the Irish people realized they were a good band, same with The Cranberries. So t- there's something there. And I'm gonna tell you like and this is probably not the time or place and I'm probably gonna get in trouble, I could say something like a hundred times that I think is a good idea to my wife and I'll get a nod and, you know, it'll be, "Yup, cool, whatever." One of our friends will say it once and s- she'll go, "You know, Bob just said this and I think it's a really good idea." I'm like, "You're kidding me?" Like I haven't, haven't been saying that for six months. Anyway, this isn't a therapy podcast. This is-

    Dan Elliott: [laughs] I, I will get in the same amount of trouble, so I'm just gonna sit quietly [laughs].

    Gar O'Hara: [laughs] yeah, uh, so looking, I mean y- y- you've sort of pointed to some of this, I think, but like the difference between SMEs or even mom-and-pop shops versus like a very large organization and, and the value they derive from cyber. I'm assuming there's some differences in complexity, premiums, differences in value, you know, this sort of worst-case scenario and you need to kind of lean on cyber insurance, there's gonna be some differences there. What, what are they? Like what do you see the big ones has?

    Dan Elliott: So, so most of our clients, we work, we tend to work in the kind of middle marketer. So you're looking at 10 to 20 million in revenue a year and, and, and up. So that's, that's an easy space, easier space to assess because it is pretty quick for them to look at, "How much I'm bringing in and how much it would cost me in business interruption if I get shut down for, you know, three weeks or three months. We, like it's, it's gonna cost more than, than either our ownership or our shareholders want to bear. So, so we go there." When you're getting into the SME space and smaller, you really have to look at what it will cost you to go down versus what risk controls are worth and what you can afford to put in place. And I think one of the challenges in that space is that a lot of the insurance market is built for middle market and up, for the large scale, you know ...

    Gar O'Hara: Yup.

    Dan Elliott: ... yeah, not eight-figure, nine-figure companies to, to step into because the question there is all of the assessments are based on, you know, I, I, I don't say a gold standard for, for NIST or ISO, but definitely a silver standard, right [laughs]? And, and mom-and-pop are, are looking at, you know, things like the ASD Essential 8s and, you know, "Can we get these half dozen to, to a dozen items in place to, to just look after our, our day to day?" And I think that's where you wanna really look at what you're doing per day and, "Can I do the basics?" or, "Can I offset this another way?" Uh, I work with some of the, the smaller insurers and, that work in that space and what they're finding is, if they can help bring a client along, that the actual insurance is not that expensive for their size, but ...

    Gar O'Hara: Yup.

    Dan Elliott: ... they are not doing any control. So a lot of them are, are sitting in a space where they have, you know, there's password 123, you know, our, our default passwords on, on their, you know, in-shop Wi-Fi networks. And, and I think coming in with some risk controls first makes it a lot easier to have a discussion with an insurer or with a broker about, you know, what do I actually need to offset.

    Gar O'Hara: And, and that's a really good point, actually, excuse me, one of the things we, we've sort of spoken about a little bit is the, you know, the risk profile of an organization as you walk in the door or your team walks in the door, you're presumably gonna see different things in different organizations for all the reasons, we are all well aware of in our industry, uh, when it comes to the people process, technology side of things and cyber considerations and how they even think about risk. Um, you know, I- I- I've had my mind blown even on the vendor side sometimes in conversations with CISOs who are frustrated because their owner has an iPad that doesn't even have a PIN code on it and that iPad has all the corporate email. And, um, you kind of think, "Well, that's the, the sort of age we live in."

    Anyway, when you kind of walk in the door, w- when you're looking for risk profile, what are the, what are the things you're kind of looking at for as you and your team kind of start to evaluate what an organization's premiums will ultimately end up being?

    Dan Elliott: So I sit in a, a really fortunate space in risk services that the underwriters get to assess, "Okay, this is where, what our actuarial tables are and this is where the premiums are gonna be said, 'This is what it costs.'"

    Gar O'Hara: Mm-hmm.

    Dan Elliott: I get to sit in the space where I advise them. I close my eyes and, and, you know, cover my ears when, when they start talking the premium numbers because sometimes it's scary. And, and I think ...

    Gar O'Hara: Yeah.

    Dan Elliott: ... it's sometimes scary because organizations haven't invested in risk controls for so long that now there's an expectation that they've slid up that maturity chain and, and they're not as far up as they'd like to be. So when I go in and, and have a chat with them first, I'm looking at, "Okay, what's your, what are your crown jewels? What are the vulnerabilities around that? You know, what are the risk controls you put in place?" And I start to build those layers out from, from that point and then look at the basics. And, and I really say the basics are, "Well, what are your backups look like? Are you running MFA? What are your identity and access management controls? Like, you know, what, what is your, your security training look like? Is it a once-a-year click-click questionnaire or is this something that you've got employees going through all year?" So I mean, there are ...

    And oh, man, governance and policies, like, like, that could do a whole discussion on, on the wide array of telephone books that I've seen dropped when we've had, you know, chats about, "Okay, well, what do your, what do your policies look like? And then what's your incident response plan look like?" And they're competing to see which is gonna be thicker. So, you know, it's, it's a huge gamut. So I'd say I, I, I tend to with our team look at, "Okay, what are the bare basics that we wanna, wanna see that, you know, everybody basically needs just to show up, you know, 'This is your buy into the game.'" And then from there, we look at, "What are the specific risks that your organization has and what are you doing? How well do you understand, you know, the vulnerabilities of, of your core, your, your core business, your, your, you know, the crown jewels to, to be able to run and, and keep going?"

    And there are a lot of organizations that understand NIST and understand the list of controls that they wanna have, but you can't have a conversation with them about, "Okay, well, what's your crown jewels? What, what will stop the business in its tracks? And, and what are you doing around that?" I, I think when you, when you see a company that can have both of those conversations, I feel a lot more comfortable going over to the underwriter and saying, "Okay, they, you know, they're missing these things or they have all these, but they understand, you know, what's going on." So obviously, there's a building there.

    Gar O'Hara: Yeah, understood. Um, it will ruin the conversations I had this week. Actually, it was this, uh, the idea of, and I think we may actually get to, to this in, in later part of the conversation with the idea of the kind of mature conversation around risks and that it's, it's on a scale of, you know, sort of zero to 100. And these days, you can, it's probably veered off towards the, you know, a probability of one. And the psychology of that is very different from the ... We're gonna put a bunch of controls in place and it's gonna be fine. And, and I say that because what you've just said there is that idea that they, they understand the things that are missing and they kind of, they've had the adults conversation around where they are and does that sort of fit in terms of the business and, and what they're comfortable with.

    Do you feel like that changes the psychology then of the CISO role or the security team role, because they're not expected to do the impossible or expected to basically hit a, a sort of point on the, on the dial?

    Dan Elliott: Yeah. Uh, and sadly, and I think in Australia to Canada and, and Canada to the US, I, I see differences geographically and, and in markets ...

    Gar O'Hara: Yup.

    Dan Elliott: ... when I'm talking to people because Canada has been, uh, I'm gonna, I'm gonna hurt myself statistically ...

    Gar O'Hara: [laughs].

    Dan Elliott: ... when I say this, but Canada has not had the, the degree of, of hits and breaches publicly that AUS has had per capita and, and that the US has had ...

    Gar O'Hara: Yeah.

    Dan Elliott: ... just based on scale and, and on media. So I, I, I'm finding a lot of CISOs, who have taken a bad hit and are fortunately still employed by that organization and now they can have a much more mature conversation with their leadership team. And their role has changed because it's no longer about a cost center that I have to go in each time and explain why I need to spend money on this tool or this control or this security awareness program, that now the leadership and executive understand how they fit into the overall structure of the business and keep the business up and running and moving forward.

    And I think that I see a, a lot of companies in that space. There is not as high a percentage of organizations where the CISO or IT director still has that relationship with the leadership pre-breach. And I think it's because, in Canada at least, we haven't had as many, you know, media headlines that have made it clear that everybody is, is on the verge of getting hit like where you, you must have that relationship with your CISO or your IT director where they are in the room chatting with you on a regular basis about, you know, what the vulnerabilities are, what they need, what-

    Gar O'Hara: Mm-hmm.

    Dan Elliott: You know, that, that it's not two disparate groups.

    Gar O'Hara: Yeah, yeah, that definitely makes sense. Hey, with, um, the sort of requirements we're seeing these days quite often for cyber insurance even do contracts with other companies and you see they show up more and more. And, um, you know, obviously, the, the stuff going on there, you see that, you see the, the kind of the impact of premiums and for cyber, um, insurance based on the kind of maturity and you've kind of mentioned a lot of that already. And you've sort of hinted towards this, but do you see this kind of incentivization to better cybersecurity controls and better approaches from boards when it comes to kind of risk within organizations? Do you think cyber insurance has been that good lever?

    Dan Elliott: Yes, I, I, you know, and, and, it, uh, I'm new enough in the industry that I, I won't sound completely like the whipping boy when I say this, but I think ...

    Gar O'Hara: [laughs].

    Dan Elliott: ... it's, it's been the, the case where cyber insurance has taken the heat for where people should have been investing before now.

    Gar O'Hara: Yeah.

    Dan Elliott: So cyber insurance was inexpensive, so people just, "Well, we'll throw it there. I don't need to invest in our own controls, our own defense in depth." And, and now all of a sudden, cyber insurance is really expensive, because as an industry, it was losing money and so, "Hey, you know, maybe we should invest in the controls inhouse," and, and it's changed the mix. And, and, you know, I, insurance never gets a good name. I mean when, when has somebody in the insurance industry ever g- gone to a party and I'm pretty sure that I, I had one of my cover years and years ago where I said I was in the insurance industry and nobody would talk to me. So, um ...

    Gar O'Hara: [laughs].

    Dan Elliott: ... I, I mean, it's a quiet place to be. You're, you're not the life of the party. And when you are, it's usually for the wrong reasons. But I think what it's done is it's forced people to look at other options. They know that, you know, there's, there's a concern, there's a threat and, and maybe insurance isn't the only way I can do this or I have to retain more of that risk before I, I can start insuring it. It's, I look at it as if you had, had car insurance and then all of a sudden next year, you went in to get it again and they said, "Okay, well, the first $5,000 of, of any accident, you have to pay for out of pocket."

    Gar O'Hara: Mm-hmm.

    Dan Elliott: Y- you'll travel a little lower, you know [laughs]? Like you, you might, you might find a different way to, to get to in and from and, and I think that's the difference between ... I had that that conversation where I was telling people that, "Okay, if right now your deductible is 500 bucks or 1,000 bucks on your car insurance and, and you know, your insurer is gonna pick up the rest as long as you're not driving like an idiot. " Well, I think what's changed is, all of a sudden, it's gotten more expensive and you have to pick up the first 1,000, 5,000, 10,000. Well, it changes the way you do things and, and cyber insurance has changed the way people ... You, you can't change the way you, you generate profits, so it has to change the way you look at your own defenses and you, you look at the way you're controlling your business.

    Gar O'Hara: And, and we're gonna kind of move on from the topic shortly, but, uh, I suppose the last part when the, when the bad thing does happen. Um, obviously, that will, this whole conversation has been around, you know, evaluating cyber insurance and, you know, that sort of pre-incident in, in many ways, but worst thing happens, it's probably gonna happen. Um, what does an insurance company do? Like what, what can you guys help with?

    Dan Elliott: So it, it, it's a nice, "It depends." I love this space. I love being able to answer everything, "It depends." Um, you know, I, I would say I hope there was a conversation with the insurer long before that bad day, right? Like ...

    Gar O'Hara: Yup.

    Dan Elliott: ... if, if your insurer has a claims division that's willing to talk to you, which they normally will, then you should have that conversation from the get go. I, I talked to a ton of people with our claims group and independently where we talked through, "Okay, well, you know, what's a bad day look like? And, and you know, do you have these people on a call list? Do you need help finding those people? And, and what are you gonna do, um, so that your bad day isn't as bad?"

    Gar O'Hara: Mm-hmm.

    Dan Elliott: Let's say you likely, let's assume you've done that, when bad day happens, your insurer is probably gonna be one of the first people you call. And depending on whether they have, you know, uh, uh, to keep it simple a list of, of, you know, service providers you have to go to, you should have probably already engaged with those groups to see who you wanna work with. And like those are all the pieces that, that as an insurer or as the, the risk services group attached to an insurer, we end up helping people get to really fast because that, that lag time or dead time can, can be really expensive [laughs] for you ...

    Gar O'Hara: [laughs] mm-hmm.

    Dan Elliott: ... and, and really stressful. We see, I see a lot more gray hairs on the organizations that don't have a call list of who's gonna be their incident responder than the ones who already have figured it out they've tested it, they've, you know, run through tabletops. And they talked to their insurer about what they need to do. So I think early engagement is the key and then, you know, notify your insurer when it happens and, and if you're really caught with your pants down and you have no idea, no list, then your insurer is like, our policy, our policy guys, our underwriters, our claims people have done so many of them.

    Like they know who to talk to. We know who's gonna help, so we're very quick to, to direct somebody because the faster that a company gets back up and running, you know, I hate to be selfish, but, you know, that's the less expensive it is for your insurer, and from my personal point of view, the quicker it, you know, screws over the bad guys [laughs], so, so I'd like to see that happen pretty fast.

    Gar O'Hara: Yeah, it's, uh, uh, excuse me, um, it, it seems like there's so many analogies to cars here and, you know, when you think about when you've got a car crash, like nearly the first call you make is to your insurance company, right? And they're the ones, who know the panel beaters and the, the best shop to get it fix and to get ... Yeah, like i- i- it's the, an, it's the comfort feeling because if you had to do that on your own, it would be a bloody nightmare. So, you know, it wouldn't be the same and, um, and sort of little ... Let's kind of pivot a little bit here. And you actually wrote, uh, pretty recently I think, correct me, it's like the earlier this month and you put out an article on, uh, security convergence, uh, which I thought was a pretty interesting, uh, article, but it'd be great if you could kind of walk us through what security convergence is.

    Dan Elliott: Sure. So it, it, I, I love it because it sounds like something new even though it's like a decade old and, and, you know, it just keeps spinning the drain while people decide what they're gonna do with it. It's basically bridging the silos between your physical and your cybersecurity groups ...

    Gar O'Hara: Yup.

    Dan Elliott: ... who usually work disparately and, and don't talk to each other and, and often have, you know, completely different leadership teams and completely different goals. And, uh, it's, it's bringing them together so that they work together in a, a unified purpose rather than cross purpose and they share information. And they'll often, you know, share risk and, and threat information back and forth. And they'll have an awareness at least on a general knowledge of what the other group is doing on a regular basis. So in its, its, you know, 20,000 foot view, it's looking at your security team as a digital and physical portions of one unified group rather than, you know, "Where's my physical security and where's my IT IS group?"

    Gar O'Hara: Yeah, that makes sense. And what, what, what's the kind of outcomes there? So you kind of talked about the convergence, but presumably, you don't do it for, for fun, um, unless those guys love to party together and maybe you do it for fun, but I'm assuming that there's, there's [laughs] gonna be some sort of key benefits that will come out of, of moving to converge model.

    Dan Elliott: Yeah, I mean it's, it's basically information sharing and, and crisis management. It's, it's ...

    Gar O'Hara: Yup.

    Dan Elliott: ... using the skill bases from all of these back and forth. I, I look at it as, you know, if, and, uh, you know, without, without naming names, you know, I used to have at times when we had to get into a building to be able to access a network or to be able to access a room. And the organizations that have really disparate security groups, it makes it a lot easier because they're not thinking cross purposes of, you know, "Who is getting into a building and what's our security look like for access there and physical camera security, and, and, you know, door access points versus the network security and, and digital risk who you face?"

    And then I, I deal with, you know, on a corporate security side, when it comes to threat intelligence, where we see threat intelligence that may be sharing your, your name, your date of birth, your home address and your family and wife's name and all that sort of fun stuff, that, uh, that, that may be floating around on the dark web, may be really useful for the executive leadership team security detail and things like that when they're traveling. And I, I think those back and forth, that information sharing and awareness, it's, it's the same reason why ... So working in the intelligence world, we used to do a lot of security awareness training for all of our staff.

    And the discussion used to be that, if I was in Ohio trying to approach somebody when I was working in the intelligence side, I would not approach it another intelligence officer to try to recruit. I would try to recruit somebody on HR or finance or, you know, some, some level that had access, but wasn't a hard target and didn't know everything that I knew to, to be able to offset it. And this is similar to that. When, when I'm looking at physical security, I want to get as many people up to my standard as possible. When I'm working on the digital security, cybersecurity side, I want to get as many people up to my standard as possible.

    And if you have people who already have a security awareness, just in a different field, it's a lot easier to get them engaged and aware and up, so that, now I've doubled my workforce, I've doubled my, my information sharing and awareness, it's a lot easier to get champions for, you know, cybersecurity awareness if you've got all the physical security guys who are interested in it as well. So I think that it's, uh, we can talk about cost savings and efficiency and all that and I, I mean HR would, would love that stuff and the executive would love that, but really, it's, if I can increase engagement and get, get more people who are ...

    Gar O'Hara: Mm-hmm.

    Dan Elliott: ... interested in all this stuff and there's cool stories, I used to, to, to do some, you know, reaching out to, to private companies and reaching out to kind of critical infrastructure, talking about war stories and everybody thought it was cool, whether I was talking about, you know, cyber offenses or if I was talking about, you know, some, some physical, uh, building breaches and, and everybody thinks that the other person's work is cool, so like engage those groups to get, "Yeah, they may like drinking together, who knows?" But ...

    Gar O'Hara: Yeah.

    Dan Elliott: ... engage those groups together professionally, so that they start to understand what the other guy is doing and, and then you double your team.

    Gar O'Hara: Yeah, just painted a picture for myself, a little bit like Dolly or, you know, there's physical security and the cyber guys just blind drunk together and, um, as the, as this sort of cyber attackers casually walk into the building and plug straight into the matrix. Gotta love it.

    Dan Elliott: I bet that would be a great way to start your team, you know? "Hey, let's have the, the CSO bring all the guys together, drinking all in one night."

    Gar O'Hara: [laughs].

    Dan Elliott: "Nobody's in the shop." Yeah, that's, that's when my whole theory goes too, uh, really fast.

    Gar O'Hara: [laughs]. Love it. Well, I mean looking at, you've painted a pretty, uh, compelling picture, you know obviously allies, when it comes to any kind of initiative in, in an organization and it's going to be good thing. Clearly, it's not something that, that does happen maybe as often as you would like to see it happen. What, what do you think is going on there? Like why is there sort of a reluctance or a slowness in that convergence?

    Dan Elliott: Uh, uh, I think, uh, of the, the groups I've talked to, there's a couple of things. Uh, I think people don't know where to start, so you have a, you might have a chief security officer, might. You might just have a, a head of security and, and he doesn't necessarily know who to speak to within the, the IT director group or within the CISO group or whomever. So it's, it's not knowing, "How do we blend these together?" because they're in completely different channels. One's probably reporting to the COO. One's reporting to the CIO or the CFO. And then you also have an issue of assumptions in communication where, "I assume that that guy doing, you know, building security or security guards, well, they don't know anything about what I need to protect." And, you know, the, the building security guy looks at the, the IS group and goes, "Well, a bunch of computer guys, they don't know anything about security." And, and I see those types of kind of profiles going back and forth where they've watched too much TV about what the other person is doing. So they think that ...

    Gar O'Hara: Right.

    Dan Elliott: ... either that's too complicated or that's too easy. And, and they're not having those realistic conversations about where their job overlap is. I used to say that, um, uh, the number of times I've seen in a movie, somebody pick a lock with a hairpin, everybody assumes that they know how they're gonna do that, until they actually have to try to do it. But every bit of security controls and anytime you see somebody either protecting or breaking into a, a, uh, a network, it looks like The Matrix. So you know, "Which one am I gonna think is easy and which one am I gonna think is, is impossible to communicate with?" And I think once you break down those conversations in those silos, it's a lot easier to start to converge.

    Gar O'Hara: Yeah, it, it definitely ... Well, you said there's gonna ring a few bells for me. Uh, there's a YouTube guy called the Lock Picking Lawyer, uh, which is fascinating for anyone who's, uh, even vaguely interested in picking locks, which it turns out, maybe I am. Um, but it, yeah, it becomes very clear. Like there's, there's a lot going on there that involves more than [laughs] more than a hairpin or a credit card, you know, which you see in the movies. And then on the cyber side, I mean, it's the, you know, this famous hacking scenes, but I, I, [laughs], but I think is it NCIS or one of those shows where they literally have two [laughs], two people typing on the same keyboard to hack quicker. It's, uh ...

    Dan Elliott: Yeah.

    Gar O'Hara: ... it's a-

    Dan Elliott: I love the blow out screen. [laughing] Yeah, the like ... It's, my favorite is still to this day Hackers where, you know, this age myself a little bit, where you see all of the, the code popping up in the sky around them like, "Oh, this is what they're doing."

    Gar O'Hara: [laughs].

    Dan Elliott: Yeah, and it's, it's amazing how little the impression has changed in media over the last 40 years.

    Gar O'Hara: Yeah, I think Mr. Robot, they, they sort of got it when you look to, you know, even the detail of, of some of the stuff that was getting sort of typed in. It, it, it was actually [inaudible 00:38:13] make sense and it's contextual. Dan, it's been an absolute pleasure as it always is to, uh, to talk to you, and finally, glad we've got a little red circle and we've managed to record, um, the conversation. So thank you so much for taking the time out and we have the audience, um, very, very much appreciated, and, and hopefully, like if it's something you're interested in, we chat on in the future.

    Dan Elliott: Thanks so much for having me. It's, you know, we have had far too many conversations without the red dot. So, you know, it's, it's great to, to get on and happy to come back anytime.

    Haut de la page