Producer [00:00:00] Welcome to Security Visionaries, a podcast powered by Netskope focused on bringing you conversations with senior executives from the world of cybersecurity, technology, trust and networking. This episode features a conversation between Shamla Naidoo, Head of Cloud Strategy and Innovation at Netskope, and Homaira Akbari, president and CEO of AKnowledge Partners, moderated by Steve Weber, a professor at UC Berkeley in the School of Information and a partner at Breakwater Strategy. As coauthors of the recent book The Cyber Savvy Boardroom: Essentials Explained, Shamla and Homaira discuss their impetus for writing this book, how it addresses evolving trends in cybersecurity, and the sorts of feedback they've received on it from their peers. Here's our conversation with Shamla, Homaira, and Steve.
Steve Weber [00:00:45] Welcome to the Security Visionaries podcast. My name is Steve Weber. I'm a professor at UC Berkeley in the School of Information and a partner at Breakwater Strategy, which is an advisory firm based out of Washington, DC. It's an honor for me to host this podcast. I've spent ten years in and around the cybersecurity world from the technical side, the business side, the policy side. And one of the most interesting and challenging and important dynamics has been the cybersecurity conversation as it happens in the boardroom, watching directors grapple with oversight and governance of this really fast-moving and complex set of risks. And into that mix now come Homaira Akbari and Shamla Naidoo with a new and very compelling book, The Cyber Savvy Boardroom. I'll say it's remarkable on a number of different dimensions, but for me mostly for its readability, its immediate practical usability and, frankly, the scope of its coverage. So let's start from the beginning. Homaira, Shamla, tell us who you are, how did you come to write this book, and why now?
Homaira Akbari [00:01:58] I am Homaira Akbari, president and CEO of AKnowledge Partners. I started my career as a scientist in experimental particle physics and worked at CERN, the European Center for Nuclear Research. I spent half of my business career leading technology businesses with companies such as Thales in France and Microsoft, Liberty Media, and was the CEO of Skybitz, an IoT company. I'm currently on the boards of directors of Banco Santander and Landstar System. In my current role at AKnowledge Partners, I work with large corporations and private equity in the domains of security, cybersecurity, IoT, energy transition and artificial intelligence.
Steve Weber [00:02:43] Shamla?
Shamla Naidoo [00:02:44] I'm Shamla Naidoo. I'm a long time technologist. I spent four decades in technology and about half of that time I've spent as a leader of cybersecurity in large organizations. I'm on three public company boards and I teach emerging technology law and global privacy law at the University of Illinois. So I bring three different perspectives to the same conversation, which is being a practitioner, being on the receiving end of those board updates, and then learning and understanding the regulatory commitments and obligations of the board.
Steve Weber [00:03:16] Talk about why now? Talk about the timing and the importance of the urgency of the book in 2023 moving into 2024, if you would.
Homaira Akbari [00:03:27] Realistically, this book should have been written a year ago or several years ago. But the urgency now is that, as you have seen, Steve, and as everyone has seen every day, we have news of this type of cyber breach, and these cyber breaches are becoming larger and larger and bigger and bigger and they are extending. It used to be that it would be only financial services or health care, but now it's extending across all industries, all customers, all entity sizes, whether they're not-for-profits or family offices or large public or private companies, and the small ones equally. And that is specifically due to ransomware, which is basically the type of attack where data or other assets of an entity get compromised and then get hijacked, if you like, encrypted and hijacked. And for it to be released by the hackers, they request money. And so that has become really a criminal matter now. And every sector, every company is subject to that. And secondly, the reason there is urgency is many regulators, and specifically in the US, the FCC just adopted disclosure rules. It is primarily for public companies, but as you know, usually private companies follow that as well, which is to report any material breach within four business days through filing an 8-K. So all of a sudden it has put cybersecurity on a par with the other risks that organizations have. Additionally, the SEC now requires companies to also develop or elaborate on their strategy, governance and the organization of how they support the organization against cyber risks, and bring all of that information into their 10-K on an annual basis. So the boardroom, more than ever, is now involved in cyber, in supervising cybersecurity risk, and in ensuring that SEC requirements and generally other regulatory requirements are met.
Steve Weber [00:05:58] Shamla, anything to answer that from your perspective? This is the first time you've sat down and taken the time it takes to write a book. Why now? What? Where was the urgency for you?
Shamla Naidoo [00:06:10] What I would add is that right now businesses are growing at just lightning speed, right? And every company, I would argue that most are already digital companies of some sort. But they are all increasing the digital footprint. We live in a data economy, so we are creating and producing more data than we have ever done. Our technology is working faster and faster. And frankly, those are all good things because they bring huge opportunity for business growth. At the same time, though, we need to pay a corresponding effort and a corresponding level of attention to the cybersecurity risks, because larger digital footprints increase the exposure points. They increase the opportunity for compromise. They increase the opportunity for theft and other kinds of fraudulent activities. So I think right now is the time for board directors, as they oversee strategy, not just to focus on the good things, but also to give the corresponding level of attention to the things that could go wrong, which is what boards are tasked to do. But what we try to do with this book, and why now, is to create attention, to create an awareness in that community that we do need to look here, that they cannot bypass this time.
Steve Weber [00:07:34] Interesting, so it's almost as if every time we see the words digital transformation being used, we should make sure that the word cybersecurity is in the same sentence or the next sentence. Let me come back to you, Homaira. Even for the least savvy or the most savvy directors from a technical perspective, there are a lot of publications, there are courses devoted to educating board members on cybersecurity. Obviously, you're bringing this book into that environment. How did you structure this book with all those alternatives in mind? What was different about it in your perspective in terms of adding real value to a crowded, but still tough to serve, educational space?
Homaira Akbari [00:08:22] Shamla and I actually studied, if you like, what was in the marketplace, and the impetus for writing our book was because we saw a gap, in fact. So what we saw with what exists now primarily is writings, books, pamphlets, which talk about basic, if you like, basic terms of cybersecurity and what the basic concepts are. And then it jumps usually to sometimes hundreds of questions that board members can ask. As CISOs, we have both noticed and observed in real time that some of my director colleagues would ask these questions in a boardroom, the CISO would respond to that, and the board member would say, "Oh, okay, thank you." But there's no really meaningful discussion and engagement with the CSO and with the management as a whole to really understand what was behind these answers, whereas, you know, when you ask an accounting or financial question, there's frequently a debate, and usually when you see it in cybersecurity there's no debate, because really the board member just does not have that basic and that foundational knowledge of cybersecurity. So that's what we decided to do: to create, in a fairly short volume, 80 pages, that foundational knowledge that every board member needs. And then our plan is that they will continue building on that knowledge, on that platform. And, you know, it's continuing learning, as we know, specifically for cybersecurity. But what was very unique in what we did is we created a series of mental models that really can be digested in a graphics format and can be digested fairly rapidly by intelligent board members, of which all the directors are highly accomplished people. And the way we defined it is a series of maps. We have four maps across the book, with the first map defining business asset groups, and we basically created ten categories. Some of those are, for example, data is one business asset group, financial assets, people are the other ones.
But we have about ten, in fact, ten business asset groups, and we define them. Once we defined them, then we went to show what our white hat is. Our asset is the business asset. What kind of gain do they get by accessing it, and what are their motivations, why they would do it, how they would do it. And that brought us to what we call attack vectors. So we mapped onto each business asset group the attack vectors that exist today to attack these business asset groups, either to get to them directly or to use them as a conduit to get to the crown jewels of the organization, whereby, for example, data is defined as crown jewels, not only but just one of them. We then move on to map three, and map three was about, again, the same ten business asset groups. We showed how do you protect them? So we showed the typical way that today the defense strategy of a good company, of a good organization which has a very good or preferable security posture, has actually defended these particular asset groups. And then we come to map four, whereby we provide metrics again for each business asset group to show the efficacy of the protection. And then we also include, because this is the defense system, it's not just protection, but in cybersecurity it is also detection, response and recovery. We also included metrics about measuring efficacy of the security posture through testing as well as through the metrics for detection and response. So I think this is unique, that has never been done and is very comprehensive, but it's also very easy to digest and to learn.
Steve Weber [00:12:40] Yeah, I will say from a reader's perspective, I think other readers will find the same thing. These mental map constructs really, really help to put some definition around priorities and the hierarchy of questions to ask. So for me, certainly that was quite new and quite important and helpful. Shamla, let me come back to you and ask specifically about cloud. For so many organizations of so many different sizes, digital transformation has now become a conversation about moving to cloud in all sorts of different configurations. So let's talk about the cloud. And when you think about that cloud transformation and cloud migration, what kinds of possibilities, what kinds of questions does that raise for the board, specifically with regard to security?
Shamla Naidoo [00:13:29] You know, I think when we added the cloud concept to the book, that was an important topic because in the boardroom, most board directors understand the concept of speed. They understand that we need to build capability really quickly. And when you tell them that you can either put something in the cloud, or consume some service from the cloud, the immediate connection is that this is going to happen a whole lot faster, because I don't have to have our team spending the time and the effort to build out the basic capability. Somebody else already did it. We're just going to buy it, borrow it, lease it, etc., and we're going to use it to build our proprietary capabilities on top of it, and it's going to be ready for market really quickly. So they see the benefit of the cloud, and that speed is a currency in boardroom conversations. The question, though, for us was what should they know about how it might go wrong? So for example, is it obvious that the infrastructure that supports the cloud environment is outside of their physical control? What are the things they should do that they would otherwise not have done if it was in the data center? And so that really was the reason we focused on this topic: we need to understand the risks of putting things in the cloud. And it's not always about what you can touch and feel. Sometimes it's about who do you need to oversee, who do you need to supervise, what kinds of expectations should you have from your partners and third parties, etc. But again, with all those great benefits comes risk, and they have to figure out how they are going to oversee those risks in the most efficient way to get to the outcomes they want.
Steve Weber [00:15:20] Great. Shamla, I'm going to jump off your point about risk because it's such an important one. Lots of directors that I talk to talk about themselves essentially as risk managers in an oversight setting. And I want to come back to you, Homaira, and ask about your view and the way the book addresses this question of cyber risk appetite. You can't reduce your risk to zero. You're spending on services, products, processes inside the organization to improve cybersecurity. And the natural question to be asked is how do I know I'm getting return on investment and getting value in terms of modulating the risk to where I want it to be? So talk about how the book helps decision makers, or directors in this case specifically, think about risk constructively in that context.
Homaira Akbari [00:16:12] We do give a number of examples and a number of guidelines. And then from there, we also, as I mentioned earlier, do talk about a set of metrics which would also be helpful to measure whether those investments have a return. But let me first go to the sort of examples we talk about. So first of all, a board has to be comfortable that the organization is making the necessary financial and non-financial, and I want to emphasize non-financial, investments to prevent those attacks that are preventable and defend against those attacks which are not preventable. So one measure, of course, when coming to financials, is to look at best in class, and some of the best-in-class cybersecurity defenders, who have the best defense ecosystem, are tier one financial institutions or banks. So a typical tier one bank spends somewhere between $500 million and $1 billion a year, Steve, every year on cybersecurity, and that usually corresponds to 5 to 10% of their IT budget. You know, obviously that's tier one, they're banks and they're really best in class. But for the smaller companies that obviously will not have the ability to spend that kind of money, using that 5 to 10% of your IT budget is a good measure, except if you are quite small and that budget for IT is fairly small, you probably have to spend more like 15 to 20% of that budget. The key point is what you earlier said. When you think about defense, when you say I need to defend myself against cybersecurity risk, there's four aspects to it. There's protection of your assets, there is threat detection, and then response to that attack, and then recovery from that attack, because invariably you are going to have some cyber breach. So you need to make sure that you have that security posture defined and security like to create it. And therefore you have best in class and various tools in place.
But I would be remiss if I don't finish this explanation by emphasizing that non-financial investment. And what is that? It's really first and foremost for an organization to have the right cyber culture. What do you mean? What do we mean by that? It is really awareness across the board, starting with the CEO and executive team, the awareness, their engagement with cybersecurity, all the way to every single employee of the company. And you know, what we know today is still two-thirds and maybe closer to 80% of all breaches are due to some error, intentional or not intentional, done by people within the organizations or their subcontractors. So therefore, that awareness, that building of cybersecurity culture by the CEO saying, I believe in it, I am committed and dedicated to it, which will then flow through the organization, and also making sure all of the executives are responsible; it's not only CISOs, and Shamla can tell you more since she's been a CISO, that are responsible for cybersecurity.
Steve Weber [00:19:51] Shamla, let me come back to you and ask you the question of the day, which surely is on everyone's mind right now. You folks started writing this book when large language models were still a research toy that folks in laboratories and universities were playing around with. I guess it's about eight or nine months ago now that ChatGPT burst onto the scene and suddenly is one of the most interesting and intriguing and important developments, and the word AI is everywhere. So talk about how the rise of technology like generative AI, ChatGPT, changes or accelerates the need for a book like this and the kinds of changes that Homaira just spoke to, including the cultural changes.
Shamla Naidoo [00:20:39] You know what's interesting about that, Steve, is that a decade ago we had the same reaction to cloud technology. Right. And so in the recent past, it was cloud. Now it's artificial intelligence and in particular large language models. You know, in a year or two, it's going to be the quantum computer. And the point is that innovation doesn't stop. So there's going to be constant innovation. We are going to be faced with new technologies, new approaches, new architectures, new tools constantly. That's just the nature of technology. And so the idea here, I think, is we need to be prepared for anything. And board directors in particular have to understand the pace of change and that they need to create the foundational knowledge pretty quickly, because that's the biggest gap. If you don't have a foundation, all this great information out there is going to land, but it doesn't land on a strong foundation, which means that you cannot really build from it. This book, I think, is going to give them the foundation from which they can build to be prepared for those new technologies, new constructs that are going to come at them. And so the idea is this is the beginning of the learning. It's not "the" learning. It's the foundation upon which other knowledge is going to be built. So I would say, you know, be prepared for the innovation of the future. This book is going to give you the basic concepts, the approaches, and the models upon which to think about the future of innovation. But, you know, large language models is a big topic right now. It is a topic because we live in a data economy. There's data everywhere. Most of the data has been invisible until this technology has been made available to us. So we can grab the business insights that are embedded in all of this data. 
And so now I think is the opportunity for us to focus on data, data protection, the risk of data, the risk of error, the risk of omissions, and all of those activities that are embedded in the large language model that we're going to use for businesses. But again, it's the foundation.
Homaira Akbari [00:22:53] If I could add, Steve, to that. What is very interesting is in the book, we do talk about emerging technology, as Shamla mentioned, and we specifically talk about AI and ChatGPT, but we also talk about IoT. For example, when it comes to IoT, we talk about the fact that 80% of cyber risks are very similar to anything else that we've had. But then there are specificities to it. In the case of ChatGPT or AI, one of the big risks, as we all know, is feeding the model the wrong data, and as a result, getting results which are incorrect, because you actually create fake data. Which brings us to something called deepfake, where the data becomes so fake, so unbelievable in some ways, but some people believe in it, that creates what's called deepfakes. So I think that's exactly what Shamla said, is that, you know, we talk about emerging technology, how you should think about it, but then we do give some specificity for these cases. So I think we do help the board member to think about the topic du jour, how they should go about it.
Steve Weber [00:24:10] I'm quite sure there'll be a new one in 2024, and that will get tested as we go. Homaira, let's talk a little bit about the way in which boards do and should evaluate themselves. It's obvious you kind of have a large number of boards and public companies and so on and so forth. And people ask themselves, how are we doing? How do we know that we're doing well? What does good look like is the question that I think we all hear a lot. So if a board wants to evaluate its company, think of maturity or excellence in cybersecurity, how should they go about it? And how does the book talk about metrics and comparisons and answering that question, what does good look like relative to what others are doing?
Homaira Akbari [00:24:55] Steve, we have a whole chapter, and it's called chapter seven, where we talk about metrics for measuring, because, you know, it's a question that has been asked millions of times by board members and CISOs and other people in the ecosystem. In chapter seven, the approach we took, we basically defined two sets of metrics. One is operational level metrics, and the other one is board level metrics. Operational level metrics correspond to that map four that I talked about, which basically shows for each business asset group how to measure the efficacy of your protection and then your detection and response methodologies that you use. It also talks about the fact that you need to measure or test the security posture of the organization, which really gives you one measure, not the only one, but one measure of that maturity. We then come to board level metrics, and to our knowledge, nobody really has created this concept that Shamla and I have created, that these board level metrics actually have five components, two of which are operational. So one, as an input, would be what is your cybersecurity program efficacy and regulatory compliance, and what is your cybersecurity risk profile, which comes from those operational metrics that I mentioned. But it also adds three more assessments. One is what's your cybersecurity culture? Second is what's your investment levels and insurance coverage? And lastly would be what is your organization's readiness, if you like, to manage cyber breach impact? And we don't believe any organization is using this the way we have articulated it, but we believe once they do that, they're going to be able to determine the maturity of their organization. And for us, this is the key.
Steve Weber [00:27:04] Wonderful. Let me turn back to you, Shamla. Between you and Homaira, you live and breathe the cybersecurity universe every day. You've been on so many different sides of that puzzle, and I found it very important, at the end of the book, to get a sense of what you think are the most important reflections, thoughts, and takeaways that people really need to bring home with them at the end of the day. Because prioritization is such an important piece of this conversation. So talk a little bit about the closing thoughts, reflections at the end of the book, the stuff that matters the most to you that readers take away from it.
Shamla Naidoo [00:27:48] So, you know, I think I would start with, we all know how to measure the benefits of technology, right? And that's the easy part. What we struggle with is measuring, calculating and really confronting the issues when they go wrong, and the board is charged with that. So to help them, I think we need to think about, there's a lot of upside to the technology. How can it go wrong? Importantly, I think unless you're a cybersecurity company and you sell cybersecurity products or services, the revenue generation is not from your cybersecurity practice. Revenue is generated from your business practices; however, the security practices, the technology, the tools, the controls, etc., they enable those businesses. So when we are calculating the upside of our business and the revenue that we generate from our business, we need to offset that with the cost of security, because it really is not just the business enabler, but it's an investment in that revenue that you generate. And so once you take out the investment, you say, okay, this is how much money I made, my net profit. So yes, it's a cost to do business, but it's the cost of the revenue. So that's an important consideration. I think the other thing to remember is that leadership for this topic is not interchangeable with the technology and the tools for the topic. So we need good, strong leaders that can help the board with risk selection. How do we pick the biggest risks that face the company and then wrestle them to the ground? And then how do we pick up the next set that are on point, and we just keep whittling away at our risk? Because if we just focus on the tools and the technology, how do we know if we're focusing on the right things with the right level of priority? And we have, you know, we have so many issues that we can confront, it's not possible to confront them all at the same time with the same level of rigor, at the same level of investment.
So selecting those risks carefully is what I think the CSO and the security leaders have to help the board to do. And then I would also say that it's really important that you have a good, rich, open, transparent dialogue. So the board should have dialogue with the CISO. Not just about the status, not just a status update. It should really be a risk discussion on what are we not doing, what are we not focused on, what haven't we spent enough time on? Because we all know there's just not enough time to do it all. And so there needs to be some transparency in that discussion. And the CISO shouldn't be the only leader that's on point for this topic. Every business decision, every business area, when they make money, they know how to report that; they should also be tasked with knowing and understanding how cyber impacts them, how it enables them, and how it might constrain them and how it might hurt them or harm them. And so business leaders have to start taking as much accountability for the results as the CSO does, because cybersecurity is not the business. It is just a part of everything else that you do. So I think the cyber IQ, the cyber culture are all really important considerations. And then, like I said, lastly, the CSO is not the only executive that should be on point for what fails or what's successful.
Steve Weber [00:31:35] Interesting. Homaira, any additional thoughts about the most important, most powerful takeaway? Is it the quality of strategic conversation at the board level about the cybersecurity risk profile, its relationship to the business? What's the most important takeaway that should sit with people and live with people as they finish the book?
Homaira Akbari [00:31:53] Steve, there are tens of takeaways, and we do have these called out. But yes, I do have one takeaway, and that's based on, again, many times this question has been asked of me specifically, and also, I think, of Shamla. How is it that we can be efficient, secure? What can we do to be 100% secure? I want to spend enough to be 100% secure. I've been asked that even once by a senior from a Fortune 50 company, how come the government doesn't make us 100% secure? They can, they said. And the reality is no, you cannot be 100% secure. Why? There are three reasons for it. The first reason is that basically all companies and governments and any, you know, any entity in the world, including consumers, are relying on outdated technologies and IT systems that were not designed with security in mind. And they create vulnerabilities. And the issue is many of those vulnerabilities are not obvious today. And the second reason is that every day we are adopting new technologies, new innovations, some of which even have security designed into them. But as soon as they integrate with these old technologies, they become vulnerable too, or they create vulnerabilities even in the old technologies. So that, you know, that increasing attack surface, and impacting the surface that we already have, creates tons of vulnerabilities, some of them known to us and some of them not known, like the so-called zero-day vulnerabilities. And lastly, this is one sector where you have an adversary. You have armies of people who are paid extremely well, or where some of them are extremely wealthy, and organizations, criminal organizations, which are actually looking for vulnerabilities and exploiting them. And, you know, we were asked, why do they get to these before us? Because of the first two that I mentioned, because we just are not aware, and these people are actually working continuously, and they are smart people, to look for these vulnerabilities.
As a result you're never going to be 100% secure, which is why detection, having good threat intelligence, working and coordinating and cooperating with the government and other businesses and other entities is very important, to have that threat intelligence and be able to detect, respond and recover from any of these.
Steve Weber [00:34:34] It's really important. The lesson I remember, going back to what we were talking about earlier, what does good look like? Nobody should ask the question what does perfect look like, because there is no perfect, and maybe even what does good look like isn't the right question. I take away from what you just said that maybe the right question is, how do we know we're getting better, and getting better faster than our adversaries are?
Shamla Naidoo [00:34:54] You know, Steve, I would add to that, that's such a great point, because all risks are not the same across all companies. Right. And so it's what's appropriate and what's within your appetite. And one thing I would say to board directors is just say what you want. Just be clear on what you think is material, because in the absence of that, CISOs will try really hard to give you what they think you want and what they think you need. So just be clear on what is material to this company at this point in time, to this board. What's important? What do you want to know? And I will tell you that, from being a practitioner myself, CISOs will give you what you need. But if they're guessing, expect them to get it wrong.
Steve Weber [00:35:43] Fantastic. Well, look, I've had the advantage of the opportunity to read the book, but many of our listeners probably have not. So can we close out by explaining where they can get a hold of this book? Where can the audience find the book? When will it be available?
Homaira Akbari [00:35:58] It will be available starting September 5th and will be available at Netskope URL.
Steve Weber [00:36:05] Shamla, any last thoughts to share with our audience today?
Shamla Naidoo [00:36:08] I would say read what your boards are reading. So read the book so you know what kinds of questions you should anticipate when you get in front of them in that boardroom.
Steve Weber [00:36:16] Thank you both so much for doing this podcast today. But thank you even more so for writing this book. I think it will be a tremendous resource for many directors. I hope it is widely read and distributed and enjoyed by those who read it and, most importantly, used.
Producer [00:36:32] Thank you for listening to Security Visionaries. Please take a moment to rate and review the show and share it with someone who might enjoy it. Stay tuned for episodes releasing every other week and we will catch you on the next one.