The Power of Proactive Protection in Cyber Risk Management with Jim Goldman and Ryan Dunn
Jara Rowe: Gather around as we spill the tea on cybersecurity. We are talking about the topic in a way that everyone can understand. I'm your host, Jara Rowe, giving you just what you need. This is The Tea on Cybersecurity, a podcast from Trava. If there's one thing I've learned by hosting The Tea on Cybersecurity, it's that having a solid cyber risk management strategy in place from day one of your company is essential. It's way better to be prepared than unprepared, and that is what this episode is about. On this episode of The Tea on Cybersecurity, we're talking about being proactive versus reactive, and even how those strategies relate to cyber insurance. I have two known voices with me on this episode. I would like to welcome Jim Goldman and Ryan Dunn. Hello, gentlemen.
Jim Goldman: Hi, Jara. How are you?
Ryan Dunn: Hold the applause everybody, please.
Jara Rowe: Hold the applause. I'm doing great. I'm so excited to talk to you guys about this. I actually feel like now that I've learned so much, I know the difference between being proactive and reactive and which one's better, but I'm still excited to learn more from you guys today. So I'm going to get right into this. Jim, I have the first set of questions going to you. For the listeners that may not be familiar with this, can you talk about what a proactive cybersecurity strategy is and what a reactive one is?
Jim Goldman: It really comes down to being aware. The first thing you have to do is be aware of what we call your system boundaries. Now I say something like that and people might say, "Oh, Jim's getting overly technical again." And I'll tell you what just occurred to me is, what if you were a rancher, right, and you had cattle that you were trying to protect? What's the first thing you're going to do? Well, you're probably going to put up some kind of fence around the boundaries of that ranch. How do you do that? Well, if you don't know where the boundaries are, you can't very effectively put up a fence, and that's exactly what we're talking about. You need to understand the boundaries of the system that you're trying to protect because within that system, instead of having cattle, you have data, and it may be a customer's data. And so first and foremost, what does the rancher have? The rancher has a plot, a survey that says exactly where their boundaries are. It's a diagram, it's a system diagram. That's what we need, we need a system diagram, we need a plot, we need a diagram that shows the system boundaries of our information system rather than our ranch. That's really where it starts. Unless you know where your boundaries are, again, keeping with the same analogy, unless you know where the gates are, where you purposefully let cattle go in and out. In our case, where are the gates where you let third parties, whether they're customers or vendors or service partners, where are you letting them come in through those gates in your fence? Same thing. That's proactive.
Jara Rowe: All right. I love that analogy. Your analogies are always so helpful.
Ryan Dunn: They're always spot on.
Jara Rowe: They really are. Jim, next thing for you, how does a proactive approach to cybersecurity help organizations identify and mitigate potential threats?
Jim Goldman: It's a really good question, and again, it's a spot where people get hung up. So if you now picture that we've got that system diagram in place and we've got the vectors, where our different service providers come in, now those are authorized people that are getting in. But where are the weak spots in the fence? Going back to the analogy, where could cattle rustlers get into your perimeter fence and steal your cattle? In this case, it's like, where could cyber criminals break through the boundaries that you've set up? Whether it's technical boundaries, logical boundaries, et cetera, protections, where could they get through your protections? Where are the potential holes? There's going to be a limited number of what are called ingress points where third parties can get in and egress points where data could potentially go out. It's just like protecting a venue, like a large concert venue or a convention center. There's only so many doors, and so that's where you put your security. It's the same thing in this case with your information system, there are only so many doors, so that's where you have to put your security.
Jara Rowe: Ryan, why do you think so many people typically lean towards being reactive? It just seems like a natural response. Why is that?
Ryan Dunn: Well, I'd like to touch on one point on what Jim was saying and how it relates to insurance. And then I'll get into why agents tend to fall into a reactive stance. But it's similar on the being proactive side for insurance. Jim's alluding to knowing where your boundaries are. And being a proactive agent, you are understanding the vectors that are going to influence your client's insurance renewal. So for example, when you go out to get cyber insurance, a lot of these MGAs and carriers are analyzing your clients using a vulnerability management scanning tool. If you're not equipped with that, it's tough for you to be able to understand what is going on with your client's cybersecurity infrastructure, to be able to address that ahead of time. Understanding where your client sits in their renewal is extremely important and that takes a proactive stance in order to accomplish that.
Jim Goldman: The phrase that comes to mind when you say that, Ryan, is you're flying blind. What do pilots do when they can't have visual? Good pilots, commercial pilots, do they need to be able to see with their eyes? No. Why? Because they've got instrumentation. And so it's the same thing, what do cyber insurance agents have for instrumentation so they're not flying blind?
Ryan Dunn: Exactly. Right now it's just like, please don't get referred to the underwriter, because then I'm going to have to go back to the client and I'm going to have to pretend like I know what this open port is. Frankly, I don't know if I have a nice answer as to why agents tend to be reactive. I think it's only just human nature, but we tend to just sit on our laurels and just think about cyber as if it were GL or property insurance or workers' comp insurance, where we're just going out there and we're getting a quote. And for a general liability policy, there's not much preparation. For a general business, there's not much preparation that needs to be done. You're just collecting info on the application and submitting it for insurance. And so I think it just falls into human nature, where we're just resting on our laurels, resting on what we're used to doing instead of trying to think outside the box, "Okay, wait, how can I avoid this situation?" Or, "How can I improve this for my client?" We're going to hear a lot that is going to take proactive thought and creative thought in order to accomplish that.
Jara Rowe: Yeah, I would much rather be prepared than wait for something to happen. That freaks me out, it causes anxiety.
Ryan Dunn: I don't sleep.
Jara Rowe: Yeah.
Ryan Dunn: I don't sleep. My mind will run in 20 different directions all night.
Jara Rowe: Exactly. If you guys could give a tip for someone about third party, checking to make sure everything is good, what would that one tip be?
Ryan Dunn: I'll let you take that.
Jim Goldman: Yeah. Well, what we tell all our customers is it doesn't have to be that complicated or expensive. In other words, you could just have a spreadsheet. So the first thing again is inventory. Do you even know who all your service providers and third party providers are that you've given access into your system? And usually it's very simple, on a simple spreadsheet, they fall into two buckets, those that have access to your customers' data and those that do not, all right? So those that do not, you have one set of security questions for them, one set of security requirements. Those that do have access to your customers' data or your intellectual property, well, gee, now we need to do a little bit more scrutiny. And so what do you do in that case? Well, you ask them, "Do you have a certification, a compliance certification? Are you SOC 2 certified? Are you ISO certified? Okay, I'd like to see your report or your certificate." They should be very happy to provide that. If they don't have some third party attestation as to the veracity of their security program, then you have not just a right, but you have an obligation to send them a security questionnaire, where you ask them some fairly detailed questions about what they are doing and what they're not doing.
Ryan Dunn: I actually went to a doctor's office recently that I had visited frequently and they lost all of their customers' data. And so it was very interesting to go through that experience, because I'm like, "Well, how did you lose it and where did it go?" And that's [inaudible].
Jim Goldman: And they said, "I don't know."
Ryan Dunn: "I don't know." They said, "I don't know."
Jara Rowe: That's so terrifying. Oh my god.
Ryan Dunn: That's a really good... From what Jim's saying, do they have your customers' data or do they not?
Jara Rowe: Wow. Well, I hope that never happens to anyone else, that's terrifying. Next question, I know that you two are passionate about how technology can help all of this. What role can technology play in supporting a proactive cybersecurity strategy for both agents and their clients?
Ryan Dunn: There's a few different areas to address here from a technology standpoint. I think the clear and obvious one is a vulnerability management tool, right? Stop flying blind with no instrumentation, you fly blind [inaudible].
Jim Goldman: You can't fix what you don't know about.
Ryan Dunn: Let's start there, I think that's the obvious first choice. The second piece of technology that can help agents and their clients, and it's not really something that is really out there in the market yet, is real risk quantification benchmarking. What I mean by real is, what we see is benchmarking based off of purchasing behavior. And this purchasing behavior goes like, "Hey, what are my people and my peers in my industry buying in cyber insurance?" And benchmarking says a million, so they go a million. But they're 50 million in revenue hospitals, so that doesn't make any sense. So what does that tell us? The data sets that we're feeding into the benchmarking are incorrect. We need to start having an honest conversation about how that technology can be deployed. But in my mind, it needs to be some type of risk quantification based off of your risk score within your industry and finding a way of correlating premium to that. That would give us a good reading of, "Okay, what are my peers buying that are investing in security like me?" That's the real question, not what is everybody else buying, because your security isn't like Company B's security. And that's another piece of technology that I think could deliver a ton of value to clients that really isn't out there in the market right now.
Jim Goldman: I agree a hundred percent and that's really where we're trying to head. I often use the analogy of the credit score and the credit industry, that's risk, right? If people have a low credit score, then the banks are going to be less likely to give them a loan as opposed to if they have a high credit score. Well, it's no different in the cyber risk realm. We're trying to standardize on something we call the Trava Risk Score. In this case, we'll say high is good, just to be clear. So the higher your Trava Risk Score, the less risk you have, the higher level of comfort an insurance carrier or an insurance agent would have to write a policy with higher limits, lower premiums, et cetera. It's the same type of situation, same construct, same model that's being done. And we need to do the same thing in cyber risk that we've been doing in credit for years.
Ryan Dunn: Yeah, definitely.
Jim Goldman: Now what's interesting is Ryan mentioned vulnerability management, and that certainly is first and foremost. But in some sense, going back to the cattle ranch metaphor, all vulnerability management is doing is telling you where the holes in your fence are, so you can go out and fix them, right? The question is, what can you do so you stop having so many holes in your fence, all right? That's where we get into the other type of more proactive. Because think about it, just by identifying vulnerabilities and fixing them, identify, fix, identify, fix, that's reactive. We're not proactive yet. Is it an improvement? Yes. Should you do it? A hundred percent, absolutely. But it's still reactive. Sometimes people call it whack-a-mole. "I'm never going to gain. I'm never going to get ahead of it." Right? Well, it's the other security processes and sometimes associated technology that gets you ahead of it. So patch management, multifactor authentication, security awareness and training, backup and recovery, encryption at rest and in transit, intrusion detection and recovery. These are the types of systems that companies eventually put in. So do they still need vulnerability management? A hundred percent. However, what's going to happen over time is their list of vulnerabilities, the list of critical vulnerabilities that need to be fixed, is going to start to reduce. We're going to start having fewer holes in our fence that we need to go out and fix.
Ryan Dunn: Yeah.
Jara Rowe: Yeah. We don't want to keep fixing the holes.
Jim Goldman: We don't want to keep fixing the holes in the fence, that's right.
Ryan Dunn: Yes. You start to become fatigued there.
Jim Goldman: Yeah, exactly.
Jara Rowe: You guys are providing with such great gems of knowledge.
Jim Goldman: Yeah, this is a fun one. We're on a roll, let's not stop.
Jara Rowe: Yeah, I understand that we can be as proactive as we want to be, but there still may be the potential of something happening that we will have to react to. In a world of constantly evolving threats, how can organizations strike the right balance between proactive measures and reactive incident responses?
Jim Goldman: So I'll take that first. I mean, you used the right word there, Jara, incident response, right? And I always like to demystify the cyber end and say, "Okay, there's nothing different about responding to an incident in cyber than other incidents." So what are some other kinds of incidents that we've been handling for years? What about house fires, right? So how do fire departments get good? Or even how do new firefighters get good at responding to a fire incident? What do they do? They practice, they do drills all the time and they train. Well, cyber's no different. You can't wait until your first fire breaks out in your information system and then wing it in an incident response, of course it's going to be a disaster. You have to train, you have to do incident detection and response tabletop exercises depending on how seriously your organization takes that, how well organized they are, et cetera, et cetera. How many people from the organization actually participate and respond accordingly? Do you record it? Do you take good notes? Do you have an after action review? Do you write a management report afterwards? Do you do it at least once a year? That way it becomes second nature. So if, God forbid, you actually have a real incident, people aren't flailing saying, "Do we even have a plan? Well, we were going to write one, but we never got around to it, great."
Ryan Dunn: Our insurance agent wrote us one for our insurance renewal.
Jim Goldman: And it has nothing to do with our system.
Ryan Dunn: Yeah.
Jim Goldman: They downloaded one from the internet and they gave us one and it's like, this is trash. What are we doing?
Ryan Dunn: Yeah.
Jara Rowe: Yeah.
Ryan Dunn: Insurance agents, don't do that. You want to talk about a little E&O exposure just to get a renewal? I strongly suggest you actually do a tabletop exercise for an incident response plan.
Jim Goldman: Historically speaking, cyber is really pretty new. It hasn't been around that long as a thing, and that's part of the difficulty. And that's why I'm always forcing people to look at other systems that have been around for longer, like firefighting. I often use the example of, okay, there were terrible tragedies in building fires before someone said, "We really ought to require sprinkler systems." Well, what's a sprinkler system? It's a proactive technology. It's an instant response, proactive technology, that's all it is. And it's required, nobody complains about it, nobody says it's too expensive. Nobody says, "I got other priorities." It's like if you have a building and you manage a building or you build a building, you put in a sprinkler system. Nobody argues about it. Why can't we have that same perspective on properly protecting our information systems?
Ryan Dunn: I feel like property is really the best analogy to get people to understand the correlations between security controls and security controls that are implemented in buildings, so I love that correlation.
Jim Goldman: It's a very good point. Property is considered a hard asset. Why can't data be considered a hard asset?
Ryan Dunn: Yeah, exactly.
Jara Rowe: It definitely should be.
Jim Goldman: It definitely should be.
Ryan Dunn: I've gone on this rant a few times about... I mean, insurance started from a building catching on fire when businesses were run from brick and mortar.
Jim Goldman: Right.
Ryan Dunn: But now your business is run from a digital enterprise or digital experience, and so you have to be applying the same mindset even though you can't feel it-
Jim Goldman: It doesn't matter.
Ryan Dunn: It's still pretty real. I mean, look at your bank account through your digital phone app, right? It's real. At least I hope it is, but it's real.
Jim Goldman: Like we always say data is currency, right?
Ryan Dunn: Yeah.
Jara Rowe: Data is currency for sure. I've learned that from all of my guests on the podcast. Can you share best practices for organizations looking to adopt a proactive cybersecurity stance?
Jim Goldman: What I would say, as I started, the first thing I said on the podcast was understand your system boundaries. Not everybody's equipped to do that. And so again, I don't mean to make it a shameless plug, but hire someone like Trava or an equally qualified organization to help you with what we call the baseline cyber risk assessment. This is not something that everybody should do for themselves, but you need that initial assessment, and that's why we purposely call it baseline. It's like, here's your starting point. There's no judgment, right? You're not bad if you get a low score or something like that. It's just everybody has to start somewhere. The reason it's important to do that and make that small investment in that baseline cyber risk assessment is, the other analogy that I often use is, you're going to become a victim of just buying the hot... If they had a shopping channel for cyber tools, you'd be stuck watching the cyber shopping channel, and you'd say, "Oh, I need one of those. Oh, I'll get one of those too. I'll get one of those too." Guess what? That's not a solution.
Ryan Dunn: Yeah.
Jim Goldman: I often use the analogy of, if your check engine light goes on in your car and you pull into the nearest auto parts store, you're not going to grab a shopping cart and just start pulling random auto parts off the shelf, you don't know what's wrong. Same thing with cyber, if you don't know what's wrong, if you don't know where your biggest weaknesses are, why would you pay a dime on any solution?
Ryan Dunn: Yeah, you start to become a cybersecurity hoarder.
Jim Goldman: You hoard tools.
Ryan Dunn: "Oh, I got this EDR somewhere in here."
Jim Goldman: Yeah, you hoard tools that don't work.
Ryan Dunn: Yeah.
Jara Rowe: All right, you two. This conversation has been absolutely fantastic. I've learned a lot and I hope the listeners have as well. But before I let you go, I have a couple of fun questions I would like to ask you both.
Ryan Dunn: Okay.
Jara Rowe: All right. Ryan, I'll ask you this first. If you could compare your job to a superhero, who would it be and why?
Ryan Dunn: We actually had this conversation as a leadership team.
Jara Rowe: Oh, really?
Ryan Dunn: What is our voice? And I mean, it's also because I just love the character, but Deadpool. You got serious business to do, but you have fun doing it. I just like Deadpool as a reference to that.
Jara Rowe: Yeah. Jim, what about you?
Jim Goldman: So I don't know why this occurred to me, but I feel like Spider-Man, because I'm like over there taking care of that, I'm swinging across and I'm over here taking care of that, and then I swing again taking care of something else over there, so I feel like Spider-Man.
Jara Rowe: That's important, that's important. All right, next one. If you could create a new cyber attack, what would it be called?
Ryan Dunn: A new cyber attack?
Jara Rowe: Yep.
Ryan Dunn: So we're the bad guys?
Jim Goldman: The bad guys, yeah.
Jara Rowe: You are the bad guy. What would your attack be?
Ryan Dunn: Oh, man. My mind is too pure to think like that.
Jim Goldman: I don't know what I'd call it, but I come back to that as much technology as there is involved with cyber systems and data and protecting data and so forth and so on, the weakest link in all of this is still people. The truth is the most effective attacks are playing on people's personalities and social engineering and that kind of thing. And you know what? The cyber criminals know that.
Jara Rowe: They do, they know that for sure.
Ryan Dunn: What would I do?
Jara Rowe: Yeah, Ryan, I'm curious.
Ryan Dunn: I'd definitely attack people. Just don't know how I'd do it.
Jim Goldman: Well, it's the old story. If you're a criminal, you're going to look for the easiest way in into any system. My contention is that the easiest way into any cyber system is through the people.
Ryan Dunn: To the person out there, I would stop trying to impersonate Jim Goldman through text saying that you need help.
Jim Goldman: Asking Ryan to buy gift cards.
Ryan Dunn: It's not working.
Jara Rowe: Before I let you go again, do either of you have anything you would like to drive home on either cyber insurance, being proactive, or just cybersecurity in general?
Jim Goldman: I think that the one step way back perspective is we're still figuring this out. We may be having a very different conversation a year from now. Sometimes it's hard to, they call it see the forest for the trees or step back far enough to gain a perspective. It's like cyber insurance is a very new thing, we have not figured it out. It's not being done right, we're in transition, so just realize that, don't accept the status quo as, " Oh no, this is the way we do it. We got to do it this way forever and ever." No, there are better ways to do this and we're on our way to a better way.
Ryan Dunn: Yeah, I really like that humility around cybersecurity. One of my biggest pet peeves related to insurance and security is people coming out to market acting like they've got the silver bullet to solving all cyber crime. And all you're doing is frustrating the buyer and causing him not to reinvest into his cybersecurity infrastructure, so you're going to be [inaudible].
Jim Goldman: Or maybe not buy a legitimate tool, because they got burned on something that made promises that didn't deliver.
Ryan Dunn: Exactly. You're doing way more harm than good. I actually talked about this with, shout out to Sauger at Driven Cyber. He and I talk about this quite frequently, where these companies, these large entities that you host your cloud with or do business with, I just saw a commercial last night, it's like, "You're safe with us, don't worry about it. It's a click and forget it type of thing." And that couldn't be a worse representation of what the truth actually is, and so they are doing way more harm than good.
Jim Goldman: Or how about be SOC 2 certified in weeks?
Ryan Dunn: Yeah, exactly. It's these marketing and sales messaging that are really getting in the way of progress.
Jara Rowe: Wow, yeah. I know that you cannot get SOC 2 certified in weeks, it takes a long time. I've never fully been through the process, but I've talked to enough experts that I know that that's impossible.
Jim Goldman: Right, right.
Jara Rowe: Well, Jim and Ryan, I really appreciate your knowledge on this topic, and that wraps another episode of The Tea on Cybersecurity. Now that we've spilled the tea on being proactive versus reactive, it's time to go over the receipts. I think one of the overarching things that I took away from the conversation with Ryan and Jim is that you don't want to fly blind when it comes to your cybersecurity. You need to understand where your vulnerabilities are in your company to make sure that you have things in place, to make sure no one actually comes in. And another thing, in order to be proactive, you have to understand your boundaries, specifically your system boundaries. And Jim did a great job at relating this to protecting a ranch. You want to make sure your fence, your defenses, are up in the places that are necessary. A third receipt that I have is about third party risks. As businesses, we all work with outside companies and things like that, and it's essential to understand what their vulnerabilities are. One of the tips that Jim gave for this is super simple, something anyone could do: just create a spreadsheet that lists all of your vendors, with columns so you can see which vendors have access to your employee data and which do not. That is just a very simple way to start being able to check your third party risks, because once you partner with these companies, you also take on their risks as well. So it's just important to know where they are, so you'll be able to decide if that's the right vendor for you or not. From a technical standpoint, specifically for insurance professionals, Ryan talked about some tools that you can use that will help with insuring your clients and, most importantly, the renewal process.
So Ryan talked about vulnerability management tools as well as real risk quantification benchmarking. A lot of the time now in the insurance world, specifically with cyber, you end up comparing yourself to another company that is really like apples to oranges, it's not exactly the same. And so Ryan talked about how real risk quantification benchmarking will help make sure that everyone is insured the way that they should be for their industry and for companies. Jim talked about the different technical things that you should have in place, number one being MFA, or multifactor authentication, which we talk about a lot on The Tea on Cybersecurity. He also mentioned security awareness and training, which we have an upcoming episode about here soon. Encryption at rest and in transit, backup and recovery, as well as intrusion detection and recovery. Again, it's way better for all of us to be more proactive than reactive. Let's figure out how to stay safe earlier on. I hope you gained as much information as I did from this episode, and that wraps another episode of The Tea on Cybersecurity. Bye. And that's The Tea on Cybersecurity. If you like what you listened to, please leave a review. If you need anything else from me, head on over to Trava Security. Follow wherever you get your podcasts.
DESCRIPTION
"Proactive protection is not just about fixing vulnerabilities, it's about implementing a comprehensive security strategy and understanding your system boundaries and actively defending against cyber threats before they can breach your defenses."
In the latest episode of The Tea on Cybersecurity, @Jara Rowe talks with @Jim Goldman and @Ryan Dunn to uncover the importance of being proactive in cybersecurity management to avoid the pitfalls of a cyber attack.
To be proactive, companies need to implement various security processes and technologies. These include patching management to ensure systems are up to date with the latest security patches, multi-factor authentication to add an extra layer of protection for accessing sensitive information, and security awareness and training programs to educate employees about potential threats and best practices.
By implementing these measures, companies can reduce the number of vulnerabilities in their systems over time.
Make sure to listen to the end for tips on what being proactive looks like from Jim and Ryan.
What you’ll learn in this episode:
- The importance of implementing proactive cybersecurity measures beyond vulnerability management to protect your organization from cyber attacks.
- The significance of understanding and assessing third party risks in order to safeguard your business and customer data.
- The need for agents in the insurance industry to adopt a proactive and creative mindset when dealing with cyber insurance, rather than relying on reactive approaches.
Things to listen for:
- [1:33] What a proactive and reactive cybersecurity system is.
- [3:22] How a proactive approach to cybersecurity helps organizations identify and mitigate potential threats.
- [4:40] Why so many people typically lean towards being reactive in their cybersecurity systems.
- [7:21] Tips for third party checking.
- [9:26] What role technology can play in supporting a proactive cybersecurity strategy for both agents and their clients.
- [13:55] Best practices for organizations looking to adopt a proactive cybersecurity stance.
Connect with Trava:
Website www.travasecurity.com
Blog www.travasecurity.com/blog
LinkedIn @travasecurity
YouTube @travasecurity