The Smarter Singapore Vision
Agnes: Hello, everyone, and welcome to The Game Changing podcast. The Game Changing podcast brings you points of view around technology and the challenges it's solving in Australia, New Zealand, Korea and ASEAN. And today I have a fabulous guest with me, Brian Hazzard, who is the CEO and co-founder of Randori, a security startup company that IBM acquired last year, actually. And we are going to talk a little bit more about what Randori is and why what Randori is doing is so important in today's marketplace. Maybe let's start at the foundation, Brian. First of all, thank you for being here. And what is Randori? What does Randori do?
Brian Hazzard: Thank you, Agnes. So Randori is a cybersecurity company. We were founded in 2018, and I founded the company with a fellow named David Wolpoff. And it was in response to a breach experience that I lived through while building a company called Bit9. Prior to the breach we were doing things like pen testing and vuln scanning, but yet we still experienced that breach, and we decided something had to be fundamentally different. We wound up hiring David Wolpoff, now the CTO, to attack us, to effectively red team us. And that went on for a number of years, and through that whole experience I learned a lot about cybersecurity and how attackers actually attack, and we started Randori to effectively democratize access to that red team experience.
Agnes: That's a very promising discussion to dive into, but maybe let's start with talking a little bit about why it matters. IBM regularly publishes the Cost of a Data Breach study, where we basically calculate what an average breach costs. It doesn't matter if it's social engineering, email, phishing, ransomware, text, et cetera. And last year's study basically said we are at around $5 million U.S. dollars now, and the number is just rising. At the same time, studies that actually show how much companies and organizations are spending on security, on defending themselves, show that it isn't quite linear to this rising cost of breach. So what does it usually take for a company, an organization, to kind of wake up? What is this "Oh, we need to do something" moment, usually?
Brian Hazzard: Well, I'll share a few thoughts on that. I think that's a really great question. The number, the amount, that is important, and we know breaches and breach response and everything else are getting more and more expensive as time goes on. Having lived through a breach, I can tell you the number itself is almost insignificant. The real-world impact of a breach, what it means to your customers and your partners and everything else associated with it, your efforts building the company, the company itself, it's serious. What I came away from that experience with is the simple recognition that we're all working harder and harder and we're spending more and more money, but yet the onslaught of breaches is just going up and to the right. So something fundamentally has to change within our industry, and that's really what that whole experience brought to me.
Agnes: I can just kind of live through this, just imagining the way you describe it. What really strikes me in this part of the world is that most of the clients, most of the organizations that we work with, actually have a hybrid cloud reality. So they have applications, they have data, on-premises and in various clouds, and we also know, when we look at what's going on generally globally, that the most costly breaches are actually those that hit organizations that have exactly that reality, that live in a multi-cloud, in a hybrid cloud scenario. So do you see that there's a rising interest due to that setup, or do you feel like we are just more exposed? What would be your feedback to these types of clients and organizations?
Brian Hazzard: Yeah, immediately what comes to mind, when thinking about building a cybersecurity program, is the foundational controls in cyber, the principles: you've got to know what hardware you're protecting, you've got to know what software you're protecting. And then you think about hybrid cloud, where everything's in a constant state of change. And so we have clients that I'm speaking to here as well as across the world where the infrastructure's moving from data centers to cloud and back and forth. You've got M&A activity taking place. You have complex business processes and business initiatives that are resulting in infrastructure being stood up and taken down and constantly changing. And if you put yourself in the CISO's position, you're only able to protect what you know about. And if you have blind spots, and if you have misconfigurations and process failures and shadow IT, that's where a lot of risk is introduced into the business. An attacker's not going to hit you where you're best defended; they're going to hit you where you have that weak spot, where you have that blind spot inside your internet-facing assets.
Agnes: It's all about visibility. I liked when you said before that to wear the attacker's hat is really, really paramount to being able to have a defense strategy. So let's assume we have several CISOs out there, security executives, or just technology executives out there listening today to our conversation here. What would be your three best tips, the three pro-tips that you would give them?
Brian Hazzard: One set of thoughts I'll share is a shift from a big, big focus on visibility and control to include discovery and validation. So we've all made a lot of investments to get the right controls in the right spots to prevent as much as we possibly can, and then visibility to detect and respond when under attack, to be highly efficient and resilient in that situation. But the reality is all of those investments are only as good as what we're deploying them against. So if we think we're defending something that looks like a subset of what an attacker sees, because an attacker sees us differently, well, there are going to be things that we know about that the attacker can't see. There are going to be things that both the defender and the attacker see, and then there are going to be the operational mistakes. It's incredibly important to have some mechanism to do discovery to ensure that you can see your business the same way that the attacker sees your business. And the next thing I would think about would be that validation. Once you have a good handle on what you're actually defending, you've got to make sure you have the controls in the right spot, configured in the right way, that your team in fact knows how to use them and is highly resilient and effective at using those controls and able to respond quickly when under attack. So the shift from visibility and control: the emphasis now needs to maintain visibility and control, but add to it discovery and validation to understand how real attacks take place. The last thing I would say, having gone through that experience set, is that it's incredibly important for the defender to get a very strong sense of what the crown jewels are. We're not able to protect all assets equally, and it's really important to make sure that you understand your attack surface, get it as tightly managed as possible, get those crown jewels far away from that attack surface, and get your program in place to be highly resilient in the face of compromise.
Agnes: That's great. I think that's actually a fantastic summary of the evolution of the security technology business, really. I mean, first we all talked about control, because attacks are real. Then we talked about, well, it's not a matter of whether you're going to be attacked, it's just a matter of when it will happen. Then it's the visibility component, but now discovery and validation, putting a lot more quality into what we're doing. I think that's really the next evolution that we are facing here. And we are all very excited that Randori is part of IBM and the IBM company, and we can go about this jointly, together with the organizations and clients we work with. Thank you, everybody, for tuning in. Thank you, Brian, for being here in the region with us and being my guest today, and I hope you'll tune in for the next episode of The Game Changing podcast.
DESCRIPTION
Kit Yong Tan, Head of the Enterprise Business Group at StarHub, zooms in on the importance of 5G technology to underpin Singapore’s smart city aspirations. Listen to the conversation hosted by Ronald Castro, Vice President, IBM Supply Chain, IBM.
Your host: Ronald Castro, Vice President, IBM Supply Chain, IBM
Produced by IBM ASEANZK Comms
Music & audio: Mi Mi Nguyen | Design: Jeff Koh