Martin Hinton (00:17.646) All right then, welcome to the Cyber Insurance News and Information Podcast. I'm the executive editor and host of Cyber Insurance News Podcast, Martin Hinton. Joining me today is Lee Nolan, the general manager for the UK and Ireland for Hitachi Vantara. And they're a company that helps big business manage data, which, as anyone listening to this knows, involves a lot of security, a lot of cyber. So Lee, first of all, thanks very much for joining us today. How's your day been so far?
Lee Nolan (00:42.537) Thank you. Yeah, good, good, very good. Thank you. I'm excited by this interview, so looking forward to it.
Martin Hinton (00:48.502) Excellent, excellent. Now, you've not been at Hitachi terribly long. Six months is what I think. Is that correct?
Lee Nolan (00:54.601) Just over six months, so it's been a bit of a whirlwind, but it's been exciting nevertheless.
Martin Hinton (01:01.078) And your career to this path tracks a pretty interesting path. I wonder if you could take me through a bit of the stuff you've done that involves enterprise technology and infrastructure and managed services and that sort of thing.
Lee Nolan (01:13.435) Yeah, no, absolutely. Goodness. So this is going to make me feel incredibly old. So 1998, I started at Computacenter, who are blazing a trail across the US and Europe and elsewhere at the moment. Yeah, and they were certainly in the embryonic stages of sorts to drive managed services. I was there nearly 10 years. Moved into a startup organization, so Pillar Data Systems, which was Larry Ellison's VC through Tako Ventures, which was great. And then had a couple, well, I had a stint at NetApp and then into Insight Solutions, who again is a worldwide reseller and solutions provider, which was fantastic. Then had a, went into a private equity organization, which had an exit into Ricoh. And then beyond then went back to NetApp, which was fantastic. And then into Pure for a very short period of time before Hitachi Vantara came calling and pulled me in as general manager for the UK. So yes, certainly in the UK channel, a fairly wide experience there, but also in the storage industry from an IT perspective amongst some of our competition, who are now, and they're now, exciting, and looking forward to the time that I'm going to have at Hitachi Vantara.
Martin Hinton (02:36.056) So you've got the background in cybersecurity and infrastructure. I wonder whether that dual perspective, how do you think that helps you see cyber risk and the sort of state of that reality for companies now?
Lee Nolan (02:50.5) Yeah, it helped enormously. If I roll back to Computacenter, there was a lot of client-side managed services rather than data center managed services. I know across the board at the moment that's where their offering is, but it was a lot of client-side. So understanding individual users, behavior, programs to roll out. So that's certainly the most prevalent attack surface. But then also moving in from a storage perspective and backups. Clearly those are the areas that get attacked before generally people are aware that there's an issue. Working in the PE organization, which was a company called MTI, focusing enormously around cyber security, working with both public sector organizations and private sector, it gave me the opportunity to understand in a lot more detail around how cyber resilience was being deployed and how various agents were looking to attack certain organizations and the reasoning and how it works. So I've got a good view and also things around how managed services and cyber managed services have evolved over time. You know, 24/7 eyes on glass. It's nowhere near quick enough, you know, moving through multiple false positives and how you can filter through just the logs and the notifications, getting into an environment that is automated, that does become a labyrinth for attackers. But really the market at the moment will always look to defend as best they can, but everyone realizes at some point there will be a breach and it's ensuring that you have a clear and well-trained process to recover your organization. And so that broad spread of different understanding of different attack surfaces, the technologies that are behind it, how they've evolved over many decades now, and definitely feeling old, has really helped. And it helps to take a common sense view.
Lee Nolan (05:01.848) of a lot of these environments. The cybersecurity market is enormously disparate. There's so many different organizations spinning up. And I think just having that very straightforward view about, and clarity about, how you're looking to defend and how you're looking to recover is so important, because you become highly effective then in the deployment of any plans or any defensive mechanisms that you're looking to deploy as well.
Martin Hinton (05:29.144) So you've used the words insurer, defensive mechanisms, recovery, and that pivots us to one of the topics we discussed as we prepared for this, which is the idea that cyber insurance covers some things and doesn't cover others. And with regard to recovery costs, I wonder whether you might sort of parse out some of the things that you've experienced, the things you've seen go left or right or sideways or up or down with regard to coverage and what happens when, as you touched on just now, the inevitable occurs and that breach happens. The if, the not if, but when reality of this and the cyber insurance role and all that.
Lee Nolan (06:07.496) Yeah, and I think this is normally where the presentations start, Martin, which is, you know, this is how much it costs and it could happen to you. I think it's so well publicized. You know, those organizations, JLR, M&S, Co-op, they're all in a position and people can genuinely see the hundreds of millions of dollars that they've been impacted by. You know, it wiped out profitability for a year for M&S. And so getting ourselves in a position when we're talking about insurance, what does that mean? What does that look like? And I know from our previous conversation, it really does roll back to business continuity. Where is your planning? How are you organizing your business to be able to function when that happens? What are the steps you are going to take with regards to cost? That's really down to your own organization. The assessment of the ransomware is never anywhere near as much. And I think there was one that said the cost to your business is always circa 20 to 24 times more than the ransomware itself. Right. So under that basis, you look at it and say, well, we need to be in a position where we protect our organization and we recover based on a multitude of different scenarios. The cost assessment has to be there, because there's always, how are we balancing risk to our organization, ongoing brand that's affected? And what does that look like with regards to customers potentially that we may lose? Because these are all impacts that occur when a breach happens inside your organization, and how do we manage our PR, how do we manage what we've done and how we're resolving ourselves. With regards to coverage, you also mentioned what's covered in insurance.
Lee Nolan (07:54.397) It really is down to the provider, right? And, you know, I don't provide cyber protection, cyber resiliency, cyber recovery insurance per se, right? I'm not in the insurance industry, but what I do know with the organizations I've worked with, it just depends on what you're looking at. Some organizations will protect you when it comes to assisting for recovery, what's happened, that could be down to funding forensics, audit, where you're trying to understand what's happened, how far it's gone within your organization.
And others will go right the way through to brand protection, PR organizations being spun up to look after you during that period of time dealing with the media. Because these are, depending on your organization, what type of business you're in, they can be enormously impactful from a brand point of view that I mentioned earlier. So coverage is... It's a big one. And I think having that specialist assistance as well, they will often provide assistance, audits with regards to your environment, methodologies that you're looking to follow. So there's a whole, it's such a broad market and it is quite complex and the detail is really important.
Martin Hinton (09:07.15) You used a great analogy related to car insurance to help simplify this, because you touch on a reality. It is very complicated and it isn't something that even some of the more sophisticated companies are particularly familiar with. The car analogy was if your car insurance repairs the tire or the fender, but while the car's in the shop, you don't have a courtesy vehicle covered by your insurance, so you can't get to work.
Lee Nolan (09:23.899) Yeah.
Lee Nolan (09:33.989) Exactly.
Martin Hinton (09:35.468) That's a very simple way. If we take business continuity and just put it in terms of living life continuity, that is the sort of gap that you see quite regularly with cyber insurance, where the 24x part of the ransomware is not covered to the extent that a company thought or they would like. And then these other sort of, I wouldn't say surprise costs, but they come along in the long tail in the form of litigation and... PR is very complicated, depending who you're messaging to, and it's very expensive, I say as an expert in the field. You used a phrase as a company to look at this situation and to analyze where your resiliency stands on maybe a scale of one to 10. And the phrase you used was minimum viable business. And I take that to mean, should you suffer an attack, any kind of attack, let's take it out of these abstract cyber worlds, your factory burns down or...
Lee Nolan (10:08.988) Hahaha.
Lee Nolan (10:22.706) Yeah.
Martin Hinton (10:32.238) You know, there's a disease that stops everyone from coming to work, for example. None of that sounds crazy anymore. What do you think, what do you actually mean? How do you practice that? How do you parse that out when you're looking at these situations? You know, how do you figure out what's important and what you really need, what becomes absolutely necessary during and post a breach?
Lee Nolan (10:56.336) Yeah, look, minimum viable business is critical because it prioritizes your speed of recovery, which systems and how fast really do you need to get them back up and running? There's a, environments today are so interconnected, right? And so one relies on another and it's a huge domino effect often and incredibly difficult to map. Minimum viable business, and it can mean different things to different organizations. But in super simple terms, it's really about what do we need to trade? Income is your lifeblood. And so you need to be able to service your customers to be able to maintain your income as an organization, which then allows you to function as a business. Which systems are an absolute necessity to deliver some of the fundamentals that you need as an organization? This is a board level conversation. What do we need to function as a business? It really isn't bells and whistles. It's just the bare minimum to be able to operate. And you'll isolate down a core set of systems. And you will need to ensure that you have a very clear recovery plan against each of those systems with speed where they're interconnected to make sure that your organization can run. That's a minimum. Now, generally, I think the average now is about seven months for an organization to fully recover and ensure that the systems are, you're in a better protected state than you were before, at least, right? So you're looking at seven months. Average is 21 to 24 days to get your systems back up and running in an environment that means you can trade of sorts as normal. That's still too long. If you were to say to any organization today, right, you're not gonna trade for three weeks, everything stops. It's paralysis, it's such a difficult situation to be in. Finance teams would just kind of look at this and go, hey, how are we gonna operate? Let alone the customers you lose, how do we function financially? And depending on your type of organization, that's a real problem.
Lee Nolan (13:08.994) If I take JLR as an example, the impact to them and their supply chain, for argument's sake, is almost immediate, because they need their stock straight off for their conveyors to keep moving, for the production line to keep moving. They need that stock available and it's delivered just in time. That's the idea behind the phrase. And so it's not only the organization, this has a wider impact on supply chain, right? So the organizations supplying JLR have been impacted massively. So again, it's understanding, right? How do we function as an organization if we have this enormous reliance on one single business to be able to deliver what we're doing? So there is a wider impact in an economic supply chain beyond just one single company when these incidents occur. And I think that in itself is a topic that I think the likes of JLR has really allowed people to focus on, as well as the supermarkets like Co-op and M&S.
Martin Hinton (14:18.497) You, I think in the last year Hitachi Vantara had an incident, without giving away any sensitive details. What can you tell me about how, listen, one of the things we know is that as painful as it is, when bad things happen, it's typically the pressure in that moment and the stress of that moment that really clarifies the learning curve. You learn a lot when, whether it's a mistake or someone, a bad actor or whatever it might be.
Lee Nolan (14:23.12) We did.
Lee Nolan (14:43.602) Yeah.
Martin Hinton (14:43.842) So, what can you tell me about that experience and what you took away with regard to it?
Lee Nolan (14:49.892) Yeah, look, I think it's well publicized. It impacted the organization. It was the early half of last year and I wasn't here, but it was certainly publicized and, you know, it did impact the business for two or three weeks. There was, you know, some significant impact. But the business got back with its core systems very quickly by employing the recovery processes that we talk to our customers about. And so as an organization, whilst you're always, at some point you're going to get hit, it's how quickly you can manage your customers, how you can work with them, allow them to understand, have very clear communication. And of course, in parallel, recovering your systems, identifying where there is a breach, ensuring that's isolated, and that was very quickly identified and isolated, and then bringing systems back up in a clean way. And Hitachi Vantara, because I've spoken to our CISO about this, who we actually use to present to our customers and other organizations that we're engaged with about what happens. Our customers constantly feed back to us and say, our relationship with you as Hitachi Vantara is so much stronger because of your communication. We kept everyone updated. We allowed them to understand what was going on. They also work with us because they learn what we did. How did you do it? How did you manage it? So from very personal experience inside of Hitachi, we understand what it means, what impact it has.
And so with some of the lessons learned that we have from that, about how we could be better, there's always ways that you can improve. And we are proud of how we managed that. We know it's going to happen to everybody at some point, you know, one time or another, but how do you get the organization working so we continue to function? And we have done that. We got back to a working organization very quickly and we've just finished our financial year, you know, in which that cyber breach was in. So very proud of the results we achieved.
Martin Hinton (17:02.55) You touched on something that is a little outside what we discussed prior to this, but it's really interesting. What you described is the communication level of it. And I've read more than a couple of reports about the perspective CISOs benefit from or believe they would benefit from. And one of them is to be able to talk to other CISOs at other companies, which in a competitive business environment is maybe not traditional, should we say, but that idea of sharing information about what they're seeing, how they reacted, what went right, what went wrong. And also the level of communication about, and the word I like is transparency, with customers or clients and that sort of thing. I wonder whether you might have something to add about that, that being slightly counterintuitive, but because we're facing, in the case of cyber risk and cyber crime, an almost relatively new problem in the business landscape, and the phrase I've heard used by consultants is it's one that requires adaptive change, as in yesterday's solutions won't solve today's and the problems coming in the future. And in the interest of being a business leader, I wonder whether you have any thoughts about that from a managerial point of view, that this is something that requires a little more, is collectivism too much of a word? But that idea that CISOs, again, at competing companies, wouldn't normally share secrets, and I'm not suggesting that's what's happening, but that idea of communication and telling war stories even about how you dealt with a breach and what worked and what didn't.
Lee Nolan (18:35.88) Well, I think we learned a lot about what that communication looked like as a business. And I think you've touched on an important point, which is it's still a bit of a sensitive topic. People don't want to talk about it maybe too much. They don't want to discuss it. But actually, that openness amongst the good guys is what allows everybody to learn and understand what does good look like? What did you learn along the way? What happened to you? And it's really important. I guess tentatively Hitachi Vantara did share and was very transparent in the communications. And I wouldn't say a surprise, but we were happy that that approach paid huge dividends. You know, there was an enormous level of respect for that openness. Trust was built up enormously in being so open and transparent with our customers and our suppliers, and working together, we now have a much higher degree of proximity to those organizations because we did that. And we still have sessions and workshops today with a wide variety of organizations, giving them a view about what happened to us. This is not, you know, a dark, dirty secret. This is something that we need to share and learn together. And it is difficult to do because people just want to hide away sometimes, I think, and just go, well, it never happened to us. But the truth of the matter is it does.
Martin Hinton (20:00.942) I think that the flag to raise here for anyone listening or watching is that it's quite common for studies to report that only one in nine ransomware attacks is ever made public. And when you're trying to assess risk, whether you're an underwriter or just a business, it's really hard to do when you don't have intelligence about the threat. And that is the most obvious intelligence there is. How often does this happen? Well, if you're only hearing about 10 or 12% of the incidents, you're going to maybe have a slightly positive outlook that isn't deserved. You touched on the JLR, the Jaguar Land Rover hack. One of the things that we've, I believe, this is my opinion, we've come to this moment in the tech information age revolution where we've enjoyed all of this frequency reduction, excuse me, friction reduction. And you know, it's as simple as being able to email something and not mail it. And we went from mail to fax to email. And you know, now we're complaining about email because we get spammed so much. But there are so many other ways, even the paying of bills, mailing checks, you can wire money now. These seem like they've been around forever and they are relatively new things. Even doing things on a personal level like, you know, sitting on the train and maybe paying your bills on your bank app. These are things that happen. But these reductions in friction have come at a cost. The phrase you use, the just-in-time supply chain, which obviously means that you're not warehousing things, you're not paying that extra cost to store things somewhere because you're not quite ready for them yet, or you're worried about them not being delivered on time, this great efficiency means that there's not a lot of redundancy. And I wonder whether you could sort of parse out and, if you will, double-click on the... the JLR reality and how that isn't just a JLR reality. This is a reality across business, whether you're dealing with physical supplies or even just data moving through, if you will, the internet. Tell me a little more about that landscape and that reality that really also touches on the idea that you've mentioned. It's not if, but when for this sort of thing for companies. And it's because we share a common vulnerability.
Lee Nolan (22:12.986) Yeah, there's a couple of things here, but I did reference JLR and I think that's a physical component example of just-in-time, right? So those components by the conveyor belt, it's highly efficient and then effectively almost doesn't touch the shelves, right? As it's then deployed within the vehicles and then off of the conveyor belt or the production line. And my point there was that with the JLR impact, then there were a whole stack of supply chain organizations, many of which were SMBs in the UK, that were hugely affected and didn't have the deep pockets of someone like a JLR to be able to tolerate that type of impact from that incident. So I think there's such an economic impact beyond just that one company. You know, these incidents now, especially with the larger organizations, are much wider. And there were many stories of supply chain organizations that were impacted in that. I think when you start looking at, you know, from a digital perspective, we're seeing suppliers, whatever that may be, whether that's physical or digital of some way, shape or form, that we see bad actors attacking the supply chain to get into the main organization. So there are a whole stack of issues there about making sure that your supply chain, and we're seeing this an awful lot more over the last few years, how secure, how protected, how quick are they to recover in your supply chain, identify issues that have occurred beyond just the main single organization that they're supplying to. So there's a whole wider ripple effect around these challenges that organisations have that they need to make sure they're constantly adapting to.
Martin Hinton (24:16.894) In the insurance context, when you look at that supply chain liability, I suppose, what's your experience with where policies have lines that maybe people didn't realize were there beforehand, or they hadn't been talked through a policy that extended through their entire supply chain to protect themselves, them against the liability, and also to give them the ability to call back money in the case of a breach. What kind of boundaries are there for that?
Lee Nolan (24:42.908) Yeah, I think that's like any insurance policy. Number one, make sure you understand it in detail and where your coverage is and where it isn't. There are challenges here where who is liable? You know, if the breach is from a supplier, then is the supplier liable? Are you chasing down a supplier for that? Is it the insurance company that's then going to be looking at compensation from them? That's a challenge. And if the issue then extends beyond the remit of your policy, then suddenly you're left exposed. How far can you go? I use that there was a film many years ago called Deep Impact, right? And then it was about the president having an affair with a woman called Ellie, which wasn't the case at all. There was an asteroid heading towards Earth and it was going to destroy Earth. And E.L.E. is an extinction level event, right? And actually, I think Deloitte has been talking about this for many years. And we are at that stage. This happens. This is not something, oh, we're going to get to the stage where organizations are going to stop trading. This is happening. Businesses, I agree, but they're a lot smaller than some of the organizations we referenced. And maybe that will take it where one of these large names will end up going out of business. An extinction level event where the incident is so severe, has such paralysis on that organization, that they're out. How does an insurance company cover that? Is it the liability then from a cyber perspective where an organization no longer functions? So policies can go so far. I certainly see an awful lot of the insurance area providing very valuable insights from an assessment point of view. How risky are you as an organization? What specialisms do they have? What methodologies do they follow? Because we all understand, forgive me, some of the very basic accreditations on cybersecurity, tick in the boxes, I'm not going to reference any names, are very basic. They give a level of security, they give maybe some kind of security, they feel okay, but they're not genuinely probably fit for purpose at that stage.
Lee Nolan (27:04.2) I would, my advice would be genuinely to lean on those insurance organizations. It should feel more like a partnership that they're working with you. And it's not an arm's length policy with someone, you know, in dark clothing, standing behind a piece of paper. It shouldn't be that way. And I think under that basis, you can only get very good advice about options and how you can strengthen your posture, you know, and I'll go all the way back to it's how you recover, right? Accept, you can be very defensive. It will reduce your probability, but it's going to happen, right? So you just extend the time it takes. It's how you can recover, how quickly you can recover and get your business back up and running in that minimum viable business that we've already discussed.
Martin Hinton (27:45.848) So when you talk about recovery, one of the things that happens in a breach is typically your data goes unusable, right? You lose access to your data. And the phrase you use, which I love, was data is the new oil. And if you could imagine as a company that you start a Monday morning and you don't have access to anything, like overnight, your organization has lost all its data or has had it encrypted. And I wonder whether companies, you touched on this, don't quite appreciate, the phrase that I've heard used and you use is data sprawl. This idea that they've got, it used to be you had to keep paper copies of things. In the US it was, you know, IRS tax records for seven years as an individual in boxes on paper. And now it's easier to keep things because the storage has gotten so much cheaper. And I wonder whether or not you could talk about, like, the exposure that exists in that respect and the way that complicates recovery.
Lee Nolan (28:40.208) Yeah, goodness me, there's a lot. Well, although it's quite topical at the moment, the Strait of Hormuz is still blockaded, you know, however you were to perceive it. But, you know, I look at that and say, you know, oil, if you don't have oil, then economies, you know, slowly grind to a halt. You don't have data, everything stops immediately. Right? Everything stops, because there is no information. So, yeah, data is the new oil. I think when it comes to data sprawl, this is important, right? Generally, the most important applications, your minimum viable business, there is a level of centralization and you need to make sure that's covered and it's backed up. But there is so much data. You know, the data created this year is more than all of the years ever put together, right? There's more data created in the next 12 months than there ever has been, all cumulatively put together, which is crazy, but those are the stats and next year will be the same. So, you know, a lot of people talk about, I don't know whether they can remember this, they used to back things up to tape, that still happens. But the challenge here is, because data's got so big, how quick can you load all of that information back where you know it's clean to get your business, your minimum viable business, up and running? You know, Hitachi, it's about flash and speed of recovery. We work with the likes of Commvault, so we have a fully integrated solution that allows us to recover quickly. And that centralized approach, identifying those critical applications that allow you to continue your business under a minimum state, right, as you bring systems back online, but you need to be able to recover very quickly to those key applications. We are in a global environment now, but at the same time there is data sprawl and there are solutions that will understand in an automated fashion critical information and bring that together for you so you can recover.
Lee Nolan (30:38.98) And that's where then your policies, your processes come into place to say, right, this works here, technically, what processes are we now deploying in these situations? And one of the things that we did discuss around this when we talk about data sprawl, and if you're bringing it together, is when you recover, are you training? You don't suddenly walk on, forgive me for the sports analogy, but you don't suddenly walk onto a football pitch and be the best football player in the world. It just doesn't work that way. It's many thousands of hours of training and continuous training. You know, the best footballers in the world, the best sports people in the world, they train all the time. And so you have to be in an environment that says, are we training ourselves to be able to do this correctly? When did we last train? Who was here? Have we tested these processes? And you need to continually do that. So you need to have technology in place that allows you to do that. It's not about walking around pulling plugs out of things or deploying certain systems down. You can spin up these environments to allow your teams to train and you can report back and then you can start getting better at what you're doing. That also gives board level confidence to say, if these things happen, our teams are trained to be able to bring us back. And they will be able to bring us back in these timelines.
We're confident we have the coverage to be able to do it. I think just sitting there and saying, well, let's hope we don't get hit and we're protected and we've got some backup somewhere, it's just not gonna get you through. And that's where we've seen some of the impacts. Martin Hinton (32:11.342) Yeah, mean, that sound advice that you hear from everyone who knows what they're talking about is you practice like you play, and if you don't practice, you don't play. These are not, again, the sports analogy is a side, but it's no different than anything else. If you're a pianist or if you're a singer or an actor, you have to, and some of that training is mundane. And aside, I went on tour with a... big rock band once. And I was amazed that the lead singer was doing vocal coach work for an hour before each concert, just to warm his voice up and to keep it fresh. he was singing five nights a week. And it's a, I didn't even think about it being a physical strain on his neck. And he ate and drank to prepare himself. And it was just one of those moments where you realize that that idea, that idea of preparation leads to performance. And that is ubiquitous piece of advice. it's very important that you take that on board. It's also, Amazing how hard it is to do for people sometimes to take that time and to train and not just make it some sort of you PowerPoint that you check a box on and so yeah, they trained but they didn't really learn anything They're not really prepared so that I think that sounded nice you you gave me a castle and moat metaphor when we spoke I wonder if you could take me through that because as Anyone who's seen my podcast knows I like people to explain things to me like I'm a fifth grader to put it in the American school context But I also think that they that helps because a lot of this Lee Nolan (33:27.431) Yes! Martin Hinton (33:39.931) is really important to people who maybe aren't technical. 
So take me through the castle and moat metaphor with regard to this.

Lee Nolan (33:44.711) Yeah, no, of course. So this is where you'll hear terms potentially like air gapping, et cetera. So in a world of everything's connected, when everything is connected, that means that the bad actors can get everywhere, right? Because everything is connected. And so under that basis, even if you have a backup environment, even if you have terms like multi-factor authentication, these bad actors will still gain entry into that data. And obviously it's then encrypted and then they'll start this, potentially in a ransomware environment. You'll then go, my goodness, go to the backups. They're all encrypted. So in very simple layman's terms, you build a castle for your most critical data. And that's where you store the clean copies of that data, right in that castle, and you build a moat around it. It's not connected, right? It's not on your network. It's in a very clean environment, isolated from the rest of your network where no one can get there. And then, in a very, I mean, this is very simplified, you would lower the drawbridge, load your new data and lift the drawbridge up again. It cannot be attacked. You cannot be in an environment. And the only things that pass into that environment are clean. So all of those things, things like clean rooms, et cetera. So you shall not pass the drawbridge unless you've been truly inspected and you're allowed in. And I think having environments like that, we have to be smarter. You can't adapt to everything. As an example, this was back in, I think it was 2017, 2018, you talked about an adaptive environment. Some of the people watching this may even recall this potentially, an American casino that was breached through its smart fish tank. Sometimes you just can't anticipate
Lee Nolan (35:43.497) what's going to go on, you know, all devices, light bulbs, all sorts of different devices are now completely connected, you know, secured doors, physical doors, they're all connected. There's access points and your attack surface is so wide now, it's really difficult. So having an environment that says, well, data can get bigger, could be more complex, our systems can have sprawl, but our minimum viable business lives in a castle, right, with a moat around it. And we know we're safe. The team can access that castle when an incident occurs. And we can now know that those systems can exit the castle and we can deploy our business and we can recover from a horrible situation, but we can recover from it and we can continue operating as an organization. So yeah, there's a whole stack of things to take into account. And you're right, being adaptive, because especially in the development of AI, which on a one year development cycle is crazy, so who knows where that's going to be in 24 months, 36 months time. You just never quite know, it's always developing and growing. So having an environment where you know the basics work well, and the castle and the moat does work well, very well, then I think that's sound advice for any organization, just making sure they're prepared.

Martin Hinton (37:02.958) So, prepared. Preparation starts at the top and we've touched on communication and leadership and phrases like adaptive change. I wonder whether you might take me into the sort of C-suite and the board level conversation that needs to be occurring. You know, if a board member or a CEO or CFO is listening to this or any member of the C-suite, what kind of things should they be asking the CISO, the Chief Information Security Officer, about? You know, that's sort of a new role at a lot of C-suites. You know, sometimes they don't report directly into the C-suite. They report to the CFO. So they're slightly outside the core decision-making group.
The board maybe meets quarterly and has time demands, and they only get 30 minutes a quarter. What types of things should be on the agenda, top of the list, for a conversation with a CISO if you're at a board or C-suite level now?

Lee Nolan (37:55.461) Yeah, and this is a big topic, right? Because some things will generate profit and some things will stop you from no longer making profit, right? So, and it's one of those stops, you know, you'll be in a position where there won't be any profit to kind of worry about because your business no longer is functioning properly. So I think there's a couple of things. A CEO is a board level topic. We've seen it on the IT agenda items for at least the last five years, cybersecurity is in the top three of board level discussions. I think predominantly we've moved beyond, you know, your basic certification to say we're fine. We've got the tick box, right? And everything's okay. I think there's a few things. Everybody seated around that board needs to take cybersecurity seriously. The number one entry point for bad actors is your end users. Over 90% is to do with some kind of end user integration. Phishing attacks are well over 90%, right, when it comes to entry points. So everyone around that room making sure that all employees are taking it seriously from a protection point of view, but recovery is critical. So the number one, the CEO has to take cybersecurity as a top priority. It's something that can stop you from trading, in the same way that you're a financial services institute and you need to be compliant to FCA regulations or SEC regulations. Cybersecurity needs to be there too. Right. So number one, CEO takes it seriously. CISO, the CEO needs to hold the CISO to account, right? The CISO needs to hold the business to account. There is always a trade off, because you can just keep spending on security and you need to make sure that there is a balance. There is not a bottomless pit of money.
But the CISO also needs to demonstrate the value of recovery. So protection with an acceptable level of risk. No risk is acceptable. Well, I'm afraid in cyber you have to accept some.

Lee Nolan (40:02.16) And recovery has to be the demonstration of your minimum viable business with a demonstrable record of how quickly it takes you to recover and what impact that is to your business. So if your recovery window is three weeks, is that acceptable to your board? And if not, what does it require ongoing as investments to make sure that recovery window is acceptable? No, by the way, no recovery window is ever acceptable, right? Less than 10 seconds, but realistically, when you hit these types of incidents, what can the business just about absorb to be able to carry on? And that's an honest debate around the board to make sure that the investment balance is there with regards to the acceptable window for recovery. And then that kind of defines your investment profile. So it's never about whether you have the ability to recover your minimum viable business. It's generally the speed at which you can recover that business, because the lowering of the investment generally means the elongation of the window that it takes to recover your organization, even under a minimum viable business scenario. It's a board level topic and it has the ability to close you down. And as I suggested, you need to have it at the same level as FCA or SEC type regulations, because if you're not taking it seriously, it's going to very quickly come back and bite you. And you may well have an event like Ellie, right? That's the simplest.

Martin Hinton (41:28.878) You contextualized this when we spoke in planning this, that it needs to rise to the level of a health and safety standard. And health and safety, for my American audience, is like OSHA. This is high vis vests and hard hats on a construction site.
And then a myriad of other rules and regulations that are designed to keep the employees safe, largely for their safety and physical protection.

Lee Nolan (41:37.777) Yes.

Martin Hinton (41:56.44) But the wise part of that for our business is that then they're safe to continue working and making money, as in not interrupting business. The health and safety reality and the OSHA standards that exist need to, that mentality about why they matter and adherence to them, this issue of cyber needs to rise to that sort of level. And that's a way to equate it to something that already exists and you see, okay, we have to spend a lot of money on that stuff, but A, it's required and B, it's actually quite wise, or A, it's wise and B, it's also required, however they might look at it. Is that a sort of way to think about it for a company that maybe is not cyber, but everyone's cyber and digital now?

Lee Nolan (42:36.484) Yeah, and it's interesting, because the health and safety example that I used with you, the reason I used that was that it's relevant to almost all size organizations, if not all actually, which is that there is a sense of responsibility to someone's well-being and everybody has a level of ownership, right? You know, if you see someone that's not being safe, you need to flag it to them, you need to keep everyone in account and you're accountable in turn for their safety. And the reason I spoke about cybersecurity is if we don't have that same level of focus and attention, then OK, it's not personal injury per se, but there's lots of people that could be out of a job. Right. And that level of impact arguably could be just as bad, if not worse, to those individuals. Right. So I think health and safety is something that's non-negotiable. It's not about fines. It's about lives. And so it's taken that seriously. Cybersecurity has to be considered in that light.
However, it's not a bottomless pit of investment. And so this is why you have insurance to ensure that, forgive that, you have insurance to make sure that you've got that coverage in place to fall back on, right? And you've got those experts that will immediately step up as part of your business continuity planning. It has to be taken seriously. Look, I think most of... most of the market now has moved into a position where they are taking it seriously. I still think there's elements of it won't happen to me. We still have very basic issues among our user base, you know, password management, you know, multi-factor authentication is only deployed in about a quarter of organizations even today. You know, these are very basic tools that people need to be leaning on just for that first, first defense protection, right? And making sure they're in a position to be able to move forward. So sometimes the investment profile doesn't allow you to do those things. And that means it's not really been taken seriously. It is a matter of priorities inside the business. Any CEO or all of those members around the board will have a set of priorities they want to spend on. You just can't compromise on cybersecurity and recovery, right? Because it's the reason why your business actually runs.

Lee Nolan (44:58.504) And unless you've got that investment and the recovery elements there, your business is not gonna exist, right? So you must be taking it seriously.

Martin Hinton (45:06.04) We've touched quite a bit on incident response planning and the sort of fundamental things that get overlooked. In the UK, the Cyber Resilience Act, one of the tenets in it is that you have a physical copy of your incident response plan. And I think I mentioned to you when we spoke that I'd been told about a lumber company that spent two weeks trying to begin their incident response plan, but they didn't have all their phone numbers in a physical form, right?

Lee Nolan (45:20.87) Yes.
Martin Hinton (45:31.926) So I wonder whether there are other sort of fundamentals in that space that get overlooked. And the Cyber Resilience Act, it strikes me as pretty forward tilting in this space. I wonder whether you have any more thoughts about those basic things that exist in planning for failure, because you know it's going to happen, in almost that sort of mindset that any complex plan has in a complex environment. The environment and the future and any adversary you might have, they have their own plans, which is going to make your plan obsolete the minute you start to employ it, right? There's gonna be things that change your plan, and "it'll rain on your wedding day" comes to mind. What else might you have to say about that?

Lee Nolan (46:12.506) Yeah, look, I think it's an interesting one that is often overlooked. If you don't have a hard copy of people's telephone numbers, you're not going to be able to look them up, right? Because you can't get access to the data. It doesn't exist. It's not there. So it's very basic things like that that allow you to move forward. For me, it's critical individuals. The basics. And I'll say this because this should strike a chord with most. It's keeping up to date. Right. You will tend to find there, unfortunately, it goes in waves. You'll have initiatives inside of organizations. We're all about cybersecurity. We need to make the investment. We need to get these things done. It's business continuity planning. We need to make sure we're covered on this. It's a big wave, big initiative, perfectly done. Everything is amazing. And then... it troughs, the attention moves to something else. The spotlight moves elsewhere and nothing's kept up to date. And people move on, they change, systems change, priorities potentially change, your organization becomes international when it was once national. The systems are now hybrid, across a number of hyperscalers. So your data becomes disparate.
Therefore your process planning, your recovery planning will change. The telephone numbers on those pieces of paper, I'm sure, right, will also need to change. And yet it's not a one time only thing. Part of your process and your basics need to be, okay, each month, let's just double check everything's as it should be. Are these people still employed? Are these their telephone numbers? Have any of our applications changed? That can be done very quickly. You know, in this world of workflow automation, those checks can be done, right, in a matter of minutes. But they need to be done. Those workflows need to be employed to make sure that there is a cross-check against all of that. Are those plans correct and up to date? Yes. Right. In that case, fine. We don't need to reprint everything. Right. Actually, there are some changes. We need to get the hard copies done, and we need to get them printed out. So it's super basic things like that. While I'm talking to you, you would say, well, of course we do that. But actually, I would say common sense tells you, you know, that those waves of initiatives inside an organization move on.

Lee Nolan (48:36.552) And then there is an assumption that somebody, not that anybody's been allocated the responsibility, somebody will keep them up to date. And it just doesn't happen. And then the whole thing folds and falls to bits in nine months' time, two years' time, when suddenly you realize, goodness, everything's changed. We've had an incident and now actually three quarters of this data, this information that we printed off, isn't worth it. And that's when you get into these situations where people think they're prepared and they're not, because they had an initiative 18 months ago, but nothing's kept up to date. So I would probably pull that out as the most basic thing that needs to be this obvious that isn't that obvious when you're in the corporate world and there are waves of focus over here and people are time poor.
Martin Hinton (49:22.828) Yeah, I mean, I think you make a good point. You know, what keeps you secure is perishable. Plans are perishable. Information is perishable. You know, what's true today may not be true tomorrow. And that's just a function that time changes things. And it is one of those easy things to look at. And you make a really, really good point. And the analogy I've used is that, you know, cybersecurity in this side of the business is almost like being good at retreating. If you're a general, nobody gets promoted for being good at retreating. You get promoted for being good at attacking, and if you equate attacking to revenue creation and defending to, what, you know, protection of things or spending, I suppose, it is that idea that you need to do very simple things and there needs to be a routine to it. For me, this is one of those examples where I can't imagine there isn't, and you touched on it, some sort of AI integration where it can create a quick moment where once a month or however frequently you think you need to do it. Maybe it's something you should check your cyber insurance policy and make sure you're doing as frequently as you're supposed to to stay insured. That idea that it goes away is really, it's important. I mean, something as simple as phone numbers, being able to call people. Do you have everyone on that list you need? Do you have legal counsel? Do you have an outside consulting firm that's engaged in PR on the B2B level and then to consumer level as well? There are a lot of boxes to check and then make sure you can keep them checked over time. You touched on, and I wonder whether you could just explain this for maybe a non-technical executive, immutable backups and clean rooms a little bit ago. I wonder if you could tell me, for someone who maybe doesn't really know what that means but nods their head knowingly when they hear those words, what that means to someone who is only capable of the plain English.
Lee Nolan (51:10.114) Yes, so we'll start with immutable backups. So you'll hear a lot about immutable backups, or sometimes they are known as WORM. You'll hear the term WORM, right? WORM is write once, read many. And what that basically means is you write the data once and from there on in, it can't be changed. You can read it lots, but you can only ever write it once. And immutable backups are effectively the same thing, right? Those backups are written once and cannot be changed. Access to them can be changed, but the backups themselves cannot be changed. The backups themselves cannot be changed at all. So I think when people say, well, I've got immutable backups, you go, okay, that can freeze you out of the backups, right? So you can't get access to your backup environments. This is why I talk about a castle. So you need to be in a position that says, if all of our data is clean, i.e. there is no bad actor or bad code or whatever it may be within that environment that if I suddenly recover it, I've effectively recovered the ransomware all over again. If it's clean, then I can bring it back. And immutable backups allow you to say, we're good. But that's not a singular solution, right? It has to be harnessed with... forgive me, my castle, right? You need to put it in an environment that itself you're not blocked to get access to. So you can retrieve those immutable backups. Those things become really important. And a clean room is ultimately, I'm gonna think of a really terrible analogy at this point, Martin, let's, you know, if you're open, you don't know what's inside the box, right? Imagine backups like a box, it's full of all of your data. And, but you know that someone's infected all of these boxes, or all of these boxes to a certain point. Because when you get ransomware in your environment, every time you back up, you're backing up the ransomware. The badness is in that backup.
So you need to go back to a point in time where your backups are clean. It was, it wasn't in that environment. There's a couple of ways of doing this, but I'm going to take the basic one first. The clean room.

Lee Nolan (53:28.9) allows you to open the box and go, goodness, it's still there, and it doesn't get out. Okay. You effectively can close the box. I don't want it anymore. 'Cause once you've opened it, then it, you know, it starts to spread all over again. So that's your clean environment. It's your environment to say, right, what have I got? Until you get to the point where you go, okay, this is good. Now you can take that into your Tura environment. So this, this environment is called clean. It's almost, if you were in a medical facility, right? It's one of those rooms that says, okay, the virus doesn't go out beyond this environment. And so that's what it allows you to do. Sometimes, depending on, you know, how long something's been in your environment, or how far it's penetrated, you can get that box, open it, and you can actually try and clean your backup, right? How can you unpick what's there, what's infected? There's a possibility of doing that. And then what you're left with is okay, and then you can put it into your environment. That's rare, but especially if you're in a pickle, you might need to do that. But that's those clean rooms, the immutability, all of those are part of, to be honest, a fairly standard recovery process. And I think everybody in an organization at board level should be just intrigued, be inquisitive about what capability your organization has within your recovery. Spend a half a day, get someone to talk you through it in very basic terms. What have we got? How does it work? What does it look like? And the laws of physics still apply, right? Just because it's technology speak, right? Common sense is still absolutely appropriate. And so never worry about some of the language that you use that you may feel is fairly basic terminology.
I always say if someone can't explain it to you in very simple form, then they probably don't understand it that well themselves, right? So suddenly you're getting confused by terminology. It's quite all right to, exactly as you did earlier, you know, I'm in fifth grade, explain it to me simply. And if they can't do that, then they don't understand it. And you've got a whole problem in itself with the staff you have. So I wouldn't be too worried about the terminology. I would just ensure that you understand and it makes sense to you. Never be in a situation, even at board level. It doesn't matter whether you're HR, the CEO or whatever role you have. If you don't understand it basically, and say, well, what happens, what happens, what happens? OK, get it.

Lee Nolan (55:54.225) And until you understand, you need to understand it as well, because business incidents and continuity planning affect everybody sat around the board. So you probably need to understand it, at least what's happening, where are we up to? So whether you're communicating with your staff, your suppliers, your customers, you can do it in a way that everybody else understands. So take that time and understand it. And I'm glad you asked me that question about, you know, things like immutability, clean rooms, you know, I explained about things like WORM. Everyone loves an abbreviation in IT and it is really not required. Sorry, I'm completely digressing, but there was one thing where someone said to me, oh, we've got some TOR switches. Now, anyone in, generally most people in IT, will go, they'll know what that is. Now, to a man or woman on the street, go TOR switches. What is that? TOR? What does that mean? Is that some complex terminology? Well, when you're in a data center, you have racks, right? And the switch is, guess what, the top of rack. So it just means that a switch is at the top of the rack. Why don't we just say the switch at the top of the rack? OK, great.
But no, we will just sometimes, I think it's just a language maybe just to alienate everybody else. It's like a secret code. There really is no need sometimes.

Martin Hinton (57:12.91) The cynical journalist in me thinks that you can probably charge more when you train people in acronyms, but maybe I'm

Lee Nolan (57:19.226) Maybe, maybe true.

Martin Hinton (57:22.478) I want to wrap up, because one of the things I really enjoyed about preparing for this was that it's yet, and I have them quite frequently to be fair, a reminder of how little I know. And Hitachi Vantara is a massive organization. Is it 200,000 employees and 70 billion in revenue? I wonder if you could tell me a little more about this enormous global technology company that I guess I should know more about.

Lee Nolan (57:24.988) Yes.

Lee Nolan (57:46.281) Yes, look, we're really good at not making a lot of noise, right? So Hitachi Group, so Hitachi Vantara is part of that group. Hitachi Group is, yeah, it's in excess of $70 billion, with well over 200,000 employees worldwide. And it's a digital organization, right? A lot of people who maybe are as old as me remember Hitachi for all sorts of different consumer electronics, amongst other things. Hitachi has really looked to focus on social infrastructure, digital enablement and really driving technology where IT meets OT. And I'll give you an example of that. So things like Hitachi Rail, we have AI stack solutions that are deployed from a rail operator's perspective. We've got those also in providing it to various organizations worldwide, from airlines. Also renewable energy, huge focus on sustainability. Hitachi Vantara are the only storage company to provide Energy Star certified and rated products to market. So we deliver the highest level of storage per watt used than anybody else in the industry. So there's a huge focus, Japanese production.
So we are a Japanese organization, whereas in this economic climate or political climate, that's a pretty positive thing for some these days, right? Really powering ahead with sustainability, Japanese high-end production, and Hitachi is used in some of the most critical digital infrastructure in the world. Bulletproof is what people always term it, and right now it's, you know, we're a sleeping giant in a lot of senses, although we're a 70 billion dollar organization, and Hitachi Vantara is a sleeping giant. We have, of course, I would say so, but some of the most innovative market leading products in the environment, we just don't tell enough people about it. So we are a behemoth with agility and innovation at our core, always associated and underpinned by sustainability, really pushing out into the market. So I'm glad you asked me. You know, it's one of the reasons that I'm talking to a host of different organizations, really to allow them to understand there is a choice.

Lee Nolan (01:00:10.182) You can choose different and you will be very pleased and surprised. It's just, yeah, we provide the dial tone to IT. People just don't realize who provides the dial tone, and that's us.

Martin Hinton (01:00:21.976) So we've been talking about an hour and, as promised, I wonder whether there's anything we didn't touch on or we didn't get to that we discussed prior to the recording that you'd want to say something about.

Lee Nolan (01:00:32.744) I think we've covered an awful lot. I think something that's really important to me, which is maybe off topic a little, is coaching others. I'm a big fan of paying it forward, right? So I think anybody that is listening to this, if you've got experience, you've got skills and capabilities, I think it's really important to think about how you pay it forward to others. And I think not only are you helping somebody else, which is a decent human being thing to do, I think it helps feed your soul as well. Right.
So it's something, it's a good thing to do for those early in career, those others that need help. I think it's really important, no matter what industry you're in. I think sometimes, you know, whether you're in cyber insurance, IT, sometimes you can go, what good am I doing in the world? Right. And society where you can help others. That's your gift. And I think it's good for the soul. And I think in this world of self-serving, often driven by social media and various norms in society, I think the ability to be kind has been lost sometimes. So my final words would only be about just be kind to others. Not only is it the right thing to do, it's also good for you too. So those will be my final items to cover, my time.

Martin Hinton (01:01:50.264) Well, I will say on behalf of Cyber Insurance News, hear, hear. I completely concur, and I'm a professional in a business that's built on mentoring and that sort of thing. And I've enjoyed them myself and I hope I've been able to be one in some way for others as well. So one last question. You're in London, you're in the United Kingdom.

Lee Nolan (01:02:10.536) Yeah.

Martin Hinton (01:02:14.86) For UK business leaders listening and watching, what's the one big thing they should take away? If they only remember one thing from this conversation, what should it be?

Lee Nolan (01:02:23.784) If you haven't asked your CISO inside the last four weeks how long it takes you to recover, I suggest you go and ask them that question. Be inquisitive. In all seriousness, be inquisitive, ensure you understand, and you have to understand what your minimum viable business is. That would be it.

Martin Hinton (01:02:45.898) Lee, anything else? Great. Well, Lee Nolan, General Manager of UK and Ireland for Hitachi Vantara. Thank you so much for the time. Everyone else, appreciate it. We've referenced a few things here. There'll be links down in the show notes as well as links to Lee and Hitachi Vantara. So you can find them and follow up.
If you've got a question or a comment, please, wherever you might be listening or watching this, leave it in the comments and we'll get an answer to you or I'll pass it on to Lee and see what we can find out. And that's it from us.

Lee Nolan (01:02:47.782) Not from me, thank you so much.

Martin Hinton (01:03:15.662) for today. I'm Martin Hinton, the executive editor of Cyber Insurance News and Information. Thanks for watching. Enjoy the rest of your day.

Martin Hinton (01:03:25.75) Stand by one sec.