Yaniv Kapluto (00:00) At the end of the day, to really get into an organization, the easiest way, the soft belly, is people.

Martin Hinton (00:08) to the Cyber Insurance News and Information Podcast. I'm the executive editor of Cyber Insurance News, Martin Hinton, and you've all probably heard about human error being one of the primary causes of a cyber breach. Today, we're going to be speaking with Yaniv Kapluto, the chief revenue officer at nuKudo, about another human reality in the cybersecurity space. First of all, Yaniv, welcome. Thanks for joining us. How are you doing today?

Yaniv Kapluto (00:32) Very good. Thank you for having me, Martin.

Martin Hinton (00:35) So I know that your pathway to this position now at nuKudo comes through medical device security. And I wonder if you could tell us a little bit about your background and how you came into this moment in your career.

Yaniv Kapluto (00:47) Yeah, yeah. So I've been in cybersecurity long before it was called cybersecurity. So I got into it by mistake sometime in the early 90s. I was a practitioner myself and moved at a certain point to customer-facing and revenue roles. That's about it.

Martin Hinton (01:14) So you are solving a problem that exists in cybersecurity that is maybe not the most talked about. Tell me about nuKudo and its origin story and the mission itself, you know, what it's on a path to solve or achieve.

Yaniv Kapluto (01:29) Yeah, we basically... originally our company was founded in Singapore. The reason it was founded is because we had some government contract to help them build cyber centers. And then the next thing that happened is, okay, so now we have the methodology, the tooling, everything is set up and working. How do we staff it? Right? And we realized that it's hard. It's hard to find the right people for the right roles. A lot of people get into cybersecurity like I did, by kind of a mistake. But for a lot of people, it's not really a good fit.
It's like, you know, some people see it as some sort of a glamorous role or something that's interesting to do, but you need a specific type of personality and you need grit and other traits that are required, and there are different types of roles and you need to know exactly where to go to. And the company was founded. Today we have about 400 employees globally in secondment. Some of them are in B2G, so working in different government functions in different places. And some of them are working for businesses. And the way that we do it is we're looking for, basically, diamonds in the rough, right? They have everything that is required, but they're not there. And it's really hard to get into a cybersecurity career because everyone is asking for three years' experience and things like that. So we find the right people. We identify exactly what type of roles those are: customer-facing roles like SEs or implementation engineers or things like that, or is it people that will sit at the SOC, or analysts, and so on and so forth. We train them for those roles. We give them all the basic training plus all the advanced training and certification. And then we place them in organizations that really fit their personality as well, because it's different to work for a bank than for a software company that's developing the new, I don't know, breaking AI solution or cybersecurity solution, or an industrial company or a hospital system. Each one of those requires different personalities, even for the same roles, because it's a different way to... different cultures, different ways to communicate. We built nuKudo here in the US about two years ago. Right now, we're in the process of hiring 50 new additional engineers. About 20 of them will be cybersecurity, and about 30 are going for another gap in the market, which is AI front engineers, people that are actually able to securely and in the right way help organizations do the transition into AI-driven organizations.
Martin Hinton (04:35) We could delve a little deeper on this idea that cybersecurity is a culture and alignment problem with sort of perspective. You talked about different types of businesses and different types of industries requiring a different mindset and skill set. When you arrive at a company or you're involved in helping them staff out or improve their cybersecurity personnel or their situation broadly, how quickly do you see whether they're on the right track or what they've got wrong? How quickly can you guys assess that need or where the need lies, and what types of personalities, you know, are you looking for for those certain roles in certain industries?

Yaniv Kapluto (05:14) Yeah, so we'll separate the customers themselves, the people that have the need of bringing in, because we're servicing two types of customers, basically. One is the end customers. Those are businesses or organizations that are minded to their security risk. They understand that they're at risk. A lot of them are well-informed. They know what they need, but they can't find it. They can't find the right people. So that's one side. And naturally, for those that know that they have a problem, we always are there to lend and advise, right? Or to help them build. Like we have, as I said, a part of our company is Dart, which is an organization that helps organizations build their security platforms and security teams. The second part, which is for me the most important part, is working with people that are looking to get into this market. And they go through, some people will call it, an extreme process of filtering. About one or two out of a thousand candidates will make it in. They go through different types of tests. Those are online tests. They also have a set of interviews. Again, depending on what type of roles they will fit, or we believe they will fit, there will be different types of interviews for those.
And if they pass all of that, they'll get accepted to the program. We will hire them as employees in a three-year contract. Basically, they have a training contract where they basically, in the first four to six months, depending on the role, will learn everything that is required to know to be successful in their future roles in cybersecurity. And then they go to real life, three years of real-life roles in real customer situations. Some of them will spend those three years in the same customer, moving between roles or being promoted through that; we support them through those roles. Through these three years, we provide upskilling and coaching throughout those three years. And then some of them will move, right? They'll do six months in that customer, a year at that, and so on and so forth. So basically, when they graduate the program, they have certifications, they have actual credentials, like they actually worked in those roles in the market with top companies. So they have really something to be proud of. A lot of times they'll be hired by those companies as well. And sometimes, if they're really, really good, we may keep them in the organization if they want. But that's the idea. It's fun because you basically meet people from all walks of life. And then we have teachers that are really successful, you know, with kids, teenagers and so on and so forth, who want to make a change in their life. And if they're a good fit, I got to tell you, that's an amazing resource usually, because they communicate very well. They normally will around it. They know how to keep calm when everything is like a complete mess. So we love working with teachers. A lot of people are coming with advanced degrees. Sometimes it's disappointing because we see people that spent six years studying specifically software engineering and cybersecurity and they don't pass the filter, and that's a great indication that maybe they picked the wrong thing.

Martin Hinton (09:16) I would say so.
You know, I started talking about people in the sort of context of a breach. And one of the things that you said when we were planning this podcast was that you've never seen a breach that didn't involve a person somewhere in the chain. And I wonder if you could unpack that a little bit, and what that means or how that presents itself in the real world.

Yaniv Kapluto (09:38) Absolutely. You know what, it's funny, because if you ask me that question today, I'm going to tell you that we're going to see agents that are impersonating people involved in chains, or that are taking people's roles involved in that. I think that's one of the biggest challenges that we're going to see. So look, at the end of the day, to really get into an organization, the easiest way, the soft belly, if you want, is people. Right? I can put up a lot of walls, someone's gonna... because we, in order to operate as an organization, we give people access to resources. And if these people can be tricked into letting someone in, if it's by getting their credentials exposed, if it's installing something on their... if you allow them to install something on their laptops, or credentials, even if they connect their laptops to a non-secure network, right, or their mobile device, and even if it's at home and their kids have something going on and someone tricked them, that will be a great and easy way in. In addition to that, look at it: devices. Like I'm in a coffee shop. I leave my laptop, you know, on my desk. I gotta grab my coffee, takes 20 seconds, and if I'm a target, someone can plug something into my laptop. I will never know about it, right? So people are always involved in getting into organizations. And then once you're in, navigating within the organization can involve additional people, can involve other mistakes or things that people didn't pay attention to, to get to where you need. So I think, like, the best investment, I believe, in an organization
is to make everyone aware of the risks and provide them with basic understanding and tooling. And if you create a culture where everyone understands and feels that it's important to participate in that game of protecting the company, this is where your organization is probably more secure than everyone else.

Martin Hinton (12:01) You touch on the next point, and it's something that I think a lot of people don't quite appreciate. An enormous number, the vast majority of breaches, go unreported. And without that visibility, there can be a false sense of security about the threat. And having everyone across an organization understand they're all gatekeepers, to an extent in a very literal way, even with regard to the company's cybersecurity, is a challenge that seems to be universal regardless of the size of the company or the location of the company. And one of the realities of the threat that I'm curious what you have to say about is the scale and complexity of the bad actor: that the criminal business is highly organized, well funded. I wonder what you might say that might stick with people so that they appreciate the fact that there is a very real and sophisticated adversary here that's trying to take things from you, your company, that if they succeed is potentially extremely jeopardizing to a company's resilience and existence. And we see some stories because they are made public, but I wonder if you could touch on or help the audience understand the true scale of the threat with regards to why MFA matters, why you don't leave your laptop unattended, why you don't use public Wi-Fi and a myriad of other things they've probably heard in some seminar that's a box-check exercise for an insurance policy from a year or two ago that really is, in some respects, dying reality.

Yaniv Kapluto (13:36) Yeah, so I'll touch the basics for a second, and that's if we're looking at the US market, I moved here many years ago.
I've been working in the US market for about 30 years now. If you want to drive people to participate in something or to be a part of something, they need to see a benefit out of it. So if organizations find... and the point is that adversaries are after people and organizations, different adversaries, sometimes the same, right? But in today's world, we're all a target, right? We don't have to be scared of it. That's the situation, right? But we're all a target. I think that organizations that help their employees and members protect themselves, basically teach them those basics, not only how do you protect the company, but also how do you make sure that people are not stealing your credentials, taking credit in your name, I think... So if we make it a benefit, if they see that, if they take it home and they teach their kids, they go to their parents and their friends and they share that information, if we manage to get that flow, they're going to be aware and they're going to keep on looking at them, because they see the personal benefit. So that's the first thing. I think organizations that are really, really successful in building such a culture are organizations that understand that people should see it as a benefit and not as a task or something that they have to do. Right. And then when it comes to the adversaries, you know, these organizations are businesses. They act like a business. They come in to work in the morning. Sometimes they're 24-7, right? And they have real business plans and they have investments and they make money, and they make a lot of money out of that, right? So it's not that thing that we see in the movies, like this hacker that is alone and sitting at... no, those are big businesses. Some of them even have very large offices. Some of them are government funded even, right? Like a Desireo's government. There's a lot of money there and that's the only thing they do. Their job is to exploit other businesses.
Their job is to get information. A lot of times they're guns for hire. People will pay them to do something, to break something, to steal something, to get some type of a result that they are not able to do, and they'll buy it as a service. So just like today when we're subscribing to, I don't know, like a streaming service, or to get some storage somewhere. Similar services are there today. There are businesses whose job is stealing information, breaking things, exposing things, and so on and so forth. And because of that, and because of the fact that there's a lot of money there, everyone is involved, organized crime, everyone is involved in that, right? So when we look at that, we need to understand the power: they're stronger than any other business because that's the only thing that they do. And with AI now, they're way stronger, because they multiply their work by a lot. And they don't care about failing a thousand times. They care about winning one. Right? So it's a different way of thinking.

Martin Hinton (17:19) The situation you described toward the end there is there's a bit of an asymmetry between the scale and budget of the bad guy versus the good guy. If I'm right about that, and I've understood you correctly, that asymmetry creates a situation where there's no really winning in this scenario. There's just persistence and managing loss and being prepared for when things happen that allow you to turn your business back on as soon as possible, that magic word we hear a lot in this space called resilience, right? The ability to survive the bad knock. And if you can imagine being a professional athlete, injuries are going to occur and you need to have a protocol around you to manage those sort of weak spots in your system and your business. Am I reading that right? Am I hearing you correctly?

Yaniv Kapluto (18:09) Kind of. I think, look, at the end of the day, like any other business... businesses invest, like we're talking about the adversaries, right?
Businesses invest more time and effort in places that are easier to reach, that are less challenging. So the idea is that if you are challenging, if you are more complicated, and you need to be a bit more complicated than the value of your data or of your systems, right, of what it's worth, right, then they'll move on to the one that is less complicated. So I think that even a small investment is going to protect you, is going to provide to your protection. At the end of the day, look, I think that if I'm a business, I don't know, of printing photos, or a hospital, or whatever business that I have, right? I need to focus on my business. I need to hire the right organizations or people that will help me protect my business in a budget that fits the risk, right? And I definitely recommend also insuring that risk as well, right? And then the other sources are gonna go to the ones that are not well protected, right? That are an easier, low-hanging fruit basically. Right now, if what you have is pure gold, if, for example, you are in a financial organization, family office, or whatever, that is running billions of dollars, right, for your customers or whatever it is, right? Yes, I will spend more on insurance and I'll spend way more on having the right teams protecting my business, right? If I'm a lemonade stand, probably less, you know?

Martin Hinton (20:05) Yeah, yeah, yeah, certainly. So you touched on something there that I think is a bit abstract, and that's the idea that there's a real economy around stolen data. And obviously, this ties heavily into cyber insurance claims and litigation that can come after. I wonder if you might walk me through how stolen data becomes valuable and why that's a bit counterintuitive for people, and helping people understand why protecting that data then becomes important if it has, to your point, value. And obviously there's a difference, right?
If you're running a certain kind of business, the value of the information is going to be less, but it can vary a great deal. Talk to me about that reality and how the data is monetized.

Yaniv Kapluto (20:45) So first is the value chain of data, and the value of the data can be different to different people. Some people will just look for passwords, emails, and things like that. And that's something that is almost like a commodity today. It's just being sold. It's easy to get. And it's a lot of records. They're not expensive. Some can be corporate espionage or other types of espionage, where there are research and formulas and other trade secrets that people would like to put their hands on. And that can be very, very valuable for a very small group of people, right? Sometimes it's not about the data, it's about disruption. It's about locking you out of your data. And to gain access to it, you'll have to pay some ransom. A lot of times, not necessarily you'll get your data back after you pay that ransom. That's another problem, right? So disrupting the business is a big problem, right? And people on insurance will pay a lot, right? So now, once someone managed to get their hands on something, right? It can be PII, can be PCI related, like financial information, credit card information, whatever it is. They don't just have to monetize it immediately. They can use it longer term. They can use it in order to, like, passwords or things like that. They can use it in a longer game to gain additional access to other places and other organizations. That's why, for example, it's important to include our employees in that awareness and educate them on the risk. A lot of time it will start in a personal asset, but that employee is using the same password right now for his personal email as the password that he's using to log in to the company assets, right? Or things like that. At the end of the day, data has value and has long-lasting value.
Martin Hinton (23:06) When we were planning this podcast, you used the phrase "data is the new oil," but unlike oil, there's a renewable nature to it. That's kind of what you're describing now, this idea that there is a prolonged value to this stuff, and the iteration or the iterative value can go on and on. And then the cyber claims reality of this, that creates a little very... and the phrase "long tail" comes in here, a long tail of liability and costs that can be associated with the data breach. I want to do a dive into that from the cyber insurance point of view and sort of lay that out. You had mentioned some European insurers and the healthcare space and that sort of thing. Tell me a little bit about that.

Yaniv Kapluto (23:35) Yeah. Yeah. So, you know, first, I wish there was more cost to allowing data to be stolen. Right. So I wish that there was more cost, from a regulatory perspective, to organizations. I think sometimes, for different reasons, the personas that are actually getting hurt are not protected, you know, as they should be, right? So that's one thing. The second thing, I think the biggest cost for organizations today is reputation. It's about trust. We're all informed already that this is a problem with everyone, no matter where they are, right? So I think organizations want to show that they're secure. That's one of the reasons, by the way, that they hide those breaches and they try to close them when it doesn't hit the public, which is another problem. I think that's something that, again, regulators need to address. And then at the end of the day, if you're being hit by ransomware or if your business is disrupted, the cost of that specific breach, if it wasn't caught in time, is way bigger than what
the adversary made out of it. You know, a good example, like I'll give you an example that is not in data but gives a good idea of that. There was the Trans-Siberian train many years ago; they had those, they're very expensive, they're like heavy copper doors for the train. So copper is expensive. So people would actually steal the doors while the train was running. They would screw them out and they'd drop them. And they could make, I don't know, back then I think they could have made $500 or something like that for every door, right? The cost of replacing the door was like $10,000 to the company, right? So, and that's the same for data, right? So the cost of fixing the problem, or getting your business up to speed, fixing your reputation, everything is long lasting. It's something that you'll have to do additional investments in, and so on and so forth. So this is one. Imagine that if I'm in a hospital, for example, and someone managed to get access to my network and shuts down my imaging system, there can be no procedures. That's it. I just locked that hospital from being able to operate. That can be millions of dollars. Insurance has a problem, right? Cyber insurance has a problem insuring that, right? So yeah, when I touched on the European ones, it's like several years ago, when I was working in that market, I was shocked, working with insurers, to learn that 70% of European hospitals are not insurable. There is no way to calculate the risk, the cyber risk, that they have. They cannot insure it, right? They can calculate malpractice risk. They can count things that they have data on, and things where there are practices and tools to make sure that they operate, and policies. Most of those organizations don't have the right cybersecurity culture, cybersecurity tools, cybersecurity setup to protect themselves. And I don't think that the situation is different here, by the way, in the US.
Martin Hinton (27:24) Well, I mean, we're overwhelmed with healthcare breach information because of the reporting requirement, but I think you're probably spot on. I'll put a pin in that because I want to come back to this, but before we move on past the data point, one of the things that we discussed was the idea that even encrypted data stolen now, or stolen in the past, that can't be broken into, a few years from now, if the promise of quantum computing comes to fruition, that changes everything. And then you have this whole new bucket of data that has value, that becomes a vulnerability for a company perhaps years after the breach. I wonder if you might, if you will, double-click on that idea and how there is the potential for this looming additional layer of liability and costs, and whether that's financial or reputational, all of that affecting the bottom line, how that might play out in your mind.

Yaniv Kapluto (28:19) Yeah, first, I don't think there's a question of if it's going to come. It's coming, it's already here, and it's just going to be more affordable very, very quickly. If we've learned anything, it's that our estimations usually miss things by tenfold. So usually it's faster, 10 times faster than we think. So I think it's there. I think that government-funded adversaries already have some access to some of this. And at the end of the day, encrypting data... and we'll find other ways of dealing with that, but at the end of the day, a lot of organizations were basing their solutions on encrypting things, and that may not be a solution. Even today, if I'm operating in an encrypted network, I can still decipher, based on the patterns on the network, what am I looking at, and I can still exploit it, right? So providing that to that quantum computing that can actually, you know, read what's in there, decipher it pretty quickly, you know, or finding the right passwords, because of the fact that they can do way more, way faster iteration.
Then, so yes, I think that we will need to do retooling. I'm working in this industry for many years and I'm surrounded by amazing people all the time. I meet amazing entrepreneurs that find great ways to protect ourselves. So for every problem that we're going to have, we're going to have a solution. The point is, we need to be minded, right? And it's never a single solution. There's always, like, a set of tools that we will need to implement. I think right now we'd be more concerned with implementing AI wrong, with the lack of visibility into what AI is doing within our organizations today, who's using it, how they're using it, what kind of information, even the simplest stuff, even typing in a simple query or taking a mail that is supposed to go out to shareholders and holds information that should not be released and then, say, next, you know, 10 days or 30 days, and putting it in AI. I don't know where that's going, right? If I want to take some records, put them in a nice Excel spreadsheet, I'm going to have any of those AI tools that are available for everyone today do it for me, and that Excel spreadsheet holds confidential information. I don't know where it's going, and people need to put policies on it. And I've seen amazing solutions, by the way. Some of our customers are developing some of those solutions. And I'm actually shocked to see how they worked around that, because a lot of the systems today also were built before GenAI. So they don't have the ability to have those controls around them. And I've seen solutions that will basically go over that and make sure to look at the traffic and filter it or make manipulations and identify. So that's amazing. We're very far, though, from even understanding the risk.
Martin Hinton (31:44) You know, this, the phrase "visibility gap" with regard to AI and liability and, whether it's just from a purely security perspective or if you start to fold in the insurability of it all, is, you know, I like words and I feel like it undersells the dilemma. It's more of a gulf than a gap. I think there's a real concern there. And again, it touches, like you just did, on the human element, right? People using it.

Yaniv Kapluto (32:05) Yeah.

Martin Hinton (32:14) The phrase "shadow AI," meaning that employees are using AI outside of company parameters and using, if you will, unsecured AI that is on a personal device or a personal logon. The myriad of issues that we've opened up, combined with the myriad of solutions, I suppose, is significant. So I want to come back to the 70%, the study from a couple of years ago, 70% of hospitals in Europe are uninsurable. Again, keeping with the personal side of this, the human side of it, there was a story you told about visiting your son in the hospital where you realized this. I wonder if you might use that as a way to explain to people who are familiar with healthcare environments or healthcare institutions, and by that I mean hospitals or doctors' offices: there are an enormous number of devices and connected devices. Tell me about that reality and the sort of, you know, the entry points or the attack vectors that exist in a medical facility.

Yaniv Kapluto (33:09) It's everywhere, and it starts at the door. It starts at the parking lot, right? So like with my son, when I walked in with him, he had a little accident, needed to do a procedure, right? At first there was a laptop next to us that allowed the doctor or the medical staff to get information. That laptop was, on a good day, I don't know, maybe $500 when it was new, right? But it was locked in like a metal cage. Right? Because we're protecting that asset.
Its USB ports were open and there were, like, you know, port replicators connected to them. And nobody really knows what's connected to those port replicators. And it would have taken me exactly 10 seconds to compromise that device. Right? And it was funny because, you know, even that, like there were, like, movable drapes kind of thing so we can get some privacy, right? Those actually had RFID, you know, devices on them to make sure that nobody walks away and that they'll know exactly where those are within the hospital, right? But the network was not segmented, and it was easy to, you know, to see open ports everywhere, and it was easy to see that, specifically, that hospital was not well protected. Now, it starts at the door because it's a cultural thing, right? So they had security and they had security cameras. And again, I was playing around, just to see, you know, because it was interesting, right? But I think I found like 10 or 15 ways to... I had my wife stop me and say, boy... but to get access into the hospital. And it didn't take time, and I'm not an expert. Right? And so someone that is really smart and is an expert can do damage if they want to. Right? And it's even with the simple things. Right? Again, it starts with people. You know, the understanding of what you can connect to the clinical network. Right? And what you can connect to, I don't know, a public network or employee networks and so on. I suppose you see more and more hospitals today implement more and more advanced technologies around that. A couple of years ago, this was like completely open. I haven't looked at it right now, but... and then the devices themselves, a lot of them were designed like 20 years ago, 15 years ago. Even those that were designed three years ago are having a problem now, because we're running really, really fast. A lot of them don't have standard protocols.
There are, like, I think 50 or 60 different protocols today in every hospital, because different devices are talking differently to a different network and everything. A lot of those devices are running Windows ME, Windows 98, all kinds of things like that that you won't even believe still exist. But, to be frank, the hospital wants to keep on moving. They need that operation, they need to move patients in and out of the hospital. That's the name of the business, right? And they need to do it quickly and efficiently, right? So nobody has time to shut down systems and update them. Nobody has time to deal with vulnerabilities, and good hospitals with good teams will find a way to squeeze it in. But it is for them another interruption.

Martin Hinton (36:43) If you're an underwriter looking at a hospital or a medical environment, are there two or three things that are high on the priority list in your mindset that you would want to be able to know about and use to analyze the risk right off the top?

Yaniv Kapluto (36:59) First thing, specifically for a hospital, I'll send someone in. I'll send someone to see how easy it is to get in, how easy it is to find yourself alone in a room or next to a network port, and how easy it is to compromise devices there. It really takes like a very short visit by someone to understand. So that's one. Second, I think that the human element, like what do you do in order to make your people in the hospital aware, and how involved they are in the process. That's before I even start, right? Afterwards, I look at policies, protocols, tooling, and so on and so forth, service providers that they're using. Again, hospitals are really complicated because they have a lot of third parties. So what do they do to manage the third-party risk, right? They have vendors that are coming in. They have people that are connected to the network. So what do they do with that?
But yeah, specifically for hospitals, I would definitely send someone in, also for factories, right? Everyone that has devices that are not just, you know, convenience, right? That like things that are like OT, IoT and things like that. Martin Hinton (38:17) Well, I mean, you touch on a reality that, you know, hospitals have to be in operation, right? That's their whole role. The word operation, don't use, pun not intended. But this idea that they are, I mean, we're all familiar with the photographs of ships at sea and people hanging out beside painting them and maintaining them because they're not near a port. This is a complex reality. And I wonder whether or not you might. Yaniv Kapluto (38:29) Yeah. Martin Hinton (38:44) use that as a launching point into another topic we discussed prior to this, that there's still a disconnect at say the C-suite level between the IT department and cybersecurity and that there is a distinction between the two and a need to look at them and budget and hire, create a different mindset and sort of approach to them. How could you explain that difference to a CEO who thinks that they're the same thing? Yaniv Kapluto (39:09) Yeah, so you know, first of all, this is a good example. I can talk about nuKudo for a second on this, right? So when we look at a part of our filter is when someone is coming in, they may have passed all of the exams like flying colors. Everything is great, right? They're top of the class, right? And then... we have a short conversation and they cannot take something that is technical and translate it into a simple, you know, a person in the street kind of thing or an executive in the office language. If they can't do that, maybe they're not a good fit. Right?
So the idea is that if I'm looking first on that, teams themselves, I think the burden on these teams and definitely on their management is to find good ways to help them communicate risks, exposures, and things like that to management in an effective way. And it's a part of our training, for example. It's an important part of the training. So that's one. The idea is at the end of the day, a lot of the executives work, especially in like hospitals or practitioners that we're doing all of that. IT people are there to make sure that people have access to data. They have some idea about cybersecurity because they're trained employees, they have IT training and education. Naturally, cybersecurity is a part of it, right? Their job is to keep access open, not to close it, not to lock it. Like if they can say, hey, someone else is protected, there's a bubble around me, everything will be open, right? Because that's the easiest way. So that's their way of thinking. The people that like the clinical engineers or medical device engineers or OT/IoT, people that are in the field supporting those devices, again, their job is to keep them running. It's not to protect them. They don't even understand that language of protection. So that's another team to have a different way of thinking. And then cybersecurity, if they could lock everyone out, the data is locked. So let's just lock it. So the idea is that everyone is pulling different directions. And if these teams are working very well together. Let's start with that basic thing. That's the right way. You need to create that type of an environment, right? And again, coming back to all employees, they're a part of that game as well, because they are, at the end of the day, also agents of that cybersecurity organization. Now, communicating that to management, that's a hard task, right? You know, this is where professional CISOs are in, and this is where professional CISOs bring experts in, right?
But it also can be a simple conversation between an employee that is in the cybersecurity team to an executive that they met in the lunchroom or in the break room or somewhere, right? And it's a part of the awareness program that is implemented within this organization, right? Teach risk to executives, right? So nobody's surprised. I did see organizations, I think I see them less and less, but in the past decade I did see organizations that they didn't want to know. Executives did not want to know, right? As a way of saying, oh I didn't know, right? So you could see that, you could see people that will just walk out of the room when it started to get too detailed, not because they couldn't understand the concept, because they would rather not understand the risk, you know. Martin Hinton (43:15) From an insurance point of view, and maybe you could speak to the people who are listening that are in that insurance world, if you're looking at a company and you're trying to discern whether or not they're prepared for this, and staffing it properly and budgeting it properly, what are things that indicate that they understand the distinction, even if maybe they're not practitioners of what you need to be in order to exercise the distinction? Is there anything that someone might say or a telltale or a canary in a coal mine for people listening in the insurance world that a company needs some help sort of basically even understanding the distinction between the IT and the cybersecurity roles. Yaniv Kapluto (43:55) Yeah, so first I think I have a lot of friends in the cyber insurance market. And I got to tell you, this is probably one of the more exciting markets that are going through an amazing technology revolution in the last decade. And so all of them are really talented and smart. I actually go to them to learn more a lot of times. So this is what I think. And they also have a problem because this market, because it's like that and it's getting more and more advanced.
Their competitiveness, a lot of times is also dependent on how fast they can quote. So if they can calculate your risk quickly and give you a quote quicker and if they understand your risk better than the other one and they can understand that they can give you a premium because, you know, or higher coverage because they know that you're actually more protected. There's sorry, there's open questions on that. I think. So that's where they stand, right? Now, I do think that in some type of organizations, they need to send someone. I do think that they, it's a great. If I want to understand the risk, it's great to have a discussion with an executive or a manager within the organization, have a discussion with an employee. Something simple. Like, what do they understand? What's an exposure? Explain to me, like, basic things, right? You know, are you reusing the same password in different places, right? It's a simple giveaway, right? Or anyone told you that you should use MFA? Do you know what MFA is, right? So... I think that at the end of the day, even like, so they're using a lot of questionnaires that, you know, they're using different ways to evaluate in high risk ones. They're actually seeing teams, right? I don't know if there's like a dead giveaway, but I can tell you like walking into the building, you know how security is. Martin Hinton (46:12) I mean, the thing that jumped out at me when you were talking just now is the idea that some of the questions you might ask for people in this space are the most basic of questions, things that you would think the answer would be yes, like do we use MFA? Do you use the same password across, say, your Netflix logon and your email logon? There's a report out today, I've only just glanced at the press release, and it's about passwords and how many of them contain some variation with Messi or Ronaldo, the two footballers' names, in there, right?
Like there is this consistency and again, it's back to the human side of this sort of thing. Those sorts of things, that reality that there's a real, I mean, I don't wanna be sort of insulting, but the bar is quite low in a lot of these organizations. And what that means from an improvement point of view is that there are some very basic things you can do to help people A, understand the problem and also improve their security. Yaniv Kapluto (47:12) Absolutely. Yeah, I think, I think you're spot on. Look, if I go to an organization, they have a zero trust, zero trust implemented across their system and they know what that is. You know, good. You know, I know what, you know, they know what they're doing. There's someone there that is running the, that, that specific part of the business as well. Right. Most of them don't know what it means. Right. But I'm seeing even the simplest questions a lot of times can reveal. Martin Hinton (47:12) Do I have that right? Yeah. Yaniv Kapluto (47:42) that there is a gap. You don't need to know all of the gap. All you need to know is that there's a gap. Now, the question is, how do I help you reach it? Because I do want you as my policyholder. I want your business. And that's where I see a lot of cyber insurers advance. All of them are partnering with technologies, building technologies, building platforms, providing those platforms to their customers, providing services on top of them. So I've seen some of them partnering or actually buying or building their own like MSSP type of an organization. So I think that's why it's exciting. I think that for many years in insurance and cybersecurity, you know, we're kind of competing on the same wallet share; today they're working together. And I also see, you know, cyber organizations that are providing warranties in the last several years, right? They'll say, we'll cover, if you've got a breach, we'll take care of the disaster recovery. We'll take off the incident response.
We'll help you with dealing with it, right? Martin Hinton (48:48) It's an aside now. I'll step out my, you know, my editorial side, but I agree with you. I've been doing this reporting now and I've met a great many people in this space on the cyber security and the insurance side over the last couple of years as I've been in this role and there is a real, I don't know, energy about it and enthusiasm, a sort of idea that they're, they see a real problem and fixing that problem does two brilliant things. It makes, you know, countries more resilient, industries more resilient, businesses more resilient. Yaniv Kapluto (48:52) Yeah. Martin Hinton (49:17) thus protecting employees and their families and the incomes earned to pay mortgages and college tuitions. It does exist there. I think it exists in a lot of businesses, but it's just interesting to have experienced that and come to see it in a business with the word insurance in it, which you would not generally associate with a really forward-tilting enthusiasm about solving a big problem with a lot of work to do. I just wanted to second that idea that there is this really pleasant energy and it is almost as a sort of cliche now that people are, you know, it's against the rules and norms of society to be too enthusiastic about things. And there's a real enthusiasm among a lot of the people I deal with that exists in this space, which kind of brings me to the next topic. It's sort of, you touched on a little bit, nuKudo's kind of model in the talent crisis in this world with regard to cyber insurance and that there's a... Yaniv Kapluto (49:56) Thank Martin Hinton (50:11) you know, a gap in the role. And I just want to, I know you've done this, but to just separate out sort of the model that nuKudo has to address this, if you will, workforce gap, is that the right word or right phrase rather? Yaniv Kapluto (50:25) Yeah, do.
People call it in some roles, it's like forward deployment engineers when it comes to like engineering type of roles, right? And in staff augmentation is something that comes out a lot, companies are used to paying a lot of money for these roles. We made sure that our business models support businesses and actually provide them savings even than just going out and hiring. And in military organizations, they call it secondment, right? So basically you place someone for a specific role in a specific time and that's their expertise, right? So that's what we do. And by the way, enthusiasm is, and if anyone that is looking at our program and trying to join it. We look for enthusiasm. We look for people that are extremely enthusiastic about pen testing, about solving puzzles, about understanding risks, right? You have to do it because you're not going to be able to survive that market for a long time if you don't have it. You've got to be a bit crazy about the subject. Right? And enjoy it every day, wake up and hey, because it's hard. There's a lot of hard work. It's like 95 to 99% of hard work. So this is one. What we do is we basically identify these people and see that they really want to do it. And we help them get there to the point that they, after three years, they're just rock stars. Right? And we're looking for things that Martin Hinton (51:52) Yeah. Yaniv Kapluto (52:11) Normal employees, employers will usually not gonna look at, right? Martin Hinton (52:17) If you're with regard to the staffing role, we hear a lot about tools and technology in the security space. If you're underwriting a company or you're looking to underwrite some risk at a company, how much more focus should be paid to the composition of the human security team? You know, the people who are making sure things to your point are updated and policies are adhered to and staff is trained in a way that's effective. There is a real sort of. You know, there's a consistency to this.
There's a persistence to it. You know, cybersecurity is a perishable reality given the nature of the threat and how dynamic the changes, AI coming along lately being the sort of 800 pound gorilla in the room. How important is looking at the non-technical parts of cybersecurity within our organization if you're looking to underwrite the risk? Yaniv Kapluto (53:06) I don't know they have the access, right? But if they do, it's great, right? Because if you can see a team that is spending time, 30%, 20% of their time learning new things, I know that this organization in the long term is going to be well protected, right? If I see an organization that is understaffed, and their people right now are dealing with 50 more cases that need to, that they're able to do, right? And they support more endpoints and then I'll be concerned. Right? And actually that's the sad reality today, right? Because, you know, it's you meant to say, hey, this is just risk. I'm focused on creating value. I think some organizations figured out that being secured is creating value for them. Right? So I think if I have access to the team. And if I see that, like the most important thing is that this team is doing reskilling and upskilling all the time, right, that it's a part of their targets, then I'll be comfortable with that team and I'll say, hey, that's what the other organization understands. What it takes is the adversaries we talked about, they learn new things every day. They experiment on new things every day. So we can't do that, but we can, if we, you know, give our employees or actually pass them to learn more, maybe 20% of the time, then we're probably going to be more protected than the guy next to us, which is again, probably the better way of doing it.
Martin Hinton (54:53) Yeah, I would say so. So, stepping back and looking at the big picture, you know, one of the things that we discussed in planning this podcast was the idea that for all we've done and for all the change that's occurred in the way businesses operate and the information age going back to say the beginning of the internet and dot-com, there is a true reality of the fact that we're still at the very dawn of the technical age or the information age or whatever you might want to call it. And in some respects, there's an analogous sort of to the industrial age where, you know, it's amazing what's happened, but wait to see what's coming. You had used in the context of the risk in the cyber world, the arson analogy with regard to insurance. And I wonder whether you might sort of step back and, you know, go up to 30,000 feet and paint a picture of where we are now in the landscape, you know, into the future to the degree any of us can predict the future. What's coming? What's ahead of us in this space? Yaniv Kapluto (55:45) The one thing that I can promise you is that everything is going to change. You touched the industrial revolution, right? So if we look at systems that haven't changed, the education system. Schools are still looking like factories. Kids are still standing in front of a single manager, a teacher in front of all of them, right? So some organizations, and to be frank, schools are not doing very well, right? Unfortunately, right? We really don't cope with how kids, some of them do finally, but right. So I think everything's gonna change. We need to change, right? I think that what we see right now is the tip of the iceberg when it comes to the benefits of AI, but also the risk that AI is going to pose on our organizations. Most of the people I've talked with say that we don't even start it. We know that there are risks there, but we don't know what they are yet, or we can identify or estimate some of them.
But everyone understands that there are great benefits there. And people start to understand that there are also great costs to do it. So if I'm looking at that, I think we're... We are again, yet again, in another great and amazing revolution right now. I'm not even touching quantum computing, and that is going to take research, and I would like to be completely out of places. I've seen some crazy stuff that are not specifically in... like the silica type of like the chipping or the computers and these type of devices, but actually a technology that is already stepping in into other things. That is going to be interesting, right? And like synthetic biology and how that is going to play a role in all of that. So there's so many exciting things that are happening. And with that will come risk and we will need people that will be informed on how to protect ourselves. Martin Hinton (58:00) I mean, I think you're absolutely right. I mean, I think when we spoke earlier that the example I used was the car and the way that the automobile has had technology introduced to the device over the decades that, or more than the decades, I guess, that it's existed that have made it safer. That, you know, while seat belts came along and then things like airbags and multiple airbags and the technology around lane avoidance. And now you look at the idea of, you know, automated driving, creating safer cars that, you know, could be networked so that they know where each other's are and you take the human risk out of it. Is, do you think that's a fair analogy? The idea that, you know, someone who was buying a Model T Ford couldn't have imagined, you know, the Volvo airbag or the three-point harness being something that was A, necessary or B, even possible. Yaniv Kapluto (58:53) Yeah, absolutely. I think, you know what, it's funny, I live not far away from a car museum. And I remember like, I don't know, 15 years ago, first time we visited there.
And I was walking around and I discovered something that I didn't know before. I felt ignorant. There were electric cars when, you know, the idea of cars started. It wasn't efficient, it didn't work. But there were cars that were driven, that were being pushed by electricity and not by gasoline. And when we were kids, we were looking at Star Trek and other sci-fi movies and TV series. These guys were holding tablets long before Steve Jobs introduced us to those, right? So I think, yeah, it's exciting to see what's gonna happen. I'm really excited about that. Martin Hinton (59:58) No, I mean, you're not wrong. Our science fiction literature is full of examples of people imagining things, you know, decades or even centuries before they were technologically possible or actually existed in the real world. I agree with you in this context, that's something to keep in mind that just because you can't figure out how to make it yet doesn't mean you shouldn't, you know, be able to imagine its reality. And I guess the great examples are things like Da Vinci and his basic design for a helicopter. Yaniv Kapluto (1:00:03) Yeah. Martin Hinton (1:00:28) that didn't have a power source, right? How does that gonna, you know, how would you actually create the energy to your point about electricity and cars? It came before the, so yeah, now, so we've been talking about an hour. Any final thoughts for CISOs or risk managers or insurers in the audience or anything else you wanna touch on before? Yaniv Kapluto (1:00:36) Yeah. Yeah, I'll have to. By the way, and with Da Vinci, I will say Jules Verne, you know, Asimov, you know, it's like a long list, right? Yeah, look, I think the first one is, and it's actually the education part, right? So if there's any educators or just people with kids, I think the most important skill that we need to teach them today is how to ask the right questions. It's hard. Think about it.
It's not just how to ask questions, how to ask the right questions, how to be curious and inquisitive. I think the same goes for our employees. Because everything is moving so fast, everything is changing so fast. And actually, the secret of utilizing this amazing AI tooling that we have right now is based on how I ask questions as well. So that's one thing. I think when I'm looking at CISOs or executives in an organization, make sure that first all of your employees are well informed, but also that your IT teams and technical teams work together as a single organism, that they feed on each other, that they help one another and that they understand the problems of one another. So you develop a culture of cooperation with these teams. I would even have them, you know, maybe intern or work a bit in the other person's shoes or do, you know, role plays or others. This is gonna do magic. And right now, when we're looking at all the organizations that are to transition to AI technologies and including AIs in the solutions in their day to day operation for multiple needs, I would say include your security team, include your GRC team, include your IT team in those decisions, make sure that they are well informed, invest in their education, bring some experts that can help you out because it's changing so fast. And if you think that you can learn something today and it will be good for, you know, in six months, it's obsolete. Everything's changing. Martin Hinton (1:03:14) Well said, well said. I think that that idea of collaboration and that the lowest person on the totem pole, if you will, might be able to see things in a way that protects your company or creates a more secure environment is something to keep in mind. Yeah. Yaniv Kapluto (1:03:26) And in value, right? That first, you can also see value where we don't see it today. Martin Hinton (1:03:32) Yeah, no, I think that's a great point. Anything else?
Yaniv Kapluto (1:03:35) No, thank you so much for having me, Martin. Every time we talk, it's different. Martin Hinton (1:03:40) It's been my pleasure, Yaniv, I really enjoyed it. Yaniv Kapluto, the Chief Revenue Officer at nuKudo. There's a ton of stuff we've referenced. In the show notes, there'll be links to various things, places to find Yaniv and nuKudo. Again, Yaniv, thank you so very much. Everyone else watching, thank you so much for watching. My name is Martin Hinton. I'm the Executive Editor of Cyber Insurance News and Information. Again, thanks for watching. Enjoy the rest of your day.