Martin Hinton (00:01) And welcome to the Cyber Insurance News and Information Podcast. I'm the executive editor of Cyber Insurance News and your host today, Martin Hinton. Joining us today, we have Joshua Brown, the Chief Information Security Officer or the famous CISO for Spektrum Labs. Joshua, thanks so much for taking the time today. How's how's your day been so far? Joshua Brown (00:20) it's been pretty great for a Monday, Martin, but thanks for having me. I'm excited for the conversation. Martin Hinton (00:24) Well let's dive right into it because we we've shared some back and forth, some notes and some discussion. And one of the things I I wanted to get right ⁓ off the top of the head was GRC. Why has it failed? And why don't you start by telling us what the one of the many f acronyms in this world mean? What does what is GRC? Both literally and go ahead, pardon me. Joshua Brown (00:34) Mm. So GR. Yeah, GRC stands for governance, risk, and compliance. ⁓ and it's, you know, it in in so in in previous roles, I've worked for much larger international companies. I'm currently working for Spektrum Labs, which is a startup, but typically a a company will have a an organization within its IT function or sometimes with it within its audit function that handles oversight as as it relates to internal policies and how you ⁓ align with those, as well as any regulatory requirements that you may. so I think you know, a lot of your viewers, I'm sure, have heard of of SOC 2 or Star Bain's Oxley or things like that, right? Those are control frameworks ⁓ that are designed to ensure that companies are doing things in specific ways to ⁓ reduce risk or maintain financial transparency, you know, et cetera, et cetera, right? ⁓ so that's that's what GRC is. ⁓ and the I think In my in my more optimistic days, ⁓ I would say that the the point of GRC was to produce better security outcomes. ⁓ I'm not sure that's true, but I like to believe it. the problem is that we haven't produced better security outcomes through compliance. So compliance work generally produces ⁓ And sometimes substantially so it places a burden on companies, right? And so they have to go through ⁓ a process of audit, they have to go through a process before that of constructing their procedures and their policies in a way that aligns them so that they can pass an audit in theory. ⁓ and then they have to, you know, make sure that people are working and following those processes, those standard operating procedures. And ⁓ you know, I like to say when I was a CISO previously, We shouldn't design our systems so that they produce auditable artifacts for GRC purposes. We should design our systems so that they produce good security outcomes and auditable arti artifacts should be a byproduct of that. So we should design for security, not design for compliance. ⁓ and compliance becomes a byproduct. ⁓ but I think the fault here lies in a lot of different places, and of course, we can go down a lot of these paths and discuss it. ⁓ in my less optimistic days. I think that the security industry has not done itself a favor here because we're always trying to sell the latest technology, the latest shiny, blinky thing that people need to buy that's going to magically make them secure. ⁓ and and that hasn't really happened either, in terms of producing better security outcomes. You know, I mean, I think we all have fatigue about the amount of breaches that we see in the news, the the letters we get that our social security numbers have been compromised yet again. ⁓ and so, you know, we have this what I think is a a foundational category mistake where we we have conflated compliance with security. You can be a hundred percent compliant and still be breached. and and the reverse of that isn't guaranteed either, right? You you could be secure and not compliant, depending on how you've architected your systems and what sort of frameworks you're you're subject to. So ⁓ That I think underpins the whole problem, but there's other specific things that layer on top of that that that can point to why compliance has not produced better security outcomes. And I think part of it is how we've defined compliance. ⁓ we've defined it or the industry has defined it as, hey, I can attest that I do this thing. Like I I pinky promise that I'm using MFA multi-factor authentication everywhere, right? ⁓ here's a screenshot showing that I have it turned on. ⁓ and even if when you're answering those questionnaires and preparing for the audits or being audited, even if those attestations and those promises are a hundred percent accurate at the time you make them, they're only good for the moment they're taken. Everything else after that is drift. What's happening the other 364 days, right? ⁓ and so the result of this and and and other things, I don't want to oversimplify, but the result of this is that fully compliant companies are getting breached every single day. And that leads to fatigue, it leads to Martin Hinton (04:58) No. Joshua Brown (05:00) A lack of trust, it leads to ⁓ a lot of executives saying we're spending how much on security and we're still getting breached, right? And you told us that we had our our unqualified SOC two report. Yeah. Both those things can be true at the same Martin Hinton (05:15) So to to to y you don't want to dumb it down, but let me see if I I mean part of what you're saying here is that a company that putting it in a human context has a BMI that is okay doesn't necessarily mean you're healthy, right? And then the other compounding problem that we hear a lot about is that particularly in the case of software, it's never been designed to be secure, it's designed to be efficient and work. and be cheap and that we have now come you know a few decades into the the the real tech age you know if you if you take I'm 55 so you know the I I was working when I paid my first rent check by the by mail with a stamp on an envelope and mailed it and now I do it from my phone while I'm waiting for the subway while I pay my mortgage. But anyway, we are we are coming to a point where there is real generational failure to not just do it properly but even start with the right Joshua Brown (06:03) Yep. Yeah. Martin Hinton (06:12) mindset and goal in mind. Is is that is that the right way to think about it? Joshua Brown (06:16) Yeah, I think it is. And, you know, I think that ⁓ you know, GRC in general, regulatory frameworks, ⁓ I I would like to say, and maybe I'm naive here, but I'd like to say they're put out with the best intentions, right? The intention is we want to make sure that the kind of financial fraud that Sarbanes Oxley was designed to to protect doesn't happen again, right? So we need to increase transparency and we need to make sure we're doing these basic things. With a with a SOC two, it's about, you know, hey. Are you ⁓ are your controls effective at securing whatever systems are scoped by those controls over a period of time? And can we prove that they're effective? These are good ideas, right? And and the again, the the noble purpose. ⁓ but ultimately the question comes down to: you know, can you make a regular a regulatory package that is Specific enough to achieve the ends you want, regardless of the company that it applies to. And this is re a really hard problem to solve. ⁓ and so I think what we're starting to see in the industry now is a recognition that these point in time attestations are insufficient. And we're seeing this across insurance, we're seeing this across regulators, ⁓ and and of course where those two things combine, right? Is I'm sure the insurers are sick of paying out claims for companies that were ⁓ a hundred percent compliant, but actually not that secure. ⁓ and what we're seeing is a a shift towards continuous control validation, especially in the federal space. and I think that's a recognition of, hey, we need more than just once a year ⁓ raising our hand and very solemnly saying that we're doing everything we can do. Martin Hinton (07:55) You d ⁓ I mean, again, I I I'm not a security expert, I'm not a cybersecurity expert. I the the joke I've made many a time is that I'm a journalist, which means that I learn enough about something so that after maybe your first glass of wine at a cocktail party, I might sound like I know what I'm talking about. And I and I and I say that jokingly, but also because one of the things that I think happens here, and you touched on this a little bit, is that there's a real disconnect between the the threat and cost to the general public given how broad and Common these breaches are that's now compounded by this sort of numbing effect where people are just like, they're like, yeah, another time, another one. And and we we know that we don't hear about the vast majority of breaches. Never mind the ones we do hear about, and we're still numb to the reality. So I wonder, you know, when it comes to this, the what I'm hearing you say is that in the same world, a physical security world, you might have 24-7 monitoring. You your guard doesn't go home from the warehouse at Joshua Brown (08:37) Yes. Martin Hinton (08:50) eight and then show up the next morning at eight, there's someone who comes on at eight and stays overnight and patrols the the grounds and monitors the cameras. That's always happening. And what's not the case in cyber right now is that phenomenon that's very common in literal real world security. Is is it that simple a gap? Joshua Brown (08:57) Yes. Yes. ⁓ I think that I don't think it's inaccurate to say that. I so I I s I f I phrase that negatively, but I think, you know, in general, as companies grow in size, complexity, and if they exist in more regulatory, you know, spaces like the federal government, they do tend to be doing more of those types of things. Twenty four seven monitoring, you have a security operations center that's always online, they have shifts, you know, et cetera. ⁓ but if you think about, you know, the The vast majority of businesses in the US are small to medium businesses. ⁓ and many of those fall below what I would call the cyber poverty line. So, you know, they think about your local dentist office that's got, you know, three to six, three to six locations, something like that, right? Do they have an IT team? Probably not. Do they have a security guy? Probably not. You know, the the receptionist may be the person who in the old days changed the backup tapes. it's that sort of a situation, right? But they ha sure do have health data. ⁓ and so they rely on the the providers of those those tools that they use, those technology tools. ⁓ but it's it's not a game, you know, this isn't a game where ⁓ you can offload all that responsibility to other people. There's still responsibilities that are that are taken on by the consumers of those products, those electronic medical records and ticketing systems and all of that. And they don't have the expertise or the manpower to to manage those things. And that's and I worry a lot about that. and how do we solve the problem for those types of people. the big corporations, you know, the the cap ones that have ⁓ 200 million dollars or whatever it is in their security budget, like I don't worry about them so much. ⁓ that said, you know, we've seen the targets of the world and the Blue Cross Blue Shields and the Home Depots and the TJ Maxxes. Like these are big companies and they've they've fallen down too. So anybody is susceptible to a security incident. And I I I would just say at this point, I don't think there's any necessary connection between how compliant you are with whatever framework is out there and how secure you are. Martin Hinton (11:12) So before moving on to the next topic, what you're saying is something I've been hearing for the three plus years I've been focused on this area of journalism. And I guess I'm curious why you think it's so slow to change. Wha what are the barriers or hurdles that exist? I mean, we know change is hard, and and I think one of the things that on a podcast I did a while ago about CISO specifically is that they're in this era where they need to particularly at a large maybe legacy company. They're bringing adaptive change to a place that is used to doing things the way they were done yesterday. You don't have to I mean, these are a lot of what you're discussing is a human behavioral psychology concern about, you know, using the same passwords and, you know, being compliant but not actually complying, if you will, like that the the fine line between those two things. Why do you think that the sl the change is slow? I mean, other than maybe what I've just said. Joshua Brown (12:05) I mean, I think part of it is money. ⁓ so you know, it's intuitively you think, man, a big company has a big breach. That has a massive impact to their bottom line. And it and they do for very short periods of time, right? So if you look at stock prices of major companies that have had breaches, like you see a blip for a while afterwards, maybe three, six months. ⁓ but it's very rare for a company to completely go out of business because they had a breach. ⁓ and I think The other piece of this, and I I don't want to get, you know, political, but there's been a lack of holding executives accountable ⁓ for these things. And because security costs money, ⁓ and does not directly drive revenue in most cases, right? CEOs, CFOs, COOs are are they want to do things that that drive value, that drive shareholder value, that drive value for their customers. And so security puts a lot of obligations on other teams and other other other people in the company to do stuff and do stuff differently in ways that, you know, I'm sure you've you've heard the phrase, you know, it's convenience versus security. And and so the the pace that that executive teams want to move at can be hampered if security becomes an obstacle to those things. So I think, you know, until ⁓ until companies are are held more ⁓ financially liable for security breaches. there is not necessarily a lot of incentive for those companies to adopt better practices, particularly if doing so slows those companies down in in terms of how they deliver value to their customers. Now those things don't have to be connected, but I think they often are. ⁓ Martin Hinton (13:42) I mean Do you do you think I mean the I mean the cost of doing business is the phrase that jumps to mind? Like this is just one of the things we deal with like any other cost. And reducing and lowering those costs when possible is one of the, you know, oldest tricks in the book for maintaining profitability or, you know, doing well in the next quarterly report. I before we move on, you you were just chatting about the the scale of these attacks. And the one that I've been trying to read as much as I can about lately is the Jaguar Land Rover hack. Joshua Brown (14:14) ⁓ yeah. Martin Hinton (14:14) and the scale of that hack and the impact on the British economy, even the GDP. Aside from that one, are there other ones that could be could be maybe looked at as the canary in the coal mine? Like, you know, there are Joshua Brown (14:27) I mean colonial pipeline, right? Remember the I mean the whole East Coast was was having gas problems ⁓ you know, for for weeks, if not months, when that happened. ⁓ you know, I there's a whole lot of worry in Martin Hinton (14:39) I I I I just w I before before we move on, for those who don't know, w what w could would you just explain how the colonial pipeline ha hack ca happened? Joshua Brown (14:48) ⁓ I mean I don't have any special knowledge of it. you know, that and and it's been a while so I'd have to refresh the details, but but essentially, ⁓ they they kinda got ransomware, right? And so the Martin Hinton (14:59) Well I I was what I was gonna say that the the the endpoint was a was a stale identification that had never been turned off. It was someone's log on who'd left the company and that and had never never been dealt with. So it was like an identity governance kind of issue where, you know it was Joshua Brown (15:05) Yeah, right. Yeah. Yeah. Right. And and that's the thing, right? Is that the root of so many of these like the the security industry wants to sell the latest shiny thing, like I mentioned that, right? And and and true, the threats are changing all the time. In the era of AI, they're gonna change even faster. There's definitely an asymmetry there between attackers and defenders. But at the same time, most of these attacks that you hear about, they they happen because of bad hygiene. ⁓ basic stuff. didn't apply patches, didn't rotate passwords, or, you know, didn't didn't ⁓ validate that when comp then people left the company that all their access was removed. It's it's those types of things. And it's it's unsexy. And so the industry really doesn't talk about it that much. ⁓ but Martin Hinton (15:54) Yeah, I y y y you you didn't use the phrase AI in any of that. So I think that's a h that's a that's a marketing issue these days, I suppose. Joshua Brown (16:01) Right. Yeah, I'm definitely not gonna be like on the vendor floor at at ⁓ at Black Hat talking about password hygiene, right? That's not that's that does not sell sell entrance tickets. But the fact is that most companies still don't do the basics and don't do them well. Martin Hinton (16:17) So you we we've identified the problem and a few parts of the problem, which brings us to spectrum and the sort of approach that you have about how companies should be addressing this from I don't know if the is it the ground up the the way to think about it. And within this context is one of my favorite words currently. It's immutable. So take take me through your your your approach to dealing with these problems and and I mean what and s one of the harder things is you go into a place and you have to Joshua Brown (16:36) Ha. Yeah. Martin Hinton (16:46) undo things and rearrange things. Tell me how you go about it all and what what what the what the spectrum approach is. Joshua Brown (16:52) Yeah, so you know, we are ⁓ we're we're sort of forging a new category ⁓ because nobody is really doing what we're doing. ⁓ people do parts of what we're doing. So we're not really a GRC tool, for example, although we can help companies understand and track how they're doing ⁓ against any any package of requirements, whether it's a regulatory package or their own internal best practices. but what we do is we start With answering three questions, and we think they're the three questions that the CISO, the CEO, and the CFO most care about. ⁓ or or actually the so the the CFO wants to know, like, hey, if ⁓ if my CIO and CISO have have both fallen down on their jobs, will insurance make us whole? Right? The CISO sa is worried about, hey, we've invested in all these security tools. ⁓ How do I know that all the security tools are working and configured optimally in our environment? And then the CIO or the CTO is saying, Well, ⁓ I don't understand anything that the CISO is talking about. I just want to make sure that if his stuff all fails, that we can recover from our backups and get back up and running in a reasonable amount of time. And so we think those are the three key questions, the three areas of concern. And so what we do is we connect in to whatever a company's tools are, security tools. We call them safeguards. And we grab the posture data from those tools and we write it into ⁓ encrypted immutable tokens. So I get to use your favorite word. ⁓ and we store those in a graph. And what that enables you to do is see exactly what your configuration was of any tool going back in time. So we're like a flight recorder for your resilience posture data. and then we look at all of the criteria that are exposed by the APIs on those tools. And we map those to control requirements in ⁓ regulatory packages. So rather than starting with the questions and saying, let's see if we can map any of this into our environment, we look at the actual state of your environment, we record that for you. And then if we can map that to a regulatory package, we do that. ⁓ so our focus is on resilience, not compliance. ⁓ but we do help automate the provisioning of immutable data for. Compliance purposes, if that makes sense. Martin Hinton (19:20) I i it does. I mean I mean it sounds to me like you're sort of flipping the script a little bit. You're you're you're creating a situation that by consequence of its existence and methods achieves compliance as well. But i is the argument that it because it puts security as its primary goal, not compliance, that there is a greater likelihood of security and resilience? Joshua Brown (19:34) Yeah. Well, that's the hope, right? ⁓ and I think, you know, most of what we see in terms of tooling that's being put out by the security industry right now is is ⁓ optimized for security operations, which means most tools will tell you what's wrong right now and what you need to do to fix it, which is important. ⁓ and and we do that as well. But nobody else is giving this view over time. And so what what we really focused on was How do we take signals from any type of tool you might have, normalize those into a data fabric that standardizes what they look like, and then provide them in an immutable format where you have really granular control over who you share that with? So if you have to provide, let's say you have a bad day, right? You have a breach. You go back to the day before that breach in our system, and you can export the view of all of your controls. And you can also bounce those off against, say, your cyber insurance technical requirements. So we can take your cyber insurance contract and turn that into code that every day tells you whether you're meeting those requirements or not. And then you can export that and give that in encrypted format to your insurer and say, you don't need to come audit me. This is proof that all of my things were configured and applicable to all of the requirements that I attested to. it it's kind of like if you think about what Progressive did a few years ago where they had that dongle you could plug into your car in the ODB port and it would tell them if you were driving like an idiot and they would theor theoretically adjust your rates. ⁓ this is kind of the same idea. and in that model, there has to be a trade-off for the consumer, right? Because you're giving up ⁓ or at least you could be viewed as giving up a certain amount of of privacy, right? You're giving insight into your driving habits. It's not just saying, hey, I haven't had a wreck or any tickets in the last six months. You saw me doing jackrabbit starts and driving 30 miles an hour over the speed limit, right? so there has to be some trade-off, which is you have to charge me less as long as my driving is good. Right? Something like that. And so we're seeing the same kind of thing in the security industry where MSPs and and MSSPs, so manage. ⁓ you know, security service providers as well as managed service providers are being sued by insurers when there's a breach of one of their customers because the customer has to rely on their contractual obligations, you know, that they've signed up for these services. The MSSP says, Yeah, absolutely, I'm providing these services. There isn't, generally speaking, proof of those things. And so then when there is a breach, the insurer is going after the MSSP and saying, Hey, look. ⁓ you know, you're not doing the things you claim you're doing. You're not doing them well enough, or you're not doing them fully. So we're seeing we're seeing interest at the MSP and the MSSP level to have this kind of to provide this sort of ⁓ transparency to their customers. ⁓ and also to protect themselves a little bit, to say, hey, look, don't come after me. I have proof right here that I was doing all the things, all the tools that I managed for you were configured properly. ⁓ I'm I'm doing literally everything that was in our contract. Martin Hinton (23:02) Yeah y the the the the the phrase who watches the watchman jumps to mind here. The the idea that this is a layer above the security layer. But you you touch on one of the big issues now in cyber insurance is at its attestations versus proof. And there are a a number of ⁓ a number of insurance companies that are trying to do this because they see the upside of being able to sell this policy if they can provide it to people who are to use the car analogy Joshua Brown (23:31) Right. Yeah. Martin Hinton (23:31) driving safely or at least driving risk free or driving within the law compliant, if you will. So I wonder if you could just sort of drill down on the the situation you see with regard to cyber. You know, is is this are you being sought out or are you having to go out and find insurance companies to to to sell yourself to or how how how's the demand for the product? Joshua Brown (23:35) Yes. Yes. Well ⁓ Yeah, so we have I I believe the last count was we have twenty two insurers and five brokers that are that are using or or will accept the platform as proof, which is a great starting point, right? ⁓ you know, when I came into this, so I've been with Spektrum for about a year and a half now, I didn't know much about the industry, the secure the the security insurance industry, other than I'd been a customer of it. So I had been through the the questionnaires, the annual review process, the you know, the negotiations, and had seen that as a CISO. ⁓ and I had assumed that the industry was writing its policies based on what just like on the auto industry side, like here's we've we found that if you have anti-lock breaks, that reduces your likelihood of a crash by 17%, right? So we're gonna give you. We're going to give you a bonus if you've got analog brakes. We're going give you a bonus if you've got a car security system. We're going to, you know, all of these things, right? ⁓ we see that you're an 18-year-old male. we're definitely going to raise your rates because just that fact. Well, it turns out to be not really true. ⁓ the industry was pricing its policies based on what customers had told them had happened. ⁓ and so there was a a a truthiness gap, let's say, ⁓ that That the you know the policies weren't necessarily built on facts. And and you saw that, you got a reflection of that when you looked at the questionnaires that insurance companies were providing, with questions like, do you have MFA everywhere? Yes or no? Like I don't I don't even know how to answer that question. It doesn't make any sense. ⁓ and what they really wanted to know is is things like, ⁓ do you have are do you require MFA for all remote access? Do you require MFA for all administrative access? ⁓ you know, things like are you only using strong factors, or are you allowing email and and SMS text messages as second factors, right? Those are the things they really want to know. And they didn't know how to ask properly. And so when we go into a company and we partner with them as a customer and they start consuming ⁓ our resilience product, we're connecting to their tools and we're pulling out the criteria that we can answer without knowing anything about their environment. So I can tell you, you know, do you have a default policy that applies to all your users that's requiring MFA? Yes or no? Like these are these are all binary questions. And so just like the compliance industry says, look, you're either compliant or you're not. There's no such thing as being sorta compliant. We're measuring all of these criteria individually and saying you're either doing it or you're not. We don't have yellow on our dashboard. We have red and green, which is another problem for colorblind people. But that that's really what it amounts to, right? Is The CEO doesn't need to know the operational details of what the security team is doing. He doesn't need to govern through tickets and and how busy the team is with the number of things they've worked on. He wants to know: I need a dashboard that shows me that all of the all the key controls are green every single day. Right? The engineers need something different. They need to see if something isn't green, why is it not green? And what do I do about that? And how do I address that? And then of course the audit and the risk teams, the GRC teams need to be able to pull this proof out of the system and give it to third parties that need that proof. ⁓ And so, you know, all of the everybody has different different needs, and we're trying to serve a lot of them through the platform. ⁓ But yeah, we, you know, so we we've got this concept of of safeguards, right? And and pulling out that posture data and that resilience data and storing that immutably. And then we also have this concept of journeys. And journeys are just bundles of requirements. So they could be any regulatory framework you could think of. They could be the ⁓ the technical requirements from your cyber insurance application. They could be your own internal best practices. It doesn't matter to us. But we will take your safeguards and bounce them against those journeys wherever possible to show you in an automated daily fashion that you're meeting those requirements or not. So it it it it You're right. It does turn everything on its head a bit. We're focusing on resilience first, answering those questions like, are my tools configured properly? If they fail, are backups gonna save me? And if backups and all my security tools fail, where will insurance make me whole? That's that's the the three pronged attack. Martin Hinton (28:19) Are you now w you know, w what what do you think the tension is between adopting what seems like a quite reasonable approach given the scale of cyber and the potential upside for the ability to sell these policies? Why is the adoption not bigger? I mean w I mean what would it take for a major insurer to come on? D do you think it's just, you know, think change comes slowly or is it something is there more practical r reason to Joshua Brown (28:43) Yeah, no, I I think, you know, and and we are working with with some very large insurers. ⁓ I think they they do move slowly. ⁓ you know, they're they're risk averse for obvious reasons. ⁓ I think, you know Part of it is they are they through our platform, they get more data than they've ever had before. And so there's a real question of like, what do you, what do you use that for? Right? ⁓ now when we each of our customers, we encrypt their data at the token level and the field level with a customer-specific key. So they have control over who can see that data down to very discrete, a very discrete level, right? So if the insurance company says, hey, ⁓ We our questionnaire has 160 questions on it. You can automate 90% of that through control monitoring, right? The customer could say, okay, I'm only going to share these these 94 fields with you. And the rest of my operational stuff is mine. So there's there's a lot of different ways to do that. But I think, you know, I've been talking to several audit firms that focus on regulatory audits, and it's the same type of question, right? We have the ability to give them way more data than they've ever had. And it's going to change the way they think about compliance. Because if you go for a SOC 2 audit, right, they'll pick a time period, let's say 30 days, and they will look for 90% success or passing of a control in that audit period. Well, we're going to give them 365 days of data. So what does it look like to pass or fail a control, right? If I had 17 failures over the course of a year, one day at a time, right, it does that am I still good? You know, does my policy say if I have a critical control failure, I'll correct it within 48 hours? Well, okay, then that's that's fine. So it's it's gonna change the way they think about things, it's gonna change the way they price things. but at the same time, we've had multiple brokers who are taking our ⁓ what we call our passport, which is the collection of all your immutable tokens, as proof. And it completely bypasses the normal cyber insurance application. That is a win for the customer and it's a win for the insurer, right? ⁓ and so I think there's a lot of benefits that that both sides of that equation are going to reap. ⁓ but you know, we're we're a startup and we are this is a new approach. And so there's always some skepticism, there's always some risk aversion. ⁓ and we're just continuing to beat the drum and and sign up customers and and push on. You know, everybody in the ecosystem. Martin Hinton (31:26) You you touched on the the the federal level and we we saw the executive order recently about hardware, I think it is, with regard to quantum computing coming into effect in January. We've we discussed some very high profile publicly traded ones. We we Jaguar Land Rover is an enormous one, but earlier than that, Marks and Spencer's you know, there's the Cyber Resilience Act in the UK where they seem to be largely 'cause of Russian interference with all levels of their healthcare system and other parts. I'm very aware of the nation state weight of all this. You know, leadership comes in odd forms. Sometimes it comes from the middle, sometimes it comes from below. In America, we've got 50 states, we've got different rules in different states. I wonder, do you think that there is ⁓ a coalescing of these ideas, however slowly, into sort of the idea that both on the grandest of levels, you know, the the Tom Clancy level movie about Joshua Brown (32:00) Yeah. Yeah. Martin Hinton (32:22) zero days assaults that are nine, eleven times ten but digital and still life threatening. And we know that that does happen, right? We we know that that that there have been there has been life loss to to cyber warfare acts. Do you think that those ideas are sort of raising the awareness at the the highest level? And that, you know, whether it's boards at Fortune 50 or 100 companies, that that there is a trickle down through the economy, even if it comes as a function of saying, listen, all our suppliers need to Joshua Brown (32:23) Yeah. Martin Hinton (32:51) to get on board with this because we don't want our soft underbelly, which we know is a problem, these supply chain third party vulnerabilities to be where the the threat comes from. As I mean Archie Norman said in his pr parliamentary testimony for Marks and Spencer's, I think he referenced having 50,000 employees and realizing in the wake of their hack that he he needed to know whether the ones in India working IT and the ones working a register at a store in Manchester were all up to speed on how they should conduct themselves. And that's that's there are I'm trying to think what else there is in that realm that isn't generational, or the kind of thing you learn growing up, like be polite to people and and please and thank you, right? Or cle you know, lock your door after you leave, or turn your computer off at night, or last one out shirt shuts the lights off. That there is the need 'cause it's easy to criticize, they should they should know this, the threats there. ⁓ but but we're talking about humanity and humanity evolves slowly, and I don't mean evolution wise. I mean like the way we organize ourselves. It's it's a lot to change companies. You can't go spending all the money you need to this quarter on whatever it is. ⁓ and I I I guess like you know, the that the pace of change is coming. Do you think all of that is moving in the right direction? Joshua Brown (33:54) That's right. Well, yes and no. I I think what you've put your finger on is is a a tension about the human element ⁓ that that I've worried about for a long time. And so, you know, in the last ten years or so, we've seen a rise in ⁓ at least in the corporations I've been involved with, right? ⁓ security awareness training, you test people, you you send them, you know, fake phishing messages and you you report on that. ⁓ my my view, I'm not saying those things have zero value. I think security awareness is important in our personal lives and in our professional lives. But I think it's a mistake to ⁓ to hope that your employees are going to make the right security decision 100% of the time. Like you can't hang the success of your program on on your employees. ⁓ you need to assume that they aren't and and provide layered protection to sort of catch that. ⁓ I think the rise of the third party risk, the rise of insider risk, ⁓ really points to this. ⁓ you know, you mentioned the, you know, the the offshore ⁓ employees. When you've you've made the financial decision to take a function and move it to a place where incomes are lower, right? And and it's purely financial, right? We can we can staff our ⁓ our call center at a tenth of the price. Right. So instead of paying somebody fifty thousand dollars a year, you're paying them five thousand dollars a year. It just got way easier for a bad guy to bribe someone because it's way easier. Like I might have to take a, you know, a domestic employee and offer them five or ten times their salary to do something crazy. I can do it for a fraction of that offshore. And it's going to be harder for you to detect potentially, right? So there's there's there are these trade-offs that that get made, and we make them sometimes without understanding the holistic implications of those trade-offs. ⁓ You know, is the nation state thing I think is interesting because it would be difficult for any company to stand up to that that type of an attack. ⁓ and and I think people people understand that at a a fundamental level. It doesn't mean you shouldn't harden yourself, but but also not it not everybody is needs to be hardened like Fort Knox. And so you have to balance usability versus security. The costs of doing that, the slowness of that it could implement into your practices. And it's it's just a it's a tough position to be in. I I do think though, the US is at a disadvantage in our with our federal state divide. As you said, you know, 50 states, and there's a handful that seem to be a little more out ahead on privacy, on on cybersecurity. ⁓ but we really, I think, need a federal solution that has some teeth. ⁓ and and is going to force it. ⁓ I will say, and I'm I'm part of one organization, there's multiple organizations that are working public private to try and bridge some of these gaps. ⁓ because I think there are things that the private sector has access to that would be very helpful for the for the feds to have. And I'm sure vice versa, right? And so figuring out how to share data in ways where we can react more quickly is is going to be fundamental for improving things going forward. Martin Hinton (37:20) I mean you you you I mean you touch on one of the things you touched on just now and I think is really important because sometimes when I have these conversations it feels like we're we're we're talking about a world where perfection, where there is no chance, where you you can go out and leave your home and nothing bad's ever gonna happen and you don't have to worry about it getting in an accident. We know that's not possible, but I I one of the, you know, legacies of tech is that it's marketed to us ⁓ As a perfection, right? The video plays right away, the f the iPhone does this. And largely it works, right? We see in my line of work, if a video doesn't play within fractions of a second, people move on, right? There's no tolerance for when these things go off. And you know, you think about the Verizon outage or the AWS East outage where you know these little tech glitches caused issues. People didn't know what to do. And I I wonder whether or not there needs to be, you use the word holistic, a a a more appropriate sense about The idea that resilience, not perfection, is is what's achievable in the context of what regulation. Because you could see some someone coming along and creating an onerous punishment for a cyber breach that resulted in a data privacy. I mean, you mentioned offshore call centers, and one of the big issues there, as I'm sure you know, is how much information do they get to have about the clients that they're dealing with in America? Do they see their social security numbers? Can they can they process a financial return or a refund on a product? Right? That means that they're in another system and that system has potential value as you noted to criminals. ⁓ do do you think there needs to be a mindset about this that is, you know, ⁓ these things are just like any other tool we might have. If you don't use it properly or you don't maintain it properly, there's a chance it could it could break, it could not work properly, it could bite you. Joshua Brown (39:02) Sure. Yeah, I think so. And I think ⁓ you know, one of the things I've pushed for ⁓ not always successfully in my career, is you know, I think and but we are starting to see a change of this, is is having is security having a seat at the big boys' table, or the big girls table. I I don't want to be sexist here, but i the tech industry is f fairly male dominated in my experience. But you know, the again, I I I don't want to attribute, you know Poor outcomes to maliciousness on the part of executives, I think broadly speaking, people are trying to do the right thing for their companies. ⁓ but the they don't always understand what the implications are. And I it it's not so much as having security be the party of no, where you get to tell people all the bad ideas they have. It's more about, hey, listen, if you want to do this, here's some of the bad things that could happen, and we can help mitigate some of that risk if we get in here early and help. you know, shape how this is done. So ⁓ one one method would, you know, you mentioned you like will offshore teams have access to social security numbers. Like in most cases you don't want that. you don't want that data to move. And and when you have regulations like ⁓ you know, GDPR, like that data accessing that data from another country counts as data moving, which a lot of people don't realize. Like just looking at it on a screen, even if the database is still in the UK, like now I've broken the law. and so you have to think about how you build these systems properly to to align with those requirements. ⁓ and it's just it's just a matter of of ⁓ again, I I think holistic is the right word. Like let's take a holistic view of what we're trying to achieve and let's let's actually go into it with eyes wide open. It's not about zero risk, right? Security is not about ⁓ guaranteeing an outcome. It's like shaving, right? Sh shaving is not about hair removal, it's about hair reduction. and so security is really about risk reduction. So I can accept the risk, I can transfer the risk via insurance, I can mitigate some of that risk by controls, whether they're technical or procedural. and it's combining all those things together to get a company to where they are comfortable with the risk that they have left. Every company has risk, and you have to take risk in order to make money. And so that's and I think, you know. non-technical executives understand that at a fundamental level. So you have to speak that language and say, hey, look, I know what you're trying to do here. I at least I think I know what you're trying to do. Let me help you identify what the risk is so we can go into this eyes wide open and not get blindsided by some Martin Hinton (41:40) So the reason I raised the topic is because there's a there's a broader reality as as we we all have to admit that we have appendages now, right? There is a reliance on the technology that a great many of us have really ⁓ limited understandings of how it works, why it works, you know, and ⁓ and we only really notice it when it's gone, right? So you had we've touched on small businesses, public awareness, and and I again it's easy to cast blame and I certainly live in a in a ⁓ I work in a business where that's common practice. But the other important thing to remember is that all of this is just made up of people, right? And all people are inherently have the same flaws and capacities and that maybe some people are better at this and better at that. All those things exist. When it comes to the broader stakes and the the sort of responsibility to raise awareness about this, I I wonder whether we could come back to small businesses. As you noted that, you know, w w whether it's eighty five or ninety five percent of the the American economy They're an enormous driver of this. And the the the line you can't have is the sort of what was it, the ⁓ I wrote it down, the cyber poverty line, where it's very easy for a cour corporation with a $200 million budget to think, well, we can take another hundred thousand here or do a million of this or whatever it might be. When you're dealing with a small business, and some of them are quite small, you reference, say, a multi-location, I think, dry cleaner, but or a dentist office, part of me what it was. Yeah. That that that idea that Joshua Brown (43:02) Dennis, yeah. Martin Hinton (43:06) If you're one of the challenges of being a business owner, a small business owner, is that just running the business day to day is an enormous amount of work and time. Layering on top of that, what we're talking about is improving how the business runs. Right. And that is a hard to do yourself if we only purely look at it as a time restriction. And then if you think about hiring someone to do it, you have layers of concern about the cost. Joshua Brown (43:15) Yes. Yes. Martin Hinton (43:31) competence of those people, right? Like, you know, do they really know what they're talking about and they just hang out a shingle? That sort of thing. So I I I guess what I'm I'm sort of getting at and the reason I raise that is that that in the small business environment, there is probably a need for greater awareness, right? Where do you think that comes from? And wh where is the responsibility of that? Obviously we get marketing from insurers and, you know, brokerages and all that sort of thing. Local governments do it. I I'm seeing increasingly things that that are, you know, suggesting that financial institutions are becoming a little more savvy about the level of particularly elder fraud that exists. And I I've read a about banks talking to tellers about recognizing if someone comes in and they're, you know, a senior citizen and they're trying to remove half their money in cash or do something, you know, you like just like you noted that can you note a phishing link? Can I note someone who's physically in front of me who is maybe the subject of a scam that's ongoing? So to tell me about that that idea because what what From an insurance point of view, what I'm slowly getting to is the idea that what makes really good customers for insurance companies is people who are insurable and good risk because they don't have problems, right? They don't cost their car. They don't need the Donegal because they only ever drive like five to ten, maybe a little over that, over the speed limit. Those peop types of customers are ones that typically make those choices because they're smart. It's smart not to drive like a lunatic. It's safer. You don't have to worry about hurting yourself or someone else. Joshua Brown (44:37) Right. Yeah. Martin Hinton (44:55) Moving that the digital world, you've got passwords, phishing resistant MFA, you know, patching, updating, ⁓ you know, not leaving your servers in an unlocked closet off the showroom floor, things that that really people aren't ever taught. Like these things are not part of, you know, K through twelve education. You know, if you go to a liberal arts college, you know, you might maybe there'd be a class that's a quarter of a semester in cybersecurity. I come around to my eleven year old niece, twelve year old niece. Joshua Brown (45:07) Yep. Yep. Martin Hinton (45:24) She's in public school here in New York City. Around Christmas, I was chatting with her about school and what's going on. I asked about health class, and there's a cybersecurity curriculum. And I thought, well, maybe this is about ⁓ you know, stranger danger stuff. And it turns out it was about MFA and it was about complex passwords. And the what really struck me, and I've said this more than a few times, is that she came around to the very philosophical vision that. We've taken all these things we value and we've moved all these processes economically that are incredibly important, wiring money and transferring things. There's so many ways to do that now into a digital space. And we should remember that we need to protect them in that digital space in the same way we would if they were sitting in our room or in an office. We would have a safe, we would lock the doors, we would have a guard overnight, all that sort of thing. Well a lot I've said a lot there and I guess I'm wondering, you again from the cyber insurance point of view, what makes a small business more insurable is if they get it and they just need help making it happen. Do you think that insurers coming in with like cybersecurity discounts and then they bring a company that they vetted that like Spektrum perhaps is the the one that gets their stamp of approval, is a business model for companies to help grow their the the you know portfolio, if you will, or their book to use the phrase? Joshua Brown (46:38) Yeah. I mean, I think there's a lot of a lot of inroads that could be made here. And and frankly, you know, the the cybersecurity industry as a sales function has failed these small and medium businesses because there's not a lot of money to ring out there compared to going after the big corporations, right? ⁓ but I I do know of a few service providers that are targeting small and medium businesses with very reasonable, you know, like Here's here's your top five controls that you need to have, and we will implement and manage all of them for you for a reasonable amount of money. And by the way, that's gonna pay for itself for your cyber risk insurance. and so I think, you know. I love hearing that that we're starting to get more awareness, even at the, you know, the eleven or twelve year old level. Like that's pretty amazing. we I did a few years back when I when I lived in a different city, I I worked with a a local ⁓ nonprofit that went into the high schools and did ⁓ cybersecurity capture the flag tournaments, which is basically like a a a a fake hacking type of thing where you try to recover flags from from different systems, right? And these kids, these were largely in disadvantaged school districts without tech programs or without substantial tech programs, and nothing and they were clueless about cybersecurity. But it was the most rewarding thing because, like you said, people understand. Hey, I used to do this, I used to have to go to a bank and get in the safety deposit box and turn the two keys and get my thing out, and now I can do it from my phone. So there's a convenience factor there. Now You know, go back. I I if I go back in my career like 20 years, I remember pitching MFA to a CIO 20 years ago. And the CIO was basically like, if we put this in place, our users are gonna be at our door with pitchforks and torches, right? And and she wasn't wrong. ⁓ now we just sort of it like it's just it's become commonplace, right? And so I think people are willing to make trade-offs convenience for security when they get something bad. Maybe it's a lower cost on their insurance, or maybe it's, hey, I can sleep better at night because I know that even if somebody guesses my password, they can't get into my account or whatever it is, right? But we need to make those connections more explicit so people understand what they're giving up versus what they're getting. ⁓ and I think, you know, I would love to see more companies targeting those SMBs with solutions that are again, not assuming that they have to take on those responsibilities and we can take this off your plate. And you will get these benefits and here's what it will cost you to do that. I think that's the piece that needs to come together. ⁓ you would think with that number of businesses out there, you would i the market would drive it already and it hasn't, which which makes me wonder why. Martin Hinton (49:33) Yeah, that so you you I mean yeah so so I wonder why too, because it's it seems to me that that you know, there's obviously the big fish and you you you want to be at, you know, Morgan Stanley or you where you know, whatever whatever n name a big bank, right? Right the you're the there is again, from a resilience point of view for the nation's economy and its population, but then these this our economy is built on these little companies. And I again it's one of the you know And I you know, we say little companies, but some of these companies can have hundreds of millions of dollars in revenue, right? But little doesn't mean mom and pop you know, bakery. But but w you know, I I had a ⁓ a podcast recently and one of the analogies was a relatively large regional paper company that had a cyber attack and they went to their incident response plan and it took them two weeks to find all the phone numbers because they didn't have a paper version of it. It's like, you know, I mean, so they were like it was a half measure. So I you know, again, y like things that that escaped Joshua Brown (50:06) sure. Yeah. That's right. Yeah. Yeah. ⁓ Martin Hinton (50:32) our ability to conceive of them like a cyber attack, like how does it happen? Why do my why does a hundred million credentials being stolen and on the dark web matter to me? All this vagary that's built around it is is is ⁓ a fascinating thing to me. Because again, when I look at this as a business owner, myself and someone who's been in the the the the media for a long time, it seems to me that there's a real market to seize there. And I you maybe I mean maybe I'm missing something, which I probably am, which is not uncommon. Joshua Brown (50:59) No, it's it I've thought about it a lot too and and it's a bit of a head scratcher, right? So ⁓ you know, I think if you could if if you put together ⁓ so the what we see from the insurers when we're looking at at partnering with cyber risk, you know, insurers, we see ⁓ email security is a big factor, multi factor authentication is a big factor, ⁓ endpoint protection, so s you know, the the old what we used to call antivirus, but it's that's all evolved now. Backups, so being able to recover if something goes really bad. And then ⁓ the big differentiator we see is managed detection response, MDR. And so that one alone, ⁓ one of our one of our key partners in this space, and we launched a a thing with them ⁓ going back several months ago now with Sophos. They found that their MDR customers have less than a point zero one percent breach frequency, which is ridiculous. ⁓ and so That perked up the ears of a lot of insurers who are like, hey, listen, we could do a partnership here where ⁓ MDR customers, if you can validate that you have MDR with auto response turned on, which means that MDR provider can remediate something in real time if they see it happening, then we're gonna give you a 20% discount on your ⁓ on your cyber insurance policy, or we'll give you zero retention for IR services or whatever it is, right? And so we launched that partnership with Sophos, and we can quote bind and issue insurance through our platform with their broker or bring another broker to the table. It doesn't matter. We're the only, I think the only company that can do that right now. And and so there's there's these basic things that you could do and you could bundle them together. And I I'm aware of a couple of companies, MSSPs, that are doing this now and targeting small and medium businesses, because the way they make that profitable is they do it at scale. So They're basically providing a a security operations center that scales across many, many customers. And they're just trying to go after these 20 person companies and provide those key services. and it's, you know, I think I would like to see it get to a point where it's like, hey, look, you own a house, you have to have homeowners insurance. Right? Security cybersecurity is not an insurance policy. It's a risk, ⁓ you know, a a risk mitigation type of thing. But Martin Hinton (53:23) Yeah, I you you you make a very, very good point, right? There I mean, we can all be annoyed about insurance and I think one of the issues insurance has in America, largely because of the health insurance environment, is that there's a real negative connotation around it. But but this idea that that there are elements of insurance that is about asset protection. And when you think about asset protection, you think if I don't have this, we don't exist. I. My house burns down and I don't have the ability to rebuild it, right? Joshua Brown (53:33) Yes. That's right. Martin Hinton (53:50) Or I need my car to get to work and I don't have a replacement car if my car's in the shop for two weeks if it's ⁓ you know ⁓ you know up on a jack or something like that. And I think that that is one of the really weird quirks in in this space when you look at it from a cost versus you know, a business health kind of idea, right? You know, it it you you touched on a few things here, but it's a bit like do you you get a discount on health insurance if you have a gym membership, okay? But now if you have gym membership and we monitor how many times you swipe your key and if you're going there for three times a week, you get a bigger discount, right? Like that's constant monitoring, right? You're actually, you know, the but there is a r ⁓ this is where you get into a at least on a personal level, very privacy thing. So I I I wanna t I'm sort of move on to sort of looking into the future and and with regard to the future and spectrum, ⁓ you have a new chief operating officer. And let me just say his name and make sure I've got it right. It's Mark Cravada, is that correct? And it was just announced it was just announced at the end of last week. Joshua Brown (54:24) Yeah. Right. That's right. Yes, yes. Martin Hinton (54:47) I I wonder if you could tell me what ⁓ what's the headline from the press release? 'Cause I I did read it, but you know. Joshua Brown (54:52) ⁓ yeah, I mean, I think, you know, we are where we are in our journey right now, ⁓ we needed someone with Mark's expertise who has been down this path with multiple startups that have successfully launched and converted. ⁓ you know, there's when I joined the firm, I think I was the 11th employee. So that's 18 months ago, right? And In startup environments, everybody wears a bunch of different hats. ⁓ so I'm responsible for our cybersecurity internally, but I'm also the product owner. So the development of our platform rolls up through me. I was supposed to be the ⁓ customer zero. ⁓ when I was the the the CISO at H and R block, I was working with Spektrum and I was an advisor for them, but I decided to come over and and help build the product. ⁓ but we You know, we've gotten to the point now where, like, and I do all the product demos, or at least most of them. I'm talking to other CISOs and and evangelizing. We needed Mark's expertise to help pull some of that off of people that were wearing second, third, and fourth hats and have somebody just to focus on our operations and how we interact with our customers. ⁓ and and so that is a big piece. And Mark's, I think he's this is his second week you know, on the job. So he's he's drinking from the proverbial fire hose, learning the platforms, meeting everybody. but is already, you know, we're looking at what do we need to do as an organization to pursue ⁓ federal customers, for example, right? So navigating the FedRAMP and the CMMC stuff. ⁓ how do we how do we optimize our customer profile so that we're delivering a consistent message ⁓ to the different categories of customers we're going after, whether it's a small company, whether it's a big company, whether it's an insurance provider. And tying all those things together so that our message and our delivery is seamless. And that's that's what Mark brings to the table with all of his relationships and years of of expertise. So he's ⁓ definitely gonna be a change agent for us, and we're extremely excited to have. Martin Hinton (56:59) I mean, I listen, I mean, I I one of the amazing things that I've been exposed to in this business is for the first time in in an intimate level is the the startup environment. 'Cause there are a lot of companies in this space because there are a lot of people who see the problem and in the great American way w we can do things, is the idea that that okay, not only is there a problem, I can create a company and make some money fixing it. Like this is a great thing, right? It's exciting, it's dynamic, it's got a long future ahead of it 'cause this this technology and these threats aren't going anywhere. Is there a in that context, is there a single sort of market change or regulatory change? I mean, I hate to say it would be something like a a digital nine eleven that got everyone to go, man, we need to do something about this. But unfortunately history suggests maybe those sorts of things are what's required for us to to at least pay attention. Maybe it's a technological thing. I mean we we you know I'm I'm I ⁓ mythos comes to mind and there was a piece that I haven't read yet about the th that Joshua Brown (57:50) Yeah. Mm-hmm. Martin Hinton (57:57) Some Chinese AI that's now jumped the the the shark, or maybe that's not the right comparison. But is there something that you you guys are looking for or you think would be, you know, again, like a trigger for this? Pardon me. Joshua Brown (58:09) ⁓ yeah, it's a great question. I I'm not sure I've got a great answer. I think that ⁓ we're gonna see more consolidation in the marketplace. I think that ⁓ f as far as cyber insurance goes, it's been a pretty soft market for a while. That's gonna harden. ⁓ and you know, does this get driven from the top down from the big players? Probably. ⁓ as much as I would like to see it driven grassroots from the bottom up and and all those S and Bs. You know, I think that Consumers aren't really going to yell about this until it hurts them personally. And you would have thought that getting your social security numbers and all the all of the data theft and and identity theft that's happened around that would have been enough. And it hasn't, clearly, because we're not seeing wide-scale change. ⁓ yeah, it's a really tough nut to crack. And I think, you know, the we may, and I don't want to fear monger around AI, but I think we may see. Some of that asymmetry I spoke about earlier, right? The the bad guys have have had the advantage forever. ⁓ we may see that gap widen before it narrows. and that may drive some action at at it in a regulatory sense at least. we already saw the US restrict the use of, you know, these new frontier models from from Mythos. ⁓ and I I don't think hiding the technology long term is gonna be the solution. it's you know, information wants to be free, so it's gonna get out there. I think ⁓ I think the insurance industry is gonna come together and and force some of this change. ⁓ I I don't know. ⁓ you know, it's it's a great question and it Martin Hinton (59:54) Yeah, no, I was listening I mean w w I I asked you to look into the future and the and the that is not a place we any of us can see. We're all just guessing, no matter what the what level of confidence. I mean, do you think bringing it back to how we started, do you think five years from now continuous monitoring or at least at some level is gonna be just the stor the norm? Like it there's just no way around it. Joshua Brown (1:00:13) Yeah. I do. I think so. ⁓ and you know, I'm I'm I don't just say that because we have a great story to tell around that, ⁓ and and I'm happy to sell a product that does it. ⁓ I think that ⁓ you know, I think we are gonna get some regulatory movement on this. I I hate to say it, but I think the next segment that is poised for a disruption in a bad way is ⁓ the public utility space. ⁓ whether it's water or power or communications or whatever, ⁓ I just and I don't want to be doom and gloom about this stuff, but I there's just so much in that space that is ⁓ vulnerable. And I think that could be the trigger that gets enough outrage in the public that we see a change, right? So when you can't get clean drinking water or you can't get power because those I mean, the the the the pipeline issue that we talked about earlier, like that was Martin Hinton (1:00:55) Yeah, I I Yeah. Joshua Brown (1:01:12) That was bad, but it affected a relatively, you know, narrow part of the country. If you have something that it that takes out the grid for a while, like that is a big deal and people are gonna freak out. Martin Hinton (1:01:22) Yeah. I I I you know, I maybe maybe it's 'cause I'm a parent, but I thought, you know, most recently the the is it the ⁓ canvas hack that the impact 'cause children, right? Our children are, you know, the the why we do things and why we you know, the that's the but again it's so abstract. You know, I th I think it's it's tough to nail down. So we've been talking about an hour, ⁓ and as promised, we did not get to everything. Joshua Brown (1:01:33) ⁓ Sure. Martin Hinton (1:01:48) But I wonder if there's anything we didn't get to that you'd like to touch on before ⁓ w we move on, or anything that we you we didn't discuss or we're planning on discussing that you'd like to say something about? Joshua Brown (1:01:58) ⁓ no, I appreciate that offer. I mean, I think we've talked about the problem a lot and some some solutions. We talked about, you know, how Spektrum fits in and how we're approaching this. ⁓ we're really excited about what the future holds in this space. And I think, you know, what what we've built and continue to iterate and develop on, everyone that I've shown, like I have not, I've probably demoed the product 200 times in the in the last six months. I have not had a single CISO or ⁓ IT executive be like, yeah, I don't I we don't need this. Like everybody wants it and everybody feels like they need it, right? ⁓ and so that's exciting for me. ⁓ I love thinking that what we're building is actually gonna solve a problem in the industry. ⁓ and that's that's kind of what drives me at this point in my career. ⁓ you know, I I started, I don't know if if I told you this or if you knew this, but before I switched into IT, which was a lifetime ago, I was working on a PhD in philosophy, right? So I am ⁓ I like asking big questions and I like thinking about big questions. ⁓ and I love being able to bring that to bear to a a massive underlying problem in the industry. So, you know, I think in five years from now, if continuous validation becomes the norm, it we look very different as an industry. And and that I think is a good thing for consumers. I think it's a good thing for businesses of all sizes. ⁓ because all the things that we've been trained to think of. Are going to help us solve these problems actually don't when you break them down, right? Attestations are not proof, evidence is not proof. ⁓ thinking something is the case is not proof. What we need is actual proof. ⁓ and and so being able to get that and and and enable companies to both have it so they know and to be able to share it with partners that need to know is is a pretty big game changer, in my view. Martin Hinton (1:03:53) I mean, you touch on something that I experienced now as a journalist, where in confidence people at corporations will ⁓ betray great concern, but they're not in the position to say it publicly because you want to appear strong and you want to appear like you're on top of things. But there is I I think ⁓ and this is where the sort of knowledge gap gets a little vague, is that I I think people know, but there's a little bit of a mystery about how to address what they know. Yeah. Joshua Brown (1:04:17) Yeah. Yeah. No, that's fair. I mean, I I had a a buddy of mine, ⁓ who's a CISO that I showed the platform to, and he had just taken a new role at a new company and and you know, they they always talk about the CISOs know where all the bodies are buried. And he was like, Dude, I love what you've built. I cannot implement this right now because it would look so bad. He's like, I already know, but I don't want the board to see how bad it is. I need some time to get things cleaned up first. And I think, you know, there's a little bit of that, right? Is is There's the class of people who don't want to know how bad things are. There's the class of people who know how bad things are, but they don't want other people to know. And then there's the full transparency advocates who are like, look, the no judgment here. Like, this is just the state of things. And if you want it to be different, we need to have a different conversation, which is we either need to prioritize whether that means more people, more resources, whatever. Or we need to change our risk appetite. Like if you think there's too much red on the dashboard, I agree. To make it less red, we either need to decide, like, well, I don't need a hundred percent endpoint protection coverage, let's go with ninety-five, right? ⁓ but let's at least have these honest conversations about risk and align on what the risk appetite is for the business. And then we can run the business according to within those parameters, right? What we can't do is pretend that risk doesn't exist and just push it off to the side. And then the you know, the CISO becomes the the chief information scapegoat officer. ⁓ and and gets pilloried, which is what we saw with you know, Uber some other things, right? So Martin Hinton (1:05:46) Yeah, well we we it y CISO is the the the most popular C suite the whipp whipping horse, I think is it's it's fair to say. So one last question. We've been talking a lot and I this is gonna lean on your philosophical mind. If you could replace one term in cybersecurity with a better one, what would it be and why? Joshua Brown (1:06:07) man. ⁓ well, it would actually be a question, right? Because it's a question I've gotten in every single company I've worked at, and it is a well-intentioned question, right? And so whether it's you get in the elevator and the CEO gets in and says, Hey CISO, are we secure today? Like, I don't know how to answer that question, right? And so every CISO gives the answer that they hate giving, and everybody also hates hearing, which is, well, it depends. Right? I got asked that question by boards, by C all level of C suite people. It's the wrong question, right? The right question is how resilient are we? That's what they really care about, right? Can we take a punch and come back from it? How is the business going to be if if Scattered Spider or you know the Russians or the Chinese come after us? That's ultimately the question. It doesn't really have much to do with security at all. It's about resilience. Martin Hinton (1:07:01) Well said, well said. ⁓ Joshua, anything else? Joshua Brown (1:07:05) No, I think we've covered a ton of ground today and it's it's been a great conversation, Martin. I really enjoyed it. Martin Hinton (1:07:10) I I I really have as well. Joshua Brown, Chief Information Security Officer at Spektrum Labs. Thank you so much for the time. really appreciate it. Enjoy the rest of your day. Everyone else, thank you so much for watching. If you got a question or a comment, please leave it. We'll do our best to get an answer to, and if we can't figure it out, we'll go back to Joshua. We mentioned a few things in here, some past reporting, some other stories. So there'll be some links in the show notes for you to ⁓ to explore if you choose to learn a little more about those things. And with that Thanks very much for watching and listening. I'm Martin Hinton, the Executive Editor of Cyber Insurance News and Information. Enjoy the rest of your day.