In this conversation, David Raviv interviews Jamison Nesbitt, who shares insights from his extensive experience in cybersecurity and event management. They discuss the importance of events for information sharing among C-level executives, the challenges posed by ransomware and supply chain issues, and the role of regulation in ensuring accountability in critical infrastructure.
Jamison emphasizes that collaboration and content-driven discussions are key to successful events, while also highlighting the need for organizations to be proactive in their cybersecurity measures. In this conversation, David Raviv and Jamison discuss the complexities of data privacy regulations like GDPR, the challenges of balancing airline costs with regulatory compliance, and the importance of cybersecurity investment.
They explore the role of AI in cybersecurity, emphasizing the need for responsible use and the human element in innovation. The discussion also highlights the significance of engaging with cybersecurity events and communities to foster collaboration and awareness in critical infrastructure sectors.
Chapters
00:00 Introduction and Background
03:06 The Importance of Events in Cybersecurity
05:46 Content is King: The Secret Sauce of Successful Events
09:09 C-Level Perspectives on Cybersecurity
11:56 Emerging Trends in Aviation Security
14:53 Ransomware and Supply Chain Challenges
17:44 The Role of Regulation in Cybersecurity
21:05 Accountability and Innovation in Critical Infrastructure
27:29 Navigating GDPR and Data Privacy
29:37 The Balancing Act of Airline Costs and Regulations
32:21 Cybersecurity Investment and ROI Challenges
35:46 Innovation in Cybersecurity: The Human Element
40:15 AI in Cybersecurity: Opportunities and Risks
48:43 Engaging with Cybersecurity Events and Communities
[00:00:00] Jamison Nesbitt, thanks very much for joining me. How are you?
[00:00:03] David Raviv I'm good, sir. How are you, David?
[00:00:06] David Raviv Good. So as you mentioned, you could be on the
[00:00:09] other side of the IR.
[00:00:12] David Raviv Yes.
[00:00:12] David Raviv That doesn't make you feel, I'm sure this
[00:00:15] from years of experience, it's amazing when you learn how to ask questions, you also learn
[00:00:20] how to answer them.
[00:00:23] David Raviv Yeah.
[00:00:24] David Raviv It's interesting. It's just nice to not have to manage
[00:00:29] the technology, I have to say. Because that's it, isn't it? It's trying to get everything,
[00:00:34] all the moving parts to work. We can't really depend on technology and that goes across all
[00:00:41] the sectors, doesn't it?
[00:00:43] David Raviv Yeah.
[00:00:44] David Raviv We're running a podcast.
[00:00:46] David Raviv We'll delve into that for sure.
[00:00:49] David Raviv But walk me to memory lane. You've been involved in the critical infrastructure,
[00:00:55] cybersecurity for a long time. And what's amazing about you is also you've been giving back to the
[00:01:01] community by organizing events, being part of a larger community. So walk me through kind of
[00:01:07] memory lane, how you started, your background and so on, just so people can get to know you.
[00:01:13] David Raviv Sure. No, I moved to the United Kingdom back in 1998. And I actually started working in the
[00:01:20] events industry at that time. And I had various different roles. I had no idea what I was doing.
[00:01:28] And it was just a job that chose me. But as time progressed, I started to find that for particularly
[00:01:39] in the events sector that I needed to align myself with something I was a little bit more passionate
[00:01:44] about, as opposed to just running events. I ended up producing and managing and looking after energy
[00:01:51] sector division for an events company. And part of that was basically diving into the research into
[00:02:00] topics like battery storage, demand response. I launched one of the first smart grid cybersecurity
[00:02:08] shows here in Europe. And the more I dove into the energy side and the digitization side,
[00:02:16] the more passionate I got about the fact that we were building things that were not secure,
[00:02:25] that had a lot of promise, but simply weren't secure. And from there, I have just grown
[00:02:33] into this particular role. I still run events. And I run those events, one to give back to the community,
[00:02:41] two, but it's also my core financial stream for the Cyber Senate. And everything I've learned from working with
[00:02:49] amazing individuals, mostly CISOs, through this whole journey. I've not been the guy that went to
[00:02:58] school and got certifications. I'm not the guy that configured PLCs over a national grid or anything like that.
[00:03:07] And I'm the guy who sits up on stage and talks to a lot of these C-level executives about what's keeping them up at night
[00:03:15] and how we're going to get from point A to point B, what those challenges are. And I've been doing this for years now,
[00:03:23] as you rightly said. Yeah. And isn't it amazing that this is when I interview folks and I get a chance to
[00:03:31] speak with them and it's, you feel like that, oh, you like chose your career path. You picked a fork in the road,
[00:03:41] but a lot of times they, as you mentioned, the fork picks you. Yeah.
[00:03:46] You fall into things. And sometimes it's just because you find a passion, but the passion you find is
[00:03:53] through doing. Not necessarily that you are like looking to see what you're passionate about, but
[00:03:58] you end up doing something and then you realize that something you like to do. And it's really
[00:04:04] interesting because that's what I suggest to like the younger generation is just go out there and do stuff.
[00:04:10] In your case, you're organizing niche events. It's amazing. You can do an event about the battery power.
[00:04:22] Think about the long tail of what does that mean? There's a lot of people that are interested in
[00:04:26] particular energy sector, but the slice of that and in the cyber security space, the critical infrastructure
[00:04:33] is another slice. It's a very, it's a slice of a slice, but it's still the long tail, meaning that
[00:04:40] there's a lot of people that are very interested in the specialization, meaning that you're really
[00:04:47] focused on that particular sector provides value by itself. So talk to me about the fancy host.
[00:04:55] You mentioned that the, you talked to the C-level executives about the risk associated with the
[00:05:05] infrastructure and so on. First and foremost, why host these events? Aside from financial gain,
[00:05:13] you're obviously passionate about doing that and again, giving back. Why do they need that? Is that
[00:05:18] because the information sharing is not available to them or is it something that they need to do
[00:05:24] to get better? I know that the adversaries are doing that on a regular basis, meaning that they have
[00:05:30] forums and information share internally. Do you find that creating these events provide that platform
[00:05:37] for people to, for these type of executives to advance themselves and share ideas? Yeah, absolutely.
[00:05:45] They, when you look at it, these are companies, right? And they all have their HR processes and they, and what
[00:05:55] they require for each division. And they all work in silos. There's these different divisions and they all work
[00:06:03] for these very large companies. And often as we see in the corporate world, there's a lack of communication and a lack of
[00:06:09] collaboration from one office to the other. And then, you know, when you consider the impacts of that lack of
[00:06:18] communication, and then you look at the wider spectrum of say cyber threats even is it's okay. So how, how are
[00:06:26] these folks getting outside of the box? How are they getting outside of their office comfort zone or their normal workplaces?
[00:06:35] You know, what the, the people of the world have to do is to understand what their peers are doing and understand what types of
[00:06:40] threats others are experiencing. And there's a, there's, there's a lot of channels out there for, a lot of ISACs and
[00:06:49] information sharing forums, and things of this nature. And it's a great, it's a great resource. And I think that the industry
[00:06:57] really needs that. What I would say is that, that folks need to get out more. They really do need to get out more. And I think that's a
[00:07:04] and they really need to press on their C-level executives
[00:07:09] to help them get out more, get out and learn.
[00:07:13] Just at our last event, I had several graduates there,
[00:07:17] and I have people who contact us who are new to the industry
[00:07:20] and just want to dive in with some of these C-level conversations
[00:07:24] and learn more.
[00:07:26] And I think, okay, let's bring them on.
[00:07:28] This is karma.
[00:07:31] Let's get these people in here.
[00:07:32] Let's get them ingrained in what's happening in the industry.
[00:07:36] They can hear from a lot of these C-level execs about what's happening.
[00:07:41] And one of these days, they'll come back as a C-level exec and say,
[00:07:46] hey, I spoke on the Cyber Senate.
[00:07:47] And that's where I got my interest or my passion,
[00:07:51] or that's where I met Joe or Sue or whatever the case may be.
[00:07:55] But, yeah, these events are critical for people to share information.
[00:08:00] And there's some very good ISACs out there as well.
[00:08:03] And there's, of course, a lot of threat intelligence information resources.
[00:08:07] So it really depends what you're looking for as a professional.
[00:08:11] But I find that collaboration and information sharing at these shows is critical.
[00:08:19] From our perspective, if you're running an event and you're trying to reach people,
[00:08:23] they're not going to pick up the phone if they don't know you.
[00:08:26] Rarely.
[00:08:28] And even from another perspective, if you're a cybersecurity professional that works for
[00:08:32] this utility company or this railway, you're going to want to know what your competitors
[00:08:38] are doing and what your peers are doing.
[00:08:40] And by going to these forums, they get that opportunity to have that cup of coffee in the
[00:08:45] hallway and talk a little bit more about what's happening in the world and how they might be
[00:08:50] able to assist each other.
[00:08:52] Once they've met, they can pick up the phone.
[00:08:55] They can share emails.
[00:08:57] They can whitelist a domain so they can have that communication.
[00:09:01] But otherwise, things get very siloed.
[00:09:03] And it's a bit of a dangerous place to be.
[00:09:06] Double-edged sword.
[00:09:08] We took a bit of a break during the COVID and things are starting to come back.
[00:09:16] And what do you feel makes an event successful?
[00:09:20] What's the secret sauce?
[00:09:21] Because some events are like, ooh, blah, a little flavorless.
[00:09:25] And some events are, you can really feel the energy in the air in terms of the participant
[00:09:31] really getting, and I feel like, again, it's all about the feeling.
[00:09:38] It's not so much about the content, how people felt when they attended the event, how they
[00:09:43] felt when they rubbed shoulders with others, how they felt being perceived, and so on.
[00:09:48] Sure.
[00:09:49] Sure.
[00:09:50] Sure.
[00:09:51] It's a very difficult industry.
[00:09:54] Probably one of the most stressful jobs you could possibly have.
[00:09:57] And as far as the secret sauce, I don't really think that there is one.
[00:10:03] At the end of the day, it's about who you know to some extent.
[00:10:08] But our vision and my core ethos on this whole thing is content is king.
[00:10:17] I run these forums to deliver content that folks may or may not get elsewhere.
[00:10:27] And there are some very good competitors out there of ours that run some very intelligent
[00:10:32] content-driven events.
[00:10:33] And I actually see some of them almost step over the edge on it.
[00:10:37] It's almost like they're too academic or too intensely content-driven to where if you're
[00:10:43] not an engineer, you really wouldn't understand what the heck's going on.
[00:10:49] But I would say for us, it's content.
[00:10:51] The content has to drive people to these.
[00:10:54] There has to be conversations taking place, the right conversations, the right discussions
[00:11:01] on what's emerging or what's keeping them up at night.
[00:11:06] And they have to know that some of their colleagues or peers are going to be there addressing
[00:11:11] the same things.
[00:11:12] And they also need to know that there's some solutions there as well.
[00:11:18] Sometimes we see folks coming to events specifically to meet technology vendors.
[00:11:24] Sometimes they really don't want that aspect at all.
[00:11:28] But there's always something that you can derive from these events if you come with an open
[00:11:33] mind, no matter what your focus is.
[00:11:37] But for me, David, it's content is king.
[00:11:41] You can line up a lot of vendors on a show for two days and make a lot of money, but that's
[00:11:50] not a good product.
[00:11:53] Yeah.
[00:11:54] And you mentioned something interesting.
[00:11:56] The defined balance being super technical and keep it in the high level.
[00:12:02] Because some of these executives are not necessarily technical.
[00:12:06] They have a much wider view of what needs to be done.
[00:12:12] And they even have to communicate some of that to the board of directors and so on.
[00:12:16] So they, the stakeholders and business units and so on.
[00:12:20] So it's not even if I would say a fraction of it is technology.
[00:12:24] Yes.
[00:12:24] But there's so much more to it than that.
[00:12:28] Is that a correct statement?
[00:12:30] Yeah.
[00:12:31] Yeah.
[00:12:31] I think that's what I enjoy the most about the people I work with.
[00:12:35] They are C-levels, executives.
[00:12:40] They have a decision-making capability.
[00:12:42] They're not always the final say.
[00:12:45] Everybody reports to somebody, right?
[00:12:47] But they have that wider view of what's going on within the business.
[00:12:53] And some shows or some folks are very technical.
[00:12:57] And I'm not a technical guy.
[00:12:58] I haven't had that experience.
[00:12:59] I like talking about technology and learning about it.
[00:13:04] But I do find a lot of the C-level folks we work with, they have specialists for all the technology.
[00:13:12] And that's where those decisions are made and those conversations are had.
[00:13:16] They have that intelligence that's accessible to them.
[00:13:20] But they are also seeing the wider business risk.
[00:13:23] They're also seeing where the funding's coming from or not coming from.
[00:13:27] And they see how the organization's really looking at their risk profiles.
[00:13:37] And they can stand back and look at this process, people, and technology.
[00:13:44] And make some pretty strategic decisions.
[00:13:48] And I can relate to that.
[00:13:50] I can look at that and say, okay, you're right.
[00:13:52] Obviously, if you don't have the skill sets in place, you're going to have a hard time taking care of A, B, and C.
[00:13:59] If you don't have the money in place, you're going to have that problem.
[00:14:03] A lot of these C-level people will look at it and they'll say, I need to have a relationship with my chief financial officer.
[00:14:08] I have to have a relationship with the technology divisions and the threat mitigation teams and the analysts.
[00:14:14] And, yeah, I enjoy working with those folks.
[00:14:18] They've got their eye all across the board.
[00:14:21] And speaking of critical infrastructure and specifically the aviation industry, first and foremost, I would say, isn't it amazing that the sheer volume of air traffic around the world at any given time, even when we're having this conversation?
[00:14:42] And yet, and there's just so many moving pieces associated with the aviation industry from ground operation to the whole supply chain.
[00:14:55] And things are just working.
[00:14:58] And these are the folks behind the scenes that have to keep it that way.
[00:15:03] And first and foremost, I would say the sky is not falling, pun intended.
[00:15:10] But there is just so much involved.
[00:15:13] Talk to me about, from your perspective, when you're talking to these executives, what do you see that the emerging trends that are, that they're considering now from a security perspective, from a cyber perspective?
[00:15:27] Yeah, it is a miracle, I suppose, when you think about it.
[00:15:40] How many planes there are in the sky as we're having this conversation?
[00:15:44] How many people are going through these airports?
[00:15:47] And how safe everything actually is?
[00:15:50] It's a magical feat, without a doubt.
[00:15:54] And it's difficult to even think about what could happen.
[00:15:59] But doesn't every five minutes.
[00:16:01] It's what potentially does, and we're just not hearing about it as much as we, as the regulators or authorities maybe.
[00:16:12] But I'm sorry, what was the question again?
[00:16:15] I'm just digressing here a bit.
[00:16:17] No, just in terms of the executives, like what do they fear the most?
[00:16:23] So what's their, what's on the agenda right now in terms of, and you have the kind of the glimpse because you were a flystander.
[00:16:32] Yep.
[00:16:33] Sitting there and they're talking about their issues and they're collaborating, but you have a unique view of things because you were the, sometimes the organizer, the fly on the wall and be able to absorb some of that.
[00:16:44] So it'd be great to hear your perspective.
[00:16:46] Yeah.
[00:16:47] Yeah.
[00:16:47] I write a lot of it as well.
[00:16:48] And then I go back to them and I say, is this right?
[00:16:50] Did I write too much?
[00:16:51] And I always write too much.
[00:16:54] And they always help whittle my content down.
[00:16:58] God bless them.
[00:17:00] There's just, there's, to me, the sheer level of complexity of the sector is really shocking.
[00:17:07] And I think aviation's probably my favorite sector.
[00:17:12] It's the hardest sector that we work in, but the sheer complexity of it all is profound.
[00:17:20] And the ecosystem is so massive, right?
[00:17:23] So depending on who you speak to, there's a plethora of different issues that are keeping folks awake at night.
[00:17:32] We had a wonderful presenter recently talk about ransomware and ransomware is still probably from what, from my perspective, the biggest threat from what I've learned and across all these industries.
[00:17:45] And it continues to be.
[00:17:46] And we don't hear nearly, you don't hear as much about it as, as what's actually taking place.
[00:17:52] Who's paying out?
[00:17:53] Who's not paying out?
[00:17:54] Who's, who's been hacked?
[00:17:55] Who hasn't?
[00:17:56] But we had a fantastic presentation recently on ransomware and some of the nation state actors and some of the others that, that are targeting these organizations, these aviation airports and airlines for financial gain.
[00:18:13] And the sheer amount of attention.
[00:18:41] And they're trying to track some of the, and then not be able to track some of it.
[00:18:45] It's pretty shocking to see what some of these specialists are actually able to track and see on the dark web that, you know, of those who are attacking this industry.
[00:18:59] All industries for that matter, for that, for that sake.
[00:19:02] But, and I think that, that really stuck out to me and it'll stick with me for a long time.
[00:19:07] And I've heard some really good presentations in my time, but the, the quality of that presentation was so clear.
[00:19:14] So that, that's one, just one element.
[00:19:18] And the supply chain, of course, supply chain is just a massive issue with all of these industries.
[00:19:25] And it only gets more difficult when you bring the politics into play, whether it be tariffs or Brexit or these types of things.
[00:19:34] And we've had conversations over the years about procurement and legal language.
[00:19:40] Who's, how do we solve the supply chain issue?
[00:19:43] With Heartbleed, I was told at one point by a business colleague that it was all in the procurement language,
[00:19:49] that we need to address this from a legal perspective and hold those accountable,
[00:19:53] those third-party vendors accountable for situations that presently they're not accountable for.
[00:20:03] There's, there's, uh, Jason, just a double click on the supply chain.
[00:20:08] We just recently with the CrowdStrike kerfuffle where the airlines were,
[00:20:16] they've got any Windows machine that was in fact, they were not infected, but had they, the update error,
[00:20:24] that, that crippled the airlines.
[00:20:26] And I believe that, I don't know how many flights were delayed or canceled for those couple of days,
[00:20:32] but that's a pure supply chain issue as well as just as you described.
[00:20:37] Yeah.
[00:20:37] That, that cascading domino effect, right?
[00:20:40] Because there's, everything's connected.
[00:20:42] And from what I have learned, CrowdStrike, of course, wasn't a, it wasn't a hack, right?
[00:20:48] It was a, it was, it was a mistake.
[00:20:53] Somebody in that organization did the wrong thing at the wrong time and it wasn't monitored appropriately
[00:20:58] and it had a pretty devastating effect.
[00:21:00] So it brings us back to the original question of what's keeping these folks awake at night.
[00:21:08] And it is that insider threat as well.
[00:21:11] So you have these insider threats and some are malicious and some are just pure accidents.
[00:21:15] Somebody happened to press the wrong button at the wrong time and it had catastrophic consequences.
[00:21:22] This, the skill set and the training and the culture around cybersecurity is one of the,
[00:21:28] one of the key elements I'd have to say just, just to round this question off.
[00:21:34] That we see is probably keeping most people awake more than the technology and the ransomware.
[00:21:41] We have all these things that are going to happen. It's not if, it's when.
[00:21:44] How prepared are you?
[00:21:46] Are you able to get back up after an attack and keep operations running?
[00:21:51] Then those are the champions.
[00:21:52] And we were talking about that at the recent show.
[00:21:55] The real champions are the ones that are going, that are ready, that know it's coming.
[00:21:59] And they're going to get hit.
[00:22:00] And you can't cover all the bases.
[00:22:02] You can't get all the best skill sets in.
[00:22:04] You don't have all the money in the world.
[00:22:06] You don't have all of the endpoints covered.
[00:22:09] Many of these organizations don't even know where their assets are.
[00:22:13] Some of the critical assets they might have identified.
[00:22:15] If you ask, most organizations, they don't have sight on the 30,000 assets.
[00:22:22] And if they had to blueprint them all, you'd probably see that they only highlight 1,500.
[00:22:26] But there's all these endpoints every place else.
[00:22:29] So there's all of these different areas that could be the attack surface that brings down the organization tomorrow.
[00:22:39] But it is, of course, how quickly do they get up?
[00:22:41] Okay.
[00:22:42] We're ready.
[00:22:43] We're ready for this.
[00:22:44] And it would be great to see a lot more of that.
[00:22:47] But I think that we are shifting in that direction.
[00:22:50] And it comes back to that collaboration and that information sharing.
[00:22:55] And what good are these conferences for?
[00:22:58] And how well do you know?
[00:23:00] My colleagues' business across town just got attacked.
[00:23:03] They haven't been able to operate.
[00:23:05] And they lost $18 billion in the last week.
[00:23:07] What can we learn from them?
[00:23:09] Will they share any information on that?
[00:23:13] That's the way forward, isn't it?
[00:23:16] I don't think we're ever going to get ahead of a lot of the other aspects.
[00:23:21] Yeah.
[00:23:22] And, Jason, you alluded to something during this conversation.
[00:23:25] You mentioned something to the effect about the regulation and how it affects especially the critical infrastructure.
[00:23:34] There's directives from the U.S. government, but I'm assuming that there's also some that are similar directives on the European side to manage and enforce security and cybersecurity measures specifically on critical infrastructure.
[00:23:54] There's always this dichotomy between the private sector protecting themselves and then there's a regulatory body that enforces some rules and guidelines on how to do so.
[00:24:08] What's your take on it?
[00:24:10] Should we rely heavily on the regulation, the regulators who will support this?
[00:24:16] Or should we let the private sector do their own thing?
[00:24:22] My personal opinion is that regulation is a good thing.
[00:24:28] Most of our events' themes are secure innovatively or innovation, securely innovate.
[00:24:40] And I believe that we should be promoting secure innovation and that we need those private companies to continue to innovate.
[00:24:47] But one of the problems I've always seen in critical infrastructure, and it gets quite frustrating year after year, it keeps talking about the same things.
[00:24:58] And the fact is that folks need direction.
[00:25:01] They need that framework.
[00:25:04] They need to know where to go and what to do.
[00:25:08] And, of course, compliance and ticking boxes isn't security.
[00:25:13] But somebody needs to provide a list of what to do and what not to do and what's going to happen if the board doesn't take this seriously.
[00:25:22] And I think regulation is a really good thing.
[00:25:25] I think there's far too many organizations out there thinking they might be able to solve the problem with a silver bullet.
[00:25:32] They might be able to solve some of the problems.
[00:25:34] They can't solve all of them.
[00:25:36] And there's a responsibility that comes with this power and this complexity that these organizations should ensure that they're accountable.
[00:25:46] They need to be accountable.
[00:25:49] And for far too long, I think they haven't been accountable.
[00:25:54] We see the graphics of the ostrich sticking its head in the sand.
[00:25:57] And there's just been far too much of that going on for a long time.
[00:26:01] And I think that the regulation, especially, say, in the United States, if you're not up to speed, if you're not compliant, they're going to bring the hammer down.
[00:26:10] You're going to get penalized.
[00:26:11] That provides a lot of financial motivation to people that have the money to actually make a difference.
[00:26:18] And they need to get busy.
[00:26:21] And that's the way I feel about it.
[00:26:24] I'm also a big proponent of innovation and private sector, having the freedom to do what they need to do to create new solutions and new avenues for growth.
[00:27:08] Jamison, it's funny because my perception is the other way around.
[00:27:16] The European Union is actually very on point and forceful on the regulatory side.
[00:27:23] And the U.S. is more relaxed.
[00:27:25] That's interesting.
[00:27:28] It's from a GDPR perspective that there's more enforcement in the European Union as opposed to the U.S.
[00:27:38] much more relaxed on the privacy, for example, the Consumer Protection Act and so on.
[00:27:44] Yeah, I can understand that perspective.
[00:27:46] I think when it comes to privacy, that Europe is far more focused on privacy and they take it far more seriously.
[00:27:56] Data privacy or these types of things.
[00:27:59] But we don't really, we don't, I don't see the hammer coming down very often.
[00:28:08] They are in place.
[00:28:10] GDPR, GDPR is something that scares a lot of folks, I think, and NIS.
[00:28:18] And it's really put that fire under people to get compliant.
[00:28:26] But we really aren't seeing, from my knowledge, a whole lot of companies being held accountable yet.
[00:28:35] And yeah, they are strict.
[00:28:36] And also, they just, yeah.
[00:28:38] Yeah.
[00:28:39] Yeah.
[00:28:39] And they just released also guidelines on how to use AI.
[00:28:45] The European Union just released one too as well.
[00:28:48] It's really interesting.
[00:28:49] But then, how do you balance things out with the consumers?
[00:28:53] All they want is, for example, cheap airline tickets.
[00:28:57] That's all they care about.
[00:28:58] Most people, I would say, including myself, like all I care about is I want to be able to fly inexpensively.
[00:29:05] I wouldn't say the word cheaply.
[00:29:07] Inexpensively everywhere.
[00:29:11] And the airlines are, there's a lot of budget airlines that are flying around trying to balance it out.
[00:29:19] Again, all the regulation, the security, the maintenance of these airplanes, the ground crew, everything else.
[00:29:27] And even salaries to the pilots and staff, balance it out with the cheap tickets.
[00:29:38] It's a very, between a rock and a hard place for a lot of these companies.
[00:29:43] Yeah.
[00:29:45] I think it's an interesting conversation, David.
[00:29:48] I want cheap airline tickets as well.
[00:29:53] But, and then we sit here and we're like, wow, how can any business afford this?
[00:29:58] And then next week you'll see on the front page of the news that the board of directors and the shareholders have been given hundreds and thousands of pounds or dollars in bonuses.
[00:30:09] Look at the water companies in the UK.
[00:30:14] Every week there's a new announcement of some of these companies that are paying out very large bonuses to shareholders.
[00:30:24] And our waters here, they've been finding all types of pollution in them and they're not doing what they should be doing.
[00:30:32] We're just assuming as consumers that they're doing the right thing.
[00:30:37] But no one's shining a light in those dark places.
[00:30:40] And I think there's a lot of people making a lot of money off taxpayers.
[00:30:46] And I would be bold enough to say that probably most budget airline shareholders are doing quite well.
[00:30:55] Yeah.
[00:30:56] And it's interesting.
[00:30:57] Maybe they, it's on one side, they cry to everyone saying that they're in dire straits.
[00:31:03] And then, as you mentioned, the executives are that they make what's at 500 times what normal wages.
[00:31:12] Yeah.
[00:31:13] It's not 20 times, it's 500 times make 15, $20 million a year.
[00:31:17] Yeah.
[00:31:19] And then if they're speaking innovation cyber, they will go out to the vendor and nickel and dime them asking for 85% off on their solution on a yearly basis.
[00:31:35] Just because they're a big airline.
[00:31:38] So they knock off the, so it's quite a dichotomy.
[00:31:42] But again, nothing is perfect.
[00:31:44] I think this is a, we have to operate in this imperfect world.
[00:31:48] I guess there's nothing we can do about this.
[00:31:51] I think there are solutions out there.
[00:31:54] I've met a lot of really interesting people who've really created some, some interesting hypotheses on how to move forward, especially in cybersecurity.
[00:32:05] I can't begin to really understand how something like an airline or a small business, small airline business of that nature could articulate its funding and its costs.
[00:32:18] But I think when it comes to seeking cybersecurity investment and the old question of, hey, we're not investing in this because we don't know where the ROI is.
[00:32:31] There's, there is money there when the money is being spent.
[00:32:35] The shareholders, of course, they're used to a certain lifestyle.
[00:32:38] And anytime it dips beneath that, that fundamental baseline that they're used to, it's the panic zone, right?
[00:32:45] But when we consider how much money is being invested in digitization and predictive maintenance and all of these operational efficiencies, and of course, AI is now this thing.
[00:32:58] But from the CIOs and the CTOs, they're the ones who are driving forward most of the digitization and digital transformation.
[00:33:07] They're the ones who are getting the budgets.
[00:33:09] And I've been told that the IT sector is, of course, more mature.
[00:33:13] They're used to getting bigger budgets than the OT sector.
[00:33:17] Fair enough.
[00:33:18] I think fundamentally, professionals in the industry have to look at how they can sell cybersecurity to the board of directors more effectively.
[00:33:27] One is the language they're using.
[00:33:29] I think we all know that.
[00:33:30] And there's a massive language barrier between IT and OT.
[00:33:33] But there's also a massive language barrier between the divisions that need that funding and how they approach the CFO, right?
[00:33:41] Because the CFO doesn't know anything about it.
[00:33:44] It doesn't want to listen to a techie nerd talk about network architecture and vulnerabilities and things of this nature.
[00:33:52] They have to go in there with facts and figures about how much money they're going to make or how much money they're going to lose to get the funding that they need.
[00:34:00] And I've seen presentations that I thought were quite inspiring on predictive maintenance and AI and how cybersecurity is being built as an undercurrent backbone of resilience underneath these digitization programs.
[00:34:16] So the representatives are literally going to the boards of directors and saying, listen, this is how much money we can save you by optimizing your enterprise, to use buzzwords in the industry.
[00:34:31] But I mean, it's how they can become more efficient, how they can save more money.
[00:34:35] And their eyes are lighting up.
[00:34:37] These people are creating pipelines, sales pipelines, using this methodology instead of going in there and trying to sell cybersecurity.
[00:34:44] And I think it's, hey, you know, your predictive maintenance program, it could be, you could be saving XYZ annually.
[00:34:50] And if for some reason this maintenance or asset management program goes down, you're going to lose billions.
[00:34:57] Every single day, you're going to lose billions.
[00:34:59] But if we can, if we can look at these asset management and predictive maintenance strategies, and they're secure by design when we deploy them, they have a security element already built into them.
[00:35:12] We don't actually need to talk security so much.
[00:35:16] And I find that quite inspiring.
[00:35:18] Folks are finding a way to talk security to people that don't understand security, but they do understand money and they do understand digitization and they do understand that will make them more money.
[00:35:30] They might be able to cut jobs or operate their businesses differently.
[00:35:36] But there's a way of selling cybersecurity.
[00:35:39] And I thought that was quite innovative.
[00:35:44] Yeah.
[00:35:45] And it's interesting because a lot of the industries like the airline operate in a manner that's based on past, past issues or things that happened in the past and they had to fix it.
[00:36:01] And sometimes by, with disastrous effects, some of the regulation associated with the airline maintenance, for example, is due to the fact that there were airline accidents.
[00:36:14] Things that happened in the past that then need to get fixed.
[00:36:18] And now that's becoming industry standard, right?
[00:36:22] So you have to, for example, a certain amount of sleep with the crew, a certain amount of maintenance and so on.
[00:36:29] So I hope that the cybersecurity industry is becoming more mature over time.
[00:36:34] And as you described, succinctly so, the cyber piece needs to be incorporated into every fabric of the airline industry and not as an afterthought.
[00:36:50] And then needs to take that and then translate that into normal speak that the executives can understand.
[00:37:00] Because as you mentioned, no one really cares about network architecture.
[00:37:04] Maybe some people do, but the majority of the people, especially the ones that write the checks, do not care.
[00:37:11] And in fact, all they want to know is the bottom line.
[00:37:14] How can you prevent my business from stalling and how you can help me make money?
[00:37:23] So speaking about innovation, you mentioned that you're a huge proponent of advancing through innovation.
[00:37:29] What have you seen from an industry perspective?
[00:37:34] Where is innovation coming from in the next six to 12 months?
[00:37:39] Maybe technology, but also just from what type of technologies within the cyberspace?
[00:37:47] I think obviously from a technology perspective, you do see AI, the big buzzword.
[00:37:57] There's all types of presentations and industry leaders coming to these shows talking about how they can use AI.
[00:38:11] And AI is a bit dangerous, isn't it?
[00:38:15] So it can create all of these efficiencies and all industry sectors that I've worked with are using it in one way or another in ways that I don't even understand.
[00:38:26] But they're creating these efficiencies.
[00:38:29] They're taking those redundant jobs and AI is filling those gaps.
[00:38:35] And they're finding new ways, you know, but one of the things that came up at one of our rail shows in the U.S.
[00:38:42] that a business colleague mentioned that was quite profound is we want to use it.
[00:38:49] We want to deploy AI.
[00:38:51] But the biggest focus here should be on how it's used responsibly because it's quite complex, really.
[00:38:57] And it's all data dependent, right?
[00:38:59] And we have massive data problems already.
[00:39:03] It doesn't matter what industry you're in.
[00:39:04] There's so much OT data and IT data out there.
[00:39:07] No one knows what's actionable and what's not, right?
[00:39:12] And if we did, they would be more profitable, really.
[00:39:16] And we talk about this a lot.
[00:39:17] What is actionable data?
[00:39:19] But AI depends upon how it's programmed and what type of data sets it's running off of.
[00:39:25] And there's this responsibility factor, right?
[00:39:29] Where do we stop this machine?
[00:39:32] How much is AI going to be protecting us against cyber attacks by identifying anomalies and behavior and whatnot?
[00:39:40] And those adversaries out there are also using it to attack organizations.
[00:39:49] Basically, we got massive robots.
[00:39:51] We just got robots attacking robots here in the future, don't we?
[00:39:54] It's like a scary movie.
[00:39:56] We do.
[00:39:57] We see that.
[00:39:59] There's a lot of discussion about AI and how it can be used responsibly.
[00:40:02] I think one of the areas of innovation that I see and that I'm most inspired by is really the human element.
[00:40:10] The collaboration and the awareness and the passion to get the job done, regardless of your paycheck, regardless of...
[00:40:22] There are those out there that work in this particular industry and critical infrastructure that know that what they're doing will save lives, ultimately.
[00:40:32] I've worked with...
[00:40:33] I've even had hospitals, medical centers come to some of these shows, and they're under attack.
[00:40:38] And it used to be that they were off limits.
[00:40:42] And they're not off limits to hackers anymore.
[00:40:45] There's no place a hacker won't go now to try and...
[00:40:49] Yeah, Jamie said it was...
[00:40:50] Just double-click on that.
[00:40:52] There was already an incident where due to, I think, ransomware, an operation got postponed, and the patients basically...
[00:41:00] Unfortunately, it expired because of the ransomware attack.
[00:41:05] So it had the right correlation to that medical center.
[00:41:10] There's a lot more horror stories out there in the healthcare sector than people are aware of.
[00:41:17] And I think there's a lot of really good PR people keeping a lot of this stuff from hitting the papers.
[00:41:22] I think there's a lot of talent out there in that respect.
[00:41:26] It's like an interest PR.
[00:41:28] Yeah.
[00:41:29] But, you know, some of the people working in this industry are amazing, and they're innovative.
[00:41:33] You know, there was an airport out in Florida that I had met once who did a presentation for us.
[00:41:38] And, you know, the head of IT and then the head of safety and security noticed that there was a problem within the airport,
[00:41:46] that there was a vulnerability and a gap, really, in the business of addressing all of that gray area
[00:41:55] and that middle ground where most of the threats are probably sitting,
[00:41:59] and the fact that none of those departments communicated together.
[00:42:02] And they came together and they put together a team.
[00:42:05] And I get goosebumps still talking about it.
[00:42:07] And they came together at our conference and they talked about how they did this for this airport.
[00:42:13] And they weren't asked to do it.
[00:42:16] They weren't paid to do it.
[00:42:17] They weren't asked to do it.
[00:42:19] They just saw that it was a threat and that it needed to be, a team needed to be put together to solve some of those problems.
[00:42:25] So they came out of their silos.
[00:42:28] They created a team for this airport.
[00:42:30] And they were moving forward.
[00:42:33] To me, that's innovation.
[00:42:35] That's driven by passion.
[00:42:38] And it's amazing, James, to hear stories like this because, again, if you look at the passenger that is frustrated that the flight got delayed by an hour,
[00:42:55] so they go to the check-in counter and start yelling and screaming at the attendant.
[00:43:03] But the underlying, I think, notion that you provided is that these people actually, I would say a majority of them do care and provide this human element of protection.
[00:43:15] At the end of the day, they want everybody to fly safe and be safe and provide the best experience possible.
[00:43:24] And I think we as passengers, first of all, we take everything for granted, as we described earlier.
[00:43:31] And it's absolutely amazing that things just keep on chugging along.
[00:43:36] And then we also take for granted that these people have our best interests in mind.
[00:43:44] Yeah, I would say that's a fair assessment and very kind.
[00:43:51] We all get frustrated at airports, I could tell you.
[00:43:53] And on top of that, I would say that the cybersecurity people that are working for these organizations, it's not the biggest paying job in the world.
[00:44:04] They're doing this because they care.
[00:44:06] And I find that a lot.
[00:44:08] They care.
[00:44:09] These people working for energy companies I've met.
[00:44:12] And I used to run nuclear cybersecurity shows, too.
[00:44:15] These folks know that they're making an impact and they're doing a good thing by showing up every day and giving it 110%.
[00:44:27] And I think you see that with the cybersecurity people involved in aviation as well.
[00:44:32] They're passionate about what they do.
[00:44:34] There's a massive need for it.
[00:44:37] But there's not nearly enough specialists out there in any of these sectors.
[00:44:43] And it's a real opportunity.
[00:44:46] I think we're all blessed.
[00:44:47] I think we're quite blessed.
[00:44:49] Yeah, absolutely.
[00:44:50] And the issue is as well, it's a bit of a fantastic job.
[00:44:55] Because if you do a phenomenal job, nothing happens.
[00:44:59] Yes.
[00:45:00] How do you then quantify what are the key performance indicators?
[00:45:07] I think they're just basically the project base.
[00:45:09] But how do you know that the security department is actually doing well?
[00:45:14] Well, besides from the fact that you don't get hacked or you remediate real quick if something does happen.
[00:45:24] Yeah.
[00:45:24] I think there's probably some KPIs and some measurements there.
[00:45:28] Again, I think if folks are going out to conferences and they're going out and they're meeting their peers,
[00:45:34] and they will hear the horror stories, obviously, in the press.
[00:45:38] And if they're not on the front page of the news, they should be celebrating.
[00:45:43] Because from what I've heard, there's a lot of activity going on.
[00:45:48] And with this Ukraine war and the Israeli conflict, and the Russian and China threats have been a major focus of cybersecurity professionals,
[00:46:04] trying to mitigate those.
[00:46:05] From the day I started, those were always the key threat actors, right?
[00:46:13] But, yeah, I think there's a lot going on.
[00:46:15] And if they're not on the front page of the news, then they can celebrate.
[00:46:19] But I think going to the conferences and talking to people and meeting your colleagues,
[00:46:25] they may be able to tell you about some pretty scary stuff.
[00:46:30] And I think at that point, if you're an industry professional and you're like,
[00:46:34] man, I'm really glad that didn't happen to my team last week, then you've got some...
[00:46:39] Is there a time where people just say, hey, listen, turn everything off?
[00:46:44] Like, we need to...
[00:46:45] There's something we need to discuss in private that doesn't be this area.
[00:46:53] Were you...
[00:46:54] Did you have any previous things like that that happened where people,
[00:46:58] executives wanted to share stuff that happened, but they could not do it in any other form?
[00:47:05] Yeah, they usually take place over a coffee, out in the hallway, amongst trusted individuals.
[00:47:15] We do see that a lot of the folks in this sector know each other or know of each other.
[00:47:22] And there is a lot of...
[00:47:23] It's like a water cooler conversation.
[00:47:24] Yeah, yeah, it is.
[00:47:26] The Cyber Senate itself, we operate a very sensitive forum.
[00:47:31] We don't let journalists, publicists, we...
[00:47:35] And we're even sometimes quite strict about phones and recording things and taking pictures of things.
[00:47:43] But it does depend on who you're working with.
[00:47:45] Some stuff's too sensitive.
[00:47:47] Obviously, speakers aren't going to share it.
[00:47:49] But we do get a lot of conversations in there.
[00:47:52] But I think cybersecurity professionals are very careful.
[00:47:56] They're very careful about what they share.
[00:47:59] Because that information sharing is so important, but it's often been said you have to know what you can share.
[00:48:04] And you also have to be...
[00:48:05] You have to know what not to share, right?
[00:48:08] It's equally important to make sure you don't share some things.
[00:48:15] See?
[00:48:16] Yeah.
[00:48:16] I think there's some pretty good...
[00:48:17] Pretty good...
[00:48:18] Pretty good conversations.
[00:48:20] It's been an...
[00:48:20] Yeah, amazing conversation.
[00:48:22] So before we part ways, I want to spend a couple minutes about the event themselves.
[00:48:28] Sure.
[00:48:29] How to get involved.
[00:48:30] Who's it for?
[00:48:33] Just in general, so people that want to...
[00:48:36] They listen to this and want to take part.
[00:48:40] Any information you can share.
[00:48:41] That'd be great.
[00:48:42] Yeah.
[00:48:43] Sure.
[00:48:43] So we just finished our Aviation Cybersecurity Show.
[00:48:47] And that ran for four years before COVID.
[00:48:51] COVID kind of wiped that out for a bit.
[00:48:53] And then I focused purely on some of our OT shows after that.
[00:48:57] I've been running industrial control shows for over 10 years.
[00:49:01] Right now, we're very focused on transport.
[00:49:05] We see that as an emerging sector.
[00:49:08] There's still a lot of other great sectors out there.
[00:49:11] But for now, we're focused on those transport sectors.
[00:49:14] So we'll have Aviation Cybersecurity webinars coming up quarterly.
[00:49:17] So we're going to keep running with the professionals we know and building that visibility and those opportunities.
[00:49:26] Those will take place quarterly.
[00:49:27] And they'll be announced on cybersenate.com shortly.
[00:49:33] And we will run our Aviation Cybersecurity Show in London every year.
[00:49:38] We've been asked to do it in the Middle East, and I'm probably going to take it to the United States next June.
[00:49:43] We also have the Rail Cybersecurity Show.
[00:49:46] And I launched that about 10, 11 years ago now.
[00:49:50] And the progress that sector has made has been phenomenal.
[00:49:56] You wouldn't believe how quickly they've matured compared to some of the other sectors.
[00:50:02] And it's been an absolute privilege to work with those people.
[00:50:05] But, yeah, that takes place in March on the 11th and 12th in London.
[00:50:09] And we pioneered that topic.
[00:50:11] We run it in the United States as well at the end of May when we typically do these things in Florida for the U.S.
[00:50:17] And, of course, that's railcybersecurity.com, or you can just visit cybersenate.com.
[00:50:23] Our events, all of our events are designed for critical infrastructure operators or operators of essential services.
[00:50:29] So one of our core focuses is to make sure that we get in those who are responsible for our safety and security of our airlines, our airports, our railways, our nuclear plants, whatever it may be.
[00:50:44] So those are our key speakers.
[00:50:45] They're always asset owners.
[00:50:47] Then we also like to bring in a layer of really high-value vendors, particularly those who have really good case studies, not sales pitches.
[00:51:00] That can show exactly what role technology and innovation can play and how it can assist.
[00:51:06] So those are the types of folks you meet.
[00:51:08] We work with a lot of government people as well.
[00:51:11] Big shout-out to CISA as well as the NCSC here in the United Kingdom, who have always been quite supportive of us.
[00:51:17] But we do work with CISA a lot in the United States.
[00:51:21] So you'll always meet those folks at our U.S. shows too.
[00:51:26] Fantastic.
[00:51:26] And then I like to typically part ways with something positive that you've experienced or that it is remissioned.
[00:51:37] The sky is not falling and coming from you, if you can share something positive that you've experienced or observed in the past year or so, that would be great with the audience.
[00:51:50] Sure.
[00:51:51] I would say that there's a lot of hope in what we're doing.
[00:51:56] There's a lot of awareness.
[00:51:58] What we've seen is that the culture of awareness and the perception of cyber risk in these organizations is changing profoundly.
[00:52:06] We still need more government oversight, so more government involvement.
[00:52:11] They should have been involved a long time ago in saying, hey, these are risks.
[00:52:16] But those who work in this sector live for it and die for it.
[00:52:21] And they love what they're doing.
[00:52:23] They're fantastic at it.
[00:52:25] They're building amazing teams.
[00:52:27] They understand the role of collaboration.
[00:52:31] They understand the role of information sharing.
[00:52:34] They're looking for those with skill sets in OT particularly.
[00:52:40] We're working with lecturers now as well who are training up the next generation of OT cybersecurity people.
[00:52:46] They're putting together virtual labs.
[00:52:47] So, you know, it's all very inspiring.
[00:52:50] There's a lot of jobs out in cybersecurity.
[00:52:53] There's a lot going on, obviously, in this sector.
[00:52:58] And like I said before, I think innovation really is at the human level here.
[00:53:03] And we have some really very knowledgeable and very passionate leaders that are developing teams in critical infrastructure to make sure that we keep the lights on.
[00:53:16] And I just tip my hat to those people because they're getting calls all day and all night.
[00:53:21] I have people in my conferences taking calls in the hallway.
[00:53:24] And, man, they're sweating.
[00:53:25] Some of them are sweating it.
[00:53:26] They got a massive responsibility.
[00:53:28] And they're keeping people safe.
[00:53:32] There's folks out there defending the border, so to speak, day and night.
[00:53:38] And you just can't applaud them enough.
[00:53:41] They're doing a wonderful job.
[00:53:42] So there's a lot of hope there.
[00:53:43] It's not all doom and gloom.
[00:53:45] There's a lot of scary digitization stuff going on out there.
[00:53:48] And there's a lot of risk.
[00:53:49] But there's also a lot of folks out there that are very good at what they do.
[00:53:54] And the future is wide open for this job sector, which is great for those of us with kids who are like, you need to work in cybersecurity.
[00:54:06] Fantastic.
[00:54:07] Jamison, thank you very much for joining me today.
[00:54:09] Much, much appreciate it.
[00:54:10] It was a wonderful conversation.
[00:54:12] Looking forward to maybe popping into one of the U.S.-based events.
[00:54:17] And until then, for all those who join us, stay safe online as well as offline.
[00:54:22] I'll see you in the next episode.
[00:54:23] Thank you very much.
[00:54:24] Thank you for having me, David.
[00:54:27] Thank you.
[00:54:27] Thank you.
[00:54:28] Have a good day.