All Tools, No People: Cybersecurity Is Missing The Boring Human Investment
OT security spending is at an all-time high, yet all these tools do is fill the “do we have X product” hole if the organization isn’t investing in a human-driven aggregation layer to curate and make decisions based on the telemetry and data pouring out of them. Danielle Jablanski has examined this problem from a rare intersection of vantage points: as a strategist working with asset owners at Nozomi Networks, as a leader of OT strategy inside CISA’s Office of the Technical Director, and now as the OT cybersecurity consulting program lead at STV, an infrastructure-focused firm building security in from the start rather than bolting it on. She joins Matt Calligan to explain why treating cybersecurity as a technology problem instead of a people problem is dangerous in environments where the stakes couldn’t be higher – where failure doesn’t just interrupt data or access, it stops water, electricity, and the systems society runs on.
- The OT cyber gap is not a technology gap—it is a human capacity gap. Organizations are buying detection platforms and continuous monitoring systems at record pace, but not investing in the human capacity to manage them, oversee them from a centralized decision-making perspective, and act on what the tools produce. When you treat cybersecurity as a tech problem instead of a people problem, you misdiagnose the issue—and that misdiagnosis is dangerous in OT, where consequences are physical.
- The industry needs trusted advisors—not resellers. Danielle joined the consulting world specifically to push back on the reseller and managed service models. Trust creates speed and efficiency, and organizations that get that model right need to be heard.
- Competence, capacity, capabilities—in that order. Competence has grown: OT training, vulnerability assessments, threat modeling, asking the right questions of vendors. Capacity is improving: GRC is moving beyond annual checkbox exercises toward continuous improvement. But people rush to capabilities without the first two. You can buy all the tools in the world, but without the capacity to run them, they become expensive costs.
- “Point solution” is no longer an ugly phrase. The market is suffering from “overconsolidation,” where too few solutions deliver a large swath of mediocre, overly general features that are becoming single points of failure. Now organizations are asking what they actually need, whether they need every feature, and whether one tool that does a specific thing well beats paying for features they will never use. That shift is healthy.
- Everyone assumes someone else is doing the gap analysis. It is not that too many people have a stake in a deployment—it is that everyone assumes the other person is doing the work to make it the best possible deployment. Architecture reviews have turned up entire sections of networks that are black holes. People turn in their homework and think their job is done, when the updates have barely begun.
- The hardest part of deployment is the human ask, not the technical one. It is easy to tell someone their portion of the mission is important to protect. It is much harder to say: I need a day of your time for eight hours of training on this product, and I need your boss’s boss’s boss to approve it. People do not plan for that in the deployment phase. It is often called a cultural gap, but it is really a mission-critical gap.
- Beware the “God complex” in cybersecurity. Some practitioners assume everyone thinks about cybersecurity all day, and that without security, all the dominoes fall. But without HR, you do not get a paycheck. Every mission matters. At CISA, the lesson was that everything is critical infrastructure—which means your mission is important, and so is everyone else’s. The fix is branching out: Danielle takes courses on rail operations because train operators are more important than she is, and understanding their world makes her better at hers.
- Security should be boring. The most valuable conversations are about gateway configurations, destination ports not set up on a switch, segmentation—not personifying threat actor names into otherworldly creatures (the CrowdStrike superhero figures at RSA). Those are real, regular people doing things that the right tools, techniques, and practices could prevent. Segmentation remains the most important control: tried, true, and proven in adversary emulation to make attackers without an overarching impetus give up and move on.
- The OT threat-sharing problem is structural—and getting more urgent. There is no statistically significant pool of OT incident data; the government does not have it, the private sector does not have it, nobody has it. Major vendors are private companies with no obligation to report. Worse, threat sharing is still very manual—and in an era of compromise at machine speed, manual indicator sharing of OT data is a gap the industry will suffer from if it does not get ahead of it.
- Standardize the telemetry, or the data stays uncomparable. STIX/TAXII standardizes IOCs, but the underlying data is not standardized—you cannot compare one vendor’s telemetry analysis to another’s. If a report claims a 55% increase in ransomware in a sector, that has to be couched against the vendor’s deployment rate in that sector, the way you would normalize per capita. Standardized, caveated reporting would change the game.
- Combine the best threat intelligence with cyber-informed engineering. The needle-in-the-haystack incident everyone wants to find and prepare for could actually be packaged: take CIE fault-tolerance and design principles to understand what is plausible (not just theoretical) in a given environment, then pair that with strong threat intelligence analysts. That output would be the tailored, purpose-built scenario organizations keep chasing.
- Before buying anything: rationalization and maturity. Start with tool rationalization—not what is on the market, but what you already own and operate, your technical debt, your shadow IT. The network security monitoring tools already in your switches might get you 60% of the way there. Then build your own maturity model: beg, borrow, and steal from existing frameworks (APTA’s public-transit OT maturity model, the CISA CPGs with their scope/impact/cost breakdown). If you are not in a regulated industry, you do not have to conform to one standard—take the aspects you can most readily achieve.
- Less is more—audit what is already at your fingertips. Years ago, compliance was the “Paul Revere of industrial cybersecurity”—buy now, because compliance is coming. It did not happen. Rather than chasing the next shiny object, the next unicorn hire, focus on what is tangible and unused today. That includes people: the brilliant, hungry person already in your organization you might be overlooking because you are so focused on tool adoption.
Navroop Mitter:
[00.00.03.21–00.00.31.08]
This is Navroop Mitter, founder of ArmorText. I’m delighted to welcome you to this episode of the Lock and Key Lounge, where we bring you the smartest minds from legal, government, tech and critical infrastructure to talk about groundbreaking ideas that you can apply now to strengthen your cybersecurity program and collectively keep us all safer. You can find all of our podcasts on our site and listen to them on your favorite streaming channels. Be sure to give us feedback.
Matt Calligan:
[00.00.31.14–00.00.59.08]
Hey there folks! Welcome to the next episode of the Lock and Key Lounge. I am Matt Calligan and I have a guest today who I’ve actually really been looking forward to. I say actually like it’s a surprise. No, I’ve been genuinely looking forward to talking to you because she’s been asking very similar questions that I think a lot of folks are either not asking or avoiding or just haven’t thought through entirely.
Matt:
[00.00.59.08–00.01.32.04]
So it’s something that’s been on my mind. And in a lot of conversations with folks that I’ve been engaging with lately, OT security spending, it is at an absolute all-time high. The TXOne Networks 2026 annual OT/ICS report found that 88% of organizations increased their OT security spending by more than 10% in ’25, and then the SANS Institute OT/ICS report tells us that only 1 in 8 organizations have full visibility across the ICS kill chain.
Matt:
[00.01.32.05–00.02.16.21]
And that gap between what we’ve spent money on and what’s actually working is really where we’re focusing on. And I think it has a lot to do with where the industry has been putting its attention. We’ve gotten very good at building and selling security technologies and generating a lot of Gartner hype cycles around those. But what I’m not sure we’re seeing, or what we’re keeping up with, is where the humans pick up from that security portfolio, if you will, the capacity to actually use what they’re buying and make decisions off of what the tools do as an output and manage that as a service area, and then obviously make decisions and respond even when
Matt:
[00.02.16.21–00.02.36.13]
those things start working, or when something like Glasswing reveals that there’s been a vulnerability in there for whoever knows how long, and in environments that matters in a way that you know, matters more than it in a lot of cases. Because when it fails, it’s not data or access that gets interrupted. It’s a physical system that stops.
Matt:
[00.02.36.13–00.03.07.06]
It’s water stopping. It’s electricity, nuclear stuff doing what nuclear does, oil not flowing through pipelines, or the environmental controls in a farming system going haywire and animals overheating. These are all physical impacts that directly flow into, you know, our existence here in society and continuing to use it. So my guest today has looked at this from a really interesting sort of intersection of vantage points.
Matt:
[00.03.07.07–00.03.39.11]
As a strategist at Nozomi Networks, working with asset owners, and as someone who has led OT strategy inside CISA’s Office of the Technical Director, and now as the cybersecurity consulting program lead for OT at STV, which is an infrastructure-focused professional services firm, where she’s focused there on building security in from the start rather than bolting it on afterwards, which they call cyber-informed engineering, it is Danielle Jablanski.
Matt:
[00.03.39.12–00.03.41.11]
Danielle, welcome to the show.
Danielle Jablanski:
[00.03.41.12–00.03.44.08]
Thank you, Matt. Excited to be here. Thanks for having me.
Matt:
[00.03.44.09–00.04.04.04]
I’m glad you’re excited. Me too. All right. So let’s jump right into it. I mean, typically we go into the extensive bios here, but I know you’re on a compressed timeline and, you know, everybody’s heard what they do before. So if it’s okay, let’s just jump right into the topic here. I’ll give a quick overview and then get into the questions.
Matt:
[00.04.04.06–00.04.37.15]
You and I spent some time talking about this earlier: that gap in OT cyber that the industry is really not focusing on. It’s not a technology gap. It’s not that there’s missing tools. It’s that organizations are buying things like detection platforms, continuous monitoring systems at record pace. But what they’re not investing in is the human capacity to manage it, to manage and oversee this sort of from a centralized decision-making perspective that then can lead to informed decisions.
Matt:
[00.04.37.15–00.05.00.20]
So what we’re going to talk about here is what happens when we treat cybersecurity as a tech problem. Or maybe we’re going to talk about how we’ve done that so far instead of a people problem, and why this misdiagnosis is dangerous in operational technology environments where those consequences are physical. So first question here, just to set the stage.
Matt:
[00.05.00.22–00.05.27.18]
I want to start with something simple. Obviously from your perspective, I talked a little bit earlier about sort of this intersection of the various jobs that you’ve been in over the years from inside this space. From this perspective, you have vendor, government, and now you’re on the engineering consulting side. When you look at OT cybersecurity programs from that lens, what patterns are you seeing within the context of this topic?
Danielle:
[00.05.27.19–00.05.43.21]
Yeah, I was happy to myself because I thought of a new one that I used to say pretty frequently before I went to CISA, and even now, I think across the board, I recognized even as an industry analyst when I went to work for one of the vendors, and then when I went to government, that there were no true, trusted advisors in this space.
Danielle:
[00.05.44.02–00.06.03.16]
And so when I left government, after writing some of the advisory documents and review of what was top of mind, even in classified briefings, I said, I want to go to this firm STV because of two reasons. We’re not a reseller, so we can actually remain technology agnostic for our clients, and we’re not doing managed services. So there are no kickbacks.
Danielle:
[00.06.03.16–00.06.20.11]
Even if we were to have the managed service application of like, we don’t care who you go with, but we’re still going to be able to be embedded. And that’s not to fault the organizations that have that approach. It just lets us work with our clients in a much more trusted capacity. Hey, once you’re ready to purchase something, go and work with our partners that sell those tools.
Danielle:
[00.06.20.11–00.06.37.16]
We’re not going to do that, but we’re happy to do all the evaluation to get you to that finish line. And I think that just allows for different conversations to be had. And so I am building the practice still. I’ve only been here just under a year, actually. And we focus on three things. And that’s competence, capacity, and capabilities.
Danielle:
[00.06.37.16–00.07.00.11]
And I think that’s really important. From a competence perspective, there’s actually been a lot of growth, right? The expansion of OT training awareness, vulnerability assessments, how we’re actually saying it’s not normative to patch these systems. That’s all been pretty well accomplished, right, across the board. We get that right now. We’re starting to see more maturity in threat modeling and internal training to beef up personnel and requirements to actually ask the right questions of the vendors.
Danielle:
[00.07.00.16–00.07.15.16]
When we’re getting to a point to make sure that we’re actually providing docs in our environments, rather than a kind of out of the box office CO2 that’s going to work, you know, nine times out of ten and looks really good. And there’s a lot more OPI experts today. And so those are all good things from a competence perspective.
Danielle:
[00.07.15.17–00.07.43.00]
From a capacity perspective, the needle is really moving in terms of like GRC. So the governance risk and compliance is moving beyond basic paperwork and annual check box exercises, whatever you want to call them to more defined requirements and continuous improvement. So I always kind of tell this anecdotal story. Years ago, I was brought into an Air Force project just to do like the assessment work, and we were getting the project off the ground and they were saying, you know, here’s the scope, here’s the location, there’s the systems, whatever.
Danielle:
[00.07.43.00–00.08.03.16]
We want to know the best list of security controls we can put together for ourselves to do this work. And the Air Force has actually made strides in the other security. But at the time I looked at them and I said, do you want the best list of controls, or do you want the list of controls you can achieve within a reasonable timeline with the resources you possess today, and how to maintain that or achieve those resources?
Danielle:
[00.08.03.17–00.08.20.05]
Because everyone can build the best list, right? We’ve got plenty of lists. Oh yeah, and you can make a custom list. You can make a list of lists. But how to actually achieve continuous improvement is actually a different list. It’s a different maturity approach, a different conversation. So that’s really where we’re seeing the GRC, you know, capacity building, and then personnel.
Danielle:
[00.08.20.06–00.08.39.21]
Right. You can buy all the tools in the world. And if you don’t have the capacity to run those tools, they just become expensive costs. And then capabilities, right. I think a lot of people rush to capabilities without those first two, competence and capacity. Capabilities continue to center on the visibility to a market. But the significant breakdown in market solutions that are centered on asset identification versus threat detection has been further distilled.
Danielle:
[00.08.39.23–00.08.54.20]
If you look back to 2017, it was a very fragmented market, right? Like some tools just did log review, some tools just did one thing or another. And so then we put them all together and that was great. Everyone wanted a single pane of glass. Now people are saying, wait a minute. What do I really need? What is my requirement list?
Danielle:
[00.08.54.20–00.09.11.02]
And do I need all these features? Do I need to pay for all these features in this tool that I might not use compared to the other tool that does one specific thing? Right? Point solution is not an ugly phrase anymore, which I really like. When I was an analyst, it was an ugly thing, right? Everyone, everyone wanted to converge all the information.
Danielle:
[00.09.11.04–00.09.29.12]
So I think that breakdown between the ID and the threat detection is another kind of extrapolation from the bottom market. And then I think we’re seeing less set-it-and-forget-it. Right. More strategic approaches to adopting the technology, better roadmaps. Roadmaps are not just for deployments, right? They’re for the use cases, for establishing what data you need and what value you get out of it.
Danielle:
[00.09.29.13–00.09.49.14]
A question I’d love to ask people after they’ve deployed a tool is, how will you measure the value of the tool? And the answer for detection, visibility, asset ID is different across the board. And so it needs to be defined in the requirements. Right? Not post-deployment. Right. There are also some kind of broader things I’m seeing beyond that breakdown of competency, capacity, and capabilities.
Danielle:
[00.09.49.15–00.10.07.19]
One is that visibility is not the only tool on the market, nor is it the perfect solution. So I think that’s great, right? You’re continuing to see emerging market spaces that we hadn’t actually seen five years ago. Because this is new, right? We’re not in the IT space where everything has been around for a long time and we’ve got 25, 30 competitors in each market segment.
Danielle:
[00.10.07.20–00.10.25.12]
And the second one is that even in unregulated markets or industries or sectors, we’re seeing less “tying of the hands,” as I call it in quotes, around “we’re just going to wait until something is mandatory by a regulatory body to do anything,” right? And we had seen that for years and years. And I think that’s shifting as well.
Danielle:
[00.10.25.12–00.10.31.03]
So I know that’s a lot of, like, high, low, middle, what we’re talking about across a lot of different sectors. Right, right.
Matt:
[00.10.31.05–00.11.11.09]
Well, sectors are all responding differently. I find it really interesting, like comparing the electricity sector, which is heavily regulated, driven by that kind of framework, versus manufacturing, which, you know, in some ways one can argue has even more OT components to it. But you’re seeing manufacturing not have the equivalent of a NERC CIP. And they are sort of self-choosing to self-enroll into these more stringent programs, more stringent protocols, paying for the stuff even when there’s no, like, private sector profitability thing tied to it.
Matt:
[00.11.11.11–00.11.57.15]
So it’s interesting to see how these different sectors kind of approach the problem in that sense, which is, I mean, yeah, manufacturing. It’s great to see as far as that goes, it’s kind of sort of the self-enforcement with the investment by organizations that, you know, they’re making into these various toolsets, the visibility gap. And again, you can maybe correct my interpretation of this, but the way I read it when we first kind of kicked around the idea is that you have a lot of outputs from these tools still, and the ability to kind of curate, I guess, or synthesize, for lack of a better term, is still reliant on a human
Matt:
[00.11.57.15–00.12.05.01]
layer that oftentimes isn’t invested in as actively or heavily. Is that the gap? Is that the visibility gap?
Danielle:
[00.12.05.03–00.12.27.21]
There are three gaps, actually. There’s the ID versus threat detection gap that I don’t think people fundamentally understand when they purchase and deploy these tools. You have to define that use case, and it can be both. But a lot of times you’re just going to get this onslaught of data and you’re gonna have to tune that data. And if you don’t know if you’re tuning it to the operation versus the threat detection and risk reduction mind frame, then you’re still disrupted by a lot of data.
Danielle:
[00.12.27.21–00.13.03.21]
So that’s one. I think the other one is operational use case. We still naturally have security people who want something that is, again, just out of the box. Seamless, single pane of glass, pick your buzz-grade phrase. But when I actually talk with those that have deployed these tools, regardless of the tool, 100% of the time, I’ve never not heard this, there’s always, even with the best deployments, this required comprehensive check-in with operators, engineers, field staff, technicians, whatever, to confirm both what is normal operations and baseline traffic, as well as what needs to be investigated.
Danielle:
[00.13.03.21–00.13.27.15]
So the human aspect of personnel and training for the tools would be the third gap I see, which is that operators don’t want to look at the most beautiful GUI in the world. Right? That’s just not their world. And so yes, there’s of course tons of training that can go into risk reduction and understanding effects-based approaches rather than means-based approaches to separate security and working back, doing cyber-informed engineering.
Danielle:
[00.13.27.15–00.13.45.06]
All of that stuff is great training and education, but at the end of the day, you’re still not typically going to have a ton of OT managers that are wanting to look at an output from a centralized security tool all the time. And if that tool doesn’t integrate with your thought or you don’t have an MSB, then you know, again, the measure of value.
Danielle:
[00.13.45.07–00.13.54.16]
If you’re only opening it once a month or you’re not opening it at all, or you’re not able to tune it, or you have nobody that really wants to look into the idiosyncrasies of the data, why is it there? So those are.
Matt:
[00.13.54.16–00.13.55.12]
Three just orphaned.
Danielle:
[00.13.55.13–00.13.57.03]
Sustained gaps that I’ve seen.
Matt:
[00.13.57.04–00.14.21.08]
Yeah, yeah. So when an organization has already spent the money, you know, on some sort of, you know, continuous monitoring platform or something to that effect, what does it look like for you six months after that? Like, from your perspective, you know, when an organization’s not ready, what does that look like?
Danielle:
[00.14.21.11–00.14.24.09]
Do you mean the deployment phase or like, okay, it’s up and running.
Matt:
[00.14.24.09–00.14.31.22]
And six months in we’ve bought the thing. Given the gaps that you’ve mentioned, sort of walk through what that would look like.
Danielle:
[00.14.31.23–00.14.55.07]
Yeah. So there typically wouldn’t be goals associated with the deployment. Like I mentioned before, the asset ID versus detection breakdown into: is this an operational tool, or is it a threat modeling, threat detection tool? What data sources do we even have? They might be compartmentalized. It might not actually be all incorporated with other security tools. It might be able to build redundancy or do kind of, you know, double-checking on things like this.
Danielle:
[00.14.55.07–00.15.12.18]
Logs like that haven’t been configured. You know, sometimes there’s actually networking here that has to be updated after the fact. So you have some of those breakdowns in just the readiness factor, I think, because some of that wasn’t done. And then the other one, I would say, is more towards the risk landscape side, where most people actually do focus on the world.
Danielle:
[00.15.12.18–00.15.38.01]
Is everyone operating with the same risk landscape and/or understanding? That’s a big gap. And then the other one I see is kind of the ability to predict zero days slash unanticipated, non-IOC-detectable types of incidents. I think some, not all, of the buyers kind of assume that these solutions will detect anomalous behavior no matter what.
Danielle:
[00.15.38.01–00.15.59.01]
That would give us an indicator of something we haven’t seen before. That takes actually a lot of tuning. That is a very sophisticated use case, even for the best of the tools. The tools are absolutely there in terms of their features and like required training and testing, etc. even down to the process anomaly detection that they have in many of the OT purpose built solutions.
Danielle:
[00.15.59.03–00.16.32.23]
But getting to that granular ability to detect something and know without a doubt that it’s a non-IOC-level cybersecurity incident happening within maybe the native functionality of your field or DCS, or to use at that level, is such a mature way to use these tools. And so it takes that continuous care and feeding. And again, if you haven’t defined the requirements, haven’t decided the value measurement and haven’t defined, you know, the data sources and all of those barriers to that, you know, perfect or close to perfect deployment and configuration, then you’re never going to get to that.
Danielle:
[00.16.33.00–00.16.53.09]
I used to do this talk when I was at that point, it’s four quadrants, like the known known, the unknown known, etc., etc. of detection. And I broke that down with, you know, signature-based malware bits here, you know, anomaly detection in your baseline traffic here. And here’s an example of that in the past. And I said everybody that is, you know, investing in these tools wants to find the Incontroller, right?
Danielle:
[00.16.53.10–00.17.20.02]
The needle-in-a-haystack type of an incident that is so tailored and purpose-built for your own and being targeted. Yet when we do scanning and comprehensive evaluations of OT architecture reviews, we still see things like, you know, the destination ports not set up on a switch; we still see configuration and different, you know, issues that have it died in these networks that are what we would consider low-hanging fruit.
Danielle:
[00.17.20.02–00.17.34.08]
And I would never, you know, like, hassle anybody for not taking care of that. But getting from point A to point B in terms of monitoring is an uphill battle if you’re not doing those low-hanging-fruit kind of reasonable things.
Matt:
[00.17.34.10–00.18.06.07]
The reasonable, is it? You’ve said before that, you know, 90% of security, or a security program, is the people. Do you see, when people aren’t addressing sort of the, if you want to call it, low-hanging fruit or blocking and tackling, sort of the basics, is it, just from your perspective, related to the human propensity to go after what’s sharply shiny, sparkly, new, and not cool with the unsexy basic stuff?
Matt:
[00.18.06.07–00.18.07.11]
Or is it something else?
Danielle:
[00.18.07.15–00.18.17.19]
A couple of things. So I actually just gave a talk last week at the UK Cyber Attack, which is an electric cooperative conference. And they’re not regulated, right? Even though they’re in the electric industry, they don’t.
Matt:
[00.18.17.21–00.18.20.12]
Usually. Power threats.
Danielle:
[00.18.20.14–00.18.38.03]
So I gave a talk on actually visibility tools and kind of the breakdown of what we’ve been talking about in terms of what features to look for and how to compare them, what the techniques are between passive and active, and what the background in history of the market is and things like that. And at the end, before I gave a roadmap to actually evaluating these tools, I did a reality check, a couple of slides.
Danielle:
[00.18.38.05–00.19.00.03]
So the main concern when the sales pitch happens, I mean internal, external, I don’t just mean the vendor sales pitch, is that there are ubiquitous threats. Right. But ubiquitous threats are typically network-wide. Ubiquitous is not synonymous with OT, right? We don’t have a lot of ubiquitous threats. So we have this reduction-in-ransomware push. We have a baseline gap.
Danielle:
[00.19.00.03–00.19.19.23]
So we definitely understand, you know, our IT. And there’s a large gap on the OT side of inventories: up-to-date status, configuration, running software, etc. So that’s a good deal, right? We should probably mirror those if we’re going to invest anywhere, because you’re only as strong as your weakest link, right, in an architecture or in a security approach.
Danielle:
[00.19.20.00–00.19.45.08]
But then we have other issues like vendor lock-in. You saw the DOE 100-day sprint, which is a push for visibility and real-time visibility. What we don’t talk about often enough, I think, is the telemetry gap when we’re leaning towards security tools for the sake of security. And so at-scale organizations, I think, still lack the kind of specialized tools and expertise required to perform root cause analysis notice.
Danielle:
[00.19.45.10–00.20.04.16]
And that’s really where it kind of breaks down at the end of the day. So yes, there are configuration issues and deployment issues. And yes, there are sometimes gaps in your ability to actually deploy the tool. But then when it comes to staffing, there’s also kind of a misperception of what even an incident is. We don’t even have a shared definition still of a cyber incident.
Danielle:
[00.20.04.16–00.20.10.12]
And so how do we do event triage and forensic analysis and root cause analysis if we don’t have that established, you know.
Matt:
[00.20.10.14–00.20.11.15]
Right.
Danielle:
[00.20.11.16–00.20.31.20]
We don’t have as much reporting as we would like to see across the board. So, you know, focusing on the security element of detection actually makes your deployment and your efficiency much harder. Focusing on awareness of your network, right, architectural defense, you know, building a defensible architecture, those kinds of things I see that get us a little bit further.
Danielle:
[00.20.31.22–00.20.58.06]
What is ironic to me, though, is some people assume that nobody’s paying attention to these deployments and they’re just, like, kill darlings. At some point, I actually see the opposite. I see too many people have a stake, and you have calls with, like, small to medium to large size. Outside of the small to medium, I would say, like, once you get to medium and beyond it, you have their project manager, your project manager, the vendor.
Danielle:
[00.20.58.07–00.21.20.11]
Yeah, and it’s not that it’s too many people. It’s that I think everyone’s assuming that the other person is doing the gap analysis to make the deployment the best possible deployment. And so I think that’s another gap I’ve started to see, where, of course, there’s going to be operational silos, but we’ve done architecture reviews where entire sections of the network are just black holes in these organizations.
Danielle:
[00.21.20.11–00.21.38.00]
And it takes a long time because those people aren’t network people. And it might be remote sites, it might be different teams. It might be, like, a dispatch organization; it’s difficult to get a handle on. And then they kind of turn in their homework and they think their job is done, and you have to go back to them and say, no, we have to do these updates.
Danielle:
[00.21.38.00–00.21.55.09]
And so that’s the other performance issue with personnel that I think people miss, which is to step back. They call it a cultural gap all the time between IT and OT. But it’s really like a mission-critical gap, because it’s easy to go tell somebody, hey, your portion of the mission is really important to protect and defend, and we’re going to do that.
Danielle:
[00.21.55.10–00.22.10.12]
It’s much harder to say, and now I need this, and we’re going to come do that, and I need this day from you to do this eight-hour training for this product, and also you did assign this, and I need your boss’s boss’s boss to approve that. Right. That’s something I don’t see people plan for in the deployment phase as well.
Matt:
[00.22.10.15–00.22.35.14]
I want to jump in on one thing here. You’ve used tabletop exercises a lot in your work. How do you tune an exercise like this to address some of those gaps that you’re talking about? Like, what else do you focus on? For context, I’ve been in exercises where everybody gets real wrapped around the technical details of whatever kind of breach it was.
Matt:
[00.22.35.15–00.22.54.07]
And they miss a lot of the high-level, connecting-the-dots-across-the-organization components of it. So when you were doing these exercises yourself or participating in them, what kinds of changes would you see, or do you see, that would effectively address some of those gaps, right, the missing overlaps?
Danielle:
[00.22.54.11–00.23.30.10]
I love doing those. Some of my favorite work to do. Typically, when I’m asked to run a tabletop exercise, I am strongly encouraged or asked to go with the most likely incident. So I’m still doing a lot of incident response and credential breach types of starting points. In my council work a couple of years ago, though, I built this methodology, if you want to call it that, that I presented at S4, and it’s actually a paper that’s out there for free that helps organizations choose the right scenario based on what they’re less likely to be prepared for in terms of a cascading impact.
Danielle:
[00.23.30.12–00.23.52.17]
I think that’s really interesting because I use six examples of an OT impact that work for any sector, and you can tailor those to your organization. So say you’re working with a rail operator, or even a Department of Transportation, or a manufacturing group. You can take those six incidents and actually make them more specific to your environment, more specific to your crown jewels, and more specific to your actual operators that are going to be on the ground in an incident.
Danielle:
[00.23.52.17–00.24.13.20]
And every time I’ve done that methodology, which just takes like a half a day, it’s just applying some statistics and weighted values to your preparedness. Essentially, most people don’t go with the worst-case scenario for their ICS infrastructure. They’re actually pretty well prepared for that. It’s typically somewhere in the middle where they’re not prepared. The most common one is the example in there.
Danielle:
[00.24.13.20–00.24.37.22]
That is, your operators are actually, basically, sent poisoned information. And the next step in the attack kill chain is that your operators take a step to change something within the environment, within the control logic, within whatever’s happening, that causes the quote-unquote exploit. Right. So however that data is, you know, poisoned and provided to you is part of the attack chain.
Danielle:
[00.24.37.22–00.24.51.01]
But the actual action that happens in the organization, and the trust and verification between yourself and a machine or automation or instrumentation, is what’s corrupted. Not a lot of organizations have gone through that incident, so that one’s really fun.
Matt:
[00.24.51.06–00.24.56.19]
People trying to genuinely make the right choice, but making it with intentionally distorted information.
Danielle:
[00.24.56.20–00.25.12.13]
And there’s machine bias, of course, which has taken on a whole new context with the evolution of AI and the workflows that AI is producing. And we’re seeing that across the environments as well. Right? We’re not immune to that. But some things that are already outlined are the exact same questions that I would go through for those tabletop exercises.
Danielle:
[00.25.12.14–00.25.29.20]
Are we looking at an operational shutdown regardless of what type of threat actor and setpiece they have, or are we really wanting to showcase active threat capabilities, or the means-based approach that we have seen before in Industroyer? Do we want to do a tabletop on the industry capabilities and apply that to our infrastructure and our response capability?
Danielle:
[00.25.29.21–00.25.53.13]
Two different questions, two different exercises. What data sources do you have? That’s important for a deployment of a security tool. That’s also important for a tabletop exercise. A lot of ownership models outside of manufacturing are shared, right? Transmission and distribution, transportation. Like I mentioned, you’re sharing a ton of resources and information and data. What are your data sources, and who’s responsible for what?
Danielle:
[00.25.53.13–00.26.14.11]
That’s a huge indicator going into some of these exercises. What current security tools do you have? We call this tool rationalization, and we do it as a service. But tool rationalization is typically thought of for buying. I go in and say, what do you already have? Like, what network security monitoring tools does your switch already have that you’ve maybe never looked into, that might actually get you 60% of the way to where you want to go?
Danielle:
[00.26.14.11–00.26.37.10]
And what do you have for a tabletop? Same question. What are you looking at? What’s your analysis center look like? How many people do you have? And then, of course, the manual personnel required for sustained outages is huge. And that’s a big question going into the tabletop design: if you have to go replace the firmware on 300 devices across your jurisdiction, how much time is it going to take, and are you prepared for that?
Danielle:
[00.26.37.11–00.26.56.04]
Is it going to cost overtime? Right. Do you have to bring in a third party, be kind of in, and then, is everyone operating again with the same risk landscape or understanding? I think that one’s often missed. I have seen a lot of tabletops get into the weeds on the initial attack vector. Right. And, oh, that wouldn’t happen because we have this.
Danielle:
[00.26.56.07–00.27.12.02]
That wouldn’t happen because our vendor does that. And I think you have to get beyond that and really focus on that impact analysis, the effects mindset. So assume they’re there. What can we do? What’s the damage? What’s the damage control? And how do we reduce the severity of impact regardless of that effort?
Matt:
[00.27.12.04–00.27.37.14]
Yeah. Focus on the resilience aspect versus did we stop it or not. Yeah. I wanted to pivot to an interesting comment you made, a statement you’ve made before. You’ve used the phrase God complex to describe a dynamic that you see in cybersecurity. And I get the sense that it’s not meant as a compliment.
Matt:
[00.27.37.15–00.27.48.20]
So I’m curious what it is from your perspective. Where do you think that comes from? What are you seeing from that perspective when you use that phrase?
Danielle:
[00.27.48.22–00.28.11.01]
Yeah, I think I’ve seen a lot of security practitioners just basically assume that other people think about cybersecurity all day, every day. And I’ve actually heard people say, you know what? Without us, all the dominoes fall. And it’s like, okay. Also, without HR, you don’t get a paycheck. So all the dominoes are where they are. And so I think we just have to kind of get out of our own mindset.
Danielle:
[00.28.11.03–00.28.33.07]
And that’s why I think that collaboration I’m seeing within organizations to do some of that value-based assessment, like I mentioned, or some of those trainings that go beyond general awareness and, you know, basically even just doing a crown jewel assessment as a brown bag lunch for your entire organization, is so important. I’ve seen a lot of organizations really bringing everyone into the fold and saying, hey, this is what we show up to do every day.
Danielle:
[00.28.33.07–00.28.56.12]
And cybersecurity is working to analyze how, you know, somebody with the right intentions and resources might prevent us from doing that. So it’s not just hand-waving of, like, everything is critical, we’re in a critical infrastructure sector, everything’s on fire, and we have to just put Band-Aids everywhere. And I’ve seen that God complex, too, right? Like, we’re the most important people because we’re protecting critical infrastructure.
Danielle:
[00.28.56.13–00.29.15.04]
Well, if you were to talk to anyone at CISA, which I was just with some of my old friends from my job last week, we’ve maintained really close relationships. I really do miss my government team. Everything is critical, not just because it’s all important, and we can’t really compare and contrast the sectors that are on that list, but it is one of the critical infrastructures.
Danielle:
[00.29.15.09–00.29.20.11]
So you could actually argue that any organization is critical. And so.
Matt:
[00.29.20.13–00.29.21.04]
It’s everywhere.
Danielle:
[00.29.21.08–00.29.41.04]
Exactly. And it’s going to be critical to someone somewhere. So that breakdown, I think, just used to overwhelm. And I think there was a lot of marketing, right, about different things of what we’re protecting and why. And it doesn’t mean that our mission isn’t as important. It just means that everyone else’s mission is also important. And so that’s what I’ve seen starting to change, actually.
Danielle:
[00.29.41.07–00.30.00.00]
And it is just this realization that, yes, I think about cybersecurity from, like, not the moment I wake up, because I’m a mom now, but two hours after I wake up until... a little bit, yeah, until I go to the gym and try to, like, wash myself of it. But, yeah, I think it is a complex. Like, I won’t shy away from that word, because you are what you do, right?
Danielle:
[00.30.00.01–00.30.18.14]
And if we spend all of our time thinking about security, we think security is the most important thing. And so I think we have to take it on ourselves to branch out from that, to do things in our organizations that are offered to us, to understand other people’s perspectives and their mission. I cannot overstate that. Of course, I get to do that because you work in somebody’s sector.
Danielle:
[00.30.18.14–00.30.43.23]
So I’m over here doing, like, Udemy courses on train history, right? So cool. And then it dawned on me that, like, train operators are much more important than me. So it actually helps you do your job better. Rail is one of our biggest industries, and it’s one I didn’t have a background in. So I’m spending my free time learning about what keeps, you know, these operators up at night versus just thinking about, you know, what’s the next TTP that I’m going to see in the real world.
Danielle:
[00.30.43.23–00.30.45.22]
So I think that we just have to have that perspective.
Matt:
[00.30.46.01–00.31.08.09]
Do you see that breakdown on lines between OT and IT? I hear a lot of folks talking about, like, the OT operators having very low trust with cyber teams that operate on the IT side because they see them as a threat. Don’t let them get too close if, you know, whatever they’re doing is for a security analysis.
Matt:
[00.31.08.09–00.31.11.14]
Do you see that break there, or does it cut across both sides of that?
Danielle:
[00.31.11.15–00.31.31.10]
I do still see it when we’re introducing deployments and we say something is passive and they don’t quite buy it in the OT world, where they’re like, well, it’s passive, but it’s bidirectional, so it could still be an access vector. So there is some of that, like, hearts-and-minds work that goes into it. But that’s why I think that perspective I just mentioned is even more important.
Danielle:
[00.31.31.11–00.32.00.00]
You know, you have to understand where they’re coming from, at the same time, regardless of where they fall in the organization. The other place I see this in the OT cybersecurity industry itself is around threat intelligence, actually. There’s so much more telemetry data from IT. And even in the OT network, what you’re going to see is a large percentage of IT incidents hitting the OT network because of the lack of network segmentation and because of kind of what I call spaghetti attacks: you’re throwing things against the wall, seeing...
Matt:
[00.32.00.00–00.32.00.22]
What sticks.
Danielle:
[00.32.00.23–00.32.24.03]
And so, yes, you still want to see what is sticking in a network, right? That doesn’t mean that because the predominant nature of the attack is going to be IT protocols that we don’t want to track them in OT. That still means somebody is trying to do something, right? But that’s where I kind of see the other breakdown: there’s some hardcore industrial-focused people that say, like, if it doesn’t have any of these protocols, it doesn’t matter to us.
Danielle:
[00.32.24.03–00.32.32.04]
Well, that’s not a good perspective. And then there’s the opposite perspective, which is, like, 24/7 we are hunting for tailored attacks. That’s also not going to be the case.
Matt:
[00.32.32.09–00.32.33.04]
A little exhausting.
Danielle:
[00.32.33.05–00.32.53.10]
Exactly. And we just don’t have the statistical relevance for that. So there’s no good data sources. There’s no good amalgamation of OT intel or KM data or whatever you want to call it. The government doesn’t have it. The private sector doesn’t have it. Nobody has it. Yeah. And so that leaves us in the dark. We can’t do a lot of threat modeling in terms of who, what, where, when, why.
Danielle:
[00.32.53.12–00.33.10.20]
So you have to take it upon yourself to bridge those gaps in the organization. Again, not everybody is operating at the same risk and understanding. You know, we see water utilities; we come in and the gateway is this, you know, or the gateways are not considered a threat vector because they think it’s a radio communication, it can’t be impacted.
Danielle:
[00.33.11.02–00.33.34.00]
You know, there’s gateways out there that can be configured as Imps. But the handbook is, like, 8,000 feet long, right? Like, the vendor wants to get it up and running. They think, oh, this is just a small portion of my network. It’s an upgrade already. It would be more secure by default because it’s newer. And so those conversations are still conversations you have. Everyone in security, I think, people want to have the, like, hardcore, super interesting...
Danielle:
[00.33.34.01–00.33.49.05]
I think the only other quote you haven’t heard me say somehow in the last, like, five or six years is security should be boring. I was, like, infamous for saying that for a long time, and I still think it’s true. Security should be boring. We should be having conversations about gateway configurations nine times out of ten, and I still plug...
Matt:
[00.33.49.10–00.33.52.13]
Collecting superhero figures of each of the hacking groups.
Danielle:
[00.33.52.14–00.33.58.01]
Oh my God, that used to drive me nuts. The CrowdStrike at RSA. Okay. Sorry, sorry.
Matt:
[00.33.58.02–00.33.58.20]
Yeah.
Danielle:
[00.33.58.22–00.34.14.09]
Godspeed to you all. But yeah, the personification of these, like, threat actor names into these, like, otherworldly creatures, when it’s, like, real regular people doing things, you know, that we could prevent with the right tools, techniques, and practices of our...
Matt:
[00.34.14.09–00.34.15.14]
Own. And the same boring stuff.
Danielle:
[00.34.15.15–00.34.42.16]
Yeah, yeah. And I mean, it still is based on stuff. I mean, I still harp on segmentation all the time. I still think it’s the most important control. It’s tried and true. There is evidence in adversary emulation work that it does work, and that threat actors without some overarching impetus give up and move on. And there’s also a ton of evidence to show that if it’s solely based on indicators of compromise, to do IoC-based analysis for threat detection, we’re always waiting on somebody else to be a victim.
Danielle:
[00.34.42.18–00.34.55.18]
You have twice as much onus to not be that victim, to do those preventative measures. So yeah, it should be boring. I actually did, not to plug another podcast on your podcast, but I did a podcast with AJ Nash called Unspoken.
Matt:
[00.34.55.19–00.34.56.17]
Delete it. It’s fine.
Danielle:
[00.34.56.23–00.35.17.03]
It’s called Unspoken Security, and it was actually a breakdown on the telemetry question of, like, do we even need two specific threat intel types, not worth, but, like, detection platforms? And I thought it was a really interesting conversation, and that kind of statistical significance question on actual telemetry data and OT is what I actually really care about and think about a lot.
Danielle:
[00.35.17.04–00.35.39.05]
And I always, I still plug the Theory of 99 from Mandiant, that blog they wrote in 2019, that is all about the intermediary system, right? Because there’s kind of this other argument that never bubbles to the surface on: do you need OT detection beyond your endpoint, beyond your normal operating systems, all the way down to the field level? And you’ll get every different opinion under the sun on that.
Danielle:
[00.35.39.05–00.35.48.09]
And I think the security answer is always, it depends. Right. That’s going to be the most regular answer. But it’s an interesting kind of thing to imagine.
Matt:
[00.35.48.11–00.36.10.10]
I’ve heard a couple people take both sides of that. Some people are like, there doesn’t need to be actual, like, threat intelligence sharing, and collaboration doesn’t have to have an OT angle. I feel like that presumes a lot of things into the future that might turn out to be wrong.
Matt:
[00.36.10.11–00.36.19.23]
I’m curious kind of where that discussion shaped up as far as the threat sharing component of the threat intelligence piece of it on the OT side.
Danielle:
[00.36.20.00–00.36.44.10]
Yeah. So sharing is a little different. So in terms of, like, statistically significant incidents or activities, we don’t have the big N. We don’t have the, right, we don’t have the sharing for that understanding. So because the major vendors are private companies, they don’t have to report on anything they’re seeing. And the companies still don’t have to report unless they are, you know, regulated.
Danielle:
[00.36.44.11–00.37.09.17]
Yeah. So basically, yeah, I still believe that 99% of incidents are going to be IT in nature. In terms of the attack path, I think you’re still going to see predominantly IT exploits, you know, credential exploits, spear phishing, that type of thing. The way that we get into OT is always typically going to be lack of segmentation, you know, remote access, something like that.
Danielle:
[00.37.09.18–00.37.32.07]
Right. Vendor access, internet connectivity, something. This is what we’ve seen across the board. And so, I mean, if those things are true, does it matter how many OT incidents we’ve seen if the access is already there? Right. If it’s that constant, I’m not sure. So there’s this problem. The sharing problem is a different problem, in my opinion.
Danielle:
[00.37.32.07–00.37.53.22]
And that is, it is always going to be reactionary for two reasons. One is you can’t look for an indicator of compromise if you don’t have the indicator. And that gets back to the zero day versus what we’ve seen before, and having to rely on somebody else to be a victim before you have any IoC. The second is a different problem that is way more important today than it was a couple of years ago.
Danielle:
[00.37.53.22–00.38.24.10]
And that is threat sharing is still very manual in OT. And so it’s worth seeing compromise at machine speed. I won’t say attack at machine speed, because I know we have not seen that, but compromise at machine speed, allowing for the access and leverage, exploitation, and espionage, at a pace that we’ve never seen before, without having automated indicator sharing of any OT data, I think is a big gap we’re going to suffer from if we don’t get ahead of it.
Danielle:
[00.38.24.11–00.38.41.16]
So a lot of the information sharing, if you think it’s important, if we have enough blemish-free regardless, it is still very manual. There’s still long gaps. You’ll still hear asset owners complain, oh, I went to this so-and-so sharing, everything was open source, or they were telling me something that happened eight, nine, ten, 12 months ago. And they assume it’s not important.
Danielle:
[00.38.41.17–00.39.06.04]
It is still important. I mean, if anything, this automatic tank gauge, I’ve been talking about that for two years. It’s been open source, and now you’re seeing a revitalized emphasis on it because threat actors rinse and repeat what we’ve seen before. That is the spaghetti method. And so now we’re taking it a lot more seriously. So if you’re an early adopter of some of those provisions, then you’re not saying a year from now, oh yeah, we’ve seen that before.
Danielle:
[00.39.06.05–00.39.17.05]
And I’ve actually seen organizations that I know publicly say that they’ve done X, Y, and Z, and behind the scenes, they haven’t done any of it. Right. They’re just as bad as the rest because they thought it wasn’t that important.
Matt:
[00.39.17.07–00.39.39.16]
Yeah, yeah, yeah. So the manual nature of the... I was pulling on the thread of threat sharing because I think it relies so much on just people wanting to do it. There’s no real cultural, you know, incentives to do it, with the sharing component being very manual. How do you overcome that, if possible?
Danielle:
[00.39.39.16–00.40.07.20]
I think a couple of things. I think an early warning capacity. So I ran ETHOS for two years, and that was the goal of that. I think it was an operating foundation, a mutual benefit corporation in the state of California. So not a nonprofit, but not for profit. Where the large OT cybersecurity vendors came together to say, well, our system and our engines will triage indicators in one of three ways.
Danielle:
[00.40.07.20–00.40.27.06]
One is known bad. One is proprietary detection: we’ve decided that this behavior, or whatever, is associated with this threat feed that we’re able to provide based on TTPs or other types of kind of explanatory statistics. And then this other one is: never seen it, not sure if it’s bad, let’s put it into a pool. And that pool was going to be a shared resource, right?
Danielle:
[00.40.27.07–00.40.59.01]
We don’t have that. Like I said, across the OT sources, all of which are these vendors, these private vendors, that’s their investment set. And so some type of early warning detection like that. What we have today is the unified national security strategy of persistent engagement and defend forward. That’s the best early warning we have. So I would love to see a statistical pool of indicators from actual vendors in the space that can do more real-time sharing, because of the sort of AI allowing easier and more pervasive access to these environments.
Danielle:
[00.40.59.06–00.41.34.05]
So that’s kind of, like, the first answer. The other answer is there’s too many sources and there’s no standardization of data to fix. STIX/TAXII, obviously, is a way to standardize IoCs and direct sharing, but data is not standardized. So if you were to open the threat reports of different organizations, back to that kind of misalignment of the definition of an OT incident for a boat manufacturer or a rail operator or a water utility, there’s no shared definition other than, I guess, the definition from the SEC.
Danielle:
[00.41.34.06–00.41.40.04]
They have a definition, right? And TSA, I think, has a definition as well. But, you know, it’s murky.
Matt:
[00.41.40.06–00.41.40.21]
Yeah.
Danielle:
[00.41.41.03–00.42.00.08]
Standardizing shared telemetry data. You can’t do it today. You can’t actually compare one vendor’s report telemetry analysis to another. So I think one way to get ahead of it is to standardize some of that. So, like, even if the vendors will not share real-time information from their customer deployments, that’s fine. That would be that first early warning example.
Danielle:
[00.42.00.09–00.42.19.03]
The second best, I think, would be some standardized telemetry, where we’re anonymizing, of course, the end user, but saying that when we do report on anything within the realm, these are kind of the caveats to that reporting, to standardize: were you doing honeypot work, or were you doing sector-specific work? Do you not operate in this sector?
Danielle:
[00.42.19.04–00.42.42.10]
Right. If you’re saying you’re seeing a 65, 55% increase in ransomware in one sector, you have to couch that with the rate of your deployments in that sector, right? Like we would divide populations per capita, like some type of standardization. Net reporting, I think, would change the game a little bit. Right now, I hear from asset owners that they’re just inundated with threat intelligence and information, and they have to process it in many different ways.
Danielle:
[00.42.42.12–00.43.11.05]
And like you said, it’s voluntary to share out, which there’s a lot of benefits to doing. So I’m not an anti-threat-intel person. And the people that do threat intelligence and analyze these threat actors from these, I don’t want to name vendors, there’s incredible vendors and people and experts that do this. And I actually think we’re not even using them to the best of their ability and capabilities to define what to look out for, what to analyze, and back to those examples of operational impacts that we could see from incidents in the industrial world.
Danielle:
[00.43.11.05–00.43.35.13]
If you were actually to combine some of the best threat intel with those, you could really get some specific tabletop exercises and scenarios and start to tailor. I always tell organizations to take an effects-based approach, because there are so many ways to analyze the means-based approach. But actually, if we could get together and say, here’s your model for looking at scenarios in OT incidents, taking some of the CIE status quo, right?
Danielle:
[00.43.35.14–00.43.56.15]
Not diving too deep, but understanding how we do fault tolerance, design, etc., to understand what’s actually plausible in your environment and not just theoretical. And then take some of the really good threat intelligence analysts out there and put together something that could be really packaged together. That type of output would be that needle-in-the-haystack event that everyone wants to find and prepare for.
Danielle:
[00.43.56.16–00.44.12.07]
Right? So, I mean, these kinds of conversations actually make me really excited, because we have so much more to do and to accomplish. But I do think that standardization of the data, how we analyze it, the telemetry work, as well as how we share it and make sure that it’s significant, would be really, really interesting.
Matt:
[00.44.12.09–00.44.36.10]
I wish we’d had this conversation two weeks ago, because we did a panel. We had actually a client conference in New York last week, where one of the panels was various utilities and regulated critical infrastructure folks discussing the value of, and what the architecture of, a honeypot telemetry sharing program might look like.
Matt:
[00.44.36.11–00.44.42.02]
Oh yeah, that would have been... I would have loved to have you in the room on that one. That would have been fun.
Danielle:
[00.44.42.04–00.44.45.05]
I’m a fan. I do think they’re really good. Yeah.
Matt:
[00.44.45.07–00.45.19.15]
Yeah, yeah. It was all TLP:AMBER, so we’re kind of clipping it up. But I’ll send you the video and get your thoughts on it. Final question here. I know we’re tight on time for you, so I don’t want to keep on going. I have lots of questions. But if someone is listening to this right now, and you can make this short, because again, I know we’re running out of time, but if someone’s listening right now and they’re looking at making some kind of significant investment in a tool, what would you want to have them consider first, or have in place first?
Matt:
[00.45.19.16–00.45.20.16]
Yeah.
Danielle:
[00.45.20.18–00.45.37.09]
Rationalization and maturity. That’s where we start on that front. So if you think you’ve got the confidence down to say, like, we understand the problem, we’ve got awareness on some of the sticking points in our environment as well as our sector, maybe at a location, could be some geographic input. Tool rationalization, again, that’s not looking at the tools on the market.
Danielle:
[00.45.37.09–00.45.57.16]
That is, what do I own and operate today? What is my technical debt? What is my shadow IT? Right. Like, what do I have going on here? Kind of take that inventory. That’d be my first piece, and then build your own maturity model. So a lot of people will start with a contract, right, for consulting. And they’ll say we really liked and estate hunter guide or we like to or we like to 2.3, right.
Danielle:
[00.45.57.16–00.46.23.16]
We want to build to that level. If you’re not in a regulated industry and you don’t have to build to a conformity, make your own. Beg, borrow, and steal. These are all out there for you to do, to use, and to borrow from. I don’t think we have to fit into one of these specifically. APTA is an organization, a public transit organization of peer members; we’re a part of it, and they actually developed an OT maturity model for public transit operators.
Danielle:
[00.46.23.18–00.46.43.20]
Excellent. It’s really, really good. And now they’re going to build out an implementation model. So if you’re in a sector that doesn’t conform specifically to one of these, why pick? Take your favorite aspects or the ones you can most readily achieve. This is actually why I really like CPGs as well. The OT portions of the CPGs are cool, but there’s also different ways.
Danielle:
[00.46.43.20–00.47.05.17]
There’s an Excel spreadsheet that came out with the first version of the CPGs, and you could break it down by scope, impact, I think cost. And so you could actually say, like, if we had six months, here’s the low-hanging fruit. If we have $60,000, here’s the low-hanging fruit. And that ability to slice and measure things according to the resources you have and the timelines you have.
Danielle:
[00.47.05.18–00.47.24.16]
That’s how we do project management, right? Budget, schedule, et cetera. So yeah, beg, borrow, and steal, and build your own maturity. But start with that inventory of what you have. And it doesn’t just have to be security tools. That’s the other thing that I think is routinely overlooked. And we’re actually starting to see emerging solutions, like I said, this space is so young, that take that into account.
Danielle:
[00.47.24.16–00.47.50.09]
So I’ve seen some really cool things that are looking at, like, vendor-specific, how do we bridge, like, C with SBOM stuff that was too sophisticated for the security industry, and bring it back to, like, our forecasting models and efficiency on, like, how much paint we use in production. So there’s a whole different segment on the operational side, and all these data sources we don’t think of as security’s, especially in manufacturing, if we were talking about that first.
Danielle:
[00.47.50.12–00.48.12.13]
Also obviously very true for the energy sector. So I teach a course, and I always walk through, like, do you know why there’s so much data when we talk about IT/OT convergence? And I go through, like, here’s production, here’s routing, here’s scheduling, here’s dispatch. This is what forecasting is. This is what this type of data is. And when I hear security people talk, I never hear the breakdown of, like, all of this data.
Danielle:
[00.48.12.13–00.48.31.21]
And then all of a sudden you’re like, and we have Oracle and Emerson and peak and mine fear. And none of that makes its way into the visibility conversation. So I think that’s an interesting space to watch as well. How do we actually make the most of all of this data, which tends to be kind of frivolous when we do those rationalization studies and like, why do we have all this?
Danielle:
[00.48.31.22–00.48.40.11]
Can any of us use the secure access to secure operations to reduce the amount of data, to reduce the severity of potential tabulation? Yes. No. Maybe.
Matt:
[00.48.40.12–00.49.06.05]
Yeah. Right. Right. Like I said, I’ve got a lot of a lot of other places I’d love to take the conversation, but with our constraint here, I will I will pivot quickly to kind of our wrap up question, which is more of a personal question. I love to get kind of some some color from each of our guests, but the question we Lock and Key Lounges sort of got this lounge imbibing kind of, you know, theme to it.
Matt:
[00.49.06.07–00.49.23.00]
The theoretical question is if you are the way we phrased this is if you were in a, I like to say like a nice bar, like where you don’t you don’t have to yell. This is the way I like to define it. You know, you don’t have to yell to be heard. Right? It’s a good it’s a nice bar like that.
Matt:
[00.49.23.03–00.49.46.05]
And you are at one end. And on the other end of that bar is someone in security that you’ve been dying to have an interaction of conversation with one. What if you, you know, if if libations are kind of your direction, you know, if you do imbibe or not, what are you ordering? And then who is at the other end of that bar?
Matt:
[00.49.46.06–00.49.46.21]
Yeah.
Danielle:
[00.49.47.00–00.49.52.13]
Well, as most of my friends know, I haven’t had many drinks. And dad, my baby that since he doesn’t sleep until one drink puts.
Matt:
[00.49.52.13–00.49.53.05]
Me out. Totally.
Danielle:
[00.49.53.06–00.50.13.10]
She did sleeping. So I like to know I’m pretty casual, so it’s just a red wine for me. And I did think about this. So I was so fortunate early in my career to be adopted by both the industry but also the broader infosec industry. And so as a lot of us know, there’s many people that we’ve interacted with and we know in infosec, but we’ve never met.
Danielle:
[00.50.13.10–00.50.31.21]
And so the one person I’ve never met but I’ve been on like Skype calls and we have very similar close friends but haven’t actually met in person is Alyssa Miller. So she’s the easiest one that I can put out there. I also recommend her book to everyone who comes to me. So I’m at that stage of my career where I get a lot of requests for mentorship.
Danielle:
[00.50.31.22–00.50.50.01]
What classes should I take? Courses should I take, what can I afford? Should I go back to school? And it’s really difficult to unpack. But what I remind people is all of us have these like substitutions that we focus on, and we typically find it organically. We don’t just, like set out and say, you know, some people do, especially if you come out of like the military, you’ve got to keep some experience.
Danielle:
[00.50.50.01–00.51.12.03]
But Alyssa’s book breaks down all these career specifications, right? If you’re going to do reverse engineering of malware for the rest of your life, right, versus different aspects. And so, yeah, I’ve never asked me, but I purchased her book, I’ve skipped of her book, I’ve recommended her book, and we have similar friends that we have met. And I think we did like a girls like Skype thing once, but she’s lovely.
Danielle:
[00.51.12.03–00.51.15.06]
And she by planes, I mean she was seems like the tools for.
Matt:
[00.51.15.08–00.51.20.14]
Anybody who, like, goes out and takes the initiative to just learn how to fly without wanting to be a pilot. Yeah, it’s a.
Danielle:
[00.51.20.17–00.51.37.03]
I think she has her own plan now. So nice. That’s incredible. I also just want to get back to a place where I can invest in hobbies. So I just have so much respect for for that. But yeah, like I said, pool and I would like to meet her with her without the wine.
Matt:
[00.51.37.09–00.51.41.04]
Hey, maybe one day she’ll actually listen to this podcast. And then there you go.
Danielle:
[00.51.41.05–00.51.41.10]
Yeah.
Matt:
[00.51.41.11–00.51.46.02]
That’s great. We can hope. Yes. Any any final thoughts?
Danielle:
[00.51.46.04–00.52.07.15]
No. I think one thing I would encourage people in the industrial space is to just not be overwhelmed with the information that’s out there today. Years ago, there was this giant compliance push and everyone was like, you have to buy because compliance is coming. And it was like the Paul Revere of industrial cybersecurity. And that didn’t happen.
Danielle:
[00.52.07.16–00.52.26.18]
And so I think we need to make people ask me for predictions all the time. It’s the least part of my job. But like, we need to make your prediction and really focus on the what’s tangible at our fingertips today that we’re not using. Right. And I just see that across organizations I see it across or I see it at home.
Danielle:
[00.52.26.19–00.52.51.22]
I mean, we just have access to so much and we’re expanding Copilot here and this use case there. And that’s great, right. We’re continuing to, you know, just expand our horizons. And, you know, progress is on everyone’s radar, but sometimes less is more. And I think we just need to audit what’s at our fingertips more. And I think that from a data perspective and you get the security perspective and personnel perspective.
Danielle:
[00.52.51.23–00.53.05.10]
I was introduced somebody else at STV the other day and I was like, oh God, you have to go to this team and you have to do this, and I’m going to send you this project because she’s hungry and she’s brilliant, and it’s like, you might be overlooking that person in your organization because you’re so focused on the tool adoption or something like that.
Danielle:
[00.53.05.10–00.53.21.15]
So I just think we have way more at our fingertips today than we think we do. And it’s always this next, maybe shiny object or next unicorn we want to hire. And we might already have those people or those processes or anything. Exactly. Yeah. That’s that’s my message for sure.
Matt:
[00.53.21.17–00.53.24.21]
Well, Danielle, I appreciate you appreciate you taking the time today.
Danielle:
[00.53.25.01–00.53.27.14]
I know we could have gone on like I said, maybe we’ll do another round.
Matt:
[00.53.27.15–00.53.52.16]
Yeah. That’s fine. It’s doors open. Absolutely. Cool. And folks, thank you for also taking the time to listen. Everybody’s everybody’s time is constrained and we’re pulled a million directions. So we appreciate the time you gave us today. And I hope today’s conversation gives you something to think about. I believe the human element in security in particular is a thing that can be under invested, if not over, if not directly focused on.
Matt:
[00.53.52.16–00.54.14.07]
And it shows up a lot in cyber cybersecurity programs, a lot. And the organizations that are going to handle the next incident well are the ones that built not only the right tool layer, but also that human layer and have practiced it and know what to do. If you have any ideas on on what else you’d like to hear on a podcast, feel free to reach out to us.
Matt:
[00.54.14.07–00.54.28.07]
Lounge at ArmorText all episodes obviously available at ArmorText, Spotify or iTunes. And I am Matt Calligan. Until next time, be well, stay curious and do good work.
Matt:
[00.54.28.09–00.55.01.08]
We really hope you enjoyed this episode of The Lock and Key Lounge. If you’re a cybersecurity expert or you have a unique insight or point of view on the topic, and we know you do, we’d love to hear from you. Please email us at Lounge@ArmorText.com or our website ArmorText.com/podcast. I’m Matt Calligan, Director of Revenue Operations here at ArmorText, inviting you back here next time, where you’ll get live unenciphered, unfiltered, stirred—never shaken—insights into the latest cybersecurity concepts.