Rethinking Cybersecurity in the Age of Infinite Attack Surfaces
We are living in the age of infinite attack surfaces where there are practically unlimited ways in which the enterprise can be breached. In this scenario, how should CIOs and CISOs rethink their cybersecurity programs to stay ahead of the adversary?
We recently hosted this panel discussion featuring legendary tech leader and former CEO of Cisco, John Chambers, Balbix customers John Shaffer, CIO, Greenhill & Co, Daniel Gisler, CISO, Oerlikon, and Gaurav Banga, CEO, Balbix, which was moderated by veteran journalist and Editor in Chief of Techonomy, David Kirkpatrick. In this lively discussion, they touched upon:
- The current cybersecurity landscape and what has changed
- How these changes have impacted CISOs’ and CIOs’ mandate of protecting the enterprise
- What do CEOs expect from their CISOs and CIOs
- Elements of a proactive cybersecurity program
Watch the entire video above or read the transcript:
Panel Discussion Transcript
DAVID KIRKPATRICK:
Welcome everybody to this conversation about Rethinking Cybersecurity for the Age of Infinite Attack Surfaces, which is of course sponsored by Balbix, I’m David Kirkpatrick, I am a journalist and a conference person, I run a company called Techonomy and I worked with Fortune for many years, I’m very honored to be moderating this session.
Let me quickly tell you who we have here with us- It’s an extremely interesting group. First of all let me start with our most famous member John Chambers who as many of you know was executive chairman and CEO of Cisco for 2 decades. John left Cisco as executive chairman in December 2017 and started something called JC2 ventures. He’s now doing investing and mentoring/coaching CEOs.
I don’t know how much coaching he needs but one of the people John works with is Gaurav Banga who’s here and Balbix is one of the companies of course that John has invested in. Gaurav is the CEO of Balbix which is a company that is really transforming cybersecurity through automation. We’ll hear a lot about how that works in this conversation. Prior to Balbix, Gaurav was founder and CEO of another cybersecurity company called Bromium, where he led the company from its inception for 5 years.
We also have two Balbix customers with us. The first I’ll introduce is Daniel Gisler, who is the chief information security officer of Oerlikon, a global manufacturing powerhouse for surface engineering, polymer processing and additive manufacturing. Daniel is responsible for the cybersecurity of Oerlikon and its more than 10,600 employees and (get this) 179 locations in 37 countries so you might not want his job. But we’ll see how he likes it. I bet he probably likes it anyway.
JOHN CHAMBERS: Sounds like job security Daniel.
DAVID KIRKPATRICK:
There you go…
Now our second customer panelist is John Shaffer who’s the CIO of Greenhill & Company based in New York, a leading independent investment bank. He’s the global CIO and also the CISO, and he’s doing all kinds of creative things there which we will hear about and is very experienced in managing and developing global IT infrastructures.
So let me just quickly start off… kick us off by asking Gaurav to just tell us a little bit about why Balbix, why did you start it, what is it, what does it do?
GAURAV BANGA:
Thank you David, in a nutshell, about 5-6 years ago, we realized that the enterprise attack surface was just exploding. It is just becoming very, very hard for the defenders to keep up with all the different ways in which they could get breached. Cybersecurity is not a human care problem anymore, and that’s the reason why we started Balbix. So that we could use automation, machine learning/data science and provide better visibility into enterprise cybersecurity posture, which might then be used to automate the defense of the enterprise. To make enterprise cybersecurity more proactive.
DAVID KIRKPATRICK:
Okay, and I know you have a lot of clever sub themes in the way Balbix works, I hope we’ll get to all of them. Is there any one thing that you’ve done at Balbix that you would especially call out right here at the outset that you think makes it different from any other company?
GAURAV BANGA:
Yeah, the most important thing is we started with the assumption that there are a lot of human mistakes either in programming, or in how we use computers that result in insecurity.
And the insight to solve these issues is to make a (design) assumption that no single fault should result in an enterprise getting compromised. That’s the secret to building cyber resilience. And Balbix uses every trick to make sure that people are mindful about the fact that there should be no single point of failure in your cybersecurity posture, and that results in a more cyber resilient enterprise.
DAVID KIRKPATRICK:
That’s an ambitious mandate and I didn’t even really say much on the onset about the environment we’re in when it comes to cyber security but it is crazy, scary, really shocking. We just recently had this Colonial Pipeline hack which is kind of the most public way of visible major flaw in American systems possibly ever. Also SolarWinds invaded many, many corporate and government systems and we don’t even know how much damage was done by that. I personally have been subject to a cyber attack not too long ago and identity theft and it’s really bad…. And as I went through dealing with that I discovered in the pandemic, this stuff has become even more common. It’s sort of been a growth industry for some reason during the pandemic.
Let me turn to you John Chambers: why did you invest in Balbix and what was it that grabbed you and what point in your dialogue with Gaurav did it grab?
JOHN CHAMBERS:
So, 3 different questions David, first is that I focus on market transitions, not on competitors. I did that during my time at Cisco and now with start ups. When you see a market in transition enabled by new technology that’s when I look at either acquiring it (at Cisco when we acquired 180 companies) or at 20 JC2 start ups- that’s when I look at investing.
As I see that occur, I then go to the CEO, you focus on the CEO. She or he is really the heart of the company and where you have the right CEO with a good market transition and new technology, then you have a chance for a real winner.
I try to pick a company that has differentiation just like you said in your earlier comments to Gaurav and where the CEO really wants to be coached, knows what he knows and knows what he or she does not know on it and it is close to inflection points. And all of those occurred in Balbix.
You said it well, when I left Cisco, just 3 years before that I made security our number one objective. As we digitize the world and five hundred billion devices get connected, it was very clear that not only will the attack surface change dramatically but the complexity of attack, the speed and the potential damage they could do was going to increase dramatically as well. With all the positives in the digital world, you also have all the negatives that could unfortunately slow down the implementation of the digital world if we didn’t address it.
So I’d think there are 2 areas that I’d bet on that are gonna be very exciting for the next decade: on the positive side- artificial intelligence and the internet of things, and on the negative side- the issues of cybersecurity to go with it. So it was all those together. Gaurav did not have me at ‘hello’ but he did have me once he went to his business model and went through here’s how he’s gonna differentiate the company and unfortunately it is playing out very much as we anticipated in terms of the opportunity for the business perspective with tremendous damage that is being done in today’s world.
DAVID KIRKPATRICK:
Well thank you.
Ok, John Shaffer and Daniel I want to ask both of you something. John Chambers said in 2009 (believe it or not) that the only difference between companies was those who knew they’d been hacked and those who didn’t know they’d been hacked. So how have things changed in the subsequent 12 years or so? What do you see as the sort of central features of the cyber security landscape that you have to deal with today.
Let me just start with you Daniel.
DANIEL GISLER:
Well that’s a tough question, I would say that a lot of things have changed since then. Firstly I would say the distance and the speed between attackers and defenders has increased dramatically unfortunately to the favor of the attackers I have to say. This does not show us cyber security folks in a good light unfortunately. In addition, enterprises need to quite often outdated or over the internet laws and regulations which is then also playing into the hands of the adversaries at the end of the day, which slows us down as well because we have to attend to those things.
As a second point also from a manufacturer’s point of view, cybersecurity viewpoint in the good old days related to the production environment was kind of more relaxing as though the IT integration was not that critical in that time so it was kind of negligible at that time. We are not too much concerned about these things. Whereas in these days it has dramatically changed so this is no longer true and in fact it’s extremely frightening. I would say because at the end of the day, even more dangerous. People worry about the safety of people. You’re talking about in the worst case death and life. It’s about life and death so this is probably something which is quite critical especially in the manufacturing side.
DAVID KIRKPATRICK:
That’s a scary way to put it, so let me turn to you John, we’ll get back for more details here too, but John Shaffer would you agree with that way of putting it, how does it look to you and how scared should we be? Maybe this is another way to put it?
JOHN SHAFFER:
Well I think we should definitely be aware of what’s going on. I mean 2009 was 12 years ago and that’s see that’s forever in technology years. In a nutshell I think the biggest change is that there are just so many more devices connected to the Internet and that you know that that’s the number one thing. 12 years ago you were worried about spam and it seemed like we were still very naive in the scheme of things. And now everything has really changed where you can just plug anything at home. You know just about every device is Internet connected and as security people we just need to look at things from a totally different lens on a daily basis. So, I just think the explosion in the attack surface totally correlates to what we’re seeing these days.
DAVID KIRKPATRICK:
But going back to John’s statement of 12 years ago presumably it has remained true but is everyone… would every organization need to assume they are being targeted every single day? Is that sort of the world we are now living in?
JOHN SHAFFER:
I think that’s the world we’re living in yeah.
JOHN CHAMBERS:
You know David I would agree and I think John and Daniel said it very well, the complexity of the attacks are going up, the frequency is going up, it takes us longer to fix attacks once they occur. The world is going digital. It isn’t just a few hundred billion devices, everything will be connected from our cars, to the manufacturing floor, to our oil pipelines, to our electrical grids and, as will the number of challenges that companies face in this area. This is why I was teasing John and Daniel about having job security.
You are so reliant upon your chief security officer and your CIO, and after I’d have my chief security officer John Stewart report to the board and John would get up and give all the statistics and “here are the tools we are using” etcetera, in the end the board would look at me and say “what do you think?” and I would say … “We’re dependent on our chief security officer to be able to pull all these pieces together and to keep us one step ahead of the bad guys”.
That’s what’s moving to what Balbix does. When you automate this, where you begin to know where you are versus others. You begin to see, for the CIO and the chief security officer, the data they need to make the decisions to avoid what’s going to become more and more frequent and more complex.
And your comment about how much it cost… Well the only question in my mind is, SolarWinds was a tremendously damaging issue and when you talk to Wall Street, they don’t know the cost a trillion dollars to the U.S. economy or five trillion.
DAVID KIRKPATRICK:
Wow
JOHN CHAMBERS:
And we’re just seeing this start to occur in nation states.. and.. unfortunately very organized crime, terrorists and just hackers in general. So, as we become dependent upon this digital world we’ve got to make our electrical grids, our businesses as defensive as we can and try to stay one to two steps ahead of the bad guys. Which means you have got to automate it. It can no longer be done with human intervention. By the time you intervene it is already too late.
DAVID KIRKPATRICK:
Well and as you mentioned the Internet of things earlier on in this conversation, with 5G and IoT that’s going to really make the scale of the attack… attackable surface much greater. Is that the way you look at it?
JOHN CHAMBERS: Yes and when you originally asked the question, you zeroed in on market transitions. I am a huge believer that you make market transitions easy to understand. At Cisco, we said the internet is going to change the way you work, live, learn, and play and that was the time that only the techies were talking, everybody said “You got to be kidding me. It is not going to happen”.
That was 93 and then voice would be free and all of a sudden when you talk about “voice will be free” that completely destroyed the resource models and business models and if you didn’t get ahead of it, you are in real trouble economically. And then the digital world coming at us and then understanding the implications of it and then the World Economic Forum where I said that statement about only two types of companies those that have been hacked and those who don’t know they have been hacked and everybody looks at you with kind of like their head sideways, almost like your dog looks at you “Well, what am I supposed to do?” The answer is – it is just getting started.
So, I think this is going to be a very important part of the digitization, as how well we defend ourselves security wise and well, personally I am excited. I love hearing from customers and so, what John and Daniel have to say here and lessons learned as I am taking notes as we go guys if that is alright.
DAVID KIRKPATRICK:
Good John, you are always a learner. I have always known that about you.
Daniel I know I kind of didn’t let you finish your full thought before, tell us a little more about what you think has changed and how you describe the nature of the environment especially for a manufacturer and a global manufacturer, and also, I would throw into that the challenges you faced with whatever it is… 179 locations all over the world. How do you do it?
DANIEL GISLER: Well I that was a tough… It is a tough question again David thanks for that (Laughs) This is exactly the challenge. This great or wide footprint we have. The key is really to gain visibility. So, without having the visibility, you don’t have a clue what you actually need to protect and assess. So we are manufacturers, we need to make sure that we really do protect all the things, especially the whole production area where it now gets really serious because it can harm people. That is the key element where we need to do and also change to bring in this visibility. Balbix helped us here really in a great way.
DAVID KIRKPATRICK:
Well, John can you talk about this, your company is very -very different. It is more of an intellectual property based business, a financial money based business. What particular challenges do you face given your work at an investment bank or with those kinds of issues in front of you every day?
JOHN SHAFFER:
It comes down to our users. I think the… To me, people are the weakest link in the whole chain. We spend a lot of time trying to train them. I think one of the things I was going to mention is that we just really asked our employees to work differently. The things that we asked me to do now they would have balked at 10 years ago. If they had to use multi factor authentication or change… make their password tougher. Everything was hemming and hawing and now I think they really get through a lot of security awareness training and making people aware. We are trying to strengthen that, because you can have all the good systems in the world but you still have people that are just really curious and I think that tends to cause problems. When we have seen issues, it has been typically the user base that is where it starts.
DAVID KIRKPATRICK:
Is that because generally users think they know more than they actually do about how to manage their own vulnerability?
JOHN SHAFFER: No, I don’t even think that they really think about it.
DAVID KIRKPATRICK:
Oh.
JOHN SHAFFER: I keep thinking, you can hook your refrigerator, your light bulbs. Everything in your house you can connect to the internet and can control and if you can-can do that, somebody else can potentially do that and I don’t think that people really… I think people plug things in and think they are safe. That’s kind of what I think particularly maybe on the consumer end of things and, you know hopefully going through our security awareness training that they think a little bit beyond that and are a little bit smarter about how they practice better habits.
DAVID KIRKPATRICK: Wow. I’m tempted to ask anybody if you think that might change, because, everybody thinks they are safe, that’s scary. But let me go to John Chambers, and you could feel free to comment on that question of whether everybody’s going to eventually start feeling more scared because the incidents are going to increase but also I’d love you to talk about what expectations you would have for your CIO or for your information security officer, in this moment we’re in and as it gets more and more challenging.
JOHN CHAMBERS:
Well, I think part of the day that we’re all motivated by a combination of how do we get our job done and what do we do important in our work and in our personal life and I know we’re in a stack. If we take things too much for granted and become too complacent, bad things can happen. I do think John nailed it when he said that the number one issue that cause most cyber issues starting is somebody didn’t follow the procedures the right way. But I think the degrees of attacks are going to get much worse so what I do and what I focus on my investments and what I was focusing on as CEO of Cisco is how do we automate more of this, how do we know our exposure, how do we educate our workforce not of fear but let them know how sophisticated the bad guys are really becoming and then educate them on the damage. I think most people often don’t respond because they become too complacent and think it will not happen to them and the bad guys just go from one vulnerability to another to another. The minute you can’t, they go to the next level so, having that visibility is I think as Daniel said early on is very key as well.
So what I expect out of my Chief Security Officer – they protect my brand. I add that they’ve got to figure out how they put this digital world together and understand that there will always be weaknesses in our employee base and they’ve got to say how do we educate them and how do we make it less likely that is to occur. And then if something happens how do we recover from it quickly, not in the time that’s now going sequencing out and how do you avoid the ransomware to where they lock you up and how do you protect yourself from that so, I think it’s an education process, it’s one that intellectually find stimulating and I think it’s going to be at a very good business for companies like Balbix to be in.
DAVID KIRKPATRICK: Unfortunately but at least Balbix is there for the customer so Gaurav. I haven’t specifically asked you too many things so far but anything you want to drop in here and comment on? Anything you’ve heard that you just underscore?
GAURAV BANGA:
Yeah I think we heard several things that are indicative of the crux of the issue. You know the internet was really designed for collaboration, it was designed for point A… machine number A to be able to connect to machine number B. And in fact, there’s a lot of engineering to make that as seamless as possible. The internet was never really designed to keep people from connecting to other things. And that’s the fundamental issue that we’re dealing with. The internet assumes that you have a right to connect and the right to connect has now become a biggest liability from a cybersecurity standpoint.
And I think the second unifying theme over here is that we continue to think at human speed. We make (security) mistakes at human speed, and we fix these mistakes at human speed. The adversary has automated the heck out of it and we haven’t automated enough. And unless we automate, we will forever be behind the adversary.
DAVID KIRKPATRICK:
Right, it’s a question of scaling your response to the scale of the threat. So, automation makes so much sense. So I’d love John Shaffer and Daniel, both of you to talk about why you chose Balbix. Let’s start with Daniel. We are in this very scary time with Colonial Pipeline, SolarWinds etc. Talk about why you picked Balbix for this kind of work and how you’re using it in this environment.
DANIEL GISLER: I mean that I said earlier, I think we have a lot to improve on the cybersecurity side. So I was really looking out for a new approach to really address all these threats. So, I was not looking for something that did not work out that well. I was looking for something with the latest generation, tools of the latest generation which helps us really to focus on the critical things. And also looking at own abilities not only from software view point but also a kind of a more holistic part. There is also the end user plays a role in configuration… misconfiguration, all these kind of things that was certainly one thing which we looked and Balbix helped us a lot here.
Another important aspect to us also in regards to a risk-based approach. I do not want to have or to find or look for something which pops up hundreds and thousands of alerts which isn’t really tricky to follow up and also let’s say then tries out the people who is doing that because they get fed up with these kind of things. I was really looking for something where we can work on a risk based approach that we can really hand over the focus to the teams to work on the rights things so that we do not overload and with tools around in the cyber security world, it is easy to to really go and pick the wrong path, sometimes less is more. You have to do the things which you do implement in the right way so that was certainly one thing and Balbix helped us here in a great way. So it really focus on automation which helps us to get some time to focus on the right thing and then also brings up to the right spot to focus on.
DAVID KIRKPATRICK: Okay thanks. One of the things that I should say Balbix does is that it marks the entire technology landscape of a company in such a way that its software essentially identifies every device and maps its vulnerability in the context of the larger system and is constantly adjusting as the device landscape shifts and, that to me is very interesting and it’s a concept that I love. I’ve talked to Gaurav about this. It’s sort of a digital twin of the entire company that it creates which allows you to essentially emulate what might happen and then protect against it, so, John Shaffer, talk about Balbix from your standpoint and what you do with that specifically.
JOHN SHAFFER: Well just to follow up on your point. One of the things that Balbix does is that it’s continuous and I’m always looking for that continuous improvement which is a change over the way we’ve done things in the past. Things like annual penetration testing and quarterly vulnerability scans, that’s sort of a… to me, that’s a little bit of a legacy way of thinking, of doing things. A lot can happen between today and tomorrow and if you’re just waiting 90 days, you’re going to run into a lot of problems. So, I think that whole idea of continuous improvement is sort of something that I go by.
I chose Balbix for a number of reasons. I’m interested in AI and ML and we’re a small organization. I don’t have a lot of people and even if I did have even if I had 100 people it’s still not going to… It’s still difficult to just parse through everything, all the information that you get that you really need computers to think for you. And, I think that’s part of the reason that Balbix was attractive to me but what I really wanted to use them for was to really measure my security program. To measure it over time and to be able to provide some type of statistics to show that our cybersecurity posture is maturing and improving and I think that’s what really attracted me to the way they took to their platform. It’s really difficult to improve what you can’t measure. That’s something that I chose Balbix for, that’s a way for me to do it. There may be other ways but I think that the best way to do it from what I’ve seen.
And one of the other things that we I really wanted for is, we spent an awful lot of money on security, quite a bit of money on security and I want to make sure that the tools that we’re using are effective and I think that Balbix provides me an avenue to test against what I have and to make sure that I’m putting my money in the right places and to maybe look at reallocating the way I source the money that I get into maybe a better tool based on the types of vulnerabilities that Balbix finds for me and so I think that was that was something that really attracted me to their product.
But, I think that in the end we report to people and they want to know how we’re doing and the people that we report to aren’t necessarily cybersecurity experts. They read what’s in the paper, they get scared when they hear SolarWinds and “do we have something”. What I wanted to be able to do is have a system that can produce basically an executive summary of our cyber security posture and say “hey, this is what we’re doing” and “we’re doing well we’ve done better over time” and then that’s what Balbix… Aside from all the other things it can do for me, that was really the primary reason that I went with it.
DAVID KIRKPATRICK:
Are you confident that Greenhill is safer because you use Balbix?
JOHN SHAFFER: Well, I think Balbix shows me that over time I’ve been safer. By itself I wouldn’t say any tool and just check the box to say you’re safer but yeah, I think that it summarizes our cybersecurity effectiveness and when we see something, we see it quickly and we can address it. So, I think that we are not supposed to brag here but Gaurav told me I could. We are big into patching and how fast we get things remediated. Our organization’s average mean time to response has been reduced by over 95 percent.
DAVID KIRKPATRICK:
Wow
JOHN SHAFFER: To me, that reduces our risk significantly.
DAVID KIRKPATRICK: So from the time you find out you’ve got a problem to the time you feel you have sufficiently addressed that as well as you’re able, that time has reduced 95 percent?
JOHN SHAFFER: Yeah. We’ve always wanted to be aggressive about it but Balbix shows us how much better we’ve done over time. And one of the issues is you still have to contend with your users in the organization and the impact that you have. Nobody likes it when their system is rebooted and it’s a pain in the neck and I have to close all my work. But when we can show that we pushed these things out and were up to date and that’s part of the reason that we have a lower risk, they will learn to accept it. I think it’s the part of the way that we live now. You get multi factor authentication in your bank account, you just deal with it now, and you understand that there’s a value to it. So, Balbix has really helped prove what we’re doing… I think it’s more effective than not doing great.
DAVID KIRKPATRICK:
Daniel, do you feel that early kind of safer because of Balbix?
DANIEL GISLER:
Well like I just said on the line what John said, this is also quite true for us. For us, Balbix is really a cornerstone to get safe of course and at the end, it makes us also safer but it’s a constant journey because these things can change every day hourly and we need to address it. But Balbix makes you believe like you’re doing the right thing at the right place to minimize the pervasive cyber threat rates at the end of the day, which is really again, focusing on the right thing to mitigate risk at the end of the day.
DAVID KIRKPATRICK:
So John Shaffer… you know most problems start with somebody doing something wrong or careless or insecure, you must have to spend a lot of your time trying to educate people and to get them to feel more concerned. I’m not sure the word is alarmed but possibly even alarm. Does having Balbix help you make a better case for how people ought to take this seriously. Maybe not only your leadership but even down to the level of the individual employee?
JOHN SHAFFER:
Well I mean I think it starts at the highest levels. Yeah it does help. You know we’ve gotten buy in from our CEO and that just water falls down. You know they buy into it, nobody can complain anymore. So they… I mean everybody has bought into it, I think our users are much more well informed right now so I think we’ve done a better job of minimizing the risk to users. Yeah, that users can cause because they are much more aware. We work to get them more aware about it, but we still use tools to make sure that there’s simple things that they just can’t do here… we try to limit what users have the ability to potentially create havoc. That combination I think has worked out really well for us but it’s a top down approach and we’ve gotten buy in from the top levels and that’s helped our organization up quite a bit.
DAVID KIRKPATRICK:
Yeah having leadership that understands makes all the difference.
Okay Daniel, you know one of the things about Balbix that I find intriguing is that you know if it does automate your ability to detect your threats, you may end up having to invest differently or configure differently because of what you learn. How has your cybersecurity investment strategy changed as a result of using Balbix if at all?
DANIEL GISLER:
Maybe not that much so far but what Balbix did is that it ruthlessly showed us the weak points in our internal processes. First of all we need to fix that internal process to really get the best out of to process before we then look into some other things that do the things what you should do in a perfect way, so therefore it has not changed directly investment, but of course inventory and vulnerability management – this was a strategic decision on those investments.
DAVID KIRKPATRICK:
So okay, John Shaffer what about you, did your cybersecurity investment strategy change once you had more visibility into the system and while using Balbix?
JOHN SHAFFER:
Yeah I would say. I mean it’s helped us, you know, reevaluate vendors that we use, reevaluate the actual way that we use tools. You know, really try to push… if we see some type of vulnerability that’s pervasive in the Balbix platform. Why aren’t the tools that we have dealing with it properly or maybe we don’t have them configured properly or you know maybe we need to make an investment in something a little bit different so we’re probably spending about the same money but we may be putting it… we may be allocating it differently.
DAVID KIRKPATRICK:
Well I’m gonna ask you both a question and you know even answering it might mean repeating something you already said but feel free to do that, what’s the biggest pain point that Balbix solves for would you say?
DANIEL GISLER:
Well in the beginning Balbix did exactly the opposite, because for the first time we saw really the extent of the problem but let’s now be serious, but for the first time I have high confidence that we could really see all our assets and it’s assigned risk to really focus on and to do, this is a really great achievement.
DAVID KIRKPATRICK:
Great John quickly… John Shaffer what would you say?
JOHN SHAFFER:
Yeah, I mean it helped me consolidate a lot of disparate tools and kind of show us you know where we were having problems and how we might be able to fix them quicker and…
DAVID KIRKPATRICK:
Yeah that’s good, so Gaurav I’m gonna pull you in here, what would you say are the elements of a proactive cybersecurity program?
GAURAV BANGA:
Yes I’m going to focus on 2 pieces:
One which I don’t know too much about but I know enough about it to say- First, you have to want a better cybersecurity posture. You need to have a mandate, and this needs to come from the CISO and the CIO taking it to the very top, the board of directors, the CEO, the CFO and get them to say ‘we want better cyber security’ without that you got nothing.
Once you have that mandate, I think it really is the recognition that the attack surface is massive, we are falling further and further behind so how can we use AI and data science to get as much data analyzed as quickly as possible, combining business context, IT context, and cyber security context. And then use that visibility to identify issues and fix them in as automated a fashion as possible. That to me is the blueprint of the future.
DAVID KIRKPATRICK:
Just quickly talk about how you gamify things, will you? Because I think that’s one of the more interesting things about Balbix.
GAURAV BANGA:
At the end of the day we’re talking about human beings and human beings have to do stuff, even if it is to know to press a button in a (mostly) automated workflow. How do you get the human beings to not get in the way, how do you get humans to align with pushing it out in one of the things is
You know most people really don’t understand risk. If you put the right information, the right tools, and the right options and get a competition going. We have seen fantastic results (with gamification) because then everybody starts becoming an owner of risk and they start competing to maybe mitigate risk as quickly as possible. Gamification of cybersecurity, which obviously requires automation and requires data science, is a very key part of our (cybersecurity) future.
DAVID KIRKPATRICK:
So interesting you’ve got AI over here and you’ve got a way to engage real people over here which is quite intriguing. Ok we’ve just got a couple of minutes left maybe 5 minutes but I want to go to John Chambers for a sort of big picture way to think about what brought us all together. So you’ve executed out of challenging situations many times you know you’re a legendarily successful CEO at Cisco for all those decades so if you look at the overall cybersecurity industry, what would you say is the way forward for cybersecurity?
JOHN CHAMBERS:
You know David, it’s an excellent question and I knew you’re gonna hit me at the end with one pull-it-together. I like the direction you’re coming from, one of the reasons I like taking notes is I learn as we go. I think this is something that is just going to grow by orders of magnitude and it is something that by definition has to be automated.
It’s something that’s got to meet the need for scale in the future. We can’t be swapping out solutions every 6 months or every 2 years we go forward. So when you look at the big picture, what I like from today’s discussion and the way that John and Daniel described Balbix was very simple, they defined it as a platform. They defined it as a platform which is the best that they were able to find out in the market. They then went straight to automation, as if you don’t automate this you can never keep clear of the bad guys and they defined it as meeting today’s needs but positioning for the future. Then they talked about order of magnitude improvement 95 percent again that’s a 20 to one improvement type of approach. And they explained it in a way that as the CEO or as an investor or board member, I would understand that if I make the changes, then here are the benefits I get. That is such an improvement and just looking back just a couple years ago we define the strategy and the concerns that kind of shock people with everybody’s gonna get hit… how you gonna position yourself for the future.
DAVID KIRKPATRICK:
Yeah and so I know speed has been our mantra of business for a long time but if you don’t have speed in this area, you’re really in trouble right John?
JOHN CHAMBERS:
You are, you’ve got to be very fast and by definition you’ve got to be automated, it is the rare exception that you are going to have any time to respond, and it’s a rare exception where the human being can get involved with more than just a fraction of the solution.
DAVID KIRKPATRICK:
Gaurav, any closing thoughts for us from the man behind Balbix… final takeaways…
GAURAV BANGA:
Yeah I just want to say one thing that you know it’s been an honor, fantastic honor to work with some of our early adopter customers. John has been a customer for 3 years, he knows more about Balbix than he is letting on over here and there is …. a lot of what we’ve been able to build from the feedback that we’ve gotten from our early customers they’ve trying to meet up to the requirements we’ve learned a lot about their challenges.
If there’s a call to action over here: speed is of the essence. Without a cybersecurity automation platform you’re going to get further and further behind. And if you haven’t started, you’re already late.
DAVID KIRKPATRICK:
Well this has been a pretty interesting conversation; I was really pleased to get a chance to moderate it with you all. Thank you so much for inviting me to do that Gaurav. Thank you so much for being here of course and John Chambers thank you so much for joining and if I was Gaurav reiterated of course would have said thank you for investing.
And John Shaffer and Daniel, thank you so much for being part of the conversation, we’ve had a really good conversation and I look forward to following Balbix closely myself so thanks everybody.