Security Insights - Cybersecurity for Real-World Workplaces

Death, Taxes and Phishing: Cybersecurity Research Results (Part One)

Ivanti Season 2 Episode 33

Daniel and Ashley review the latest research report from Ivanti -- Press Reset: A 2023 Cybersecurity Status Report -- including prioritizing phishing and DDoS attacks, security ROI challenges, and why organizations should never increase their cybersecurity budget by sacrificing their IT allocations.

Download the full report at Ivanti.com/CybersecurityReport  

  • Join the conversation online on LinkedIn (linkedin.com/company/Ivanti)

DISCUSSION TAKEAWAYS

Research: Only 22% of cybersecurity professionals saw phishing attacks as “critical” threats in 2023

Ashley Stryker reviewed the results of Ivanti’s latest security research – Press Reset: A 2023 Cybersecurity Status Report – noting that “only 22% of people are saying phishing attacks are critical” (pg. 11, “Preparedness and experience gaps”).

Daniel Spicer, Ivanti’s CSO, was surprised by the low number, given that “phishing attacks are still the primary way that any threat actor” uses to gain access to organizations’ IT systems.

Ashley suggested that the next report should ask a more specific question about experienced phishing versus impacted by phishing attacks, to get a better understanding of the impact of these threats.

The 4 “inverted threats” companies must prioritize in 2023: ransomware, software and API vulnerabilities, and supply chain attacks 

Continuing through the research, Ashley observed that many organizations had “elevated threat levels [predicted] but [respondents’ reported] preparedness lagged the estimated threat for 2023” (pg. 13, “Security threats versus security preparedness”), resulting in four inverted threats:

  1. Ransomware: 54% rate as "high" or "critical," but only 51% report being "very prepared" 
  2. Software Vulnerabilities: 54% rate as "high" or "critical," but only 52% report being "very prepared" 
  3. API-related Vulnerabilities: 48% rate as "high" or "critical," but only 47% report being "very prepared" 
  4. Supply Chain Attacks: 46% rate as "high" or "critical," but only 42% report being "very prepared" 

Daniel observed that “supply chain attacks were way lower on the report than [he] was expecting,” and he believes “we are still as an industry not as prepared as we want to be,” adding that “[supply chain attacks are] going to be a continued way to carry out all sorts of end impacts.”

He went on to explain that “taking a more manual approach [to supply chain attacks] puts you a little bit more risk,” and that addressing supply chain attack resiliency and proving ROI of security activities is a focus for the Ivanti team moving into 2023.

Companies must prioritize their tech spending and staffing to maintain and expand their current cybersecurity stacks.

Daniel noted that organizations need to “right size” their security solutions and “not take a more manual approach” to avoid putting themselves at risk. 

He also discussed the need to “represent risk in dollars” to prioritize those security solutions and technologies for optimized risk reduction and remediation moving into 2023. 

Ashley agreed. “Leaders can say they prioritize things all the time, but they put their money where their mouth is for the things that truly matter: those risks,” she said. 

She referenced the Press Reset report results in which a vast majority of executive leaders say they support cybersecurity initiatives (pg. 20, “Leaders say they’re aware of cybersecurity risks but still engage in risky behaviors”), yet have some of the worst security habits of any end user within the organization (pg. 21, “Leaders engage in more dangerous behaviors”).

Daniel brought up an industry trend spending on consultants instead of hiring new employees, commenting: 

“We use consultants for too many things, and we use people in the wrong way. The worst thing that you can do with your budget is to outsource a bunch of work to a temp agency or to consultants – and in some cases, even interns! – and hide an operational need for permanent headcount within your team.”

Daniel also warned against overlooking technical debt in security. He mentioned previous employers and clients would paper over building security issues until an incident forced the remediation, reminiscing, “We would find some kind of misconfiguration, whether it was definition updates or [something else. Sometimes,] it just wasn't configured to block properly – or no one was looking at the alerts at all!” 

Ashley then compared cybersecurity to car maintenance, saying, “The solution is to check the pressure in your tires – not just to say, ‘Screw this car; it's got bad juju. I want a new one!’”

Organizations must find the balance between funding both cybersecurity and IT operations – empowering both teams to face 2023’s security challenges together.

Daniel emphasized the need for proper staffing – and not just on cybersecurity teams – especially in light of the report’s finding that only 1% of cybersecurity teams projected their 2023 budgets decreasing (pg. 5, “Cybersecurity budgets are growing”), with the majority predicting an average 11% security budget growth year-over-year.

He worried that the cybersecurity budget would be increased by decreasing the IT team’s budget and ability to staff.

“Infosec can't do anything without the [IT operations] partners that actually go and implement things!” he exclaimed.

Ashley pointed out that organizations often don’t have the resources they need to manage either their security or their general organizational technology – leading to overworked staff, inadequate asset discovery and poor ticket management. 

“If you guys don’t have the proper security people – and the proper bandwidth and ability to prioritize that [cyber] hygiene and that maintenance and those patch cycles properly – it’s [the IT operations] team that has to restore everything from the backups and deal with blue screened death," she said.

Daniel agreed. “It’s a real issue that the interdependencies [between IT operations and security] can’t be understated,” he said, adding, “I think Tony [Ivanti’s IT Director] would fight for certain places, especially when it has me prioritizing things for him to make sure his resources are spending the right time, or making sure his team has the right advice on how to implement and configure things.”

Ultimately, Daniel said, the budgeting and purchase process “is about looking back at the core challenges that an organization faces and looking at, hopefully, your increased security budget and how you're going to actually rectify and improve the controls that solve your core challenges well.”


FULL TRANSCRIPT:


Ashley Stryker [00:00:05] Back to Ivanti security insights, where best practice cybersecurity meets real world workplaces and roadblocks. I'm your host, Ashley Stryker, and with us today is the one the only our chief security officer, Daniel Spicer. Hi. 

 Daniel Spicer [00:00:21] Everyone. 

 Ashley Stryker [00:00:24] So today, Amanda is recovering from a bit of a strep throat and Chris is flying in an airplane somewhere important, along with half of his team. So. It's just you and me. 

Daniel Spicer [00:00:40] It stuck with me. 

Ashley Stryker [00:00:41] I mean. 

Daniel Spicer [00:00:41] Stuck with me. 

Ashley Stryker [00:00:42] Stuck. I'm just excited because usually you just get to banter with Amanda or you banter with Chris. I don't get proper Daniel banter time. 

Daniel Spicer [00:00:51] Oh, we'll have plenty of banter today. We're going to fill the banter meter. 

Ashley Stryker [00:00:56] I mean, and there's actually a really good goad for the banter today, at least for me. And it's going to be very easier to to start the banter for me because I have been working on something for a long time and harassing everyone about it. So Daniel can finally tell me what he genuinely thinks without ever hurting my feelings or, you know, dissing on the team. No, I'm kidding. But like. I'm really excited to get your specific insights on this. I know you've read it through. I had to double and triple check it as we were working on it, but you only got to see the final version of this report. I'll stop talking around it. The press reset a 2023 cybersecurity status report, the first of several reports to come actually from this data set. It just dropped recently and you didn't get to see it really until like Monday, at least with the pretty graphs. You got the. 

Daniel Spicer [00:01:57] Sons of Barry, you know. 

Ashley Stryker [00:02:00] And and beyond it just not being broken from a cybersecurity perspective, which was really what you were checking for. I didn't have a chance to ask genuinely what you thought about it, what you in particular thought was really interesting. 

Daniel Spicer [00:02:16] Yeah, like marketing accuracy versus do I agree with the data, Right. 

Ashley Stryker [00:02:20] Yes. 

Daniel Spicer [00:02:21] I guess we need to talk about the data, actually. 

Ashley Stryker [00:02:27] Oh, dear. Because we worked very hard for data. Clear. So. So to specify, you're not worried about the data source, but what some of your fellow cybersecurity professionals said. 

Daniel Spicer [00:02:38] Yeah, exactly. I you know, going through that, there are some things like. Yeah. That that makes sense they align with that and then I like who what do you what do you talk? Do you work in cybersecurity? I don't, I don't. I'm not sure anymore. 

Ashley Stryker [00:02:51] Ah. 

Daniel Spicer [00:02:52] So, so your, your methodology is fine, but I do have some questions about what what my fellow professionals said in the report. So let's talk about that. 

Ashley Stryker [00:03:03] Sure. All right. So let's start with the one that I think that you personally were most surprised about in terms of self-reporting. And that would be the graph in which we charted the reports of how critical a threat do you see this being for your industry in 2023? And we had a list of a whole bunch of them organized, by the way, from most critical to the highest percentage thought that was most critical to the least, not alphabetical, that was designed to bait. And then we put in a little little marker indicator because we asked that same cohort. Have you. Has your organization experienced this threat in the last 24 months before you took the survey? That graph is actually found on page 11 of the press reset report, which I will make sure I'll include a link in the show notes as well as in the description here. But if you want to go in really quick, search it. It's Ivanti dot com slash cyber security reports and just go ahead and you can hop there, download the report and follow along if you'd like. But page 11 Preparedness and experience gaps without any further ado, which one caught your eye? 

Daniel Spicer [00:04:25] There's a few. There's a few. But the first one that caught my eye was was phishing. And it caught my eye first because it was. Did you experience this in the last 24 months? 43%. And I just want to know which organizations, you know, that the other 57% of the organizations did not have a phishing email at all. And I'm not even talking about whether or not you had an impact from the phishing email, Right. Maybe maybe your users are really that good. Maybe you're a smaller organization and so you get to really enforce some of that that user training on there. But like phishing emails are still sent. Like there is a 100% chance that your organization received a phishing email like that. Is that when you talk about risk and want to start with that likelihood 100% Now, did you did you get an impact from that? Right. Did you receive an impact from that? That that's not that's a different question. Right. And and even then I think the numbers is too low. Right? The number is too low. I am sure someone and a lot of these orgs got phished and I am sure that they spent some amount of business disruption time cleaning that up at a minimum. Right. But I also I'm just kind of surprised about its ranking. The design decisions aside for a moment. Right. Saying that that only 22% of people are saying phishing attacks are critical when phishing attacks are still the primary way that any threat actor, whether you're talking about a financially motivated threat actor like ransomware, which is on the top of the chart, or a nation state threat actor or more sophisticated adversary, they all use phishing, right? How I interpret that is that people are not considering the true impact of a security event, right? Even if it doesn't lead all the way to ransomware. Right. Or, you know, in phishing emails, even if it doesn't lead all the way to a wire fraud, for example, another common financially motivated attack that comes directly after phishing. There is still business impact in terms of of recovery. Right. So and then even if if you don't take that in the context of just recovery, right, you take that into. Did you experience it at all? Right. It really should be 100%. There is a 100% likelihood that you will receive a phishing email and that will continue until the Internet and email is dead. So I think that's just a fact of life at this point. Death, taxes and phishing emails. 

Ashley Stryker [00:07:13] I looked into how we phrased the question. It was Do you experience phishing? And to that end, you are completely correct. And I'm wondering if maybe in the next report we asked, have you had an impact from and we define what experience means and then we define what impact means. And that way maybe we'll see the number jump. Maybe we'll see it as it self-correct. Maybe there really was a misunderstanding and they thought like to experience this was a global survey. Maybe it translated badly. I'm I was really surprised to see how. 

Daniel Spicer [00:07:47] Well and this is actually a good segue way to talk about two other points on the report that I was a little surprised about. I'm going to start with with denial of service distributed and it is classified as distributed denial of service. Right. There are a lot of other denial of service attacks that are just as impactful. Right. But my experience, especially from my previous job when I was performing more incident response is you are not ready for a denial of service attack until you have experienced it. It is. It is it is frustrating, truly frustrating. And and they're not common enough for everyone to have that is getting to the point where, like everyone has lived through a ransomware attack, unfortunately, like that. And by the way, everyone's lived through a phishing attack. But the. 

Ashley Stryker [00:08:38] Drive that it's getting. 

Daniel Spicer [00:08:39] To the point where, like it's getting it's getting to the point where, like, everyone has had some kind of Russian with ransomware, the denial of service attacks, especially something where a threat actor comes and says, I am going to take down your website until you pay me this, watch me. And then they do it and they say, You've got 24 hours to pay me before I keep it. Right. And until you've really experienced that, you don't you don't actually know that you're prepared. 

Ashley Stryker [00:09:12] I mean, I was telling you the story about that kind of quasi denial of service attack. I had that like a microcosm that I literally get the chills whenever I think about it happening to me. And I'm a dramatic person. We've clearly all seen that. But genuinely, I was scared. So I worked as a temporary secretary at a Honda call center when I first got out of college, get my feet underneath me, trying to get a full time gig, all that jazz. And one of our employees who worked at the center had their debt go to collection. And I was working as the front desk person. And so if you were to try if you found out they worked at this call center, I would get routed and route you to whoever they needed to talk to. And they had called in before asking to speak to this person to collect the debt. And I had forwarded to the manager and they had said, We're not letting her talk to these people while during work hours. This is completely private affair. We're not getting involved. They called back and said, unless you get that, be out here right now to talk on the phone. You won't be able to do anything. And they had hung up. And before I could ask them what had happened, I had one of those and I was in the office and I had one of those like 12 line phones that you see the secretaries have because that's what I was. And and I had never had to juggle more than two or three or four at a time in order to put people on hold and then get them to the right places. That thing lit up and it wouldn't stop ringing. And I had I just felt this panic mounting because there was nothing I could do. It wasn't like I could unplug the phone I had and I was terrified. This was happening in the call center, too, because it's a call center. If people can't get through the phone lines, people can't pay their car leases, they can't avoid repossessions like it was. So I'm just sitting there desperately trying to hang up all of the lines at once. And it wouldn't stop. It wouldn't go away. It would. There was nothing I could do. And I was I was literally shaking and having a panic attack and like, Curl, I remember curling up in the leg well of my desk, just crying. And I'm early 20 something, desperately trying to do a decent job. And it was so. To have that sense of control stripped from you over something as mundane as just so a detox attack. Even if it's just a website. Oh, God. 

Daniel Spicer [00:11:42] What you experiences is resource consumption, right? Yeah. Is denial of service. And they consumed all of the lines, right? Hmm. So we'll step aside. How how terrible debt collector practices are and how awful that industry is for a moment. Yes. And focus on the on the report. Right. The denial of service is something that you're not really going to be prepared for. And there are always there's always something more you could have done to prevent it. A lot of people who implement Cloudflare, for example, for for denial of service prevention, forget how to set up tunnels or forget that like the IP is still exposed and don't set things up quite right. And so there is things like that. But there's there's also just like sometimes it's a resource that you can't put behind Cloudflare. Right. You you have to have something else. And by the way, your firewall is not a traffic shaper, right? Like your your your your your Cisco or your Palo Alto. It has a finite amount of resources. And most organizations are trying to make sure that they right size that right. And you don't want to overpay for that bandwidth. So yeah, that'll go down. It is not designed to handle a denial of service attack. So I think the experience is a little higher than I expected. More importantly, I'm just surprised how many people think that they're prepared for that. 

Ashley Stryker [00:13:09] Yeah, and it wasn't one of our four inverted threats where people reported a high they considered it a high risk for 2023. But the generally reported percent of people who said they were very prepared to meet it. So this this is not an inverted risk as self-reported by the by the cybersecurity professionals who took it. And for inversions, you can go to page 13 for those. And some of the specific risks where we found people were reporting elevated threat levels, but their preparedness lagged the estimated threat for 2023, which I found particularly interesting. 

Daniel Spicer [00:13:49] Also just, you know, on that kind of note point out supply chain attacks. Yes. Way lower on the report than I was expecting, because I think we have all gotten to brush up around a couple different of supply chain attacks. Right. And I don't think any of us are fully prepared. We keep running table tops. We keep running thought exercises. And I think we are still as an industry, not as prepared as we want to be. And they are increasing, right. I think the SolarWinds campaign especially made it show how successful these campaigns will be and kind of in a different direction. The attacks we have seen on especially open source code repositories that have been under secured and seeing a lot of like containing malware and remote code software or remote code packages embedded into into those repositories. You know, both of those are just showing and I think giving confidence to the attackers that this is going to be a continual way to carry out all sorts of of and impacts. 

Ashley Stryker [00:15:01] Yeah, that was a really interesting point that I remember going back to you and Amanda and Chris about when we were doing the questions for this, because I was asking I remember like back in September, August time, I'm like, okay, so I want to ask about threats. What threat should I ask about? And you specifically had me put on DOS, I remember, and then somebody put on supply chain attacks and I said, Wait a second, we're not talking logistics here. What are you talking about? And so I got a whole education, enthusiastic education with links about what supply chain risk really meant and understood. And it makes me wonder if not that people would be not that cybersecurity professionals, obviously, obviously they understand what that term means within context of of their position. You guys are in that all the time. But I wonder about have you do you think that some of the lagging preparedness and lack of criticality that supply chain is rated could be possibly due to internal representatives not understanding what that means within a cybersecurity context? 

Daniel Spicer [00:16:17] It's totally possible. And I think it's important to to kind of acknowledge that supply chain attacks still are a logistic. Right. We were actually just recently there was a news article talking about how supply chain attacks are actually a little bit easier when you start talking about the use of GitHub actions, automatically pulling from certain code repositories and updating builds, and you don't actually know whether or not those code repositories have recently been impacted by something malicious. Right. And so because you're not taking a more manual approach to that, you're actually, you know, putting yourself a little bit more risk. And it's not a vulnerability, right? It's just a potential weakness. And that and that is still a logistics thing, right? There is there is nothing different from taking individual packages and components in order to do compilation as there is and like a an Amazon warehouse grabbing the individual things to put into a box to ship to me because I do a lot of Amazon shopping. Right. But but you know those are still supply chain and it's actually interesting. There's a lot of people, especially right now with some of the world events going on, talking about new and novel warfare tactics. And a lot of that has to do with cyber. And my first got to looking at that is. We're not coming up with new tactics, were coming up with new ways to implement old tactics because supply chain issues all the way back to, you know, medieval warfare. Right. It's totally possible that people are not applying this the same way. Right. Because it's the same topic. It's the same discussion. You're just having to apply it in new ways. 

Ashley Stryker [00:18:14] And so for those security professionals looking at this report. Right. And and realizing, oh, my gosh. One. I think this is underreported or two because we've all been fished people that might be the name of the episode. We've all been fished. We've all been fished. And yet. We're not able to take it seriously. And that's going to be my generous reading of some of this language is that Cyprus critics are reporting on what they're able to rate as critical. Right. How can they get internal stakeholders, the people who can help affect change at the organization and and get budget for the technology they need to be prepared for some of these attacks? To properly vet, I mean, not have somebody on board a vendor without having security look at their security protocols. Thanks for approving that one that just came through, by the way. Really appreciate it. Much breach, but not having. How do you how do you get them to understand that when the language is sometimes confusing. 

Daniel Spicer [00:19:25] Internal education is is always a challenging thing. And the problem with internal knowledge and internal education about what threats are out there and then trying to actually apply that to your organization after you're done with all of that. You have to prioritize. And when you're talking to business executives, right, that prioritization comes in the form of dollars. This is actually a lot of fun to talk about because this is something I'm really focused on, on revamping internally right now for security at Ivanti. Right, is how do I represent risk in dollars? Right. And that actually changes the conversation a lot because financial risk is is a well-studied thing, right? This is pure play economics. So I can have a conversation with our CFO, with our different business leaders about what are acceptable risk tolerances and dollars. Right. And then but the challenge is turning a security problem into into dollars becomes a little bit more difficult. And I've said this before, but the thing that I have to think ransomware for the most is actually making that story. There are two things that really enable the transformation of risk into dollars, and that is how much it costs for a personal record exposure, right? Her for her and her identity for her record. And what is the cost of a ransomware event? Those are those are the most realistic views that we have on what does it actually mean for a security incident to happen that is impactful. The other thing that is not well-studied is business impact, which is something that insurance actually will cover for you if you can represent it. And it's so hard to represent the insurance probably always under pays on that. But like business interruption is normally covered within the cyber policy or within an insurance policy. And it is so hard to to get that actually represented. And I'm sorry, I just I felt like that was worth sharing because it's another dynamic aspect to this cost offhand. 

Ashley Stryker [00:21:43] I know it's 4.24.3 estimated million dollar impact for every ransomware where incident per IBM and some of the bigger wigs that that's the statistic that normally gets thrown around. But I was wondering, do you have a ballpark estimate of how much. Per record does Is it cost if it gets leaked? 

Daniel Spicer [00:22:00] I've heard numbers between 20 and $60 an individual. I know that it can get a lot more expensive when you start talking about three years of of monitoring and some of these other newer requirements. But yeah, those are kind of where the fines are starting to lay out. And it's actually interesting, the precursor to this as the best record was actually PCI data breaches, right? When when someone goes and steals a bunch of credit cards, that model is a complete black box. They do not tell you. And as someone who's helped defend customers on those on those numbers to make sure that we're holding the files to to the to the buyer to be accurate about what the impacted number of records are. I've seen crazy variances in those numbers. And because that's a black box, it doesn't actually help justify the controls that need to be in place in the first place. 

Ashley Stryker [00:22:59] Right? Because if it's a limited number of records or it's not as valuable records because there are certain types of records, even within an individual account and certain individuals or information is worth different types and more critical and less critical. So not to put. Boy, I'm really just putting my foot in my mouth. 

Daniel Spicer [00:23:19] We were actually we were. We were checking a meme earlier. We saw a meme as like, I was browsing the dark web and I saw myself for sale, and I was only $0.50. Yeah. 

Ashley Stryker [00:23:31] Yeah. 

Daniel Spicer [00:23:32] That's how cheap the records are on the dark web, right? But of what a company actually pays out is the. 

Ashley Stryker [00:23:36] Fine anymore, the fine and then the monitoring. And then there was that, as Chris was referencing in the last webinar with like there was that Australian cyber breach where they had to pay for it, get everybody's passports redone, and I'm sure the government didn't offer them out for that. But speaking of money then. Budgets because I was kind of surprised about this. This was encouraging, I thought. Only 1% of. I believe this is actually both leaders and cybersecurity professionals. So this wasn't just optimistic cybersecurity professionals. These are people who also have a seat at the financial budget table and discussions. Only 1% of respondents said that they expected their cybersecurity budget to go down. And in fact, we have a quote in here that something like if I need budget, it isn't coming from cyber. And I thought that was both encouraging from from an industry perspective, because it really leaders can say they prioritize things all the time, but they put their money where their mouth is for the things that truly matter, those risks. Right. And so the fact that budgets are going up and much faster than the record of inflation. Page five In the report, it seems to be an average about 11% increase is estimated. I know in marketing. And you're going to say, Oh, no, of course not. But. And. You'll facepalm, of course. But in marketing, when you give marketing a lot of money, like after a after an investment round and you say, I want you to do really cool stuff. Marketing professionals can find a lot of things to spend money on and they might not always be strategic. I know it's a shock, but sometimes we just really want to give out the cute teddy bears. And I have this really cool idea of little inflatable flails like you see at the car dealership. Pass those out to cybersecurity people. It's like, Are you tired of going like this? But I can spend so much money. Daniel It's disgusting, but it might not be strategic. Do you security? Do security people have a problem with that? 

Daniel Spicer [00:25:46] Yeah, no, I think we do, obviously. I think we do. And I think the most obvious place where that becomes an issue and I actually this practice in general. Right. But there are always organizations around, you know, beginning in November like, hey, you have some of that infosec budget left if and obviously again, I don't like the practice, but they use it or lose it thing. I know that's a real thing, especially in public sector but. Um, to, to, to not already have a strategy for how you're going to spend that does point to a problem. And I think that is a bigger problem than the the industry that we're probably not talking about a lot. Right. Which is one we overspend on consultants. And I say that having previously been an InfoSec consultant. 

Ashley Stryker [00:26:49] Amanda was one, too. You hired one permanently. 

Daniel Spicer [00:26:52] I know, I know. Well, because they do have the widest variety of experience to bring in to an internal work. So it's a it's a smart hire that way. And most of us who are looking to exit consulting or just tired, you know, will will trade we'll trade a little bit of of financial cushion to to be able to have a more normalized workweek. The truth of consulting. Right. And that's not just in infosec consulting. It's just consulting in general. Right. 

Ashley Stryker [00:27:27] Don't go there if you ever want to have a work life balance. I've done it twice. It was it's best in house. Just yeah, I feel you. 

Daniel Spicer [00:27:37] We use consultants for too many things and we use people and the wrong way. The worst thing that you can do with your budget is to outsource a bunch of work to a temp agency or to consultants and in some cases even interns. Right. And hired an operational need for permanent headcount within your team. And I don't know that that's even true just for InfoSec. I think that is a general truth, that InfoSec is just, in my personal experience, a little bit worse with. Right. We're very comfortable going in and getting outside people to come in. And the most common reason is it's too hard to hire people or they're too expensive. And of course I feel very strongly that a lot of time it is better to hire outside of InfoSec specifically and go grab some some people that 80 or some people in engineering development who want to gain that security expertise because they have a lot of that similar experience. So I think that's a big thing. I also feel like in general, companies don't do a good job of paying attention to technical debt within security coming out of a ransomware. Something that I had to coach a lot of companies on is like, Ah, antivirus is horrible. We're going to rip it out and our firewalls are horrible or in a rip them out. And all of these tools that they had were apparently not working. And I'd be like, Well, your antivirus did detect it, but it wasn't blocking because you didn't configure it. Right? Right. Your your fight, your firewalls weren't patched, right. That is, those are hygiene and and just loving care and maintenance of your tools that wasn't being provided. And so you have to like you have to to pause them for a moment. Right. And actually one of the things that we did a lot was we had a whole bunch of the antivirus software and we would just take the malware and be like, give them a report of which ones actually would have detected it. And nine times out of ten it includes their own solution and we would find some kind of misconfiguration, whether it was definition updates or it just wasn't configured to block or go in, was looking at the alerts. That happens a lot. And so like people don't clear technical debt and that is a better use of of money and resources than buying the latest and greatest thing off the shelf. That isn't going to make a significant. 

Ashley Stryker [00:30:09] Difference if you're not going to tune it properly. There's no point. You've got a clunker. You've ended up in a car accident because the brake lines failed. It would be like you going out and buying a new car, the latest and greatest, and then refusing to get it serviced just like you did the last one. And the brakes will work for a while because you had them checked at the time that. You bought the car. But eventually, if you don't go back into the shop, if you're not paying attention to the check engine light, if you're not paying attention to the your tires need air light, you're just going to end up having your tire blowing out right before the Baltimore Harbor Tunnel. And then you're going to have scary people driving past you at 60 miles an hour and you're going to think, oh, dear God, I'm going to die because I didn't check the air pressure in my tires. The solution is to check the pressure in your tires, not just say, screw this car, it's got bad juju. I want a new one. Despite your impulse. 

Daniel Spicer [00:31:08] And again, going back to how people spend their money, they spend money on the big fancy products and a bunch of people to implement them and don't then make sure that they're using the rest of their budget on the right number of staffing to maintain the thing they put in. 

Ashley Stryker [00:31:22] Right. 

Daniel Spicer [00:31:23] And that is that is one of the big things that makes or breaks an organization on sustainable security versus in sustainable security. And I know there are plenty organizations and people who will listen to this. They're like, well, obviously, Daniel, of course. But you got to remember there are a ton of organizations and really the ones that get him backed by these things have that issue. And so the last point I really want to make on this is it's not only just about infosec people, right? I'm really glad that we are protecting and in some cases increasing infosec budgets. Right. So what are you going to do when they do that by taking away I.T resources because InfoSec can't do anything without the partners that actually go and implement things. 

Ashley Stryker [00:32:12] So if you spend all the money because infosec are security professionals who report that their budgets are increasing for next year, they're like, yeah, because we need these fancy consultants and we need this brand new firewall because it was the firewall that got breach next door. So clearly we have the same one, so it can't work, right? And so we need the money for that. Like, Oh yes, yes, yes, yes. And then Finance looks at the budget sheet and goes, We should take it from the same kind of flavor of organization. And then so you have all of this fancy technology on all of these devices that is now being managed by. A staff that was already overworked and now doesn't have the tools it needs for research, for asset discovery, for resource management, for ticket management, for any sort of I mean, God patch rollouts. 

Daniel Spicer [00:33:06] Your help desk is the number one place that you don't want to be overwhelmed because they skip processes on validating password resets and identity and role changes. You run into a whole nother level of issue. People don't realize how important this partnership is. So I think the last time I was on here, I was actually spending a lot of time with Tony. I spent a lot of time defending Tony's budget and Tony's people and telling like, Hey, I need Tony to have another person here because that team needs more people in order to support what I need to get done. And so I think that my concern, seeing that number is okay, So if the infosec budget is is not being touched, where is it coming from? Right. Is it still creating impact that ultimately ends up affecting InfoSec in the first place? 

Ashley Stryker [00:34:00] That's. That's deep. I wouldn't. I wonder what Toni would say. And. And I bet you Tony would have probably fought the exact same fight you did for him. He fought it for you. Because if you guys don't have the proper security people and the proper bandwidth and ability to prioritize that hygiene and that maintenance and those patch cycles properly, it's his team that has to restore everything from the back ups and deal with blue screen of death. Give me crypto or your grandma dies. You know, like. 

Daniel Spicer [00:34:41] It's like. 

Ashley Stryker [00:34:42] It's there to you has to save grandma. 

Daniel Spicer [00:34:46] That's the name of the web server that they denial of service. It's called grandma. 

Ashley Stryker [00:34:50] Yes. So if you want to. 

Daniel Spicer [00:34:52] Have one day, we'll talk about a Windows a Windows seven machine named router. And one day will one day we'll talk about that on the air. It's a real issue that the interdependencies on those teams can't be understated. And I think. Tony would fight for for for certain places, especially when it how has me prioritizing things for him to make sure his resources are spending the right time or making sure his team has the right advice on how to implement and configure things? Right? Because those kinds of security guidance or things that we come in and help with. So it's not just about us creating more work for them. And that's why, jokes aside, you know, we had fun on that last podcast, but that's why Tony is such an important and strong partner for me, right, is because we both see how we rely on each other, even though there is a separation between us. Because at some point I have to hold him accountable. 

Ashley Stryker [00:35:53] It doesn't matter how big a company you are. Does it matter how small a company you are? These core security challenges remain. 

Daniel Spicer [00:35:59] To wrap this up in a bow, Right? What I actually really like about this report is it's not a bunch of predictions, especially like I hate the prediction reports that come out where like, you know, like we predict that there's going to be malware next year, Like there's malware now. Like, nothing's changed. You're not predicting anything. 

Ashley Stryker [00:36:19] I think phishing will. 

Daniel Spicer [00:36:20] Be a promise. You it will happen. I predict. 

Ashley Stryker [00:36:29] I'm an expert. 

Daniel Spicer [00:36:31] It. What's really interesting about this report is seeing how it comes back to core challenges that still have issues throughout the industry. And a lot of people, as the report kind of opens up, would not take a small bet on whether or not the things that they've already put into place actually protect against these core issues because that they are not actually that confident in their controls. And so it's kind of interesting to rather than predict what 2023 is going to be about, it's about looking back at the core challenges that an organization faces and looking at hopefully your increased security budget and how you're going to actually rectify and improve the controls that solve your core challenges. 

Ashley Stryker [00:37:19] Well, talk about a bow. Thank you, Daniel, for being willing to play with me and and talk about this report. He'll tell you I've been talking to everybody's ear off about it for about four weeks. So that being nice. 

Daniel Spicer [00:37:36] It was a lot to unpack and so it was good talking about it. 

Ashley Stryker [00:37:39] Thank you. Thank you guys so much for tuning in and being willing to follow along with us. And if you'd like to talk, learn more about the resources we mentioned in the conversation, say specifically the press reset report. I will make sure there's links directly to those resources for you available in the show notes and in the description on your podcasting platform of choice, though if you'd like to search for it now it's Ivanti dot com slash cybersecurity report. And yes, that's a vanity URL. And yes, I promise just going to a landing page with the normal cookies and tracking, not hacker cookies and tracking just putting that out there. If you found today's conversation interesting, insightful. You two think it's ridiculous that only 43% of people experience phishing? I'm sorry. It's just ridiculous. Go ahead and tell us about it. Well, you can find us. Hopefully if Twitter still exists when this comes out. You can find us on LinkedIn. Please do join the conversations. We look forward to hearing your responses along with all of the responses we have been getting so far. It's been really interesting to see what people find interesting about the report. Hashtag Metta. And as always, if you found this interesting and you think one of your coworkers, your teammates, your grandma, if she's not a server, thinks would find this interesting. Please do forward this to them. The more people who download and listen to our episodes, the more the algorithm likes us. I'm a marketer, Shosh. Daniel, you know I have to do this. It's important. Your words are worth hearing, Daniel. 

Daniel Spicer [00:39:22] I'm sorry. I couldn't help it. Just kept thinking about web server. Did you say? I'm sorry. You were doing well, and I had to use a web server name to grab. Okay, let's go back to it. We're way. 

Ashley Stryker [00:39:42] Over. No. Yeah, we are. So please do share that. And with that, we're signing off. Stay safe and we'll talk soon.