Techstrong TV: Industry Powerhouse Releases Cybersecurity Conversations Report

Herjavec Group and Fishtech Group recently announced their merger, creating an industry powerhouse with more than 600 security professionals around the world. The combined company has released its 2022 Cybersecurity Conversations Report, detailing the key conversations that executive teams should have this year in order to build resilience against the evolving threat landscape. The video is below, followed by a transcript of the conversation.

Mitch Ashley: I have the pleasure of being joined by Atif Ghauri. Atif is the Chief Product Officer with Herjavec Group. Good to be talking with you today, Atif. 

Atif Ghauri: My pleasure.

Ashley: Great. Well tell us a little bit about yourself, and tell us a little bit about Herjavec Group. I think we’re gonna go into that, as well. Just tell us a little bit about the merged company and then we’ll get into how this came together.

Ghauri: Yeah. So I’ve been with the company for close to … since 2014, and we’re very excited about what we’ve been doing in the market, and more importantly, just very recently, we announced a major acquisition and merger with Fishtech, which is an extensive, complementary offering for us around managed security services, which is the cornerstone of all that we do. So very excited about that. I am the head of product for the new company together, formerly the CIO of Herjavec Group. We have some extensive plans for what we’re gonna do moving forward, to expand our managed services offerings, given this complementary acquisition merger.

Ashley: Excellent. Well, if you’ve been in security for a while, you know Fishtech, and probably know Gary Fish. He’s a long-time friend of Allen’s and mine, especially Allen’s. He’s always been well respected, so congratulations on the merger acquisition combination, whatever those are these days. Sometimes you can’t tell how things roll out.

Ghauri: Yeah. Gary’s been tremendous, a visionary in the field. Started Fishnet several years ago, and has gone on to found other companies as well, including Fishtech. And Robert Herjavec, CEO of Herjavec Group, and Gary have actually been good friends for close to 20 years. And so it was just a matter of time before they pulled together into one organization. And so the cultural fit couldn’t be better for us.

Ashley: Some things are inevitable. You just don’t know it until it is, right?

Ghauri: Yeah.

Ashley: Well good. Well congratulations on that … gosh, Fishtech. I haven’t said that word in a long time, and Fishnet. So, we’re excited to see. So are you in the integration process, sorting things out about how the services are gonna complement each other, and how that’s gonna work? Or did you already have a plan pre-merger? How’s that going?

Ghauri: Yeah. We are mushing it together. No. In fact, given the complementary nature of the merger, it’s been very fluid, in that both of our organizations have been experiencing tremendous growth, especially towards the end of last year and going into this year. So our theme has been continue the momentum. And so we’re almost operating in a place where there are some synergies, but really just continuing the momentum, what we’ve already been doing. And given the complementary nature, which is why we conducted the merger acquisition, it’s really been fun, and we’re still experiencing that growth, and we expect to have great earnings to report at the end of the quarter.

Ashley: Excellent, excellent. Well, we’ll look forward to that and other good news coming from Herjavec Group. Speaking of news, you’ve come out with your 2022 Cybersecurity Conversations Report. Now this is something. I don’t know how long you’ve been doing this report. I assume you’ve done this before. I know it’s come out in years prior, right?

Ghauri: Absolutely. We’ve been doing this for several years, and our customers especially really appreciate it and look forward to it.

Ashley: Interesting, Conversations Report. We’re always talking about security. Tell us some of the interesting things that have come out of this year’s report.

Ghauri: The dialog around the report is focused on how we’re seeing the cybersecurity landscape from an executive standpoint. And there are key themes there that tie back down to key engineering operations, the type of reports that the architects and the engineers also like to dig into. And the big themes in cybersecurity. If you watch the news, you see cybersecurity regularly, especially these days, given the activities across the Atlantic, in Russia. The capability for each organization to be agile. I think that’s one of the key themes that come out of the report: being able to take the program and adjust, based off of the types of changing apps, whether it’s going from on-prem to cloud or whether it’s the state of the attacks that are coming in to the network or to the endpoint. So the agility of your security program, we cover that.

And secondly, I would add on visibility. So in 2022 especially, if you don’t have visibility, you are in trouble, in that you can’t stay ahead of or even up with an attack if you don’t know where you’re being attacked. And where you’re gonna be attacked has now extended to the Internet of Things and operational technologies, which we talked about before, but now it’s in your face, as you see in the reports from the media around different types of attacks that are actually being published. But what about the attacks that aren’t published? We do work in digital forensics and incident response for many of our customers, and there are a lot more attacks out there, and a lot more breaches that are happening, that have not been publicly talked about yet.

And so, the ability to have visibility is a key factor, another theme that came out of the report. And finally I would say, the Boy Scout motto, always be prepared: the capabilities that you may have, the capabilities that you want to develop. That’s an area that we talk about as well, what types of capabilities from a cybersecurity standpoint you can build on. I would say those are probably the three big themes.

Ashley: Makes total sense, especially given, as you mentioned, what’s happening internationally. Just my opinion about things, it seems like we’ve moved past the era of, uh-oh, we’d better go back and get things shored back up. Right? Yes, we’ve gone through the whole COVID and rapid expansion, and we are revisiting some of those things. But now everybody’s expected to be well protected and have the proper defenses in place. And, as you mentioned, visibility, which is a two-sided coin. There’s visibility into what the attacks are, and the unknown unknowns that are happening. But also, where, and what is being attacked? Because security has to deal with, it’s not just infrastructure in our data centers, not just cloud infrastructure. It’s all the way through the application stack, third-party services, supply chain, attacks off of the supply chain. It’s a much broader landscape that we need to have visibility into, for the security posture.

Ghauri: That’s right. And we absolutely see that, and that extension and that visibility, it’s often challenging, especially for mid-enterprise corporations, and of course large enterprise corporations as well, because of the, okay, so you spent this time, energy, tooling within your environment, but what about your third parties? And are they doing the same level of due diligence? And as a cybersecurity professional by trade, it’s the weakest link that can make all things go wrong. And so security is only as good as the weakest link. And oftentimes that’s the third parties, the third parties you do business with. And having their security infrastructure at a level that’s equal to, if not more advanced than, yours. And organizations have adopted a zero trust model, which is easier said than done. Given the amount of controls required for your applications, for your end users, it’s almost an overhaul for some organizations. Again, going to a zero trust model to adapt to the third-party risk from vendors and external parties.

Ashley: Yeah, some great points there, too. I think we’ve come to the realization we knew all along, that the shared risk model is not outsourced risk. It’s still our risk. It’s just that someone else is responsible for making sure we don’t have issues. But, just because they’re outsourced to a service, or we use services, right? And I would imagine, especially in your business, that’s an important thing to communicate with your customers, what that shared risk model really is, and how you work together, because breaches and attacks are gonna happen. I’m not saying you’re gonna be breached tomorrow, but we all are gonna experience incidents as well as, of course, attacks. And I think there’s a much more heightened sense of the role that service providers, SaaS applications, all of it play in the ecosystem of our software stack, if you want to think of that, our infrastructure stack.

Ghauri: I’d say the key word is accountability. And as we’re a partner for many of our … all of our customers, we try to be a partner, vs. a vendor. And all partners will say, “Well, we’re gonna take care of you. We’re gonna be there for when you need us.” But what does that really mean, from an accountability standpoint? And so we like to have those conversations. Sometimes they’re uncomfortable, but they’re direct, to talk about, “Okay. What are we doing? What are our responsibilities? What have you really signed up for?” So that way everyone is clear as to what type of responsibilities the service provider has, vs. what the customer has. And then let’s figure out the gaps and address them. Especially as your partner, as we’re saying, we want to be your trusted partner, we can help you address those gaps. But let’s make sure we have the right services, the right resources that are gonna be tying that in, so that when things do happen, ’cause they’re happening, that can bring something down, or cause an outage, we all know who’s on first and who’s on second, in order to get back, recover and be operational again.

Ashley: I totally agree. It’s not just signing a contract or providing a credit card. ’Cause you also don’t know what the risks are on the other side that might be coming your way, or affect the service that you’re providing to them. I’m curious about zero trust. You mentioned people’s adoption. We’re in this adoption curve, early on, I think most people would say. And you mentioned rethinking security and the kind of controls that you need over software and applications. What are some of the lessons we’ve learned so far, thinking, planning, architecting and beginning to implement zero trust? Any thoughts you could share, either from the report or your own experience, Atif?

Ghauri: Yeah. We could talk about that, and we cited part … components in the report around zero trust as well. Zero trust is really born … it’s a cloud-led idea. Whereas in the cloud, you have a hypervisor, you have virtual machines. Some of them live for years, some of them live for minutes. And you have the ability to do more software-enabled security controls on the fly. And so with that, what we’re seeing in the industry is that adopting a zero trust model is … a great enabler of that is cloud-based computing platforms. So if you have a workload that’s moving to the cloud, or even a set of workloads or a whole department or organization that’s moving to the cloud, it’s a great time to architect a zero trust model. So we can, based off of different types of controls, whether it’s through a multi-cloud approach, or whether it’s through hypervisor controls, whether it’s through a cloud posture management solution, all of which we do for our clients as a managed service, as part of our offerings, you can begin to build that zero trust model, vs. the traditional on-prem model where you have to rip and replace and tear things down. So as far as transition and adoption, using the cloud journey to enable that is something that many organizations have had success with.

Ashley: Zero trust isn’t a feature or a sticker on the outside that says Intel … Zero Trust Inside. 

Ghauri: Yeah. And for the folks who are still learning about cybersecurity and watching, zero trust basically means that layer, layer, layer, layer of security. And it’s not just the castle with the walls around it, where once you get past that wall, you’re in the castle. Those days are gone. So it’s maybe hundreds of walls that are attached in the center to the data, that is their most prized possession, the crown jewels, vs. one big wall on the border.

Ashley: Yeah. Great way to describe it. Given that the report’s called Conversations, what are some of the conversations security executives, security professionals should be having with senior management, the executive board, other parts of the business, that either we aren’t having or we’re starting to have more of?

Ghauri: I would say the ransomware conversation is very real, and many organizations have already been impacted by ransomware in one form or another, or a third party was ransomwared and they were indirectly hit by it. And so ransomware preparedness is a key topic, because this … in the past, if you look at cybersecurity as a whole, there’s the CIA triad, the Confidentiality, Integrity, Availability that are the foundations of cybersecurity. Availability. It’s there. It’s the A. And that is what’s really being attacked. And so in the past we’d have, like, a grocery store or an organization that says, “I don’t really have any data, and so I don’t really need to invest in security.” You can’t say that anymore, ’cause availability impacts everyone. The A in the CIA triad. And so how to address business continuity, disaster recovery, availability of systems is something that’s top of mind for executives, because while they could have dismissed the technical guy, around technology and maybe cybersecurity in the past, they cannot dismiss the factory or plant that’s gonna be shut down, the unavailability that’s gonna impact your revenues and the number of widgets that are gonna be produced.

And so the Colonial Pipeline incident from last year, it was a great mini lesson within the larger issue that happened. Everyone’s well aware of the Colonial Pipeline attack, but people aren’t as aware of the fact that the CEO of Colonial Pipeline was asked, you had controls in place. You were able to recover, ’cause you had backup. So why did you pay the ransom? And you would think, okay, well you have backup, and you can recover, so why would you pay the ransom? So the answer that he gave was, because I didn’t know how they came in. And so therefore, they could do everything they want, and it could happen all over again. And so the lesson at the C level, to the executive team, around availability is: know your environment. Have that visibility, have those controls in place, and organizations like us, as a managed security service provider that prides itself on how we’re able to detect, respond and enable the remediation of attacks, we actually know how they came in, based on the controls we deploy. That’s something that you really need. Either you need it in house, or you need a partner that can help you answer that question of how did they come in? Otherwise, you may be in the situation that that poor CEO faced last year.

Ashley: You never know if you’re in the same situation and it could happen all over again. I think it’s a very wise question to ask. Should be asked.

Just one thing I wanted to get your opinion on, just as an aside. One of the trends that people talk about and you start to see happening, I’m curious if you see this too, is the role of the CISO and the CIO, and those being combined in some cases. Sometimes the CISO also takes over the infrastructure. Sometimes it’s a full CIO job. Is that an edge-case exception? Is that a trend that you see starting to happen and building momentum, or is it really good for articles on websites, but not really happening in the real world?

Ghauri: I’ll tell you, the importance of the CISO is greater than ever before. In the past, if anybody asked, “Well, we’re paying the CISO all this money to help the organization, but we have all these engineers that do this, and these technicians that do that. Why do we need the CISO? He’s just telling us what …” Well, the answer is pretty in our face these days, especially if I use a wartime analogy. When things go down, you have tanks, you have fighter jets, you have submarines. You have all these different security controls, let’s call it, like firewalls, endpoint detection, but which one do you deploy when? And how? And how do you coordinate them together in order to accomplish your mission? And so it takes a CISO to do that, to be able to understand the different types of technologies that you have in play, and how to be … how to deploy them. What layer goes between another? The engineers are brilliant, and they’re in the weeds on the keyboard, but they’re not seeing that bigger picture, the general approach of overall cybersecurity controls and cybersecurity operation, the cybersecurity architecture and governance. And that rests with the CISO. And so that role has become more important now than ever before, just given the complexity of the types of controls and applications of controls you can put in play.

Ashley: Excellent. Thank you for your perspective on that. So the report. Where can folks download that, and start those conversations if they’re not already having them?

Ghauri: It’s front and center on our website, herjavecgroup.com, fishtechgroup.com. You can download the report. There’s a PDF version of it, and I’m happy to talk to anybody who wants to talk more about what they’ve seen, any of the references we refer to there. For cybersecurity professionals it’s a good recap of things that need to be focused on in the year to come, and questions to ask your vendors as well around how they’re helping you with accountability and security controls.

Ashley: Excellent. Excellent. Very good. Well, Atif, thank you for joining us. I hope you’ll come back … welcome to come back for 2023’s report, but please come back in the interim and share some more with us, what’s happening with Herjavec Group, and what exciting things are on the forefront. 

Ghauri: It’ll be my pleasure. Anytime. Thank you for the time today.

Ashley: Great.

Ghauri: All right.

Ashley: Thank you for talking with us.