Cyber Crime Junkies

New Ways Leaders Can Assess Their Risk Appetite

March 31, 2024 Cyber Crime Junkies-David Mauro Season 4 Episode 40

In this conversation, Dan Elliott, principal cybersecurity risk advisor at Zurich, discusses new ways leaders can assess their risk appetite.

KEY TOPICS:

  • how risk appetite affects your cyber security plans,
  • explaining risk appetite in cyber security to leadership,
  • how security planning involves risk appetite,
  • new ways leaders can assess their risk appetite,
  • how cyber insurance works,
  • how cyber insurance is only one part of risk management,
  • and risk management beyond cyber insurance.

Chapters

  • 00:00 Introduction and Role Explanation
  • 03:26 Transferring Risk and Risk Appetite
  • 06:01 The Complexity of Insurance and Risk Management
  • 07:41 Insurance as One Part of Risk
  • 08:10 The Impact of Breaches Beyond Insurance
  • 09:48 Career Journey: From Coding to Law Enforcement
  • 16:32 Concerns of Organizational Leaders
  • 20:22 Breakdown in Communication between Technology Leadership and the Board
  • 21:19 Explaining Risk Mitigation and Funding Needs
  • 22:46 Constantly Evolving Security Programs
  • 23:02 Challenges and Techniques in Fighting Breaches
  • 24:07 The Complexity of Cybersecurity Breaches
  • 25:13 The Priming Process and Research Involved in Breaches
  • 26:07 Measuring and Quantifying Risk in Cybersecurity
  • 27:03 Compliance vs. Cybersecurity
  • 28:03 The Importance of Cyber Risk Quantification
  • 29:11 The Role of Compliance and Security in the Financial Industry
  • 30:02 Preparing for a Data Breach: Incident Response Planning
  • 34:06 The Role of Law Enforcement in Incident Response
  • 36:22 The Difference Between Compliance and Security
  • 43:38 The Impact of Poor Preparation on Breach Response
  • 44:34 Preparing for a Data Breach: Incident Response Plan
  • 48:28 The Importance of Practice and Preparedness
  • 49:24 Upcoming Events and Focus on Helping Clients


Dan Elliott, Principal Cyber Security Risk Advisor at Zurich, and notoriously talented storyteller for complex subjects, joins us.


Takeaways
• Transferring risk and understanding risk appetite are crucial in insurance and risk management.
• Cyber insurance is only one part of risk management.
• Communication between technology leadership and the board is essential.
• Security programs need to constantly evolve.
• Measuring and quantifying risk in cybersecurity is necessary for effective risk management.
• Compliance and security are separate but interrelated, with compliance serving as a leading indicator for security.
• Incident response planning is crucial for organizations to effectively respond to data breaches.
• Preparation, practice, and collaboration with law enforcement and other experts are key to successful breach response.


D. Mauro (00:01.281)
It is always good to see you, my friend. Welcome everybody to Cyber Crime Junkies. I am your host, David Mauro and in the studio today we have Mr. Dan Elliott. He is a fascinating storyteller and also serves as a principal cybersecurity risk advisor at Zurich. He is a notoriously talented storyteller and

is able to translate complex subjects into little booklets that we can view with very cool people and animations on LinkedIn. And it all makes sense. And it actually has business impact. So Mr. Elliott, thank you so much for joining.

Dan Elliott (00:48.974)
You kidding? Thanks so much for having me back. I love these conversations.

D. Mauro (00:53.313)
Yeah, it's good stuff, right? I mean, I learned something every time I get to speak with people smarter than me. So it's always which is a lot of people. So it's always it's really good. So let's talk about what you know. Let me just start broad. Well, first of all, for those who may not know you, your current role, explain your current role. And then I want to find out.

Dan Elliott (01:02.798)
Well hopefully you learned something talking to me too, because I don't think I fall in that category.

D. Mauro (01:21.281)
kind of like, did you always want to be Batman when you grew older? Walk us through that. So explain your current role for everybody in English, regular, plain language.

Dan Elliott (01:27.086)
Well, you know, uh,

Dan Elliott (01:34.382)
I think that, you know what, that has been probably the key piece of my role over the last 18 months. So with Zurich, insurance is complicated enough. And I think one of the things that a lot of people are used to is their typical personal insurance where they're just buying it, they get a product, they get a five page document that they never read, and that's the end of it until they have to call for a problem. Commercial insurance is...

D. Mauro (01:45.057)
Correct.

D. Mauro (02:00.033)
Right.

Dan Elliott (02:02.606)
is like layers more complex than that. And then you add in all of the complexities and nuances of security within IT and cyber more broadly, it can be a nightmare, especially when you think that people are working in InfoSec and IT touch on insurance once a year in a lot of cases, and their risk management and insurance counterparts.

touch on for the most part, IT and InfoSec also one time a year, it's this kind of explosive moment where you get on calls and people don't really know what the other is saying. So a lot of what I do is about helping to bridge that gap between IT and InfoSec people, risk management and insurance people so that they're all assessing risk similarly so that for Zurich, we get the best quality risk and for our customers,

We're helping them mature and helping them grow. And especially for the IT and InfoSec people I work with, that they're able to get the right leverage within their organization so that if their insurance policy moves and ebbs and flows, that everybody is on the same page as to why. It's not this shock that, well, what the heck, we spent all this money last year and this is where things are going. So.

D. Mauro (03:26.081)
Well, it's really about transferring risk too, isn't it? I mean, I have a lot of colleagues and friends, personal friends that are in that commercial insurance space and it is much more complex and it is not boring like some people would think typical insurance is. It is pretty high stakes. It is really substantive conversations with leadership at

good size organizations about their risk posture, about their risk appetite, isn't it?

Dan Elliott (04:02.734)
Yeah, and I think you hit one of the key phrases right there. It's that risk appetite. And what I think we've done, I don't want say poorly, but we've been late to the game on, is really speaking to companies largely about risk management within IT and InfoSec. And I think risk transfer came too early. Pass all our risk onto the insurance company, and then we'll spend some money on InfoSec.

D. Mauro (04:08.639)
Mm-hmm.

Dan Elliott (04:32.814)
the market changed, the market ebbed and flowed, and then everybody had to get back in line, and they were behind the eight ball, and you saw a whole pile of breaches. So that, what's our risk appetite? What are we willing to just accept as the cost of doing business? What are we looking to manage and mitigate and can build controls against? And then what's left over? What's the rest that we want to transfer to the insurance agent or to our captive or whatever their risk transfer product is that they're using?

D. Mauro (05:02.401)
I always love the conversation of, of well, you don't need any insurance. Like, you don't need to transfer any of the risk. But when you get breached, not a matter of if, but when you get breached, right? Are you ready? Like, are you going to if that phone rings, right? And none of anything is working, right? And you have a little note, you can't access your computer, your phone.

Nothing. Everything's turned white. Right. And you have a little note there, a little hello note from Russia that says and you peel it open and it says, download this and let's talk on a talks channel. Like, you ready for that? Are you ready for that? And then to figure out how to get rid of it, how to restore things, how to how to set things up again so that it doesn't happen again.

Dan Elliott (05:48.014)
Yeah.

D. Mauro (06:01.633)
It's all about various risk levels of various risk appetite, isn't it?

Dan Elliott (06:09.23)
Yeah, I've heard the blanket statement, you know, insurance is bad. We don't need to transfer risk. We can just do it in our own hands. And then I joined the insurance industry. Oh, yeah. Yeah. If you've planned for that and that's still a risk transfer. Yeah. And yeah, you have to you have to have a plan for it. I don't think it's ever a blanket statement. Thou shalt do this. Thou shalt not do this. But.

D. Mauro (06:19.489)
In some fields, they have like self-insured retentions, right? I mean, yeah, I mean, that's different, right? Those are just various layers, right? Yeah, those are just various layers.

D. Mauro (06:32.895)
Right.

Dan Elliott (06:39.15)
I will say that the organizations that just say, ah, we'll squirrel a little bit of money away. It's that idea that, well, I'm saving a bit of money so that I can repair my car, but that's not going to save you if the engine blows out. You really have to think about and plan for your worst day. What is the most expensive piece of this operation that could go down? How long will it take me to get back up? And what's that going to cost me?

D. Mauro (06:51.137)
Right.

Right.

Dan Elliott (07:09.038)
That business interruption is so, so big, such a big chunk.

D. Mauro (07:09.193)
Yeah.

D. Mauro (07:13.025)
It is and nobody really thinks it's either going to happen to them or or that it's not going to be that big of a deal when it happens until it happens and you talk to the people that have been through it and just the emotional toll the the family ripple effect it has on leadership's families and extended families. It's brutal. But in in the same sense, insurance is one part of the risk, right? Like,

it ensures certain things, it doesn't cover everything. And so there are long term reputational harm and employee morale and the ability to retain and capture good talent. All of those have statistically been shown to be adversely affected from a breach. Insurance can't stop that. Insurance can't fund you like

They're not giving you a check for your reputation. Like it doesn't work that way. So it's, it's really tough. So, so when you were a little kid, you were like, I'm going to grow up to work for Zurich and I want to be dead. No, I don't want to be a fireman. No, I want to be a principal cybersecurity risk advisor with Zurich, dad. I don't think you said that. So tell us.

Dan Elliott (08:34.894)
Yeah. You know, it was it was the title. That was the thing at age six. Yeah.

D. Mauro (08:38.625)
That was the title when you were like six. Get your GI Joe, you get your toy, you got your little game boy and you're like, I am ready. Zurich, principal advisor. Like they were like grooming you from a young age. No, it's just, it is a great career. It's just one of those things that how did we wind up here? Like, you know, when I was a kid, this industry didn't exist. It was not in existence.

Dan Elliott (08:55.694)
Oh, you know.

D. Mauro (09:07.84)
there wasn't a person in my role or in your role on the planet, right? And so what like, what did you start off doing? Like, first of all, what did you want to do when you were first coming out? Because people always, they always see people that have achieved a lot in their career like you, but then I'm like, yeah, but let's find out the origin of it, right? Because it's really like that you could get there. Like so many people are like,

why I didn't get an engineering degree and I didn't do this and I didn't get this cert and I'm like, you can still get there. You just, it's still a lot of work, but you can still get there. So walk us through your walk us through your story a little.

Dan Elliott (09:48.686)
Sure, sure. I mean, I program from a very young age. And I mean, this is Visual Basic was kind of my programming language starting out. Visual Basic, C++, that's kind of where I left it. And I went from there, thought that corporate law was, I know, this is, it is scary how many people I talk to now coming up in the industry that give me a blank stare.

D. Mauro (10:07.841)
Visual Basic is cutting edge, man. Visual Basic is huge now.

D. Mauro (10:15.521)
Yeah, that all had that. Oh, yeah. I remember it.

Dan Elliott (10:18.798)
Like, and those were the, that was kind of the core piece back then. And I diverted away from that and I don't even know why. Who knows? I was probably chasing something and ended up in government. I was looking at foreign relations and landed myself in law enforcement. I was working with border security, dealing with drug smuggling.

D. Mauro (10:24.577)
Sure.

D. Mauro (10:45.761)
Okay, hang on. Hang on a minute. How did you go from coder, like little kid in a little Canadian hoodie, right? Like go hockey team, then coding, and then to working for the government. Like I want to explore this.

Dan Elliott (11:03.47)
Yeah, that was, it was a jump because at the time I really didn't see a career in software programming or in any of that side. It wasn't, it was a hobby for me. It was fun. I love doing it, but I mean, I love doing this stuff at the time that we'll call it. It was a gray area. It was that, that like, you know, it, I didn't, I bent a few laws. I didn't fracture any. We'll, we'll say that.

D. Mauro (11:06.889)
Yeah.

D. Mauro (11:16.193)
It just wasn't what appealed to you. Yeah, it wasn't. Yeah.

D. Mauro (11:25.673)
Mm-hmm.

D. Mauro (11:32.017)
Wow! Alright!

Dan Elliott (11:33.326)
And so I never thought of that as bridging into a permanent career because that was just something I liked to spend time doing. And...

D. Mauro (11:39.841)
A career. Yeah, right.

You cherish your liberty more than the achievement of a hack. Right? Yeah.

Dan Elliott (11:50.862)
Yeah, it was. And so when I started looking at where I was going to spend my time, I thought I was going to join the foreign corps. I was going to work as a diplomat. I was going to do work abroad. That was kind of the vision. And I.

D. Mauro (12:02.239)
Mmm.

D. Mauro (12:08.065)
How did you get into the Canadian government? Were your parents involved or did you have relatives involved?

Dan Elliott (12:13.838)
No, I went straight from outside. So I, much of the way that I tell people now to get into cyber, it was through networking. I was in the right places. I just went everywhere. And I got introduced to a few of the right people, made it through a long application and training process and ended up working as a...

D. Mauro (12:17.249)
Really interesting.

D. Mauro (12:24.193)
Excellent.

Dan Elliott (12:40.174)
first an immigration officer and then a plainclothes officer working in an intelligence unit with Homeland Security and the FBI and a few other acronyms around the world. And it was fun. I mean, we were doing human smuggling and drug smuggling and gun running and running covert operations and human source operations in all of those areas.

D. Mauro (13:03.425)
Did you start the P. Diddy investigation a long time ago? No, let's not touch that. That's not our podcast. I want to stay clear of that one too. I'm not touching that one. Okay, so segue. Maybe I'll edit that out. We'll see. Okay, so really interesting. Did you have any relatives that were in any form of law enforcement?

Dan Elliott (13:11.47)
You know what, I'll stay clear of that one. You know.

Dan Elliott (13:21.23)
Yeah.

Dan Elliott (13:33.486)
Not at the time. So I have siblings who now moved into law enforcement after I did, but I jumped out of the law enforcement side of it pretty quickly and into the intelligence community because that was the side that really spoke to me. Some people in the community like having closure and putting cuffs on and ending everything that way. I love dealing with people.

D. Mauro (13:35.413)
Hmm.

D. Mauro (13:45.055)
Mm.

D. Mauro (13:57.377)
All right.

Dan Elliott (14:01.166)
I loved looking at the puzzle from different angles, finding ways to work with people and to work through problems. And I think that's the piece in the Intel community that spoke to me more than the law enforcement side. I accepted that we're not gonna get to an end resolution of these things. We scratch away at the surface and something new appears. And we have to build into that.

D. Mauro (14:21.385)
Mm-hmm.

D. Mauro (14:29.057)
very similar processes in the mind to coding, right? Like the puzzle pieces, the viewing things of different angles, very similar to the same processes you needed back when you were a kid in coding. So there is a relation. We may not be conscious of it, but...

Dan Elliott (14:45.966)
Yeah, it was a loose run that I didn't see kind of playing through it. And working within the Intel community was great. Yeah, I did a fair bit throughout both law enforcement and my Intel side. It was a lot of fun. I'll put it that way. It was challenging training. It was demanding on...

D. Mauro (14:53.313)
Did you ever do any undercover work? Yeah.

Dan Elliott (15:12.174)
everybody demanding on me, demanding on the family, demanding on the organization. But they were really important cases. They were really important subjects to work on. And I felt very privileged to be able to do it. And I still see it today. I know of people who are still out there doing it and hold immense respect for being able to carry that on. I just got to a point in my career where...

D. Mauro (15:26.047)
Absolutely.

Dan Elliott (15:39.79)
I kind of looked around and the amount of time I was spending with my own family was less than I was spending with my work family. I didn't see them that often. They're probably still guys who think that I'm embedded somewhere out that just assumed it was gone. But it was, I knew I had a lot of friends who had very lovely ex-wives and I just decided that wasn't the path I wanted to tread.

D. Mauro (15:44.513)
Mm-hmm.

D. Mauro (15:52.381)
Because yeah, right.

D. Mauro (16:03.585)
Yeah, very, very, and some guys can still do it and some guys can do it. I don't know how they do it, but it was a similar experience with me with the practice of law. So yeah, I mean, I just, that's kind of the path I saw and I just needed to find a path that was similar, but more balanced. Really interesting. So in your current role, what are you seeing as some of the...

concerns that organizational leaders have, whether it's business leaders or a government agency or whatever you are providing advice for and you're working with CISOs on and security. I know what the stats say, but I'm curious in real life what you're seeing. What are some of the main concerns?

Is it the zero days? Is it the, we don't have a broad enough technology security layer stack? Is it social engineering? Is it, I don't know whether we're prepared enough. So maybe we would need to focus on incident response planning. You know, anything you can share with us on that?

Dan Elliott (17:18.286)
I think it's very divergent answers for each of the groups would be the nicest way to put it. So I think executive leadership who are looking at it from a business value finance side and then technical leadership who, whether they're on the risk management side or CISO side, IT, ITIS side, I think that there's some divergent thoughts on it.

D. Mauro (17:24.065)
Sure. How would you break them up? Yeah, how would you rate them or break them up?

D. Mauro (17:43.361)
Mm.

Dan Elliott (17:47.118)
I think on kind of a board and executive leadership side, they don't know what they don't know. And they're counting a lot on everything being in order. I mean, my CISO, my risk manager has told me I'm good. You know, this is then I'm good. And they're really concerned about the spend that they're currently looking after rather than the spend on their worst day. And that...

That is what I see a lot of on that side until they're really communicating across because on the other side with a lot of risk managers and a lot of CISOs, the concern is that whether or not their organization is prepared for their worst day. I mean, I don't see a lot that are necessarily primarily concerned with zero days. And there's still a lot of zero days in the wild right now, frankly. I mean,

D. Mauro (18:44.769)
Of course. There's only so much they can do though. There's only so much they can do by the very definition of what it is.

Dan Elliott (18:45.646)
I keep track of the monthly numbers.

Dan Elliott (18:52.302)
Yeah. So I think most of the CISOs that I speak to are looking at the human side of risk, looking at, you know, social engineering and phishing attacks. And how do we get, how do I get everybody on board? How do I get everybody ready? How do I look after that? Because they know how to build a security stack and a lot of the technical tools are there now. We're, we're much further, we're light years ahead of where we were when I began.

D. Mauro (19:00.095)
Mm-hmm.

Dan Elliott (19:20.43)
We're much further ahead now to the point where they can build technical layers. Whether they're doing it is something altogether different.

D. Mauro (19:28.001)
or whether they get the executive buy-in to fund it is another issue.

Dan Elliott (19:30.926)
And that's that bridge across. So having the tools available out there to apply, I speak to a lot of them on both sides going, well, if you can get that clarity with your executive team and with the board so they understand what you can actually mitigate, what the cost is and why, then you'll be able to build the proper stack. And the only thing you can't always build for is the human risk.

And that becomes the training piece and trying to get those champions throughout the organization so that people get, you know, why am I doing the monthly training? Why shouldn't I just race click through my, my training and why should I be reporting phishing and all these other great cyber hygiene habits that you hope people are doing.

D. Mauro (20:16.929)
Right. Yep. So.

There's still, there's more breaches now in terms of volume than there was in the last few years. The total amount collected has increased. Let me ask you, is there a breakdown in your opinion of what you're seeing in the internal communication between the internal technology leadership in whatever shape or form that

is in an organization and the board or executive team that funds it. I mean, are they, do you find that they struggle sometimes to speak the same language or to be able to explain the business impact or the level of risk mitigation that certain things happen? Where do you think that breakdown is?

Dan Elliott (21:19.982)
I think you hit the nail on the head all across the way. And I think it's all three of them. It's being able to explain what we can mitigate, what we can't and why we have to prepare for a bad day and limit that BI, limit that business interruption. And then it's talking, speaking early about, very early about the funding needs, about what, and speaking of it, and I, I, I,

D. Mauro (21:26.625)
Yeah.

Dan Elliott (21:48.11)
hesitate to use the term, but in business terms. So speak to it in terms of CapEx and OpEx and exactly where are we spending this money and why and how's that gonna affect the business? I have a few colleagues and friends that I love some of the ways that they speak to their business side in terms of what is the business value I'm providing to our marketing department? What is the business value I'm providing to my COO? What is the business value I'm providing here? So that,

they get that direct buy-in as an accelerator for the business rather than an expense line. And that makes it a lot easier to start to stomach the cost as you're moving through and build a program that's constantly evolving because it has to constantly evolve here. And that's the leftover piece that the executives don't necessarily see all the time that I get brought in often to speak to boards and leadership teams about.

where we're sitting come October. So by Q3, Q4, and they've spent through their plan, but there are new breaches coming out and we need to start looking at new.

D. Mauro (22:55.187)
new TTPs, new techniques that you have to now challenge, fight against, right?

Dan Elliott (23:02.382)
I wish, and I guess part of me wishes that that we're making up the majority of them too. The sad part is that the majority of the breaches I'm seeing and the majority of challenges I'm seeing are the same ones that I was seeing when I came out of the public sector, out of government. And it's the same eight to 10 items that we shortlist every time. And you, I get it.

D. Mauro (23:20.537)
Absolutely.

D. Mauro (23:28.481)
Yeah. Everybody believes they can spot a phishing email that this training is dumb, that I don't need it. But yet overwhelmingly, that is the cause. Right? Everybody knows they can tell a scammer or a threat actor if they call. But yet every like that's still involved. Right? Time after time after time.

Dan Elliott (23:35.982)
Yeah.

Dan Elliott (23:41.774)
Yeah, yeah, every month.

Dan Elliott (23:54.638)
It's those layered approaches, I think. And one of the things that I'm seeing as an evolving piece of it is the layers of telephone scamming layered with phishing emails and so that they build a relationship.

D. Mauro (24:07.841)
They're all data points. Yep. They're all data points. Somebody calls and asks for something random and they get one data point and then do this. Like when we think of the breaches that have been in the news, think of like the MGM breach or the Caesars breach. And you hear about, you know, ALPHV, the Russian ransomware gang, but they were coordinating with Scattered Spider, the social engineer, this young scattered group, right? And everybody felt...

at the time that they just skimmed LinkedIn, made a phone call and got in in 10 minutes. That's not how it happened at all. Like it was months and months and months of research. It was so much like when those calls were made, they were made to people in roles that are designed to want to help, right? They were made with

a vast amount of research so they could address any question that would come up, all from data points they just gathered over time until they launched.

Dan Elliott (25:13.23)
It's that priming piece so that you set everything in place so that you know and we used to do it in the Intel community as well. I'm sure they still are, I shouldn't say used to. But it's that notion that you want to have an expectation of what they're going to say or what the next answer is going to be based on how you've cultivated the relationship and built yourself up based on stereotypes in their mind and.

D. Mauro (25:22.113)
Yeah.

Dan Elliott (25:41.326)
what you already know about them and their organization and their boss and their colleagues. And it all comes together and it can be done much faster now than it could five years ago, but it still requires time and organization. And I think a lot of the threat groups have latched onto that, realize that that's a lot easier than they thought it was. And that's why we're seeing the types of breaches that we're seeing.

D. Mauro (26:07.615)
Absolutely. Have internal IT and security and compliance leaders in organizations, have they gotten better in your opinion or your experience in being able to measure or quantify risk in terms of cybersecurity? Like, are they able to say, you know, by doing this type of layer or by doing X

practice monthly. We are reducing our risk by a certain percent range based on all the data. Because there's so much data out there. And I know that there's several books out there. I've read one of them about measuring risk. And there's a lot of different models out there. I'm just curious if you're seeing them speak in that type of language or are they still, in every other industry,

Dan Elliott (26:44.494)
Right? Yeah.

D. Mauro (27:03.169)
They're able, like in every other department within that organization, executive leadership there says, well, if we do X, it will reduce our ability to hire by X percent, right? Like HR can explain that sales clear metrics, right? But yet cybersecurity oftentimes is good, better, best, high, medium, low, right? Like it's, it's very, very hard to, to quantify. Um, yeah.

Dan Elliott (27:29.582)
We like stoplights.

D. Mauro (27:32.607)
Right, we like stoplights.

Dan Elliott (27:34.094)
Yeah, it's, uh, I, I don't think it was, it's interesting. I was at a, um, a cyber insurance conference just last week and we were talking about the exact same thing. And I would say it's, it's challenging for cyber professionals to quantify just based on what they've gotten used to and based on all the standards and all the measurements that exist are based on qualitative inputs and qualitative outputs. And the cyber insurance industry.

largely has done a lot of the same thing and given companies the ability to continue propagating this, and we're moving. That cyber risk quantification piece is now more important. We've gotten to a point where we recognize in the industry, and I'll say the broader cyber industry, that to get financial buy-in, to get organizational buy-in, we need to start quantifying it.

because everybody else is speaking that language. And insurers are realizing that we have to leverage the tools and the data and the knowledge that we have to help companies speak that language, both because it makes it easier for us to risk score and risk assess, and it makes it easier for them to get better. So I would say it's a work in progress, and it was something that everybody was allowing to happen from.

D. Mauro (28:34.527)
Mm-hmm.

Dan Elliott (28:58.946)
you know, all the organizations with their standards and metrics to the companies themselves, to those of us in the financially associated sector that were just measuring based on what everybody else was using.

D. Mauro (29:11.329)
Absolutely, absolutely. So you're in, when you're involved in the financial industry, there's a lot of compliance, there's a lot of regulations. It's one of the first verticals or industries in any country that really imposes cybersecurity controls before the other industries. Are you, what is your,

position or opinion on defining compliance versus cybersecurity because different people in the industry are always, well, that's a compliance matter, it's not cybersecurity. And I'm like, okay, but, so I have my opinions, but I'm curious what your view of that is.

Dan Elliott (30:02.4)
Separate but interrelated, I think, is the easiest way to put it. There's compliance components, which are important, and they can be a bit of a leading indicator. So actually in FI, in financial institutions, they're a leading indicator; in the rest of the world, they're a lagging indicator. But it's that notion to get people started. But security is its own piece. And if we're just building to that.

D. Mauro (30:04.831)
Hmm.

Dan Elliott (30:30.382)
low watermark for compliance, we're missing all the other pieces, because threat actors are not playing to compliance. They're playing outside the rules. So I think at FI, so within the whole financial sector, they've done really well because they set high compliance bars. So playing security to that standard is a great, I would call it a high watermark, because I know what our global CISO network is doing and it's playing well above compliance.

So it got people started, but you have to really make clear to all the business and to everybody within your organization that security is bigger than compliance. It is, we don't lock the doors at night because compliance says we have to lock the doors. We lock the doors at night because we don't want anybody breaking in. And I think that that's really the line. Part of the job has to include a compliance function, and that's great.

D. Mauro (31:00.545)
Right.

D. Mauro (31:22.465)
Right.

Dan Elliott (31:29.324)
PCI compliance is great for requiring an organization to do some things, and it hits that kind of lowest common denominator. Yes. Yes. Yep.

D. Mauro (31:36.801)
It provides the evidence that certain controls were met, right? Which is great. Without compliance, security would be far less effective, I think. But security seems to be like an overarching evolution. It's more of a process. It's not necessarily that that task was done. That task needs to be done, and thank God you required that task, right? But...

Dan Elliott (31:48.814)
Yes.

D. Mauro (32:03.745)
that needs to be done in the holistic evolution of the almost like a maturity development of the organization in terms of cybersecurity. Is that a fair statement?

Dan Elliott (32:15.022)
I think that's 100% accurate. I really think that we have to look at it as part of the organizational growth. I love using, you know I love using analogies, but that idea that you don't put cheap brakes on a racing car. I'm not gonna over-engineer pieces of that vehicle unless I'm lifting it all up. And...

D. Mauro (32:26.411)
Always, you're a great storyteller, man. Like, it's awesome.

Dan Elliott (32:42.478)
I think that's the same piece as compliance and security, which have to move with the organization. If you want to drive faster, then you need to lift up your game on both sides. And yeah, there'll be some overlap where you can cheat and shortcut that: well, I did this for compliance and it improved my security posture. But you have to be looking at both sides if you want to move faster and leaner.

D. Mauro (33:05.407)
Absolutely. And I always like to think of that analogy where brakes on a racing car are not to stop the car, right? It's to improve control around curves, around, you know, other obstacles, things like that.

Dan Elliott (33:19.566)
Yeah, that's my go-to. I still remember, you know, driver training, when they kept moving our pylons in closer and closer and reminded us, you know, you're tapping those brakes, you're not hammering them, you're tapping them. And it's a confidence piece, right? You know that you're not going to hit the wall. But you also have the control to be able to weave a lot cleaner.

D. Mauro (33:22.089)
Yeah.

D. Mauro (33:27.081)
Yeah.

D. Mauro (33:36.065)
Right.

D. Mauro (33:43.393)
Absolutely. So in terms of organizations preparing for a data breach, how do they go about doing that? I mean, they use incident response planning, right? I mean, what is that? Like, explain to the listeners and viewers kind of what is a true kind of incident response.

Dan Elliott (34:06.094)
Sure, so I'll say I think there are two streams that organizations should be looking at. And the first one is going the route of a business impact analysis and business continuity because if you don't know where your critical business processes are and where your critical data pieces are, you'll survive the first 72 hours with a good incident response plan, but you won't win the war. So I think that that's the stream that.

D. Mauro (34:30.593)
Right.

Dan Elliott (34:33.486)
companies are starting to forget, that I need to do that BIA to move that and understand and assess what I really have. For the Incident Response Plan itself, it needs to be manageable and succinct enough that everybody is in on it. The playbooks should be more technical so that your technical teams know how to act on certain types of attacks, and in what order, and who to contact and whatnot. The Incident Response Plan itself,

is largely the executive document or that document for your incident response team to be able to go through as mental reminders as they're going through the processes and checking the boxes and making sure that they're hitting all the notes during what I'd say is that first 72 hours of, you know, whether it's a privacy breach, whether it's a, you know, our network's being shut down, who we have to contact and when and why. And I kind of...

I do more traveling than I like to do. And I always compare it to the pilot sitting at the front with their checklist. Even if they have the confidence that "I know what has to be done," they still have that document in front of them that they can work through as they're going, to overcome any emotional blocks that may be causing them to miss a step. And that's really what your IRP is for. It's helping people who have full-time jobs doing everything but.

D. Mauro (35:37.601)
Mm-hmm.

Dan Elliott (36:00.18)
incident management step in and be fully present at that time. I still look at them as, you know, this is the document to get you started on your corporate fire drill, so that I can handle that 80% and I have mental and emotional space to cover off for the 20% that's not in my IRP and that I haven't planned for.

D. Mauro (36:10.849)
Yep.

D. Mauro (36:22.945)
Right, because you always have to plan for the unexpected. Yeah. So in the incident response, that was a great explanation, by the way. And you didn't even like relate it to the woods or a bear or anything like that. That's phenomenal.

Dan Elliott (36:26.158)
Yeah. And then.

Dan Elliott (36:35.406)
You know, I left my woods analogy this time.

D. Mauro (36:40.801)
Okay, that was good. Here in the US, the FBI has encouraged, in fact Christopher Wray, the director of the FBI, has come out publicly and said, we invite all organizations, private and public, to build an incident response plan, build an incident response playbook, and invite us into the process. Partly because what they don't want is for them not to know who you are,

not to have any information. And then on the day, on the day of boom, right, somebody's calling them, like, help us immediately. Like, we can't do anything, help us. And then they have to spend an initial amount of time just figuring out who you are and what happened, right? As opposed to if they know who you are, they're part of the plan, it's in the system, then you could just hit the ground running together.

Are you seeing that, my question is, are you seeing that in Canada and in other parts of the world where you're consulting?

Dan Elliott (37:47.118)
So law enforcement is always a delicate space when it comes to incident response. And that's because they have an overarching role.

D. Mauro (37:53.631)
Mm-hmm. Why is that? Why do you... why is that? Yeah, why is that? Because people don't want the feds in their books, basically, right?

Dan Elliott (37:59.694)
Yeah.

Dan Elliott (38:03.31)
Well, I mean, in Canada and I can speak very clearly to the Canadian situation, less so to the US situation, but realistically, they're not gonna, the RCMP, the FBI's equivalent here is unlikely to send in the cavalry and stop it right there and take over and solve your problems for you. And in most cases,

D. Mauro (38:09.759)
Hmm?

D. Mauro (38:18.773)
Mm-hmm.

Dan Elliott (38:31.374)
in Canadian breaches, you'll have legal counsel who is quarterbacking, project managing this incident for you from the non-technical side. So truly kind of a project management side. And a lot of that information that's flowing out, the RCMP and police services are looking for a larger solution. How are we looking at this as a piece of a bigger puzzle?

D. Mauro (38:41.631)
Mm-hmm.

Dan Elliott (38:59.662)
this is one incident from this group, how can we figure out where this group is located? How can we track back to them? What other instances is it located to? Do we have a key for this? And those pieces, which are all very important, but in the throes of an incident, not all of them are gonna get you back up and running right away. The reality is that they have a role to play and there's a relationship that needs to exist there.

D. Mauro (39:21.889)
Sure.

Dan Elliott (39:29.166)
but it's not necessarily in the room. They won't be in the room with you. They don't have that role here. And I'm not sure that they have the manpower, the mandate, to be in every single incident to help that out. So I think one of the things that's important in all of this is A, to build a plan, B, to test it, and

C, to have conversations with law enforcement and with those cyber groups, whether it's the National Cyber Center or the like, so that you have an understanding of what information they're looking for, what assistance they can provide, and how that interaction happens. And breach counsel in a lot of those incidents will also hold that role and they'll act as a filter back and forth. But it's...

D. Mauro (40:18.303)
Mm-hmm.

Dan Elliott (40:25.006)
It's a challenging space, let's say. And I hesitate on it because I have a lot of great friends who still work on the law enforcement side in cyber, and I know that they're doing their utmost to cull a lot of this spread, but I also see it from the organizational side and asking, so if I call them, will that get me back up and running faster? I'm happy to answer questions, but answering questions for law enforcement, is that gonna help me?

D. Mauro (40:47.581)
Right.

Dan Elliott (40:53.9)
resolve my incident faster, get back the data that was stolen or decrypt the information that I'm dealing with. And the answer isn't always yes. That's the reality.

D. Mauro (41:06.497)
No, not always. I mean, there are cases, I mean, there certainly are cases where that's happened in some of the larger breaches. But it does seem that the information sharing, though, is important on both sides, right? Like the more they're aware of it, the more they can tie together that, you know, connect the dots between these groups that they are tracking, because your information could could connect a dot that they've been working on for a while.

And that can help all of the organizations, right? Whether it's through, we've got decrypt keys, or we can develop these, or whatever it might be. So it seems like the information sharing would help, right? But I think, it absolutely seems like it's not like they're going to come and help you immediately negotiate with a Russian ransomware gang who's very good at his job, right?

But don't they turn it over, when there's cybersecurity insurance involved? I mean, they turn it over oftentimes to ransomware negotiators or extortion negotiators, as well as, like, the triage team, or even if the project is coordinated by legal counsel. Is that what you're seeing?

Dan Elliott (42:27.31)
Yeah, they're experts and that's my first recommendation as people are building out their plan is looking at all those roles and responsibilities that need to be there and having organizations or experts at the ready to assist you there because you're not gonna wanna do it in house. Very few organizations have the budget to keep people who are really good at those things.

D. Mauro (42:50.249)
No, right.

Dan Elliott (42:57.274)
in-house to do that. And that community is where the interrelation happens between the info sharing and the knowledge sharing from law enforcement, from the Intel community, from private enterprise, from vendors. It is another puzzle that everybody has to come together and bring their pieces to bear on it. And I definitely don't think it's useful to leave any of them out.

D. Mauro (43:17.345)
All right.

Dan Elliott (43:24.75)
You can't. This is not, you know, a one-man army where you're going to say, I'm going to fix it all myself. You have to be prepared to carry your weight and be a part of that.

D. Mauro (43:38.175)
Absolutely. How would you categorize the difference between a breach? You know, we've seen the same type of organization, let's say the same industry, the same size in terms of employees or revenue, however you want to measure it. And some of them will go through a data breach and it is an issue, but it kind of goes away and there's a relative amount of downtime. And then there are some

that it exposes just bad practices or the reputational harm is long standing. What are you seeing? Why do you think that happens? Is it the individual organization's lack of preparation? Is it a combination of things? Why is that?

Dan Elliott (44:34.574)
I think it is a combination of factors, but oftentimes it's poor preparation. I mean, the organizations that I've seen in the news that have some of the most reputation damage, it's because they didn't have the right preparation pieces in place to limit the amount of damage done, limit the amount of, you know, for

D. Mauro (44:42.537)
Hmm.

Dan Elliott (45:01.55)
that data that was exfiltrated, the amount of personal information that was exposed out in the dark web, their communication was not ideal in messaging to the public and to concerned stakeholders of what went wrong and what we're doing to try to improve the situation. And they, in a lot of cases, were running around like chickens with their heads cut off during the incident because they hadn't prepared for that either. So.

D. Mauro (45:28.001)
Right.

Right, or tested it.

Dan Elliott (45:30.99)
I think all three pieces, yeah. It's, you know, I love that idea of sweating during training so you don't bleed during battle. And that really for me is that piece where I want to make sure that I have technical controls in place. I know where my most sensitive data is, and I know that it's not spread everywhere throughout the organizational infrastructure. And then

D. Mauro (45:55.617)
Right.

Dan Elliott (45:59.214)
my non -technical and technical teams are prepared for what's coming for them on a bad day so that messaging happens right, technical teams are acting in their roles, and that that's ticking off like a clock. So I know who's gonna say what and where and who's not gonna say what. And then I know that I've done everything I can to lead into that, and it doesn't leak out three months later that,

Oh, you actually weren't doing anything.

D. Mauro (46:29.985)
Right. Because it shines a light on your organization's internal handling of the most valuable internal data you have. And so it's like it's a very deep light that gets exposed. And so it's going to show the fact that you were doing a lot of things and a bad threat actor just got through, right? Which happens. But you handled it well. And...

people will still want to do business with you. And then it also exposes some people, like some organizations that just didn't seem to care or didn't understand or whatever. And you're like scratching your head going, well, you're going to be in a lot of pain for a long time.

Dan Elliott (47:18.094)
Yeah, we've gotten past the, we, and I'll use the royal we, have been having the discussion for a long time of it's not if, but when. And I think that's starting to really burrow its way through leadership everywhere, that they all have this. Exactly. And that next step.

D. Mauro (47:35.105)
Once that's recognized, then you can prepare accordingly. Well, it's like children preparing for fire in school, right? Like, you know, it may never happen, but if you don't prepare, the difference will be between all the kids getting out safe and many of them dying. I mean, it's that stark of a difference. And so it's a very similar analogy.

Dan Elliott (47:59.598)
Yeah, that's literally how I start all of my tabletop exercises, is having that throwback: how many of you went through those fire drills once a month or once a quarter at school, and how many of you actually went through a fire? But they still saw the value in practicing, the value in getting it stuck in your head, where you need to go, where you don't wanna go, and who you follow. And I think that that's important.

D. Mauro (48:15.937)
Right. Right. Yep.

D. Mauro (48:25.153)
Right.

Dan Elliott (48:28.206)
There's a reason why you get on a plane every single time and they walk you through the same thing, while adding advertising. If anybody from the airline industry hears me, I am not a fan of the five ads I listen to along with that. But there's an important piece at the beginning where they're telling me all the things that I have to do in case of an emergency, that I've heard 50, 60 times before, but they want to make sure that everybody knows the bare minimum so that...

D. Mauro (48:37.345)
Yes.

D. Mauro (48:42.337)
Yes.

D. Mauro (48:56.513)
Right.

Dan Elliott (48:57.26)
you know, they're prepared. And that's really where we need to get in cyber is get to a point where everybody's going, oh my God, I have to hear this again. I know it, I know it. And when they actually do.

D. Mauro (49:05.857)
I know, right. Right. That's fantastic. Great insight. Thank you so much, Mr. Elliott. It was an absolute pleasure talking with you and getting some insight. What do you have coming up? What's on the horizon for you?

Dan Elliott (49:24.174)
Well, first thank you again for having me. It's an absolute pleasure to be here. I love our conversations and I love chatting about all this stuff. I'm on a bit of the conference circuit right now. I'm gonna be in Toronto, Canada, speaking at a couple conferences coming up in the next few weeks and then spending the rest of my spring and summer really working with a lot of our clients to get them better prepared because...

D. Mauro (49:28.801)
It's our pleasure.

Dan Elliott (49:52.302)
As I find as the year progresses, it's really a curve. We can see this early on in the year where that curve of breaches is starting to happen. So I'm trying to help my clients get out in front of that before it becomes a swell.

D. Mauro (49:57.089)
Right.

D. Mauro (50:06.945)
Yep. Yep, absolutely. Well, thank you so much. We absolutely appreciate it. Thanks, bud. Appreciate it. See ya.

Dan Elliott (50:14.446)
Thank you for taking the time.

Dan Elliott (50:19.566)
Thank you.