WEBVTT

1
00:00:00.000 --> 00:00:13.470
Anna Delaney: Hello, welcome to Proof of Concept, a cybersecurity talk show where we discuss the most important security and privacy issues with the distinguished experts in the field. We are your hosts. I'm Anna Delaney, director of productions here at ISMG.

2
00:00:14.220 --> 00:00:21.750
Tom Field: I'm Tom Field, I'm senior vice president of editorial at ISMG. I am privileged to be able to talk about the hottest topic in the world.

3
00:00:22.470 --> 00:00:26.610
Anna Delaney: And Tom, I get to meet you in person next week. How exciting is that?

4
00:00:26.670 --> 00:00:31.200
Tom Field: Finally, we've worked together for two years now, and we finally get the chance to meet in person. Excited!

5
00:00:32.400 --> 00:00:54.210
Anna Delaney: To say the very least. So, Tom, last time we met here, Russia's invasion of Ukraine and the cybersecurity impact was very much the biggest story, and it remains a top concern today. We haven't really seen the massive cybersecurity global attacks that some had predicted. The conflict has certainly changed the balance of risks, I think.

6
00:00:55.290 --> 00:01:34.530
Tom Field: It has and, you know, I happened to be at our Pacific Northwest Summit in Greater Seattle last week, convening our first live event in two years, and it happened to be the day after President Biden put alerts out there that businesses and critical infrastructure entities ought to be on heightened alert of potential attacks or repercussions from what was happening in Russia. In other words, as the West puts pressure on Russia, expect to see some blowback. So, it was interesting to be among our CISO community, as this warning was out there. What reaction do you think we might have seen from security leaders hearing this for the first time?

7
00:01:35.220 --> 00:02:34.800
Anna Delaney: Wow. Yeah, I think you're right. There's this high alert. There's a lot of latent anxiety, I think, for the past couple of years. And so they're really kept on their toes. And I was saying earlier, there's been no major cyberattack. But we have seen a lot of cyber disruptions. News this week that one of Ukraine's national telecoms operators suffered an attack, as well as satellite communications provider Viasat, on the day of Russia's invasion of Ukraine. And I think that's quite an interesting one, because it highlights the politics and the complexities of attribution, because Western intelligence agencies believe it is Russia, but they haven't called them out publicly. So that's an interesting one. Also, Ukraine's resilience, their systems and their infrastructure. And I think the Western officials have been fairly surprised about their, or at their resilience. But they've had a few years of practice to build their defenses, to say the least.

8
00:02:35.550 --> 00:03:11.970
Tom Field: And what was interesting was on the day after President Biden's announcement, I was convening a panel on stage and it was about Russia and Ukraine and the potential implications. So I had this panel set up in advance of this happening. So I had two CISOs, one from business, one from a county government. And I had an FBI agent up there as well. And the response was, yes, this is serious. But if you're just getting the message now, for the first time, it's already too late. These attacks aren't something you haven't seen before. And if you don't have the proper measures in place now, you're not going to.

9
00:03:13.230 --> 00:03:21.120
Anna Delaney: Well said. Well, the other story, of course, this week in the news is the fallout from the Okta breach response. Tom, what are your thoughts?

10
00:03:21.630 --> 00:05:02.610
Tom Field: You know, I happened to be at the event as well, when this was breaking in the news, was sort of going around and people were talking about it. In some ways, this isn't new. We've seen this before. An organization gets breached, it detects the incident, and then you sort of have two paths in front of you - the path of clear communication and the path of we're going to wait until we know exactly what's happening here before we say anything. One of those paths tends not to work out very well. And I'll go back to the case of FireEye. Back when the SolarWinds breach first became announced in December of 2020, FireEye was one of the first entities that suffered a breach, and Kevin Mandia came out immediately and revealed what had happened and did whatever we could in terms of transparency, to help other organizations to be able to detect and respond. That's the right way to do things. I think Okta has come out and acknowledged, maybe, some missteps in what they did in terms of response after detection back in January. You know, it's a hard lesson to have to learn publicly. I think the other thing I take away from this is that social media is merciless. When you see the blowback against Okta for what has happened, and I always come away from these things thinking there's nothing quite like the outrage of the uninvolved. You really get a diversity of opinions from people who aren't necessarily connected to what's going on. But, again, I come back to the message that when bad things happen, the faster you can get the news out there and be transparent about it, the better the situation is going to be for you, your customers, your partners and the community.

11
00:05:03.390 --> 00:05:20.880
Anna Delaney: And it's easy to point fingers. But this is an opportunity to learn from the incident, and I've got to highlight our colleague Matthew Schwartz's article on effective crisis communications and the lessons learned from this breach response. So go check it out. Well, Tom -

12
00:05:20.880 --> 00:05:30.570
Tom Field: But for the grace as well, because okay, today, it's Okta. And two years ago, a year and a half ago, it was FireEye. Who's it going to be tomorrow? And there's going to be another tomorrow.

13
00:05:31.740 --> 00:05:38.190
Anna Delaney: And at what cybersecurity event are we going to, or incident are we going to see happen next week when we're in Chicago?

14
00:05:39.150 --> 00:05:43.860
Tom Field: As part of the excitement to get it together next week. What will we be covering, what will we be talking about on stage? Yes.

15
00:05:44.430 --> 00:05:49.080
Anna Delaney: Who knows? Well, Tom, I think it's time you introduce our first guest.

16
00:05:49.320 --> 00:06:03.960
Tom Field: I am excited to introduce our first guest. She has been called the princess of privacy. She is Lisa Sotto. She's a partner and chair of the global privacy and cybersecurity practice at Hunton Andrews Kurth LLP. Lisa, it is always a pleasure to see you. Thanks for being with us here today for Proof of Concept.

17
00:06:04.200 --> 00:06:06.480
Lisa Sotto: Thank you for having me, Tom. I'm delighted to be here.

18
00:06:06.900 --> 00:06:22.620
Tom Field: So Lisa, amidst the fallback from last year, and continued ransomware activity, and now the backdrop of Russia and Ukraine, tell us, how has the threat landscape evolved over this first quarter of the year?

19
00:06:23.470 --> 00:07:45.610
Lisa Sotto: Well, you know, I would say it's more of the same. It is an extremely malicious environment. I think the big change over the last few weeks, or a month or so, since Ukraine has really risen to the fore, is that I have gotten many calls from critical infrastructure organizations who are saying, what else can we do? And the answer is exactly what you said: if you're not already doing it, it's too late. So I think that was a very apt comment. And you know, the only advice really is do everything you're doing with extra vigilance and on steroids. So all of the activities we should have been undertaking over the last couple of years in this very pernicious environment need to be done tenfold. And it's the extra vigilance that I think really matters here. We may not be able to avoid having a threat actor get into our system in the first place. But we cannot afford to have that threat actor sit in our systems for any period of time. So we need to make sure that we're identifying them quickly so that we can brute them as needed.

20
00:07:46.800 --> 00:08:02.790
Tom Field: So Lisa, given what we've seen already this year, we're sort of, I think we're post Log4j right now. We're awakening to news of SpringShell. We've had warnings about critical infrastructure entities being probed and entered. What are the trends that you're paying most attention to now?

21
00:08:04.740 --> 00:09:17.580
Lisa Sotto: We're hearing so many new government briefings. They're coming out just constantly now. And honestly, there's not much new under the sun. It's just more of the same. And there's just sort of a ratcheting up constantly. What are the trends? We're still seeing ransomware like crazy. Business email compromise is rampant. Credential stuffing, it's constant. Two or three or more times a week, we get calls from clients about credential stuffing. Doxing as well. So all of the same exploits are being carried out. One thing that I'll note that I think is particularly interesting is the revelations around Conti and the Ukrainian who revealed the communications and the decryptors. And while this is not news, it is, of course, always interesting to see that criminal actors are, in fact, linking arms with government actors. And we saw that through those communications. So more of the same, just everything a little bit beefed up.

22
00:09:18.360 --> 00:09:41.700
Tom Field: One thing we haven't talked too much about this year, because of everything that's going on, is the regulatory landscape. Now I know we've had some clarity from Washington about zero trust and the President's cybersecurity executive order from last year. We had an executive order on cryptocurrency, and then there's this one coming on identity fraud. Everyone's still talking about privacy. What regulatory shifts are you paying attention to?

23
00:09:42.510 --> 00:11:58.080
Lisa Sotto: It's sort of a tsunami. We are awash in new requirements and new proposals just about every day, and every day I wonder how I'm going to get through the next 42-page proposal and absorb it all. So things are changing truly at the speed of light. This administration really understands that cybersecurity is a deep, deep threat in every respect. So we saw most recently that the omnibus appropriations bill now has in it a requirement to notify: if you're critical infrastructure, you need to notify the government within 72 hours of having reasonable belief that there's been an incident that requires reporting. You need to report in 24 hours if you've paid a ransom. So we now have the 72-hour, reminiscent of course of Europe, reporting obligation to the government, along with a 24-hour reporting obligation for ransomware payments. In addition to that, for banks, there is a new rule that as of May 1, banks are going to need to report certain incidents, substantial incidents, within 36 hours. And there are a couple of SEC proposals that are on the table. And the one that really is, I think, taking all public companies' issuers by storm is the requirement that is not in place yet. It's still in draft form. But it's probably coming in some form or another, that public companies disclose within four business days that they've had an issue. In addition to all of this, so we have all of that on the cyber side. And then on the privacy side, we now have four states with omnibus, with comprehensive privacy laws. California started the trend, followed by Virginia, then Colorado and now, most recently, Utah. So you know, there is this wave of regulation, and we are struggling to keep up. And that's the US, of course, alone. And there's plenty happening overseas as well.

24
00:11:58.770 --> 00:12:05.580
Tom Field: As I've been dedicated to this field for almost 15 years now, I've known you for almost that length of time. I've never seen a busier time than now.

25
00:12:05.910 --> 00:12:09.030
Lisa Sotto: Nor I, and our hours reflect it.

26
00:12:10.260 --> 00:12:13.050
Tom Field: Anna, let me turn this back to you so you can introduce our next guest, please.

27
00:12:13.200 --> 00:12:27.120
Anna Delaney: Absolutely. Thank you very much, Tom and Lisa. So David Pollino, come and join us. Former CISO, of course, of PNC Bank and a veteran in the fields of information security, fraud prevention, and risk management. David, good to see you.

28
00:12:28.710 --> 00:12:30.210
David Pollino: Thanks for having me. It's great to be here.

29
00:12:30.720 --> 00:12:41.100
Anna Delaney: So David, we mentioned the Okta event. And it certainly brings up questions about third- and fourth-party management. Where did it go wrong? And how can we improve on that front?

30
00:12:42.270 --> 00:13:35.700
David Pollino: Well, I think having either third- or fourth-party breaches is part of doing business now. But the question is, how informed are you as to what third-, fourth-party risks you have? Do you know which one of your vendors that are critical to your business are utilizing, whether it's a cloud service provider, Amazon, Google, Microsoft, or some of these pervasive services like the Okta authentication service? So it's important to realize not just that, you know, this is the reality of doing business today. But as we're going through and doing our due diligence, and answering the question, should we be in business with this firm, that we gather that bit of information, so if something does hit the news, like this particular breach, we could go to our vendors and ask the questions and have a quick response to know how our business may be impacted.

31
00:13:36.450 --> 00:13:57.300
Anna Delaney: Great advice. So David, I want to talk about fraud trends. The IRS investigators have uncovered more than $1.8 billion in fraudulent activity related to federal COVID-19 stimulus funds. So I welcome your perspective on this and the fraud trends that are of most concern to you right now.

32
00:13:58.710 --> 00:15:48.090
David Pollino: So it's a very interesting topic. If you see that NBC report, they said as much as 80 billion, or 10% of the PPP funds, might have been fraudulent in some way. And that's on top of the 90 to 400 billion that was related to unemployment fraud. So they're calling it the largest fraud of our generation. So you know, a lot of questions come up for businesses. Yes, it was a unique time. There were guidelines, the program, maybe the guidelines weren't where they needed to be. But this is a massive amount of fraud that was allowed to take place in an all-remote environment. So when you think about your business, when you think about the services that you're providing, most businesses would wholeheartedly say we do not want to contribute to anything that could even be shady or downright illegal. So there have been guidelines in place for many years, around financial institutions, around knowing your customer, doing due diligence on your customer. All these things add time to either underwriting or account opening or the transactional process. But these things are important to make sure that we understand who is on the other side of the transaction, and whether or not this transaction is going to be utilized for good purposes or for bad purposes. And in many cases, we also need to not stop there. Not just stop at validating the customer, but also look at the activity. Is this activity consistent with good things or bad things? And what can we do to really create a better environment for transacting online? So I think, you know, maybe learning from some of the regulations that we've had on the books for many years, and taking the next logical step, is going to be in all companies' best interests.

33
00:15:48.510 --> 00:15:58.590
Anna Delaney: And of course, security is important in validating new accounts, but how can we find the balance of appropriate security controls and ease of use for a frictionless experience?

34
00:15:59.670 --> 00:17:20.760
David Pollino: Yeah, so the important thing is to make sure that we're not thinking in the past. You know, in the past we may have had second-day review, manual review cycles. It's better to get into automated real-time checks and controls, and, you know, also have a risk-based approach. So if something does maybe trigger some level of risk, maybe we, you know, modify the products and services or put them on some sort of additional, you know, watch list. But, you know, making sure that whatever controls you put in are automated, are risk-based, will be important to make sure that, like you said, there are not unnecessary delays, and we're able to provide those services. Also, you know, thinking about new and innovative ways. You know, it used to be we looked at information around the individual, but now we're looking at information around the email address, the phone number, the mobile device, you know, the reputation with other providers, or the tie between a financial payment instrument and that particular computer or mobile device. So there's also additional authentication services out there, whether it's through Apple or Microsoft or Google. And so, you know, staying up to date and realizing what information is now available to us that wasn't available before can help us to provide services that are not only quick and easy to use, but also secure.

35
00:17:21.750 --> 00:17:41.490
Anna Delaney: Oh, great insight, David, thank you very much. Well, let's just bring the band together. Lisa, here you come. Great. Well, live events are back, at least with a hybrid version. How do you feel about it? Re-embracing the stage, chatting, talking in front of live audiences again?

36
00:17:42.420 --> 00:18:09.090
Lisa Sotto: It's so much more fun. It's much better to be live and to be engaged with an audience and to have that repertoire that you really can't have as quiet as well over a video conference, which actually, as you know, video conference has been a godsend over the last couple of years, but it's not quite the same. So I'm thrilled to be able to be back at live events.

37
00:18:10.770 --> 00:18:40.470
David Pollino: 100% agree. In my personal practice, one of my customers had an offsite meeting last week. It was my first real offsite business meeting in a couple of years or more. And we got so much done in two and a half days, more than we could have accomplished in six months. So, Zoom is great, remote is great, has its place. But sometimes there's just no substitute for that face-to-face contact. So I'm eagerly anticipating being in person for the ISMG event.

38
00:18:41.530 --> 00:19:04.450
Tom Field: It's terrific. I did it for the first time last week since, I guess, it was December of 2019. It was amazing. I'd say two lessons learned though - when you get people back on stage, the answers to questions are a lot longer than they were on Zoom. And the other thing I would say, and I know you're all going to sympathize on this too, it hurts to wear dress shoes all day.

39
00:19:05.880 --> 00:19:07.320
Lisa Sotto: Yeah, we're done with that.

40
00:19:09.930 --> 00:19:18.720
Anna Delaney: Slippers all the way. Is there anything upcoming, Lisa, any events that you're speaking at, on topics that we should know about?

41
00:19:18.720 --> 00:19:53.880
Lisa Sotto: So many. So many are now live. I mean, I think, you know, what I would say about topics that have really come to the fore are the state privacy laws and setting up compliance programs in the United States, which is new to us here in this country. That's one thing, and then the other, of course, is cybersecurity from a proactive readiness perspective. There's so much to do to prepare for these events. Tabletop exercises are so critical, and also understanding, making sure that boards and senior management understand the threat landscape.

42
00:19:54.510 --> 00:19:57.090
Anna Delaney: Sure, how about you, David? Ransomware still out there?

43
00:19:58.710 --> 00:20:21.870
David Pollino: Absolutely. You know, with what's going on in the world situation today, whether it be fraud or the political conflicts and wars that we have got going, these will all have an impact on the security and cybersecurity space. So definitely look forward to, in the months to come, having opportunities to have good conversations with practitioners across the board. And hopefully make the world a better, safer place.

44
00:20:22.440 --> 00:20:30.300
Anna Delaney: Absolutely. Well, I look forward to meeting you all in person at the same event, I hope very soon, and see you next week in Chicago, Tom.

45
00:20:31.050 --> 00:20:36.960
Tom Field: Next week in Chicago. Anna and Tom, together again for the first time. I look forward to seeing you and introducing you to deep dish pizza.

46
00:20:38.340 --> 00:20:50.370
Anna Delaney: Can't wait. Well, we have to leave it there, unfortunately. This has been an excellent discussion. So thank you very much, Lisa Sotto and David Pollino, for your insights. And Tom Field, thank you very much for co-hosting.

47
00:20:50.790 --> 00:20:52.260
Tom Field: We'll do this again. Thank you so much.

48
00:20:52.350 --> 00:20:55.440
Anna Delaney: Absolutely. It's goodbye from us. Thank you.