Road Work Ahead

#5 - Kristi Hoffmaster: Cybersecurity Risk Management, Individual Responsibility, AI Impact, Freedom

Waypost Studio | Sam Gerdt Season 1 Episode 5

How do you approach your duty and responsibility to protect yourself and those around you from cyber threats? Whether you're a large organization or an individual, it's never right to assume that someone else is protecting your best interests.

Our generation is living in an incredibly significant transitional period, and the rules and expectations about how people should be treated are still being tested and hotly debated. The only way to ensure that you and your business remain safe is to take personal responsibility for that safety. In addition, we should also be lining up to preserve the safety of the more vulnerable members of our community - the older and younger generations.

This week, I sat down with Kristi Hoffmaster, who is a senior analyst at Okta, a company that provides secure identity management for businesses of all sizes. Kristi's experience and expertise in third-party risk management yielded a conversation that centered around the need to carefully evaluate and monitor the technology that you allow into your business and your life.

While we spent a good deal of time talking about the specifics of securing an organization's technology stacks, it was the individual, human aspect of cybersecurity that resonated most deeply for me. I was left at the end of our conversation feeling very confident that the only way for humankind to ensure our future cyber safety is to begin fostering a strong sense of individual responsibility across the board.

I hope this discussion leads you to the same conclusion.

Sam Gerdt:

Welcome everybody to Road Work Ahead, a podcast that explores the unmapped future of business and technology. My name is Sam Gerdt and I am your host. How do you approach your duty and responsibility to protect yourself and those around you from cyber threats? Whether you're a large organization or an individual, it's never right to assume that someone else is protecting your best interests. Our generation is living in an incredibly significant transitional period, and the rules and expectations about how people should be treated are still being tested and hotly debated. The only way to ensure that you and your business remain safe is to take personal responsibility for that safety. In addition, we should also be lining up to preserve the safety of the more vulnerable members of our community - the older and younger generations.

Sam Gerdt:

This week, I sat down with Kristi Hoffmaster, who is a senior analyst at Okta, a company that provides secure identity management for businesses of all sizes. Kristi's experience and expertise in third-party risk management yielded a conversation that centered around the need to carefully evaluate and monitor the technology that you allow into your business and your life. While we spent a good deal of time talking about the specifics of securing an organization's technology stacks, it was the individual, human aspect of cybersecurity that resonated most deeply for me. I was left at the end of our conversation feeling very confident that the only way for humankind to ensure our future cyber safety is to begin fostering a strong sense of individual responsibility across the board. I hope this discussion leads you to the same conclusion. You are in third-party risk management, which, to my understanding, is not a specialized role. It's more of a general role. You have eyes on every part of cybersecurity, is that correct?

Kristi Hoffmaster:

That's right. Third-party risk management, also known as VRM or vendor risk management; they usually mean the same thing.

Sam Gerdt:

So you have eyes on, then, auditing companies, looking at every aspect of cybersecurity. As you're looking at the industry, because everybody knows that this is shifting and changing so rapidly, as you're looking at all types of business - small business, large business - what would you say is the greatest challenge that you're facing in the next five years?

Kristi Hoffmaster:

So the challenge, I would say, is first of all for a company understanding what's there, what is their inventory, what suppliers exist that that company is doing business with, and then, from a TPRM assessor standpoint, when you're looking at suppliers and their businesses, I would say they're understanding kind of two lanes. The first lane would be what is the baseline, what are we doing business with? From a baseline assessment, static point in time, what is this organization's structure, what are the primary systems that this organization is made out of? And then how are they managing those risks across their organization? So that's the first lane. The second lane would be periodically saying what has changed about that company, have there been incidents that would affect that company's operations or how they service the companies that it does business with, and then just looking at what is the response to those changes. Has the response been nothing? Has it been that an auditor has come in and attested to the fact that they've handled this change in some way, hopefully in a positive way?

Kristi Hoffmaster:

So those two lanes are kind of what an assessor, a third-party risk management professional, is looking at. The challenge for an organization that is being assessed by a TPRM evaluator would be the overwhelm, because there are multiple inquiries and there are multiple questions that a TPRM professional would issue and request from that company or that supplier. So sometimes those teams that, like I mentioned, the trust team, the assurance team, would be the team in-house fielding those questions and responding to those inquiries. A larger company that does business with hundreds of other companies could be answering thousands of questions a month from these external companies. So there's a lot of overwhelm in this field as well, and there needs to be a strategy from leadership in managing both sides of TPRM and how to kind of optimize and deal with that function efficiently. Otherwise it could be anywhere from one extreme of legal liability to the other extreme of just burnout from employees working in this field.

Sam Gerdt:

From a subjective standpoint, it seems to me that this thing that you're talking about, all of this overwhelm, is going to be the greater challenge for the small business versus a larger corporation. And we're getting to the point now where the small business can't ignore cybersecurity and really needs services like what you're talking about, but half the time they're not even aware that it's a need, and then the other half, when they become aware, like you said, they're overwhelmed at the very prospect of undergoing even an audit. So in that case, when you're discussing these things with a smaller business who's facing that challenge, what's the response?

Kristi Hoffmaster:

Sure, I think small business owners and those who are involved in protecting a small business can do the same thing that third-party risk management professionals do, which is look at the data. The data is the crown jewels. The data is really the king of your business. So step back, from a very high level. You might want to do this once or twice a year. A small business owner can say, what kind of data does my business handle and manage and deal with? What kind of promises do I need to make to my customers to protect that data?

Kristi Hoffmaster:

Obviously, a landscaping small business is going to have financial data. If they take digital payments, they're going to have invoicing, personal data on some of their customers that they need to protect. How are they protecting that? What systems are they using? So, if they're using a cloud point-of-sale system to handle financial transactions, they need to be looking at, first of all, internally, what can they do procedurally to handle that data properly? And then looking at the actual third-party vendor that is providing those financial transactional services.

Kristi Hoffmaster:

Looking at is this a company that just created itself last week and is using your business as a guinea pig? Is it a friend's startup? In that case, you're taking on some risk. There's not a lot of history there to prove that they've maturely been able to handle that capability. Or are you using a very well-established cloud vendor that's been around for a long time, that has a track record of protecting data and dealing with challenges in a transparent way with its customers? Those are the kind of things you, on a high level, would want to do as a small business owner.

Sam Gerdt:

Are there any other things that you would consider if you were evaluating a vendor as a small business, or are there any other red flags that you might look out for?

Kristi Hoffmaster:

Sure, that's a really good question. The number one: I work for, I am employed with, an identity provider company, so identity is how you're logging into an application, how are you authenticating and how are you doing that safely? I happen to work for a company where, you know, our pride is, you know, promising that we can help businesses secure that authentication handshake. So the number one red flag I would say is if a small business, you know, is wanting to take payments but not requiring any kind of single sign-on authentication to its application, that would be a huge red flag. Or just that the system of record for your business with them, operating and sharing that data, doesn't have consistency, or maybe it's not even present; those would be red flags.

Sam Gerdt:

So, to give you an example, so I work for, you know, we do digital marketing, digital sales. We're in this digital space as an agency, and a big part of my job is recommending software-as-a-service platforms for companies to run things like marketing and sales. And the average size of a tech stack for a company that we would work with, depending on the size of the business, but even the landscaping business, as an example, is going to have at least a dozen vendors, and the tech stack for a larger, mid-sized company, say, is going to be way higher, maybe even close to 50, 60, 70 vendors. And so, as we're evaluating these vendors, sometimes we resell them, sometimes we recommend them, sometimes we just test them and use them ourselves and then, if the need arises, we have it as a recommendation.

Sam Gerdt:

You're looking at it completely differently than the way we look at it. We look at it and we see pricing, we see feature set capability, we might look at customer reviews, we might hop on a call with a salesman from that provider and hear more about the internal workings of the company from them. But what we lack a lot of times, and a lot of times it's not even available to us, what we lack is insight into their security, their cybersecurity practices, compliances, all of that stuff. And so I'm curious, for my own benefit and for the benefit of our customers: what's the mark of a really conscientious vendor, so that you're not going to get that email that says, hey, we had a data breach, your credit card might have been exposed?

Kristi Hoffmaster:

Right. Okay, that's a great question. So I think that there are, on a positive note, there are actions you can take from that perspective, sitting in that chair, that don't require a lot of legwork. First of all, in this day and age, most people - and there have been studies that show this with consumer purchasing habits - most human beings do a little bit of research on their own before they even engage another party in a transaction or a question or any kind of engagement. So you can look at their privacy policy, which should be on their website.

Kristi Hoffmaster:

If a company doesn't have a website, that's not necessarily a red flag, but that is an easy way to tell. A hallmark of "this is a company I want to do business with" is that they have some kind of statement that is publicly available for customers to look at and see: how do they handle information? What kind of commitments do they make to you, a consumer, or you, another business that they're doing business with, and how are they going to promise that they are going to make an effort to protect that information?

Kristi Hoffmaster:

Also, usually, most likely, if you scroll down on any application or any software or any business or organizational website, there should be, at the very bottom of the privacy policy, a small paragraph that speaks to how you can engage that company, how you can communicate with them, whether it's a phone number or email address, and so you can look very quickly. If that's there, that means we are open to talking with you and working with you. There's also legal reasons and regulatory reasons that that business might be subject to providing that information, which is another reason they do it. So usually a privacy policy would be present, as well as a security statement or some kind of portal or page speaking to what frameworks they are compliant with, what kind of, you know, regulations do they acknowledge are out there and that they are subject to in keeping your information safe?

Sam Gerdt:

Yeah, you actually bring up an interesting secondary point to this whole thing, and that is it's not just ensuring that your data is safe from outside attack when you engage with a third party, it's also making sure that that party is going to be responsible with it themselves.

Kristi Hoffmaster:

Absolutely.

Sam Gerdt:

And we're seeing more and more of this. There was the incident with Zoom, where they had changed their policy to indicate that data collected on the platform could potentially be used in the training of LLMs, AI, and people lost their minds.

Kristi Hoffmaster:

Yeah, there was a lot of industry pushback there.

Sam Gerdt:

Yeah, there was a huge backlash and they walked it back and they tried to say no, no, no, that's not what we meant, but it was very apparent that they intended to quietly allow themselves access to that data for that purpose, and customers obviously did not want that. So how do we protect that? You can have the most compliant vendor in the entire world, and if that vendor chooses to use your data in a way that you don't want them to, what's the recourse other than leaving them?

Kristi Hoffmaster:

Leaving them is one recourse. There is strength in numbers when customer behavior can influence a company's response and posture. For sure, and that's kind of what happened here with Zoom: there was a lot of noise in response to what had been reported. So you bring up a really good point, which I would probably tie to a lot of questions that someone like you could ask about cybersecurity, which is the importance of socialization and normalization of the human factor in protecting information, so it can work on both sides. The human factor can influence company behavior in that type of scenario where people are just saying we don't like this, this isn't right, we don't want to enter this territory of information being used in a way where we aren't sure of the outcome.

Kristi Hoffmaster:

And then on the other side, there's the human factor, and you brought up this question with what can organizations do internally to keep those promises? There's the human factor of, just, there's always subjectivity when it comes to human beings making decisions, and they can be safe decisions or unsafe decisions. So what someone in TPRM wants to see a company do is have those internal controls that are administered within the company: background checks for employees, security training happening regularly, whether it's once a year or upon hire, and then every quarter or twice a year. You would want to see those types of things and activities happening. You would want to see an auditor coming in and attesting that they have looked at that and that activity is actually present and working as intended.

Kristi Hoffmaster:

So as far as public recourse, there's, you know, we live in a society and a culture, fortunately, where there is the ability to discuss this and have public recourse about it. What can really happen in this situation with Zoom is where you have customers saying, you know, what's happening, we don't appreciate this, and then you have practitioners from the industry breaking it down and saying here are the risks that, you know, this could introduce and here are the things that we see wrong with this picture. So public recourse is actually really effective in a lot of situations.

Sam Gerdt:

It just comes down to, then, whether or not you can uncover it. Before we get to that individual responsibility, that individual vigilance, there's one more thing that I want to touch on, a challenge of the small business that kind of goes along with that: building a tech stack and just kind of outsourcing pieces of your business to these third-party vendors. And that is, when we do this, especially on the small business side, I see this all the time, there's this assumption of just letting go and, okay, they handle that, I don't have to think about that. So we saw this a lot with GDPR and the data privacy rules that came out of GDPR. There was this idea, this attitude that my vendors will be compliant. My vendors will sort this out. I don't need to necessarily know the inner workings of this law and how it affects me because I'm using a very popular vendor, or if they're compliant, I'm compliant. I don't need to worry about this. They're worrying about it for me. Is that always a good idea?

Kristi Hoffmaster:

No, great question. You can take that statement and you can blast it out to a macro perspective. A company like the one I work for can have the same problem, which we do; large companies have this challenge, which is continuing to have a pulse on what is happening, number one, with your data, with your customers' data, continuing to understand what those promises that vendor is making to you are and what is the termination of those promises. So now we're looking at the legal, contractual agreements. You are most likely going to sign a purchase order and a contract with that business and that vendor that you're handling your business with and giving part of your data to. So what are those? What's in the contract? So I would say, for a company like the one I work for and for you as a small business owner or anyone out there, you need to have someone in-house, whether it's you or someone that you hire, part-time or full-time, that handles those relationships and what I would call the supplier inventory that is helping operate your business. Because, ultimately, the business is accountable for any problems, any residual problems or any just gaps with omission of knowledge of what's going on that could introduce data loss, financial loss. It could affect, let's say, your employees. You've got 20 employees and your scheduling cloud vendor is not available for two days and something goes down and that affects your operations; that's a good example. So having that resource, whether it's you or someone else, to understand what has been agreed in writing, how long do those agreements last?

Kristi Hoffmaster:

And what Amazon has kind of coined for their industry landscape, which is the phrase of shared responsibility and having the shared responsibility model, and what that means is what is the vendor responsible for and what are you, as the customer of that vendor, responsible for doing on a regular basis? And a good example would be, let's say, your cloud vendor is responsible for the infrastructure and that platform and providing that to you and being available 99.5% of the time. They make that promise to you; they ask you to be responsible, in this example, for patching the software that lives in that cloud instance. That's your responsibility as a business. So if that goes down and it's on your watch because you haven't patched it in 13 months, that would be your accountability that you would be facing. So having someone in-house that can look at what the promises are and what the responsibilities are, from you as a business and from them, then you kind of have a template that you can apply to any vendor that you do business with, whether it's five or 20 or 100 vendors.

Sam Gerdt:

And something additional that I think a lot of small businesses neglect to think about is the fact that their vendors have vendors.

Kristi Hoffmaster:

Yes.

Sam Gerdt:

And this relationship is not just two people, or two companies. This relationship is your relationship with this organization, who has a relationship with dozens of organizations, and those organizations.

Kristi Hoffmaster:

And some of those vendors are open source products. So there is no company managing that organization that's providing that software to you, for example. So you might be reliant on an open source project that is handling some aspect of your business and that's important to know as well.

Sam Gerdt:

So, for every listener out there, what we're saying is you need somebody knowledgeable about all of this stuff to evaluate your business decisions with regards to who you work with, and don't just take a simple reputation metric as gold and go from there. You need to have somebody who's constantly on top of this.

Kristi Hoffmaster:

Yeah, and fortunately it's the cost of doing business in 2023 and beyond.

Sam Gerdt:

Yeah, that's. It's really good to hear you say that, because a lot of what I do in my capacity is evaluating vendors for specific tasks and looking at all of this, and it is a challenge.

Kristi Hoffmaster:

Yeah, and you have to look at jurisdiction too. Is your company doing business with locals within a 30-mile radius, and your jurisdiction is the state you're in and operating in, or are you subject to laws and regulations all over the world? It depends on what your business is doing.

Sam Gerdt:

Yeah, it gets really complicated as soon as you go global. I'll tell you that.

Kristi Hoffmaster:

Yes.

Sam Gerdt:

So let's get into, then, the individual's responsibility. This is for businesses, they have responsibility, but also for employees. I feel like there's this great need for everyone, in every capacity, whether you're at home sitting on your couch, or at work sitting at your desk, or driving, even, these days, to have this awareness of all of the things that are happening around you, how they're affecting you and how they're affecting your family, your organization. Data is constantly being collected. We are constantly interfacing with platforms who are watching us, collecting data on us and using that data, whether it's toward us or for the benefit of a company somewhere else; that data is being used. And so we talk about vigilance with your individual accounts, two-factor authentication, email confirmation, all of these other little things that most people are aware of, but there's also just this general need for, I think, a basic cybersecurity education across the board.

Kristi Hoffmaster:

I agree.

Sam Gerdt:

Is that something that we're seeing more of on the company level? Are companies getting on board with this and providing this kind of information, or are we still woefully behind?

Kristi Hoffmaster:

Well, I grew up, I'm going to date myself here, but I grew up in this industry. I started in IT many, many years ago, and so security was, the phrase was, bolted on, and now systems and organizations are attempting to operate with security and privacy by design as a concept and best practice. So I do think that it's been forced on us, culturally and as a society, to become more mindful and aware, because it's not really a matter of if, it's a matter of when things are stolen in the, you know, society that we live in digitally. So I do think there's more awareness, which is great. We're coming on the annual presence of Cybersecurity Awareness Month, which happens every year around this time and which CISA, one of our United States federal agencies, promotes each year to the general public with publications and tips and best practice reminders. So there are activities like that that happen on a cyclical basis that can help us be more mindful. But going back to, you know, cybersecurity traditionally was thought of as endpoints and firewalls to a network, and now it's everything: it's data management, it's the network, it's the human factor. So, going back to that aspect, you know, I would say one of the most costly and impactful and expensive impacts to any company or any organization, you know, hospital, school, anything, would be, you know, ransomware, taking that data and those systems and holding them hostage, as well as social engineering. The tactics and the threats are out there and they're more sophisticated than ever. So, as a baseline best practice, individuals, you know, should be handling their credentials in very, very safe manners, like not writing down passwords; we're way past that age. You should be using a vault and using two-factor, multi-factor authentication with, you know, phishing-resistant mechanisms for every authentication login that you personally have.

Kristi Hoffmaster:

So I'm a parent. I grew up, you know, raising my children, like most parents, wanting to protect our family, and I would make that analogy from a family to a company with operations. You know, you want to protect your family's physical structure, their brains, their citizenry, their, you know, spiritual, you know, soul and everything else. As a parent, you would want to protect that child that's vulnerable. You might even set up some best practices for protecting your family with disciplining and correction, you know, working with your family and your partners in the village that's raising that child or those children.

Kristi Hoffmaster:

So it might seem far-fetched, but you could even take it to your family, as taking that responsibility that you're talking about, and write a policy and a procedure for how your family handles digital best practices and applications in your home.

Kristi Hoffmaster:

Everything's going to look different depending on what family and how you're raised, but, for example, you can make a policy that, you know, doesn't allow your children to do certain things with technology. So those are ways that you can take responsibility, helping educate people, whether it's older or younger, to understand what happens when you download that application. What are you giving that vendor access to, then and residually? So those are steps that you can take for responsibility, but I do think that companies are doing a better job of training the workforce and understanding everything from best practices to innovative steps to be mindful of, like, you know, AI and deepfakes. What should we look for? So, just helping understand what your expectations are for yourself and for anyone that you're responsible for, whether it be a family or a school or a business, having those things that are aware and those expectations laid out is really important.

Sam Gerdt:

We've arrived at this place, and I think we've been here for a little while, where we really need to be looking out for the more vulnerable and lifting them up and coming alongside. I think you touched on it, but you think about the older generation and the younger generation. The older generation that didn't grow up with this stuff, with these threats, is woefully incapable of managing the real threats that are kind of at their doorstep, and in many ways, they're the more targeted demographic as well, because they're the ones that have money, they're the ones that have something to take, and so you think about the myriad of scams that prey on the elderly. This is something that we, as, you know, the generation who is in charge, really should be helping with. I mean, I feel very strongly about this.

Sam Gerdt:

It pains me to see how we've kind of left a generation behind, and, you know, to watch, as an example, to watch our grandparents try to navigate social media so that they can see, you know, family pictures that they would have had other ways of seeing, you know, 15, 20 years ago, to expect them to adopt a platform that they're very unfamiliar with, and then all of the wolves that exist on that platform, we do a disservice to them. And then the flip side of that is children, to, you know, hand a child a piece of technology like a phone or a tablet, without that education that comes alongside of it, understanding, like you said, what happens when you download this app, what exactly is happening when you download this app, and then having those conversations where you say, listen, you may not be thinking about this right now, but what you do on this device will come back to you in 10 years, 15 years, 20 years, because they're remembering, the people that you're dealing with, the companies, the devices that you're dealing with.

Kristi Hoffmaster:

Right, the data. Yeah, I think that I totally agree with you. I mentioned Cybersecurity Awareness Month. It is coming up. There are posters and flyers and reminders about those types of, you know, statements reminding you.

Kristi Hoffmaster:

But I think, to go back to a parenting analogy, when you, whether it's a person or an entity, an organization, when you have the responsibility to protect another party that is, you know, less able and maybe has less insight, or just you're keeping that promise to protect that person or that entity and that party, you have to realize the responsibility. And then, like you're saying, you know, we should take more ownership, you should lay out what the expectations are. So it just comes down to basic expectations. For example, you would tell a three-year-old child in a parking lot: my expectation is that you hold my hand as we make this journey into this place and I'm not gonna let go of your hand. And if someone else were to come up, you know, hypothetically, and ask to take your hand, you know, you should never do that. You should never expect that someone wanting to do that has your best interests in mind.

Kristi Hoffmaster:

So, laying out to the elderly: this is what you should expect to see here, and if you don't see that, or if you see such and such, you know it's most likely malicious. So just people understanding what's to be expected. That's where people who own a business or don't own a business, who have been to school for cybersecurity or not, that's when, you know, people who have a little bit more awareness, that's our responsibility to communicate that. I definitely agree there.

Sam Gerdt:

And so, moving forward, what we would like to see, what I would like to see, is companies, especially small businesses, taking this seriously and inviting professionals in. Not necessarily in a business capacity, where they're being invited in for, you know, a professional audit, but inviting them in and saying, hey, listen, we're going to buy lunch, you know, we'll pay you for your time, but we want you to just talk to us about these things and bring our people up to speed.

Kristi Hoffmaster:

Yeah.

Sam Gerdt:

Those kind of lunch-and-learn environments. I would love to see more of that on the smaller scale. And then on the larger scale, I think there's this need for larger companies to recognize that not every employee is on the same page with this, and there needs to be this conscientious effort to make sure that you're not leaving someone behind, especially as you think about, like, all of the innovation happening around AI. There's a lot of people who are just really insecure about all of this, and most of that's coming from ignorance, I think. They've not been brought along.

Kristi Hoffmaster:

Exactly, and we talk about diversity and inclusion from a, you know, something that we business owners are more and more aware of as well. One way that you can include people that work for you in your conversations is combine training with fun. You know you want to boost your employees' morale. You want them to stay engaged, you want them to enjoy working for your company. My suggestion would be combine some of that bringing experts in and, you know, combine it with an outing or a fun activity where you have not just someone talking to your workforce but having an actual engaging conversation where all questions are welcome, all ideas are welcome. You know, curiosity is really something that can boost morale in your company. So the more you allow healthy, curious debate and conversation and inquiry, the more that you have productivity and that training just kind of happens organically. You can have that coupled with formal, you know, formal training as well.

Sam Gerdt:

Yeah, I agree. I think it's. It's so needed. It will become very helpful for the companies who do adopt a culture of this education.

Kristi Hoffmaster:

Yeah, we have to because we're in this interim generation and in time in history. You know the White House just pushed out a strategy for enhancing cybersecurity in the workforce just very recently I think it was about a month ago or so. So you're going to see the impact of that directive coming from the US government. You're going to see that residually happening where cybersecurity is normalized and just talking about it's going to be like we don't, we don't refer to the phone as a smartphone anymore. It's that language is kind of passed as we just say phone and we all know it's a smartphone. So normalizing safety classes about digital safety and privacy and security those are going to be coming into, you know, high school and middle school curriculum over the next decade. So that's going to be something that's advantageous for that generation because they will grow up with that mindfulness. But we're in this interim phase where we have to step back and say not everyone grew up around this and not everyone understands the importance of keeping information safe and how it could impact your business if you don't.

Sam Gerdt:

We're coming to this point too, and I'll be curious to hear your thoughts on this.

Sam Gerdt:

We're going to get it more into the realm of speculation here, but we we've seen some scary stuff with the capabilities of artificial intelligence to do things like you know just passive learning, where it's just constantly churning data behind the scenes.

Sam Gerdt:

There's no directive, it's just a machine processing these points of data and coming up with these insights that are unbelievably accurate.

Sam Gerdt:

And then the flip side of that is we're giving, we're giving more eyes to these systems, more inputs, more sensors, and I feel like we're getting to this point, to where even our, like you were saying, we've shifted from a bolted-on approach to security to more of an integrated approach to security. Even there, I feel like we're so far behind that now we've got agents that, in particular tasks, can act with superhuman intelligence to analyze data and produce insights that could produce malicious attacks on individuals and then also could do things like, you know, brute force, but brute force in creative ways, where it's not even necessarily just trying a million passwords, it's, it's listening, you know, on your phone, on your, on your device, it's using those sensors that it's been given to try to break its way into your life. These are things that we can't necessarily protect against with single sign-on, because the approach is so, it's so human. How do we, how do we adapt to that?

Kristi Hoffmaster:

Wow, I would never presume to be the expert voice on speaking on how to address this. There are many voices out there and it is that question and asking that is kind of the golden question right now. For the world.

Kristi Hoffmaster:

You know NIST has put out an AI risk management framework recently in an AI resource and trust center that people and organizations can go to and kind of get the most recent questions and guidance from hundreds of private sector and federal contributions. So I would highly recommend everyone check that out. I would say the challenge is, inferring from what you're getting at, the challenge is we don't know. And when you don't know, as a TPRM professional, when we don't know the presence or absence of something, we assume the worst or we assume the highest risk is involved. So cybersecurity terminology that covers that would be zero trust. So there's the concept of when you are looking at something or when data is moving, when systems are interacting, you assume the worst. So there's zero trust. The gate is closed. Everything needs to be tightened up. So from a technical control aspect, what you would want to do is have as much monitoring as possible. When the eyes and the inputs are myriad and just out there exponentially, you have no idea. There's thousands or millions of data flows, inputs and connections; you would want to be monitoring that activity as much as possible. From a small business perspective, that's not always easy to do, but the number one, primary way that you can address authentication handshakes in those gates where that data is coming and going in transit is single sign-on, is phishing-resistant multifactor authentication. So you can, for example, say every system that our business uses must have this enabled. If the vendor cannot, you know, provide that single sign-on function and that MFA function, then we won't do business with them. That's just a requirement these days because we don't want that data leaking.

Kristi Hoffmaster:

Another thing that organizations can do is create an AI policy that's appropriate for your workforce. You know you could say the scope of this policy applies to everyone in the company and everyone in the organization and everyone who contracts with us to do services for us. And then you could say we are only going to allow this type of data to be processed from any system that uses AI. It could be anything that's publicly available to our company or our customers, or it could be. You know this kind of information is off limits and you train your workforce to say you know you have.

Kristi Hoffmaster:

If you're going to work here and be an employee, you've got to promise and commit to not putting such and such type of data into these systems, not sharing this type of information because we don't know yet, and then having those resources to be able to technically look at what's happening. You know, every technical software company these days should have experts who understand APIs and understand what kind of permissions and what kind of data is flowing with those APIs and what are the settings, what are the configurations for them. So, yeah, we're there. We're at a day where we look at the unknowns and we have to kind of assume the worst and understand more about what systems are doing and opt out where you can. You know, it's just reading, understanding those terms and understanding the terms of service for applications that your companies are relying on.

Sam Gerdt:

That's actually a really good answer to the question and I know that was a hard question.

Kristi Hoffmaster:

That's okay, thank you. It is a very big question right now.

Sam Gerdt:

It is. It's so big. If we're going to talk cybersecurity, we have to talk about it, because I feel like the cybersecurity industry has done such a great job of responding to the pressure of five years ago, just in time for us to see this new existential threat. And I don't mean, you know, existential threat in the sense that AI is going to wipe out humanity, but existential threat in the sense that, all of a sudden, we're facing intelligence you know, computer intelligence that is incredibly capable when acting maliciously, just like it's incredibly capable when acting for our good.

Kristi Hoffmaster:

Yeah, and getting your arms around that is a huge challenge. Just like I would make an analogy to social media. You know, some of the CEOs of the most prominent AI companies have faced Congress very recently saying we don't want to see a repeat of social media revolution happening with AI. In other words, we're asking for partnership with government to form regular you know legislation and regulation around this industry, but it's a global and that's another aspect of it is a global aspect of importance that we understand and this is something we need to teach the most vulnerable as well is that we do not live in our very narrow scoped society, local culture, anymore. This is a global world that we live in and we are globally dependent on each other and we are globally connected and the threats are global. So it is really important to understand that as we go forward.

Sam Gerdt:

Do you feel optimistic that that's going to be the case, that we will be able to control, to regulate the explosion of these technologies, or is it going to be the Wild West, like it was with social media?

Kristi Hoffmaster:

I think that it's an exciting dance of caution and innovation that's happening. Leadership in large tech companies we're all looking for the competitive edge and to see how this plays out and who the key players in these spaces are and how AI can innovate and help foster innovation. So, on one hand, I'm very optimistic healthcare technology security. I think that AI is going to bring a tremendous amount of innovation. I do also think, like social media, there's going to be more accountability. You look at the way that human beings operate now versus a decade ago.

Kristi Hoffmaster:

With social media, there is more accountability. If there is an altercation happening in a public square and someone is live streaming that to a social media platform, there is accountability where there used to not be. That I heard on the news the other day. The IRS either has or is stating that they will have the capability to rapidly investigate and analyze tax return information and data with AI in order to foster more accountability to the taxpayer. So there will be more accountability across the board as well. But there will be accidents and bumps along the way. Hopefully they're not tremendously harmful to society, but who's to say? It's an exciting time to be a human being on this earth and in outer space.

Sam Gerdt:

Yes, we're not just on the earth anymore, are we? Kind of getting right into that as well. We talk about this generation being a generation of transition and looking at initiatives that are going to be better for the younger generation coming up. We are going to leave them with a very different world, and so what are the ways in which we prepare the younger generation so that, as kids are getting into that career age, they're choosing a path that's going to be both beneficial for them but also beneficial for the world? And I think, specifically with regards to things like cybersecurity, what are the ways that we can foster the right attitude?

Kristi Hoffmaster:

That is such a great question. That kind of gets to the core of what I'm passionate about at this point in my life. Yeah, what a weighty responsibility we have in this generation. Like I said, I am a mom. I have children who are very much growing up in a culture that can be very frightening. There's a lot of unknowns. My son said to me the other day we were having dinner, maybe it was last night even, mom, this is a crazy world to grow up in. It's just crazy.

Kristi Hoffmaster:

So I think I mentioned our government. Our culture is trying to foster a quick pivot (nothing happens quickly in government) but a pivot to an attitude of, by design, conceptually educating humans as they grow up in primary and secondary education to understand the importance of keeping information safe and understanding how it impacts your personal safety with infrastructure and considering just the larger aspect of keeping systems safe. So we have a cyber force, a space force arm now in our military branches that is looking at satellite technology, securing everything above and around and below us, so encouraging people to understand that there are so many opportunities for them to work and do this work. And then, stepping back, there's that viral meme about disasters where people say it's Mr. Rogers and he says look for the helpers. Those are the ones in a crisis that will be, those are the ones doing the good.

Kristi Hoffmaster:

And so, stepping back and saying, which side do you want to be on? Do you want to be on the helper side or do you want to be on the side creating harm? And so I know it sounds cliche, but to me there's a lot of work to be done in protecting human life and protecting organizations and systems. There's a ton of work to be done and there's a lot of, you know, paths that you could take to do that work. And it's way more exciting, in my opinion.

Sam Gerdt:

We talked a little bit about normalizing some of this stuff, and we have. I think the stigma is dying away finally, but there was a time when I was growing up this was the case where there were the computer geeks and everybody else, and now it seems like what we need is an entire generation of computer geeks if we're going to get through this safely. Is that something that you agree with? I'm assuming the answer is absolutely yes.

Kristi Hoffmaster:

Yeah, I mean there have been publications from multiple agencies in our government about the dire need for increasing cyber workforce. But yeah, I think, since practically everything has gone digital in the last decade, this generation of students, you know it makes complete sense that things are out there and need to be kept safely secure. But there's so many fields that one person could go into and the beauty of cyber especially TPRM that I'm in, or any GRC role in cybersecurity is that you don't have to try on one hat and stay there. You know you could work in pen testing, you could work in vulnerability management, you could work in networking and you could even work in engineering and then pivot across the landscape. There's so many paths. So I don't think it's nerdy anymore. I think it's kind of really cool.

Sam Gerdt:

And I don't even mean that we necessarily need a full generation of people who are working in IT or cybersecurity or any of it, but there just needs to be this computer literacy so that even the guy you know who's building houses has a computer literacy to the point that he can protect himself against ever increasing, increasingly capable systems, these intelligent systems who are, you know, for better or worse, going to be looking at him.

Kristi Hoffmaster:

Yeah, and I think that I personally, I don't know if you do this, Sam, but every December I sit down and I create a word and I hone in on a word for the following year. It's my word and I want to see and challenge myself in everything out there. You know, I do a little personal retreat and meditate and I think about, like, what do I want my word to be and how am I asking it and inviting it to come into, like, all my interactions in my work life, my personal life, everything. And it's so interesting, I've been doing it for about seven years and I see, like, how crazy, in amazing ways, this word plays out. But I chose last year my word to be freedom and I think you're hitting on my word.

Kristi Hoffmaster:

There is just the concept of everyone wants freedom. Everyone, no matter what they do for a living, no matter how much they get paid, what their salary is, what their net worth is, what their family looks like, where they live they want freedom. So you know the company I work for, our part of our motto is freeing people to safely use any technology. So when you look at that the person who's owning or working with a small business you know, in South Carolina we have I-85 going from South Carolina to North Carolina. There are men out there building that highway. That's what they do sun up to sun down.

Kristi Hoffmaster:

They may not care about the app they're using out there and they may not. It may not matter to them, but once something happens with that application or that data that affects their freedom, that's when people's attention perks up, you know. So, I think, when you can tie cybersecurity and tie privacy to freedom and frame it in such a way that this is why this is important to us we would like to have freedom to get into the things we need to get into, to wrap up the things we need to wrap up at the end of the day, to walk away from things we don't have, you know, a need or interest in. That's why we care. We want to be free to use that technology.

Sam Gerdt:

It's a shame that we don't act more proactively when it comes to freedom. We do have that, you know, reaction to when it's taken away, but we don't proactively protect it all the time. And I think, you know, business, we've been talking about business also. Individuals absolutely have to realize that just the mere existence of the majority, of the majority of the technology today, it's not meant necessarily to make you more free. If you want freedom (freedom is your word), then you've got to understand that. Just blindly adopting a technology because maybe it, you know, maybe it frees up five minutes of your time per day, or maybe it makes you feel like, yeah, you've gained convenience.

Sam Gerdt:

That doesn't equate to freedom, and in many cases, what we're seeing these days is it actually equates to less freedom, because you are handing over so much information and that information is being used in ways that are not necessarily easy to recognize.

Kristi Hoffmaster:

Yeah, that's a great point. Humans are, we have data, and data is the commodity of you know. So that is the biggest consideration really, when it comes down to it is, we're all interacting with technology and we are the consumer at the end of the day.

Sam Gerdt:

We saw that with social media. We saw, you know, these platforms that were, you know, free. They didn't cost money. But then you ask how is this, how is this company valued at billions of dollars and their product is free? You know, any thinking person's going to look at that and recognize I'm the product. Like, I'm the value, not, you know, not my fee, not my wall.

Kristi Hoffmaster:

Yeah, there's some great books out there on that, about, you know, the social, the whole phenomenon of us being the product in this data commodity.

Sam Gerdt:

And we're going to see this again with AI. There are certain things that AI will not be able to do because it's not human, and humans. There's going to be the possibility, there's going to be the attempt to commoditize humans, to augment AI, and it should be the other way around. AI should augment the human experience, and so we need to be aware of that, I think, and resist it wherever we can in the name of that freedom that you're talking about. Recognizing, and I think this has come up in every interview I've had so far, recognizing that AI is a tool and people are where the value is.

Sam Gerdt:

And there's going to be that attempt to flip it around and say, oh no, people are the tool. AI is where the value is, and for companies especially. I really want to see this conscientious rejection of that and I want to see it play out.

Kristi Hoffmaster:

I think that you know, as we are trained in cybersecurity, in that field, the best practice mindset to have is that security needs to enable business. Security doesn't need to get in the way of business. So I think that full circle to what you're saying. When we can secure technology, we free up what really needs to happen, which is people being people, people interacting. You know business operating. So security is often perceived as getting in the way. But really, when security by design is followed in a business, operations and in systems development and in assessing it, looking at it, purchasing it all of that, the whole life cycle security can enable what needs to happen instead of getting in the way.

Sam Gerdt:

Absolutely so. One last question before we wrap this up, considering all that we've talked about: if you were to sit down with a small to mid-sized business owner, let's say a small business owner, today, what's the next step? We've talked about a lot here, but what's the practical next thing that this person needs to be thinking about?

Kristi Hoffmaster:

Looking at your resources, what is your budget? What do you have available to yourself to invest in an internal resource, an advisory or legal guide, whether that's hiring someone or consulting with or outsourcing, so getting your arms around, how can I secure what I have and how can I keep better promises to my customers that I'm going to keep their information safe? Making that investment before you need to is going to pay off, in my opinion. That would be my one next step guidance and then, of course, on a technical level, every point in your business where you need to have a credential and a login, secure that with MFA.

Sam Gerdt:

That's a good, practical one, because you can do that today.

Kristi Hoffmaster:

You can do that over the weekend, for sure.

Sam Gerdt:

One more thing building trust. How do we build trust when we're talking about communicating the value of trust? How do we do that when it comes to data and security?

Kristi Hoffmaster:

That's great. Trust and transparency go hand in hand, so openly stating what you're doing, why you're doing it and how you're doing it is really important. Every business could stand up a page that says businessnamedomain slash trust. Explain what you're doing with your customers' data, why it's important to running the business. From a technical standpoint, software companies can actually produce an SBOM, a software bill of materials, that shows what is in this software product, what vendor products, what libraries, what open source libraries are in this product. That came from an executive order from the US government, I think in 2021, which is asking companies to provide that software bill of materials from any private company, any company that's doing business with the government. But you can do that proactively. If you're a startup creating technology products, make an SBOM would be my practical advice as well. That promotes trust and transparency, saying here's what's in our stuff. Here, you can take a look at it and analyze it and see it, and also just managing your vulnerabilities.

Kristi Hoffmaster:

Looking at not just technical vulnerabilities with software, but looking at all your vulnerabilities. How are you managing those? That doesn't have to go on a public trust page, but that's something you can do internally and keep track of.

Sam Gerdt:

This has been such a good conversation.

Kristi Hoffmaster:

Thank you, I've enjoyed it.

Sam Gerdt:

I feel like I'm only halfway through, but I'm absolutely going to end it here. We may have to just have you back. There's so much that we could talk about here, but this is an excellent start. I'm glad we got to focus on cybersecurity from an individual level, cybersecurity from that small business perspective, because I feel like these are the people who most need to be paying attention and I think once we get the ball rolling on this, there's so much more to talk about. That may be on the more technical side, but for right now, this has been excellent.

Kristi Hoffmaster:

Thank you. Thank you for having me.