why recovering from a cyber attack is particularly hard, and that much harder than say recovering from your data center or cloud region, losing power or being flooded like a typical ITDR scenario, why is it more difficult under a cyberattack? Yeah. So I think the the big issue here is identifying boom. Right? So, boom is the time of the event. I think in a cyber event or a cyber attack unless somebody is immediately claiming, ownership of it. You see things progress as normal incidents. So if you if you overlay the NIST framework, which the first block there is identify, you may not be able to know exact what you're contending with. So the path you travel to go ahead and cure from that event becomes a bit cloudy. The other piece of this is whether it be, if you look at the other items on here, covering from a data center cloud, losing power being flooded. Again, identifying boom, those are availability events. Right? So if you think of the the the triad of of CIA's and confidentiality integrity and availability, Those are availability event events. Boom is known. It's relatively well rehearsed in, at least in the financial sector. Playbooks that I'm sure a lot of us have stored on on cutover are are immediately available. But, to be, to reiterate, from a cyber event, if you're dealing with a an availability issue, boom, baby, known, that it's an availability issue, but the the the vector that it took to travel there may be unknown. So you may may not know that it's, an nefarious actor play. So identifying that. Coupling that with, now that you know and you know how to recover from it, there may be other permutations that you've gotta go through to a protect audit trails because, you've got to go ahead and, be able to show what you've done is the right thing to do. You may be asked to protect evidence in some instances. By whether it be regulators or law enforcement, if it is a sizable, it's just called a breach for now. So that's an issue, but that's really still in the availability part of the triad. When you get into integrity or confidentiality, many other things come at play. So from an integrity point of view, what's been altered? My favorite adage with the integrity pieces the Superman movie with Richard Prior when he goes in ahead and moves the decimal point and steals fractions of pennies. You may have to go through a forensic process to go ahead and find out what code has been altered. To go ahead and go back to a clean version of that code in order to go now recover using that clean version and be able to move forward. On the confidentiality piece, whole other set of elements there. Right? You've gotta go ahead and stem the flow of blood. Right? You've gotta go ahead and ensure that not more things are leaking out. You've gone ahead and patched that hole Now, you've gotta go ahead and and and do an analysis to figure out, hey, what's been exfiltrated? So there's there's different elements and there's the again, the the boom piece becomes harder and harder to go ahead and delineate from a cyber point of view, a, because of the triad and the mixture there, and then couple that with, if it's a good nefarious actor, they're trying to protect their, the pathway in. So there may be blockades along that, along that recovery path. So in my mind, that's that's where I see the differentiation coming into play. I think, David, you certainly, went, very well across the the gamut of things there. Sent it on the the the piece so rightly said that it is a, it is a bad actor, whereas, hopefully, flood or losing power, it doesn't have an intelligence behind it to make things worse and not want to be detected. So they're absolutely right. In in calling those out. I I loved using that tried framework, and the reference is the list. Those these practices and frameworks I know I've personally found very useful. And I wanna see if if you had thoughts to, to add to that, as well to, to bring around the question. Yeah. I think David has has has really gone through extensively those reasons. I just want to bring in an angle, of, of the sheer pressure. So if it's a cyber attack of, and a bad actor who wants to be really malicious and and and it's it's big then, you know, your your name's gonna be on the papers. You know, and and there's going to be customers and and and the whole ecosystem worried about, you know, what is the exposure here? And it adds an angle of pressure that that adds a data center or a, you know, being flooded, etcetera doesn't really add. You know, it's it's there. You get, like like what David mentioned. In the recovery manual. You know what to do and hopefully you've got backup procedures so you can come from an alternate center or whatever it is. But but in the cyber attack, this this added pressure of really a million nice, you know, looking at you and and and kind of, you know, worrying about about what's that and on all the extra pressure you're gonna get because that makes it extremely hard to, to operate. And and it's a different kind of pressure than what you would feel like, like, if you data center lost power, for example. I don't know David if you you would agree with that. Yeah. Yeah. You bring you bring in an an interesting element to it. Right? It it's so it's their perception element. So, in in in our in my world, at least, I I've I'm not that intelligent, so I've broken things down into three pieces. Right? You've got extreme, you've got extreme applause when you've got extreme but implausible. For for some reason, from a downward or or a, a perception point of view from the outside, if something went down because of a flood or there's power outage northeast power out, you know, the the the grid that went out and whatever that was two thousand and two or so. That's an expectation, but for but the the outsiders don't view a, a cyber attack or the results of a cyber attack they don't expect that. Right? So there's this downward pressure and this this, even sideways pressure of that adds to public perception of, well, why weren't you prepared for that? Whereas it's it's frankly, if you go ahead and and you look at incidents, there's probably far more incidents on a on stemming from, a cyber, let let's see. We'll use the generic term cyber attack. Then there are physical, physical, events within an organization. So it's it's still not it's still not common place where people, people feel it shouldn't have happened. Even though my my my my friend Kevin Mandy from from Mandy until now from Google has been seeing for years, expect that you're attacked, expect that your hacked, expect that your stuff's out there just expected. Still hasn't really permeated people's gray matter to where that that should be an understood commonplace. And do you think, not to build too much out, David, but do you think all sets that's been a move that we've seen, over a number of years where it used to be a lot of the time that there was a big focus on prevention is fine. I'm gonna build all this preventative stuff, and don't worry about recovery because that would never happen. Obviously, organizations are really focus on prevention, and doing a fantastic job at it, but the the the the potential, like you say, your your colleague contact mentioned that that focused on recovery as well. Prevention is very important. Yeah. I think that there's a split. And and, Paul pun intended, cut over wouldn't exist without this sort of split. Right? So meaning the, I, like, the need to have these recovery plans and things like that is because bad stuff happens. How you bucket that bad stuff, again, whether it was extreme or extreme, but implausible, and and then you've got the the middle ground extreme, it's it it it just people don't expect it. And, I I think that people should be aware of, of, and maybe we're not doing a good job because we wanna protect our brand. And publishing statistics and things like that. And and, and maybe it's not maybe people wouldn't understand many of those statistics, but, you know, moving towards a a a more transparent view where a general set of statistics, I know that, Verizon publishes their report every year. I'm sure there's a million other places that publish their reports and say, listen, this is how many events that the sectors are dealing with on a constant basis. Maybe it'll be better understood, as how frequent these things are occurring and how often we're repelling them versus how often we have to recover from them. Very, very well put. There are a lot of cheap knocks at the door to for insecure ways in all the time. Fantastic. Really appreciated those insights. Dive in three, in perhaps session, we want the the next question. So the next question is what sort of mandate or driver? Is that a board level? To take a look at cyber and drive to close those gaps and have a have a good solution in place. Like how how focused is the the board on this or is it or is it left to the security teams, and operational resilience teams look at at this. The second component in terms of how can communication stakeholders be enhanced to towards board members or others, to ensure resilience. And perhaps three, you could kick us off, on this one. I can tell you that, for any major organization. And I I would have to scratch my head to find if there are, any exceptions. Cybersecurity is a board level ninety. And and the reason for that is, organizations are more connected than ever. I mean, it's a simple, we're connected to our suppliers, corrected to our customers. We're connected to regulators. We're corrected everywhere. Right? So I think, cybersecurity can has the potential to cause huge financial harm. A huge reputation on. And I think as as David alluded to, it can be extremely hard to recover from. So, this is this is a this is a key mandate information, risk management, insider security, plus there's a huge compliance angle to this as well, where organizations can be held liable if as the security is is not dealt with in a proper way. So I would say that, this is clearly board level mandate and and there are various assurance, mechanisms, you know, risk controls, internal audits, external audits, supplier audits, etcetera that make sure that, you know, this this is indeed the fact I mean, to your point to your earlier point to make sure that there's enough prevention, but also that there are there are clear recovery processes that are are documented. So how can, I mean, that that's my view? I mean, I would have to scratch my head and and and and and and really talk to any board member that can put up their hands and say that's not a board member. Yeah. I mean, I think you'll you'll be hard pressed to find one. How can you enhance communication? That's an interesting piece. Right? I mean, with things like cyber security, it's it's important to have a a a constant communication level and a constant sense that you need to keep your right and, you know, up for something like this because it's very easy to null into a sense of competency. Right? Oh, nothing happened in the last month. So let's forget or nothing happened in the last six months. Oh, this is no longer a threat. I mean, It's it's very easy. Right? I mean, so I I I think about it like safety. I mean, we always say, you know, in in organizations that are that safety is a hearts and minds thing. I think cybersecurity is is is is the same. So you've got to make sure that people make it a part of their awareness when they come to work. I don't care what level you are. Your board member, your senior leader, your your your someone that's just coming in to work on the laptop and do even no matter what you are, you've got to have a heightened awareness of cybersecurity. And, organizations can really try to do that by by ensuring that there are various campaigns that that make sure that this is skipped, in front and center of people, but also the other assurance mechanisms that we talked about, like, like, the different audience and and and assurance purposes. And and really, I think leadership communicating from upfront that this this indeed a big priority from various forums, you know, because communication in in things like cyber security has to be constant and it it has to employ various means, Yamapores, campaigns, etcetera. So there's there's no one size fits all. Right? I mean, you just have to employ whatever it is that that makes sense for your organization to that frequency. That that would be my view. That's really good point, sir. This is really the importance of communication. Sorry, David. Go ahead. Yeah. Sorry. I I my I'm I apologize. So I I was going to, on the first part of this question, it's, I agree one hundred percent that everything that she had to say In fact, in the financial sector, it's it's really one of those audible items from the regulators and internal. It's going to be I'm sure every I'm sure you've both saw, seeing what the, the solar winds, CISO is getting charged by the SCT. That's gonna play into it in interesting way. Maybe not today, but, in the near term, my guess would my guess would be that, boards are gonna the the the makeup of boards, will start changing if they haven't already to ensure that they have some sort of expertise in the cyber space or the opera space. That, they can go ahead and put the appropriate pressure on the CIS. Again, probably not today, but there's an eventuality to it, I would bet. And as far as the communication piece goes, without a doubt, it's it's it's a piece of resilience. I think that, Shree hit on on exactly those things who your, you know, your, your end users, your, as well as your, you know, employees, in this, in this financial sector, and and actually also I I I I disclosure, I sit on the board of what's called the Global Resilience Federation. It's across sector group that I lead called the Business Resilience Committee. Actually, there are, I don't know if shells on it, but there are a bunch of, energy producers on it. But the information sharing that we get from those forums. The financial sector was, one of the early adopters of these cross this, cross firm, information sharing in a very structured way, starting with the, physics, the financial sector specific warning council and the FSI SAC, SIFMA, all of those groups, we do a really good job at sharing information across those, the individual entities. And we do a really good job of not only communicating just across the, you know, the largest firms, but, pushing that information down in those and and and advice down to some of the smaller firms because, you know, from a supply chain point of view, sir, you you know this, I mean, it's It's the weakest link, and you've got this extended footprint because you have all of these suppliers these days. So that's another way from a communication point of view. I think that's enhanced resilience over the over the past two decades, I guess, now. I think you you give me to, to good thoughts, there, Dave. I think, I completely agree with you that, I think the of attack vector assumption is that folks won't collaborate so I could repeat this endlessly, and that collaborating is a fantastic, force for the good of share of sharing that data, anybody's bad day is everybody's bad day on a cyber attack. And so the the ability to share, this is how this was conducted. This was the vulnerability tester tried get that. I love the collaboration, across industries in that manner that is, that is so good. And those organizations you mentioned are all fantastic. We'll make sure that there's some way or folks attending can get get good links to go and read read up from those organizations. I do really like the collaboration, there. And the second point, really is think with the let's see the solar winds point. It gives the CSO seat as a hot seat, and we have to take care, devote to protect there because it's, fantastically important role. How much do you think within that, David, the, I suppose the, the need, coming from this and probably to agree, degree now anyway, for the CSO to be really clear on any potential gaps and, that the board has really good understanding if there was an acting on them. I I I wish you think that focus is coming more and more important reports. So, I think you have to have the capability at each level above, you know, from a step point of view to be able to question Jinn, at least at the minimum with the statement, have you thought about? Okay. So I I think that that capability at the very minimum needs needs to be there. Whether or not you need a past CSO, on your board who then has no other ability from, you know, doesn't have a financial acumen doesn't, has never run a business before. I think you've gotta go ahead and and and pick your your your some of your poisons here. I I've been on you know, I I've been in in two financial utilities in my life, and I've been lucky to see, that we've had people, board members who have had that capability to go ahead and push down on the CSO on the, you know, with this, on the CSO, on the opera's person to go ahead and say, again, the simplest statement, have you thought about x? And I think you're gonna see that. Now the bigger question is gonna be who in their right mind is gonna wanna sign up to Viasiso That's that's certainly gonna be the biggest question. What what this just did was raise the price of CISO is going forward. So or and and and probably, you know, everybody's agreement's gonna, you know, gonna contain insurance policies and things like that. So I think it's an interesting, I think it was an interesting step. I do think it's going to be an interesting vector forward. Completely completely great. And on that note, perhaps I shall, move on to the next question. Question three, which is what are the most common challenges that organizations face when recovering from a cyber attack? And maybe again, sweet. I could start with your good perspectives on this. Yeah. So I I think, organizations, but also ecosystem of organizations. So I'm committed more from a supply chain perspective. And and, you know, there are supply chains are connected and there are several levels through. So a malicious actor can can get in in one part of the of supply chain and, you know, the I mean, that could then quickly spread way across. I mean, it's probably one of the reasons why I think in report after report, I think in in twenty twenty three at least. Every major report I read on resilience calls out cybersecurity and cyber attacks is one of the biggest threats that our supply chain space. And that's going to make it so much harder in terms of recovery because I think, in the first question David pointed out, you know, just just the hardness. These are malicious actors. If they don't want to be, deducted, the extent of their proliferation remains unknown. And when you look at it from a chain perspective. It could be multiple organizations that that have been infected. So just just finding out, all of this containing the impact and then and then very very quickly putting putting defenses in place that that works not just for one particular organization but works across the ecosystem to me is a is a huge challenge. And and, and one that that that that can be the Cesar's nightmare, you know, that'd be very difficult to, confirm. The other thing is, you know, in terms of recovery, again, the the speed of recovery is is is really important. Right? And when you go for speed, there's always this nagging thing. Oh, did I just just leave one thing? It's a chronic unease that Did I actually solve the problem or is there something else that's looking that needs to be fixed here? Because the the most important thing is I've got to fix this and I've got to get my network up for business operations. Right? And and then things like a cyber attack unlike, I mean, initially we discussed about floods and, other type of threats you you kind of know that when you're up, you're really up. It's the unknown factor in the in the in a cyber attack that makes it that much more harder and that gives that much more unease that have you actually plugged all the leagues here and and are we actually good to go? You know, that's a that's a very difficult question. Answer. Yeah. So, to me, these are the the the two most important things that that comes to mind in terms of, you know, a a challenge. Yeah. Yeah. Yeah. I think that we do four point three. I like what you did there, Shree, with flood, and and have I plugged all the holes? I I saw I got that one. And I think what you said about the supply chain is really important because, it's it's what what the tiers of supply chain I've got this important component in my supply chain, and they've got these important components, and they've got these important components. It's, it's, can go on and on on, and it unlikely so all of those can be, a vulnerability to you and your capability to recover. So, yes, send folks. So we just think they're they're all, but the the wider org, and, and supply chain recovering is very important. And, yeah, a super important point. Perhaps, yeah, sorry David. Didn't mean to interrupt you, Papp's hand over to to get your perspective as well in this question. I interrupted you. I apologize. So I'm gonna this this this this part of the conversation usually works better with a whiteboard, but I'll try to do without it. So in recovery, I'm going back to CIA. I'm gonna deal with I in this point. So again, simple person, I look at things in, you know, as a data point of view as business data configs and bits of code, firmware, and an operating system. Okay? If you've got an integrity play here or integrity attack that now you have to move back courts. You've either gotta go to an older version of code. You've either gotta go to an older version of data or you've gotta go to an older OS or firmware that's not diseased. Just take it step forward. So older version of OS or firmware, you're not gonna know how your system's gonna react. Right? You can only go back so far. Functionality may be lost. In doing that, you may be opening up new vulnerabilities. K? That patches have then since have have then since, plugged the holes. Move into bits of code. Kai, how many versions do you think you could go backwards on your cut over platform and bits of code and still have functionality? Maybe two probably not two. Maybe one not even maybe two, you know, partials, but maybe not even one full version. So I think going backwards on that is is automatic also on bits of code. Now you get into business data. And so, I'll use an example about in July or June. One of the exchanges opened up the day. And ten stocks open the day at their fifty two week low. There was a glitch in the system. Okay? They repaired the glitch, but trades had already happened. Against that fifty two week low. Again, we're moving at speed of light for all of this stuff. Right? So they didn't reverse those trades. The exchanges didn't reverse take out those trades because the trades had happened subsequent instruments were focused on those. They couldn't- the knock on effect of pulling those trades back would have been enormous and it was just only ten stocks. Think about that in terms of going to clean versions of business data, right? Let's say you've gotta go ahead and recover from an integrity attack. And you say, well, we're gonna go backwards, e even a day. The world has moved on. So you're going this way. Sorry, you can't see my fingers. You're going this way. The world has moved on going this way. So, again, those knock on effects of backing up to clean versions of business data if you even can tell what those are, it is not really feasible, especially in in in my mind in the financial sector. I don't I don't know how you do that because, you know, the clearing and settlement cycles we backed up from t three to t two. We're trying to get to t one. Eventually, we'll get to real time, which there's no way you can back out anything at that point. Right? So, but each day, something is being cleared, settled, matched, cleared, and settled. There's no way you can back that data up without having a knock on effect that moves everything that that that that starts negating other instruments that have been, tied to those traits. So I think that the recovery, especially in the integrity world or the integrity threat vector, is problematic because of things like that. I've been wearing this sort of sandwich board for about a, I guess, it's about about fourteen or fifteen years now, which is I think one of the paths forward on this is to actually what I call fail forward, under the concept of Failing backwards isn't feasible. You can't negate all these trades and all the knock on effect. Can you go ahead and re baseline and fail forward and start dealing with book entries and things like that. It hasn't received much traction. Maybe it will by the time I'm ready to retire. But, I don't I don't see that this is one of the this is one of the issues, I think, with recovery, especially an integrity attack, that you have because known good state may not be feasible to go back to you because of either functionality introducing new risk because patches may not be there or that that world has moved forward and going backwards on business data is not does it really doesn't work? I I think you you don't know, a key spot there that business data component is so hard. I think from your spectrum that you you you went you mentioned earlier, David, I think the the ability to sort of rehydrate the application although it takes time is is is fairly simple. I think, the the sort of pernicious nature of of these attacks where as you say, you're not quite sure which data set you can rely on, causes all kinds of problems. And I think that problems you highlight a day. And I often think they're multiplied again if you think of like all the important business service that you want don't wanna call causing tolerable harm to the consumer on. Maybe there are choose a number between five and twenty applications supporting that. And then you've just multiplied the problem you've talked about by twenty because each of them, when was their data snapshot and it's not in sync for the process, and, you might be able to recover new transactions, and then there's a period, where you'd recover previous, and all these things become become very difficult. And yes, there's clever people thinking about them and got ways forward on them, but, that that just makes the challenge here, even so much harder to, to, to, to, to, the, the data integrity is supported. The best way to fix it is time travel, I think. You know, flux capacitor and delorean from back to the future. That's the best way to go ahead and Yeah. Well, I think it's just the awareness of that complexity that folks know about it. It's it's so important. So thanks for Thanks for highlighting highlighting that. So, perhaps if I I now move forward to to question four, where, So question four is we talk a lot about the technology component of a cyber attack and yes, the technology in the enterprise supports all the business processes just as we talked about but how should an organization think about cyber resilience recovery in terms of people customers in the non technology dimension that would often be a way we'd look at these things from a wider operational resilience, lens for some other things that maybe aren't cyber related but in the cyber component, how should we think of the the non technology dimension and maybe if I could start with you, David, this time. I think they're inextricably linked. I mean, I I don't know that at this day and age, you can separate those two. I think it depends on where the attack comes in on, what layer and who's affected. But this is no longer the day. So the first place I, worked at, was the clearing house. So literally, I just called the Temple of Money. I was down on Broadstreet, and people would bring gold. Like, that's where if JP Morgan and the internet or the New York Tanner Bank owed each other money, they would settle it there with with gold. And then it went to bare bonds and things like that. That's not how it exists anymore. I mean, yes, there are, there are still some certificates floating around, but ultimately those things have been demi what's called dematerialized. And, there's electronic versions of it. So even on the customer end, It's it's not clear to me that people would know how to react in a non technology way to go ahead and go about their day if something major happened. And I I mean, upstairs in my room, there's probably a couple thousand dollars. Right? I have no idea what to do with it. I mean, I probably should bring it to a bank. It should go in my sick. But but, you know, I if I give my kid if my kids get cash, they go, can you just I don't know what to can you just take this and give you then know me or whatever, you know? So I I think that these things are, inextricably linked. I think from a HMI human machine interface point of view, you know, essentially, we we become cyborgs. And whether you're on the consumer end of it or you're an FTE or consultant working on something, that keyboard or that screen is is now part of you. And, I think getting people to understand I think they understand it, but, in the sense of a cyber attack, what they do, I think it depends on whether it's the end use whether it's the, you know, the internal, whether the FDA or consultant working on something. How do you work around it? Is there is there a I don't know if there's gonna be a non technology dimension in many instances to go work around things. But is there a, I'll I'll I'll you it this way. A alternate technology dimension where things can be. I I I typically use this. I'm gonna use this. You know, I typically am interfacing with, this program or this this set code, I'm going to go over here and use this set. So I I don't know that we're gonna go backwards in time. And by the way, if we go backwards in time, long periods of time, it's gonna be problematic. But I don't know. We're gonna go backwards in time to, to a point where people can navigate their lives, without that technology dimension, which exists on us at all times right now. There's I know that while we're on a screen, even if the screen went dead, you are both within arms reach of your phone, which has your banking on it, your communication, your schedule, everything else. So, I don't think we move away from that any soon. And if we do, we've got much bigger problems. I agree with you, and and and the way they are inextricably linked, can lead to technology driving the people component to be a method of attacking the system through social engineering and wider, which becomes more and more problematic so we appreciate those those perspectives there, David. I wonder if she can get your perspective also. No. I I kinda would agree with with, I mean, I love the example of, J. P. Morgan and the counterparty settling in. You know, it's lots of gold. I mean, that that's really interesting. I also started my career in a in a manual stock exchange back in India where they had paper slips that you had to go and some reconcile that people would pour over it. He had files and files and files of stuff. But anyway, let's not belabor the point, but but yeah, I agree that it's going to be hard. I guess an area where it's not a technology dimension, but it is. I mean, I know I'm I'm I'm now it's it's a bit of an oxymoronus in the resilience piece. And that goes back to training your organization and a customer to have heightened awareness of cybersecurity with. So I think many organizations run the things secure campaigns and, you know, stop fishing campaigns and, cyber fundamentals training and and be aware of attacks and recognize bad actors. So I guess people are your best defense. When it comes to prevention and lots of children in recovery. It it it it it's got to be technology. But in terms of prevention and in terms of, you know, the hearts and minds of people instilling a heightened awareness of of cybersecurity through multiple means and campaigns, it probably builds resilience. It also has a technology component, by the way, because you've got to run these campaigns on something. So it display technology based, but that's the big, people component. And that's got to happen both within your own organization, but also within the wider ecosystem that you deal with to to build this heightened awareness. Yeah. I remember that once, I I got an email and, and despite my heightened awareness, I ended up clicking on it, and it happened be a a a a a fishing test to see if I would I would buy it and I got this ugly bill and I was like, oh my god, you know, this is so well disguised that, even I couldn't find it. And it was like, I felt bad and I was like never again, you know, so this time when when something like that comes through, I I'm checking ten times to make sure that, you know, I I report everything that I possibly can. So, yeah, but but people are your best defense. And I guess, these type of campaigns that creates a heightened awareness awareness but build resilience in the sense that you are now it it reduces your organization's threat, of exposure, to cyber attacks. Yeah. Because most attacks come through through people, not not not being having their antenna up, you know, clicking that zip file or or clicking something where they inadvertently expose the numbers. I mean, that that's possibly a vast majority of how cyber to get in, to your organization. No. Very useful folks. I just wanted to say at this point, in the discussion that we're seeing some great and interesting questions coming through from the audience. Really appreciate that you submitting those. We'll see how many we can get through in the time allotted. So please keep suggesting those, and, further ado, I shall proceed to question five, which is what regulations and requirements should organizations be aware of, in relation to a cyber event and our panelists aware of new and upcoming regulations, that people should bear in mind, and perhaps, David, that could get your perspective first on this one? Yeah. I I there's there's a lot. And and so there's there's a lot that are explicit. There's a lot that are implied. And I and I think, metting those out is is or vetting those out, I should say, is is is sometimes difficult. On the more explicit side, you have things like, Door that's coming out in, in Europe, on, on, on, in the United States, you had reg SCI, put out by the SEC, There were elements in there for cyber resilience there, but it was a broader operational resilience and technology resilience, but there's they're they're definitely elements in there. I I think that you're seeing modifications, the FFIC handbook to go ahead and and and be more and more explicit with, what examiners should look for and therefore what you've got to go ahead and look for. I I think that the new frontier, in fact, I think I spoke at a panel on another Marcus event, Marcus Evans event, but is the street area, which is, you know, the, the supply chain element. And, the, you know, the, the buyer of the service is now, it's incumbent upon them to understand practices like cyber resilience and like cyber security, from their third party. And frankly, it's bleeding over into the fourth party. I don't know eventually where this ocean ends, but, there there's there's a there's a lot of requirements that are coming down the pipe. NAS, the monetary authority of Singapore came out with something a couple years ago underneath there. I think it was in their business continuity, segment, which really focused on third party and, and, and that type of resilience. So I think you're gonna see more and more focus on the supply chain? Yeah. I have to agree with that. And and and like what David mentioned. It's a myriad of migrations. It's coming up. So it's hard to keep up with, you know, what's, what's coming out on a day to day, basis, which is kinda why I think, ink reasonably you, there is a lot of reliance on resilience type cyber, resilience supply chain resilience software to actually come up with, you know, hey, are you really aware of this? And, you know, have you have you actually thought about it, especially in global organizations that tend to operate in multiple geographies and areas. Yeah. Yeah. I think it is tricky, three. I think that as you say, where does that, where does that defend, on supply chain, and also with the, the regulators being very aware of the, the cyber risk, the, the increasing focus. I think David mentioned some that are really focused on financial services, but it it goes wider and wider than financial services now, because the risk is very apparent. From supply chain and and the core organization, but I appreciate you appreciate you sharing that. So what I, suggest, we, we move to now is to answering, some of those, Q and A questions and and see if we can, go through those. So if I just So I wondered, maybe if I could, start with yourself three on the, the first one of these, which is, what would you want to see in a cyber incident in terms of recovering services, would you expect live dashboards that you could look at to show you which services are recovering? You could self serve how to get that information, on the technology services recovering all sort of manual updates and open bridges where you're on the telephone a lot. Once an hour, you get an update. And how would you, like to sort of consume and understand a recovery, if you're in the middle of an incident like this? Yeah. So I don't think it's, this or that. I think, recovering from a cyber attack is going to call upon your situation management processes, which automatically triggers the bridges and and and and you know the the regular updates and and and the various level of bridges. Right? So there'll be the the the kind of the the management bridges, but there's also the operational bridges. So, that is that is just simply gonna happen because that's been ingrained in our situation matching processes. At the same time, I think I would love to see, live dashboards where you can actually see what is happening. Because, you know, there's got to be multiple bridges that you need to be in and and if you're at one, you want to quickly have a view on the other, having those dashboards would, would definitely help. Yeah. So I think it's a combination. And then, in in terms of you know, updates in terms of frequency, etcetera. I think more or less you know, if you are managing these these incidents or if you're a business leader that's been exposed to this, you're gonna get extremely frequent updates at least. At a minimum, and and hourly updates while I don't think there's any getting away from that either. But I would love to see if this is streamlined so that you get you get one update that that gives you, okay, here's what's here's what's on the recovery parts. Here's what we're still not sure about. We're still working on, and here's the agreed actions, here's the communication plan, here's what you need to say. And and by the way, here's what you need to do next year. So the all that is concise, and and and well, in a easy to understand format, I think that would be highly appreciated. That's very sweet. And, I wonder if I could get your perspective on this, David, about what you would want to see in a cyber incident in terms of recovering services, how would you like to get your updates? Would you like sort of self service dashboards so you can understand when services are recovering, open bridges with manual dialogue, dialogues and manual updates, How how do you sort of see this world and what would you like in that situation? Yeah. I think all of those are are the right things. I I the the what I've what I've sort of, a new mantra that I've come up with recently has been recently in the last three years, probably time of day, day to week, week of the month, month to year all matter. Right? So, being able to see, what is the next thing that can be prevented in the recovery, whether it be let let's just let's do it simple and keep it as an availability issue. But seeing what the next critical street time for the financial sector is or processing time, and how we can go ahead and marshal resources in that direction. That's that's the thing that I think, it would be the best is is is that dynamic view, not just a static view that, you know, we rely on some treasure map to get there, but that dynamic view and to see how, time to cure versus what the next impact level would be. Well, thank you for that. I think, again, very good insights, for me both on that. And perhaps, let's move on to to another question. Which would be, how important is the audit trail after such an event and and learning from it And maybe this time I start with yourself, David? I mean, that's an interesting one. I mean, I've been part of CIKR for a really long period of time. So, critical infrastructure key resource. And and part of it, I'll go back to I'll add the part of it is speed to recovery. Now it's speed to recovery in a safe manner. But, I, in my past, it's kind of been Listen, we need to go ahead and get things going because of the knock on effects potentially, globally here. So in in doing that, maybe ask questions, even maybe maybe maybe you, you know, you take the rod later in in in terms of of of, not following a particular trail or, or, or, or, or, or, you deviated from what your standard practice is. I do think that that's probably not the right way. But it's it's a it's a way that given, again, where, you know, the places I've worked at fall in the ecosystem. It's it's sort of been, a way that I viewed it. I do think that audit trails are important, and I think they're important for one main reason. I think lessons learned are a huge part of the life cycle. And learning from them is a huge part of life cycle to improve where you ultimately, wind up. So I do think that that's, a a really key element in in protecting your audit trailers. What can you learn from it? Yeah. I think that's a very good point. David, I think that I I certainly found we're involved in similar things that in the middle of the moment, fighting to fix forward or whatever, that, if you asked me a couple of days later, what we actually did very hard for me to have an objective memory of those things. We kind of work really hard, for forty eight hours, and it ate some pizza and, kind of, the job job was done, but I couldn't tell how to move that afterwards, that lessons learned into of an emotive discussion and more of a sort of objective discussion over an audit trail. I I've certainly found that, a key benefit, but, I wonder if it's free. You've got some other components that you want to add to that. Yeah. So I think I agree that it's it's important to to note exactly what happened, but also the and why did it happen? The whole five eyes, root cause analysis, and and and and learning. So you have to build a learning culture in your organization around cybersecurity. You know, because the the only way that the bad actors are keeping ahead of the game is by constantly remitting themselves. So I think the the best defense against that is us, as organizations constantly learning and and and and having a view of what exactly are they up to so that can aid both your recovery and and your prevention activities. So I think the the learning aspect is is is very critical. Very good. And then perhaps we've got time for one more question. And, maybe three I could start with you this time about how organizations can test their cyber recovery plans to ensure they're effective and not just, yeah, just writing a document to tick a box. No. This has got to be a live testing. I think how many organizations are, familiar with the disaster recovery testing and they have protocols in place to actually test those situations. There's also business continuity testing that happens. So cyber security, and and and recovering from cyber cyber attacks is is is exactly the same. Yeah. So you put a test protocol in place. You have a live situation happening and you activate the whole, your, your, your business continuity process so that, you know, you can actually test from it. Now in terms of test service and things like that, it will have to be, based on the business that is wanting to test it. Like, organizations like ours, we have multiple businesses. So we'll have to isolate, like, one part of the business, or or it can be the whole organization that depends on the ability to of the organization to actually pull off, such a test. But, to me, it's very similar to what you would do for business continuity testing or disaster recovery testing. Thanks three for that. And I wonder if David, do you want to add to that? It it's tough. I mean, you're talking about if you're gonna do it the the right way that's gonna mimic, your environment, you could scale it down. And say we have x amount of boxes, we're gonna do one percent of x amount of boxes, and we're gonna put it in a air gap area, and we're gonna disease those things. And in fact, you'll you'll find like, folks that have come up, they probably have a twenty u rack in their basement of old equipment that they go in disease on their own at home, right, to go ahead and practice this stuff. But when when you when you think about it doing it at scale, that's really difficult. And, I think that it's the best way to do it, to have live fire There's nothing like the threat of live ammo, right? But it's, it's it's fairly difficult to do it. And I think it's fairly difficult to do it in a safe way. Now containers and cloud and things like that, maybe provide that extra capability. But, you know, legacy tech and and and and data infrastructure, data center infrastructure. It's, it's risky. But I think it's, it's ultimately the, the only way you can do it is, is through live fire. I I did certainly agree. And I think it as you say, it's it's you can maybe do some staged things of a bare metal recovery of an application. But but to understand what it would be like if it was a pervasive attack across a number of services or some horizontal components that are, a lot of services rely on, then you'd almost have like a full copy of your production environment, which, yeah, how do you maintain that? But as you say, the practices are very useful to do that application, even so to to learn some things, but, yeah, that sort of, the folks that really get it, who as you say are, taking things down and learning from it as much as possible, sort of a train easy fight, feel feel well that's the, the sort of best way forward. There's, there's no simple panacea to this stuff again for the complexity of the data integrity as well as the application code. But, doing those sorts of things that we've said there across what you've all said. It's really, and, Dave. I think that, that's the best you can do. I think that, it draws to the conclusion, the Q and A section, all we've got time for today. I really do want to thank, the opportunity to talk to Stream and David our panelists that shed some really good insights there. Certainly learned a lot and was scribbling notes myself, during the the webinar, and and can't wait and hope that, the audience you all feel that that was a informative, and you you learned a lot. And, yeah, thanks again to our guests, and really enjoyed the the opportunity to have this discussion. Thank you both very Thanks for having us. Adding back. Great. Thank you so much, Kai. Special thank you to amazing, today for your great insights and being so generous with your time. I really believe it was an interesting discussion. I'm sure everyone, benefited from it one way or another. And on behalf of myself and Marcus Evans, we just like to thank you all so much for the collaboration. To turn things back to the audience quickly. I reminded to look out for an email within the next two hours with links to view today's material. We'd like to thank you for submitting any questions. If we didn't get a chance to, address all of them, we'll make sure to send you an email after the broadcast. And we'd love to hear your feedback about what you thought about today's webinar. A brief survey will pop up on your screen in just a moment and would really appreciate your comments. On behalf of Katover and Marcus Evans. We'd just like to thank you all so much for joining us today, and we do hope to see you again in the future of it. Thank you very much, everyone. Have a wonderful day further.
.webp)
.webp)
