Cybersecurity in an Economic Downturn
Informal chat with our host Reece Guida, CTO Jasson Casey, and VP of Product Strategy Husnain Bajwa on what security technologies are most and least impacted by recent layoffs across many industries, and what threats are being overblown or overlooked as a result.
Hello, and welcome to a holiday episode of "Cybersecurity Hot Takes." I'm just calling it that because I'm wearing a white sweater and there's a red background behind me. This is going to be one of our last episodes for the year and a very interesting one. So gather around the Christmas tree, and listen to me your host, Reece Guida, talk about today's hot take with our CTO, Jasson Casey.
Say hi, Jasson.
Hi, Jasson. When you introduced us, I thought you said hotcakes.
I want a hotcake now. HB, what about you? You in the mood for a hotcake?
Sure. Sounds good to me.
I actually don't know what a hot cake is, guys. So, to kind of deflect from me not knowing what a hot cake is, other than maybe a food item, I'm going to go right into this week's hot take, which is actually really more of a question. You know, we've seen a lot of layoffs happening. And that definitely has an impact on security. So, I'm going to ask you guys this: what security technologies are most and least impacted by recent layoffs across many industries, and what threats are being overblown or overlooked as a result?
So you guys kind of got to juggle both sides of the spectrum there.
So, it's kind of... I don't know if I would say what technology is most affected by layoffs, other than the obvious thing like technology that requires people that no longer exist. Honestly, I think it shines more on, like, process and quality of an organization than anything. Like, a well-run organization has process and institutional learning in place and it can survive the loss of people.
And as opposed to either a poorly run organization, and a poorly run organization that can perform well usually performs well through heroic effort, and just having the right people with the right encyclopedias in their heads. And they may or may not be affected, depending on who got their tickets punched. So, I don't know, it's kind of hard to answer from a technology perspective on my side as opposed...
I mean, I can use some specific examples, right? Like, maybe let's think about social engineering. You get an email in your inbox that says you've been laid off, it's quote, you know, from your CEO, and you have to click on a link to begin the offboarding process. And that link is a phishing link, stuff like that.
So maybe phishing attacks, DLP.
There's always those sorts of things going on in any company, right? There's always, like, fears to play off of. So, yeah, I don't know if I buy it.
I think the turmoil definitely does introduce some interesting elements. Like, I think, to Jasson's point, well-run companies have a lot of processes around them. But I would say that well-run big companies have processes around them or at least mature companies, I think, for the startups of the world. If you dig much below the surface of any initial compliance certifications that someone might achieve, the organizational management pieces and the organizational resilience pieces, whether or not someone's doing, like disaster recovery, tabletops, and appropriate reviews across the entire surface of people who might be involved in those types of exercises, it generally isn't happening as much as we'd like it to happen.
I do think that a lot of products that were sort of falling into this default bucket of defense in depth are going to struggle. I think the newer categories where more and more products are coming in with just adding on an additional layer, and to Jasson's point, they increase the alert surface.
And there's no one in these, like, SOC organizations, the security operations centers to really take those alerts, and the technologies that were supposed to help the AI and machine learning, technologies that were supposed to improve filtering. What they've done is they've really given us, like, an overwhelming amount of anomaly alerts and created challenges.
And to your point, like, on the prevention side... So, I think a lot of the detection response products will have an uphill battle in terms of proving operational effectiveness and sufficient deployability to add real value and not having a net impact of requiring more staffing.
I think on the prevention side, your points are well-taken that social engineering. Any kind of turmoil impacts you, right, like, the whole thing where the Singapore police sent out a notice because there were so many Singaporeans impacted by the FTX collapse. And there were all of the SBF deep fakes and special websites set up to look like law enforcement trying to support refunds where they were really just trying to get access to people's FTX credentials.
That kind of stuff is just going to creep more and more into situations, like, you know, when you're doing mass layoffs, people don't know who's active. If you're in token marketplaces and able to access messaging platforms, if people aren't attending to appropriate hygiene on removing users quickly and consistently across the board, you're going to have a lot of issues there.
I think it does definitely call into question people who have long-lived token lifetimes, and weak security practices, and environments that are prone to phishing attacks.
Yeah, I think the off-boarding piece is especially problematic.
Yeah, I'm going to take the contrarian view, right? It doesn't matter whether you're a startup or a large company. You either perform security operations or you don't. And security operations is like joining an athletics team, right? A team that never practices is not a team, right? A team that never practices never wins a game, never does anything.
Security operations is a team sport, and it's driven by people, right? It's not driven by... Well, yeah, it's not driven by anything other than the people, right? So, if there is a team that practices, if there is a team that organizes, it's going to have institutional knowledge, right? Whether it has X number of employees or X minus some other number of employees, right?
If we're talking about building out things for the future, I think that's a different discussion. And as kind of the fear environment ebbs and flows, yeah, I'm sure you can change the noise floor, and maybe change the incident rate. But remember, an incident is not a breach. An incident is not an outcome.
An incident is something that a team essentially responds or doesn't respond to. And so, yeah, I don't think the... When an organization has a layoff, unless it's eliminating a function, if that function truly existed before, from an operations perspective, it still exists.
So, that is to say that you're excluding Twitter, and layoffs involving more than half of your organization.
Well, so I think Twitter is different in a couple of different ways, right? It's not obvious that Twitter had a company-wide operational cadence on a lot of things. There's a lot of things that we don't... There's a lot of optics that we can see and there's probably a larger part of it that we just don't know what's going on.
So I do think it's kind of hard to comment. But just think about it from a common sense perspective, right? Like, any security operations team that does not practice is not a team. It doesn't matter if it's a startup or a big company, plain and simple. A team that practices is a team that institutionalizes plays, right? A team that doesn't practice, A, is never started. So, whether there is a layoff or not, you're not really changing much.
That's the crux of the argument.
Teams also have bye weeks, right? I think that hackers... I mean, we certainly saw this, this summer with a lot of the phishing attacks. When security teams are out of the office, hackers exploit that. So, it's not the same thing as layoffs, right? But we are coming up on the holidays, people are going to be more lax or away from their desks.
I feel like the likelihood of an incident does get higher in those environments, and maybe layoffs kind of exacerbate that problem as well. I don't want to make any kind of predictions like that but it is a pattern that has played out before.
That's one of the reasons.
I was just going to say I could see it making someone's life harder in the operations team. I don't see it withdrawing the operations function.
I don't think that that's a big reason why organizations that do practice, to Jasson's point, and do, like, have relatively well-defined security practices. They're disinclined to make changes in December. So, like, you tend to see organizations recognizing that these are times when limiting your change windows and instituting stricter change controls is generally a good idea.
This is a big time for cybersecurity, right? Like, at the end of the year, during this break period, it's one of the only times when people focus on sort of legacy models of infrastructure, key rotation, so, moving to archival keys, introducing new keys, going through, and retesting all of your data environments to make sure that you have continuity.
So, there's a lot of that stuff that goes on. I do think that a lot of the changes that we're seeing in organizations, the desire to be more efficient and less lumpy, and sort of take a look at this, like, increasing threat surface.
I think from a detection response standpoint, there's definitely a lot of noise in motion that seems to be emerging in the managed detection and response space. And I think that's a reflection of sort of how messy detection and response-based strategies are.
You end up spending an enormous amount on tooling. And then you have... If you do want to essentially use all of your players and run through these exercises, it becomes much harder when you have a team of 200 and not 12.
I can't help but come back to, like, scale doesn't make something go. Scale just makes it go faster, right? If I'm scaling something down, I'm not removing its core function generally, right? I'm just letting it do less, right? Garbage in, garbage out.
A team either existed before it changed size or it didn't, right? Like, and a body of people is not a team. And to some of your points, I think that's really just an indictment that people buy stuff and don't deploy it and don't actually incorporate it in the fabric of their operations. It's not an indictment of having fewer people.
It's an indictment of them never actually having done anything with it useful, to begin with.
But to that point, like, I feel like there's an element of that where these shifts and changes are acting as a mirror or a magnifying lens on those operational problems that you're describing.
Oh, for sure.
But, you know, these changes that we're seeing in Twitter, like, you know, aside from sort of the daily bombast of tweets from the chief twit or whatever, the whistleblower report was really illustrative, right? Like, the idea that there were so many fundamental security controls that weren't in place, anything to make sure that the endpoint devices were properly tracked.
When backups of endpoints began to fail, they simply stopped considering the backups a critical function. And I think a lot of organizations are in the situation where, when the tide was helping all boats, lifting all boats, a lot of these, like, practices sort of went to the wayside.
And I think a lot of people will spend time revisiting this, and really thinking through what their real risk surface is, and what they're willing to put in jeopardy from a compliance and brand reputation standpoint.
So, I feel like that kind of... So, when the whistleblower report came out, it was really before any sort of cuts, right, or before the impact of any real cuts. And in my mind, it's kind of a... Isn't it confirmation that essentially there was no real thing in place to begin with? So, if I change the size of the organization, is it really gonna have that much of an impact?
Maybe it could make things easier to build back up with fewer complexities. And it sounds weird to say, I don't want to be the Twitter apologist. It's like the things going on there are best-case entertaining, worst-case horrifying, but I don't know, if it was that broken before, how does scaling down impact it that much?
And maybe it could give them an opportunity to actually build back better, right? And that was a weird, like, coincidence of that phrase, too.
I do think, like, if you look at these situations and the gaps that exist, it seems pretty obvious to me that identity will be a major part of the conversation. And my biggest fear is that the absence of a lot of these, like, institutional methods will lead people to do what we often do in times of fear is, like, resort to what seems like or sounds like a decent solution but still requires those underlying operational principles.
So, like, I think, focusing on IGA, and GRC, or PIM and PAM versus fundamentally your identity processes, and your identity strength, and what you can do to improve that prevention surface. I think it's going to be an interesting next year to see how people encounter that.
When you said what people do in a case of fear, my mind immediately went to movie theater nachos.
Comfort. Comfort food/garbage.
Yeah. And defensively looking for products and vendors that can absolve you of responsibilities of comfort and sort of at least the appearance of safe choices.
Well, if nachos are real or if they're a metaphor, they're still very comforting. Thank you for tuning in to this episode and all the other episodes this year. Why don't you cozy up by a fireplace and, you know, give some of the old ones a rewind, or at the very least, give me the gift of smashing the Subscribe button?
We've got a lot more exciting topics cooked up for next year. Thank you for tuning in today, and we wish you a happy holiday season.