Protect Business-Critical Data with CRS

November 21, 2022

Jessica Hetrick, Optiv’s Cyber Resilience Leader, sits down with the hosts of Cyber Security Matters to discuss the security of business-critical assets and what resilience means for enterprises in the digital transformation era.

 

Dominic Vogel: Hello, everyone. Welcome to a new, fantastic edition of the Cyber Security Matters podcast. I'm your host, Dominic Vogel, and joining me, as always, is my jolly, old co-host, Christian Redshaw. Christian, how are you doing today?

 

Christian Redshaw: Thank you so much for that Santa-Claus-like description of me. I appreciate that. You're talking about a fantastic episode, we better deliver on this. Who do we have as a guest today?

 

Dominic Vogel: Well, we have the high-energy Jessica Hetrick. She is the Cyber Strategy and Resilience Leader at Optiv, based in Phoenix, Arizona. Really looking forward to having her on the show. I think this will be an absolutely fantastic conversation.

 

Christian Redshaw: Let's bring her on.

 

Dominic Vogel: Jessica, thank you so much for joining us on the Cybersecurity Matters podcast. How are you doing today?

 

Jessica Hetrick: I'm doing very well, thanks for having me.

 

Dominic Vogel: Well, I know Chris and I are really looking forward to this conversation. And I thought maybe we'd start with you, sharing a little bit about yourself, you know, sharing your personal career narrative, just so our viewers and listeners can get to learn a little bit more about you.

 

Jessica Hetrick: Absolutely, no, I'm very excited to be here. A little bit about me, though. So I actually went to military school. I have a very unique college experience, in that I went to The Citadel. I played volleyball, it's a D1 school. Not super big D1, but I played volleyball. So you'll hear the kind of team sports part of me come out a little bit, that coach side, just a little bit throughout the conversation. Apparently, it's a pretty normal thing for me. But no, I played volleyball in college, D1. I went straight from The Citadel into the FBI. I had some really great points of contact, and I got the opportunity, to not only intern while I was in school, and then started my career with them, more on the analytics side. And I got asked by my boss, she said, "Hey, you wanna do cyber?" I said, "I don't know what that means, sure." And that's where actually my career in cyber started, which is well more than a decade now. I did cybersecurity investigations, for both the criminal and the national security side of the house at the Bureau. From there, I really wanted to hit something proactive. I saw the adversary, you know, all the bad guys out there. We focused on strategic threats out of the field office that I worked in. And I really wanted to do something more proactive. And so I actually started to talk to some of the law enforcement officers, my coworkers, and started to really get a good feel for what the intelligence community could actually give you. And so I joined the CIA. And I actually went and supported operations as the Director of Digital Innovation. I got to do all kinds of really fun things. And maybe over a beer, I'll share some stories, but only maybe. No, I thoroughly enjoyed my time with the agency, and then life happened. And I wanted to be back in sunny Phoenix, Arizona, which is where I'm currently located. I got married. I joined a Fortune 200 organization. Did the whole white picket fence thing.
I have two wonderful dogs, who may or may not make an appearance on the show. And I decided to join a Fortune 200 organization, and got to sit on the client side. I got to support management of a third-party provider. I got to do all kinds of things, set up a threat hunting program, threat intelligence, worked incident management. Got to do a lot of different, really unique things. And I was fortunate enough to have a very forward-leading CISO. And then I realized I wanted to have more of a broad understanding. So I joined Cisco Talos, where I was a senior global incident response commander, and I helped Cisco's clients on their worst days. I got to see some really bad ransomware cases. I got to, you know, help clients and partner with them, and think a little bit different about how to solve their really big problems that they were dealing with at that time. And of course, everybody's hair was on fire, so it wasn't so much solve the problem, it was fix it. And it wasn't necessarily methodical all the time. So I really went back and forth, between reactive, and proactive in my career. I really wanted to get back to proactive, and so I joined Optiv, almost two years ago now to really sit more on that proactive side. And I get to help lead our cyber resilience practice here.

 

Dominic Vogel: First of all, you have the most amazing energy, Jessica. That's absolutely fantastic.

 

Christian Redshaw: That's actually the best career narrative I think we've ever had.

 

Dominic Vogel: Yeah, we've ever had. We've asked that question for so long, and I'm certain we've never had someone who's been in the FBI and CIA. So, you know, you get that kudos as well.

 

Christian Redshaw: Suddenly, we have reason to be super intimidated in this conversation.

 

Dominic Vogel: These two Canadians are suddenly a little more nervous, so.

 

Jessica Hetrick: Oh no, I'm so excited to be here. I was actually in Canada in Toronto at SecTor. I got to present at SecTor, it was like two weeks, three weeks ago now. And I'm gonna be in Ottawa this next weekend. I'm super excited, I love Canada.

 

Dominic Vogel: Well, we're out in Vancouver.

 

Christian Redshaw: Just about a five day drive.

 

Dominic Vogel: From the other side of the country. So if you're ever out west here, you let us know.

 

Jessica Hetrick: My grandfather-in-law was in the RCMP, so I'm sure I have contact somewhere along the way. I'll just trek across Canada.

 

Christian Redshaw: That is so crazy, small world.

 

Dominic Vogel: That's awesome.

 

Christian Redshaw: So our show is called Cybersecurity Matters, and you've just done actually a great job, in your story, of explaining some reasons why it matters, with these crazy ransomware situations. When we're talking about defining the threat, like why are we even having this conversation, what are cyber criminals after, and how do they go about getting what they're looking for?

 

Jessica Hetrick: Yeah, great question. So there's lots of different motivations. I'm gonna chunk them by probably the most common ones. You could have a lot of, there's a lot of sub motivations but I'll give, give the broad strokes. The big one, and I think the most blaring one, is that financial gain. Adversaries, the bad guys, they love money, everybody needs money, right? And so they're going financially after targets. They might be also doing it from a political motivation perspective. Espionage can very heavily be driven politically. It could be to steal information, data, processes, or different types of, you know, industry information. They're gonna look to just steal that information, so then they can have it, and ultimately capitalize on it. Or it could be political motivation, and ultimately deterrence, disruption, even destruction of information online, to, you know, in the case of the Russias of the world, there's like this tit-for-tat mentality, and it might be to directly impact in a different way. You also have, then of course, the anonymouses of the world that are sometimes doing things for recognition, or popularity and notoriety. So you have some of that, you know, wanting to have that presence. You'll see that a lot, with like online fake webpages and spoofing, et cetera. And then there's of course, the insider risk. And the insider risk is also broken down into really the purposeful insider risk, disgruntled employee, that person who wants to impact the organization that they were from, or are from. And then there's the incidental, or accidental, which is probably more, more common than not. The second part of your question though, has to do with how they do it. I'm gonna go actually to that human error thing, right off the bat. Adversaries are typically gonna take advantage of two things. It's gonna be the human error piece, or the technology error piece. 
The human error piece is about 90% of the time, where they're taking advantage of the behavioral, or social, or ethical factor. You know, phishing, spear phishing, smishing, I mean phishing. You keep going with the letters in front of ishing, and you're pretty much there, from social engineering perspective. And all of those components are taking advantage of the human behind the keyboard. On the flip side, the technology component, you're gonna have legacy tech, or vulnerabilities that might exist within the environment, that the adversary is gonna try to exploit to gain access to the system. But it's really those two components that they're gonna try to break down, take advantage of, in order to accomplish that motivation that they're after.

 

Christian Redshaw: Really well put. Thank you so much for that. All right, onto the next question, and probably the most important question. Thinking about companies that you have worked with, and that you work with. So, Optiv obviously provides this host of solutions that are very well integrated into, connected with one another. But solutions imply that there are problems to resolve. So what are, what is the predicament of your clients, before you help them? What are some of the challenges that they have when it comes to their cybersecurity?

 

Jessica Hetrick: Yeah, that's a great question. And I can tell you that it's a huge range. So at Optiv, I sit in the services side of the house. I ultimately help build programs for clients. I'm able to provide custom, or bespoke services, for my clients, based off of where they're at and where they wanna go. And so I see a range of capabilities, everything from the infancy of programs, and building from scratch, needing to understand not only how to start with a vision, or identify and define the vision, build the policy, and the roadmap, behind the program overall, initiate cybersecurity awareness training. I can see things that start in that very, what would be probably considered relatively basic category. Then you move to the intermediate clients, who have capabilities, and have some maturity, but are looking to grow, and evolve, where they're gonna do a lot of identification of key gaps, to understand how to leverage their resources better, take advantage of opportunities. They're gonna look to prioritize their environment, and overall reduce risk, and communicate that to the board on a more regular basis. And then we'll see clients in the heavily advanced, or much more mature space, where they are identifying not only possible areas for investment, but how to prioritize different technologies within their environment. They might be pulling together key elements associated with most probable or likely, whichever term you prefer, versus most impact. And so, there's gonna be weighting factors, from a risk quantification perspective, that more mature clients will go through. And we see that range. And ultimately, you know, my job at Optiv, is to help clients take wherever they're at, whichever three of those categories they fit into, and build where they wanna go. Some organizations are gonna look to invest more heavily in cybersecurity, because they wanna be more mature.
But that does come with a monetary component, whereas other organizations are not gonna make, necessarily, as big of a monetary investment. And rather they're going to look to identify the key risk areas that they can reduce, and weigh how much money they do or don't spend in the cybersecurity space. Again, my goal is to help meet clients where they're at, and get 'em to where they wanna go. So we do see that range.

 

Dominic Vogel: Jessica, I'm curious now, with your clients, do you find many of them are becoming more proactive, in terms of their investment in cybersecurity? Or is it still driven primarily by reactive measures, whether it be, you know, regulatory measures, or they got hit by a data breach, or ransomware? I'm curious in terms of what you're seeing.

 

Jessica Hetrick: Yeah, that's a great question. So, I actually, believe it or not, have seen both sides of that, a lot lately. A lot of organizations, and I know we're gonna talk a little bit about this today, a lot of organizations who are looking at resilience, and recovery, tend to sit a little bit more on that proactive side, where they're wanting to get ahead of the adversary. And I really appreciate that space. Obviously I'm very passionate about it. But I think innately, most organizations, and I would say a good majority right now, which you know, I would say greater than 50% of the clients that I deal with, have something that occurred, or has occurred in the past, or may be occurring, or they're worried about occurring in the very near future, and they're reacting to something of that nature, right? There's, like you said, there's a new policy. In the US we have, you know, the SEC guidelines coming down the pipeline, new changes in that world. And that will drive a lot of shift. On the other side of the house, you know, it could be they were actually impacted by ransomware, and so they're gonna stand up, what a resilience program would look like, and enact different policies and procedures, to make sure they're able to recover next time. So I would say it's a little bit of both, and it really does depend on kinda how you look at it. The proactive versus reactive mindset, there's a fine line between the two components. So you could argue that something is proactive, if you're getting ahead of, you know, a guideline that's coming down the pipeline, even though you're technically reacting to knowing the guideline's coming. So it does depend on how people define those two terms, but we are starting to see a little bit of a shift towards more of that proactive space. Again, because I sit in strategy, I get the opportunity to strategize with my clients, on that more proactive basis. So I'm excited about that, and really glad to be seeing that.

 

Dominic Vogel: That's a very interesting answer. Appreciate that insight and wisdom. One last question, before we let you on with your day. I'm curious, you know, I love how you have the word resilience, you're resilient leader, in your title. When it comes to cyber risk resilience, and getting organizations to understand that concept, I'm curious sort of how you get them there. 'Cause there's still a lot of organizations, and business leaders, who view success in cybersecurity as the absence of any incidents, right? If you have a security incident, then you failed at security. How do you sort of bring your clients to that journey of understanding that cybersecurity should be measured more so from a resilience perspective, rather than the absence of any security incidents?

 

Jessica Hetrick: I love how you said that. I am 100% aligned with that thought, because in today's day and age, it's not an if, it's a when. And I think a lot of clients are now saying that phrase, but not necessarily taking that, and contextualizing it. And resilience as a term, and as something in the cybersecurity space, as a concept, has been around for a long time. But it's actually a huge mindset thing. We talk about people, processes, and technology, in the resilience spectrum, but we tend to only do the technology piece of the resilience angle. And resilience is all about understanding your preparedness, and your ability to recover. So how do you harden your environment? How do you strengthen your defenses, proactively? How you can get ahead of the adversary activity, but also, how you reduce impact when something occurs? And so I actually really like the phrase, "Weather the storm." You know, you can ebb and flow, and I imagine, you know, those blow up, the car signs or whatever. That's what I imagine. I imagine like literally blowing in the wind, but never having that valve shut off, and you're always able to weather the storm. And I think resilience needs to be not only more important than ever, but because adversaries continue to advance, because backups are being targeted, because of the entire threat landscape, is exploding with IoT, and OT devices, we have to be willing to shift our mindsets, shift our culture, to take a more programmatic approach to what resilience is, and understand how to implement a truly resilient strategy, which goes into, you know, looking and prioritizing your systems, your data, your applications, understanding the business that you work for, right? Cybersecurity is a business enabler. It's a team sport through and through. But it also has to enable the business. And ultimately, when you're talking about resilience, you need to look at that kind of evolution of supporting the business first.
And I think that that one's a really important piece. You have, you know, resilience has a weathering the storm component, but it's the business weathering the storm, and how we can ultimately in cybersecurity, enable that weathering.

 

Dominic Vogel: That was a fantastic way to wrap up our conversation for today, Jessica. Chris and I are very grateful to you for joining us on the show today. I know our viewers, and listeners, are gonna absolutely enjoy it. I have enjoyed every single minute of this. So thank you again so much for joining us on the Cybersecurity Matters podcast.

 

Jessica Hetrick: My pleasure. Thank you guys for having me.

 

Christian Redshaw: Thanks Jessica.

 

Dominic Vogel: Awesome. And Christian and I will be right back, to wrap up today's episode. The word wow comes to mind. The wisdom, the energy, the intensity, the fact that she worked for the FBI and CIA, like it's just an absolutely incredible conversation. I was blown away by A, her experience, the candor, and the level of depth, that she was answering those questions. But I'm curious as to your takeaways.

 

Christian Redshaw: Yeah, on that point, I mean it's crazy, the blend of experience there, and how it seems to work so perfectly well, when it comes to cyber, which is something that, you know, Jessica did not have a history in before, until it was introduced to her. You know, for me, even her title, and I think you touched on this during the conversation, the strategy, and the resilience piece coming together. That so resonates with me. And also how Jessica delineated between the basic, and the intermediate, and the more advanced, and mature organizations, the different approaches, when you're at those different levels.

 

Dominic Vogel: Absolutely, and we're very grateful to Jessica, for joining us on the podcast today. And as always, we want to extend a very special thank you to our sponsors, Telus, and Optiv, for sponsoring the Cybersecurity Matters podcast. If you happen to have missed a previous episode, do check out the Cybersecurity Matters YouTube page, and/or check out old episodes on your favorite podcasting platform. Until next time, be well, be safe, and we'll see you again sometime in the near future, on the Cybersecurity Matters podcast. Optiv is the cyber advisory, and solutions leader, delivering strategic and technical expertise, to nearly 6,000 companies, across every major industry. We partner with organizations, to advise, deploy, and operate complete cybersecurity programs, from strategy and managed security services, to risk, integration, and technology solutions. At Optiv, we manage cyber risk, so you can secure your full potential. For more information, visit optiv.com.

 

Dominic Vogel: This week's episode of Cybersecurity Matters is brought to you by Telus Business. The 2022 Telus Canadian Ransomware Study highlights, and busts, some common myths about ransomware, like the myth that some organizations are too small to be a target. The study data shows that in the past 12 months, 61% of businesses, with 50 to 149 employees experienced a ransomware incident. The reality is, if you have data, you are a target for ransomware. To manage your risk, proactively invest in ransomware controls, and develop an incident response plan. This ensures you can conduct business with confidence, knowing that even if you're targeted, you have the protections and processes in place to limit the impact to your organization, employees and customers. To learn more, about how ransomware is affecting organizations like yours, visit telus.com/ransomwarestudy, to get your free copy today. Telus Business, cybersecurity that works for you.