Episode 2
10 Burning Questions about the Cyber Security Industry, with Jonathan Victor, from Insurity
There's a lot going on in the tech world. A huge skill gap, Log4j vulnerabilities, how your cloud strategy is making your security strategy more difficult. It's a lot.
In this episode, we invited Chief Information Officer of Insurity, Jonathan Victor, to discuss the most pressing questions in the field.
Co-founder of Assurance IT, Luigi Tiano, and Jonathan Victor discuss:
- How Jonathan became CIO
- What happened when John needed surgery during an important project
- How a cloud strategy makes a security strategy more difficult
- What does cyber resilience mean?
- How Log4j affected Insurity
- Why companies are still being affected by Log4j
- Why enterprises should try security by design
- How to improve your cyber resilience with this one thing
- How to overcome the skillset gap
- Discussion about how we are becoming desensitized to online security
Resources:
Watch the episode: https://youtu.be/5XIN-VttSdk
Jonathan Victor's LinkedIn: https://www.linkedin.com/in/jonathan-victor-65b2b5a/
Insurity website: https://insurity.com/
Luigi Tiano’s LinkedIn: https://www.linkedin.com/in/luigitiano/
Assurance IT Website: http://www.assuranceit.ca/
About Jonathan Victor:
Jonathan Victor is the Chief Information Officer of Insurity. He oversees all of Insurity’s SaaS implementations and manages the build, run, and evolution of the company’s cloud platforms. He came to Insurity as part of the company’s acquisition of Oceanwide, where he began in 2005, and assumed the role of Chief Operating Officer in 2014. Before Oceanwide, Jonathan worked as a consultant at Accenture. Jonathan is a graduate of McGill Desautels Faculty of Management with a major in Management Information Systems and Finance.
About 10 Questions to Cyber Resilience:
Twice per month, learn about how tech leaders are strengthening their cyber security practices. Every episode comprises 10 questions that get you one step closer to cyber resilience. Subscribe to stay up-to-date with hot topics in cyber security.
About Assurance IT:
Assurance IT (www.assuranceit.ca) specializes in data protection and data privacy for the mid-market in Canada, since 2011. The Montreal-based company’s unique approach to helping customers become cyber resilient is called the PPR Methodology which stands for Prepare, Protect and Recover. Based on industry best practices, the PPR Methodology is an easier way to achieve cyber security and compliance objectives.
Transcript
Voiceover: This is 10 Questions to Cyber Resilience, brought to you by Assurance IT, released twice per month. Every episode brings you one step closer to cyber resilience by hearing how IT leaders are practicing cyber security. Resources mentioned in the episode can be found in the show notes. If you are ready to take your cyber resilience to the next level, be sure to subscribe so you can catch every episode.
Luigi Tiano: To start, I want to know, you know, who you are, your role, your, your responsibility at Insurity and maybe mention some of the career highlights there. Cuz I know you've been there for a while, so maybe let's start off. Absolutely
Jonathan Victor: So happy to be here. It's been a while, so it's good to get back. Uh, so I'm Jonathan Victor, chief information officer at Insurity. You and I know each other from my days as chief operating officer at Oceanwide. So how do I get here? I get asked that question a lot as, as where you work. With partners and with prospects and with acquisition targets today. So it's a good story. I've now been at Insurity for 15 years. Um, I was acquired into Insurity in 2015 where I was chief operating officer of Oceanwide. All the while I've been running cloud and SaaS and driving Insurity's cloud strategy, or Oceanwide's cloud strategy at the time, as it relates to growing in the insurance space. What started out was commercial insurance now is commercial and personal. We help enable carriers, brokers, agencies run their insurance front office and drive the business of insurance. And I'm, uh, fortunate to be a big part of making that happen on a SaaS basis.
Luigi Tiano: Fantastic. Interesting. Yeah. And you're, you're right. We've known each other for several years. So it's been an honor. You've mentioned a couple of accomplishments, actually, several. What's the biggest accomplishment that you've, you've done throughout your journey at Oceanwide into Insurity? Maybe talk about one of those. Yeah, I'll, I'll pick one
Jonathan Victor: that, that comes to mind. It's an interesting story when I think about it, but the way that it played out, it, it really brings a lot of pride for me. So when I look back, as, as, as I look at some of the early days as the Insurity cloud took shape, we were in the midst of moving one of our largest workloads up into our current cloud. This one at the time was a private cloud environment and we were rolling out our enterprise grade disaster recovery solution. So we were going fr to a, uh, a redundant geographic, always on environment with very aggressive SLAs and RTOs and RPOs, um, really industry leading at the time. And it still is today. We've been working on this project for the better part. Every year, my entire operations team had been focused on like letting the business, but then delivering this major initiative, which was really gonna keep us at the cutting edge. And two weeks before the cut over, the go-live, I suffered an injury playing football that required emergency surgery and ended up being completely out of commission. Effectively unconscious during the cut over weekend. That's when the surgery was. So all that to say it was great to see my team be able to execute completely and cut this over successfully with no impacts to clients, to a completely new environment, totally on their own and without me. So it was just great to see the team step up, execute on a year of planning, really smooth, and it was a huge win for journey. And when I came back at the other side of it, you. Everyone was very happy and it went well. And it proved to me that all that hard work paid off. And I think it proved to the team how confident they could be in their skills and their expertise. So it was really a great outcome all around. I recovered in the end too, which was nice, but thankfully, yeah, it was great. It was good for the business and, and it was great for the team. It was great to see the team be successful.
Luigi Tiano: That's amazing. That's a good story of leadership, right? So you, you had all the planning done beforehand. Obviously had done your risk mitigation beforehand, and obviously you couldn't ask for a real life scenario like that one actually coming to
Jonathan Victor: the planning could not have been better or worse or both. Exactly. Yeah. It was really top notch. And, uh, you know, still to this day, it, it sticks out in my mind as a big success and one in the end that wasn't even there to see, but all the hard work,
Luigi Tiano: you know, it really paid off. I'm sure. I'm sure. Yeah. Yeah. That's a, a proud moment for sure. You got, you get to see the team deliver something that you had a vision for, regardless if you were sitting there or not. It still happened, which is good. It's very good. Exactly, exactly. Right. Um, so you mentioned cloud, I'm actually gonna skip over one of the questions I have and I'll come back to it later, but obviously cloud is a big part of your, your strategy there. It's been for a while. How does, how does a cloud strategy pose a challenge when it comes to security? Obviously we're, we're a security organization. This is, you know, all about security podcast, keeping the organization safe. So how does that cloud strategy pose a challenge when it comes to security and how does your team overcome it?
Jonathan Victor: Right. So our cloud strategy in particular, I think is both very beneficial to Insurity as a business, to our clients, but also creates a challenge, as you phrased it, for the operations of our business. In that we have, we decided and still do view the world as being multi-cloud. We made this decision several years back when we were originally running private cloud workloads, then we felt the public cloud was really where our future was and not just one public cloud, but two. We felt that being able to run workloads in different clouds and offer a variety of capabilities around data residency, data privacy, as well as public versus private was a real strength in our market. And, uh, that has, that allowed us to create a very significant competitive advantage for us to showcase our enterprise grade SaaS capabilities as a differentiator in our space. Now, all of. Good. And it was a big part of our growth. It also created some significant challenges from a security respect because it wasn't one environment that needed secure and it wasn't one security plane that needed managed. It was multiple. So even today we run private cloud workloads in US and Canada and public cloud workloads in AWS and Azure across 20 different insurance products. So it has forced us to put security in the forefront of everything we. Both in terms of hiring, training, partnering, as well as the planning of how we execute and operationalize all of the SaaS offerings that we have at
Luigi Tiano: Insurity. Okay. Very, very nice. Yeah. And, and you're, you're actually touching on a lot of different questions that, uh, that I had planned here. So it's just good. So. Continuing along that, that security vein here, we hear a lot of, you know, we hear the words often cyber resilience, right? Cyber security has kind of like been around for a while, but now we hear cyber resilience. Let me ask you, are you hearing this more often in your organization and what does it mean to you? I do hear it
Jonathan Victor: and it it's, uh, something that we've seen coming over the past, say five years and, and really accelerating the past two years where, you know, at one. Doing say a SOC 1 or a SOC 2 audit was adequate. Now it's become table stakes. And to be cyber resilient organizations are expected to have a cyber risk governance program to track performance against NIST and identify where the gaps are across the organization to ensure that in the event of an attack, in the event of vulnerability that can really affect the organization. Like, you know, we, you and I were talking before about Log4j. Can the organization survive? Is it, will it be resilient to that type of event? And that's where we really focus our organization. So for us here at Insurity, having a full-time highly skilled chief information and security officer, and having a, a dedicated enterprise security team, a specialization across multiple domain application security, network and infrastructure security, including cloud and, and, and our, uh, corporate perimeter as well as compliance and. Has allowed us to have a multidisciplinary enterprise security team that focuses on Insurity holistically. And that's really from the front end to our clients. So all ours work looks to the back end and our corporate footprint. We look at our corporate edge, our cloud edge. And look to apply security policies and best practice and bring partners to the, to the table, to work with us, to support that process. And it it's challenging because it's an ever evolving environment, especially for us. It's challenging as we've been highly acquisitive over the past, uh, 24 months, we've added eight different assets to the Insurity family, some large, some small, some with vertical specialization, some horizontal, some private, some public. All of those need to be rationalized against the Insurity cloud standard. And that, that is a very challenging task that myself and our CISO and our enterprise security and, and operations
Luigi Tiano: teams are continually focused on. Interesting. Okay. Well, thank you. And you, you said a lot there and I appreciate that. And you mentioned something that I'm, I'm kind of reluctant to ask clients sometimes is the Log4j conversation. You, you're not sure if you wanna bring it up or not just because some people are sensitive to it. Some people are impacted, some people are. Given your role and responsibility of your team. Of course, like you just mentioned, you got a whole bunch of different players on the team, making your, making sure that your OSes are patched, your applications are updated. And so on. Was Log4j, and maybe, you know, if you don't wanna talk about it, totally fine. But was Log4j an issue or a huge challenge for you?
Jonathan Victor: Uh, no, no problem talking about, look it, it was. A string of complicated security vulnerabilities that have been identified in the public sphere. You know, whether that was SolarWinds or the Intel source code leak or Log4j, we've built a practice to respond to enterprise level threats in a formalized fashion, such that it's directed through our CISO, uh, who reports into me, an individual by the name of Foltz. And at some point he could for you to meet, maybe there's a continued conversation or to be had with him. We. Take NIST-based approach to assessing the problem. So whether that's looking at, from an identify, protect, detect, respond, recover perspective, and for us having a very clear inventory of our workloads, where they reside and on what technology they run to have great clarity as to, okay, when Log4j or Intel defector, SolarWinds hack. Once those became clear. We spin up that task force to both go through that inventory, leverage our CMDB, leverage our logging and our BS O capability to zero in on where is action required and how quickly do we take that action? And that often can often is, or, or can be defined by the incident itself. While in, in all of those, there were steps we could take to, um, Logging or take additional security, um, steps to tighten our edge. We've needed patches from third parties and we had to wait for them. So we had to coordinate the installation of those patches or work with our partners to, in a private and, and public cloud environment. There's different responses that we had to put in place. So in some cases, AWS and Azure were responsible for those updates. And we just had to manage through those and, and coordinate the timing. In other cases, it was on our teams to go and respond and. Would assess the criticality of that response and the timeliness of that response based on the criticality of the vulnerability, how well known the exploit is and how readily available a, uh, resolution from a third party is that's the case.
Luigi Tiano: Yeah. You mentioned a lot of management there, management of, of, of, of different environments or measurements of people and processes. So I can see how that, that becomes a challenge. And, and you think some, some companies actually had a huge, uh, challenge when it comes to Log4j and, and you've touched maybe upon it here. Can you, can you just elaborate on why a company would've been more impacted than obviously you guys were ready for it? So, you know, why is it, why are some companies still struggling with it months? I think the biggest challenge with
Jonathan Victor: Log4j, and it's the challenge for Insurity too, is that it was direct and indirect, or is direct and indirect. It was directly in libraries that you might be using and indirectly on the platforms that you support and run, because it was in libraries of your partners, uh, a saw or embedded software. So it made it a very large web and it also forced development teams and security teams. Drive upgrades to address the Log4j problem on components or platforms maybe that hadn't been touched or hadn't been upgraded or seen as vulnerable in the past, because it was so deeply embedded and it forced us really to circle the wagons at a much deeper level to ensure that we had a good view as where it was, what the impact was, both behind the firewall and outside the firewall, so to speak and then what steps we needed to take. So it was challenging. I think it was challenging for all organizations, those who didn't. Good data on, on what their footprint looks like. Good clarity on who their partners were or what software was embedded, open source or otherwise, it made it even more challenging. But it, it definitely has been an exercise that we've run through now, as all of these public breaches that's taken place and we've formalized along the way to make the next one, you know, when it happens, cuz it's gonna happen. Absolutely. Right. We know that hopefully our execution will be that much cleaner and we'll be able to. That much more direct fashion to secure the enterprise.
Luigi Tiano: Yeah. And I think you touched upon it like the inventory, right? Knowing what you, knowing what you own internally, like you said, directly and indirectly. I think that's one of the issues where I think a lot of people were caught off guard. There was, you know, not knowing what you, what you own and manage can lead to not protecting it. And if you don't protect it, that's where you're vulnerable. You guys are obviously heavy when it comes to software development. You've been this part of your DNA for a long time. In the software world, we hear often security by design and that's kind of made its way into the infrastructure space. Is that something that you guys adopt when you deploy your services? It
Jonathan Victor: is not so much when we deploy our services, but when we, uh, build our software, the approach is we look to embed members from our enterprise security team, uh, into our development organization. And that could be challenged cuz there's only so big of a security team and there's, you can. Pretty large development team. So it's a combination of embedding those resources and training experts for security champions across our development organization and doing it in a consistent fashion. And that's where the challenges for a large heavily acquisitive organization can come into play. Cuz as we add new assets, as we bring workloads online or migrate them to the Insurity cloud, if they're coming from a smaller company or a startup, security may have not. As their security may have not been as mature or their capabilities may have not been as prevalent or from a security by design perspective. It may have not been part of the process as opposed to an afterthought. And it's that shift that our shift left, that we have looked to drive really across the organization and different products or at different stages of maturity. And that's where we, myself and our CSO and our CTO are continually focused to ensure. We're investing right resources at the right times on the right products and platforms that really will benefit from it. And some are more mature, some are less. So it's a, it's a fine balance to get right. But certainly the more we shift left, the more we drive a security by design culture at Insurity, I believe the stronger we will be, and it it's an ongoing evolution for us. And one that will continue as we move the future. And as we continue to, to acquire assets,
Luigi Tiano: I know you guys are heavy in the software world and, and acquiring new companies and organizations that, that, that could pose at the huge challenge, especially when you're bringing in stuff that you don't know right about. So, uh, yeah, I can, I can see the challenge that I can appreciate. If you were to recommend other organizations, obviously you recommend it to yourself, but other organizations become cyber resilient. What's the one thing that you would like needs to be done, like
Jonathan Victor: one thing. So one thing is, I think you have to have a strong security leader, and I think if you try to task, I see this mistake regularly. And sometimes it's a function of size of business. Sometimes it's a function of, of culture or mentality, cost. There's a variety of, of reasons. If you try to have someone be a head of IT or a product leader or CTO or CIO, and also wear a security hat it's, it's often a losing battle. It's just, it's such an important area, especially today in the, uh, software world, in the SaaS world to not have a dedicated chief information and security officer, not a dedicated enterprise like security team focused with real specialized expertise. It makes the, um, challenge of securing the enterprise, driving security by design, staying in, in compliance with the evolving info sec and compliance world very, very difficult. And that there's one thing that our organization could do, I would say, is invest in that person, bring that expert on board, make it a dedicated practice, have them at the senior executive level to ensure that they're not buried inside some operational organization cuz its security then gets lost. And what can then follow is applying things like the NIST framework, driving the secure SDLC, using a security by design methodology, implementing SecDevOps across your DevOps and, and development practices. All those things can follow, but it's hard to do if you don't have that centralized person who who's, one, an expert and, two, focused day in day out on just
Luigi Tiano: that, that's an interesting answer. And I like that. And sometimes we, we, we find a lot of organizations have individuals wearing different hats. And it, it comes back to bite them. And that it's, it leads me to a question that I wanted to kind of ask. And this is one that I'm, I'm careful of asking as well. Uh, it's not one that a lot of people like to address head on, but it, it is one that's really coming up as a huge challenge right now. There's a current skill gap in the market today when it comes to labor, uh, a skill set, especially when it comes to IT. And more specifically security. Again, you don't have to answer. But, I mean, how is Insurity addressing that skillset gap? Is it, is it, is it posing a challenge? Is it, you know, hindering some of the innovation that you have planned? I'm just curious, cuz that's why I, I speak to individuals on a daily basis and it's, it's just something that's getting, you know, more difficult to, to find great talent out there. And you just mentioned it in your last point where, you know, you gotta focus. So how, how do you overcome that C.
Jonathan Victor:I think the first
Jonathan Victor:step overcoming the challenge
Jonathan Victor:is getting commitments at the
Jonathan Victor:executive level, that this is
Jonathan Victor:gonna be an area to invest in
Jonathan Victor:once that is there, the practice
Jonathan Victor:or security as a practice can
Jonathan Victor:grow within the organization.
Jonathan Victor:And that can be small scale
Jonathan Victor:with one person in this small
Jonathan Victor:organization or large scale
Jonathan Victor:with team much bigger than, than
Jonathan Victor:what I currently have today.
Jonathan Victor:But it's that commitment
Jonathan Victor:to making security a
Jonathan Victor:pillar of the organization.
Jonathan Victor:And when you're a SaaS provider,
Jonathan Victor:To me, it's, it's hard to not
Jonathan Victor:do that and not have a dedicated
Jonathan Victor:security function that reports
Jonathan Victor:up into executive leadership
Jonathan Victor:and, and it really plays that,
Jonathan Victor:that central role, as far as
Jonathan Victor:the people go and, and, and
Jonathan Victor:keep it finding and keeping the
Jonathan Victor:people, I think you're right.
Jonathan Victor:What you're hearing is something
Jonathan Victor:that we're seeing as well.
Jonathan Victor:It's a challenge, depending what
Jonathan Victor:market you're in and it varies,
Jonathan Victor:uh, like geographically speaking.
Jonathan Victor:There has been a huge demand for
Jonathan Victor:highly skilled resources from a
Jonathan Victor:cloud DevOps security perspective.
Jonathan Victor:Security is no different
Jonathan Victor:to me than, than those, at
Jonathan Victor:least from what we've seen.
Jonathan Victor:Right.
Jonathan Victor:Uh, so for me, it's ensuring
Jonathan Victor:that you find the right people.
Jonathan Victor:So take the time to source
Jonathan Victor:and, and interview and,
Jonathan Victor:and make sure that the, the
Jonathan Victor:individual candidates really
Jonathan Victor:fits well with the organization.
Jonathan Victor:The culture of the organization is
Jonathan Victor:well aligned with the candidate and
Jonathan Victor:that person, and then make sure
Jonathan Victor:those individuals really understand
Jonathan Victor:their value to the enterprise.
Jonathan Victor:You know, it's, it's hard to be
Jonathan Victor:in a role if you're continually
Jonathan Victor:looked at as, as just a cost
Jonathan Victor:or part of a cost center.
Jonathan Victor:So for, for us, SaaS is
Jonathan Victor:central to Insurity, and
Jonathan Victor:security sits right beside it.
Jonathan Victor:It's something that we go
Jonathan Victor:to the marketplace with.
Jonathan Victor:It's something that, you
Jonathan Victor:know, I talk to clients and
Jonathan Victor:prospects about day in, day out.
Jonathan Victor:And it's why clients
Jonathan Victor:trust in Insurity or would
Jonathan Victor:trust any SaaS company.
Jonathan Victor:So to me, being central to the
Jonathan Victor:organization to the success of the
Jonathan Victor:organization is a good place to be.
Jonathan Victor:And that in itself, I
Jonathan Victor:think is a good way to keep
Jonathan Victor:security professionals engaged
Jonathan Victor:and, and happy in their
Luigi Tiano:that's
Luigi Tiano:a great attitude.
Luigi Tiano:If you can get your team to
Luigi Tiano:feel valuable in what they
Luigi Tiano:do on a day to day, I think
Luigi Tiano:it's just gonna make for a
Luigi Tiano:better organization, long term.
Luigi Tiano:I agree.
Jonathan Victor:And, and
Jonathan Victor:for me, that's critical.
Jonathan Victor:Like if we're gonna invest,
Jonathan Victor:I wanna invest in people.
Jonathan Victor:Are gonna stay for the long term.
Jonathan Victor:And that will be part of the
Jonathan Victor:success of Insurity for the future.
Jonathan Victor:So they should feel rewarded
Jonathan Victor:as such, understand their value
Jonathan Victor:of the organization and see
Jonathan Victor:the success as, as it builds.
Jonathan Victor:You could
Luigi Tiano:well,
Luigi Tiano:as a company evolves.
Luigi Tiano:Right.
Luigi Tiano:And I think that's one of the
Luigi Tiano:biggest allures is like, if
Luigi Tiano:you're demonstrating the company's
Luigi Tiano:evolving and growing, and I
Luigi Tiano:think that's where that's the
Luigi Tiano:attractive factor right now,
Luigi Tiano:the attraction is to, to find
Luigi Tiano:individuals who wanna be part of
Luigi Tiano:something that's growing and, and.
Luigi Tiano:and more and more, I think that's,
Luigi Tiano:that's the, the biggest, compelling
Luigi Tiano:reason that individuals are
Luigi Tiano:joining our organizations today.
Luigi Tiano:They wanna feel that
Luigi Tiano:they're part of something.
Luigi Tiano:Right.
Luigi Tiano:So great.
Luigi Tiano:Great.
Luigi Tiano:I like, I like the attitude
Luigi Tiano:that's, that's, uh, very, very
Luigi Tiano:spot on to, you know, what we,
Luigi Tiano:what we kind of do here as well.
Luigi Tiano:We, we, we try to find individuals
Luigi Tiano:who want to grow and are not
Luigi Tiano:comfortable just staying with
Luigi Tiano:the status quo so that that's,
Luigi Tiano:that's really good to hear.
Luigi Tiano:One last question before I
Luigi Tiano:let you go, this one's more
Luigi Tiano:of a philosophical one.
Luigi Tiano:It, it's hard to, it's hard
Luigi Tiano:to, uh, to answer this one,
Luigi Tiano:but maybe, you know, you
Luigi Tiano:have a, a perspective on it.
Luigi Tiano:So yeah, we have like this ever
Luigi Tiano:growing connected world, right.
Luigi Tiano:With more and more right.
Luigi Tiano:You know, uh, things coming online,
Luigi Tiano:you know, more devices coming
Luigi Tiano:online, more people coming online.
Luigi Tiano:And it seems as if we've kind of.
Luigi Tiano:A little bit more aware, but
Luigi Tiano:complacent at the same time,
Luigi Tiano:like our guards are down on
Luigi Tiano:a daily basis, more and more.
Luigi Tiano:We just think that security's gonna
Luigi Tiano:be there and do the job for us.
Luigi Tiano:Do you think we're
Luigi Tiano:becoming more vulnerable?
Luigi Tiano:You know, do you think we'll
Luigi Tiano:become more vulnerable or are
Luigi Tiano:we gonna, self-correct just
Luigi Tiano:knowing what we know more of.
Luigi Tiano:So
Jonathan Victor:my sense is
Jonathan Victor:the complexity with which the,
Jonathan Victor:like our Insurity, uh, for me.
Jonathan Victor:The, the environment with which
Jonathan Victor:we live in is going to increase.
Jonathan Victor:And as a result, the need for
Jonathan Victor:more mature security practices,
Jonathan Victor:a focus on resilience is even
Jonathan Victor:more important and will continue
Jonathan Victor:to grow and be more important.
Jonathan Victor:My sense is that as the world
Jonathan Victor:to your, to your question
Jonathan Victor:becomes more interconnected
Jonathan Victor:as more services move online.
Jonathan Victor:Like we've seen over the past
Jonathan Victor:24 months, I've heard it quoted,
Jonathan Victor:you know, we saw three years
Jonathan Victor:of IT developed three months.
Jonathan Victor:We saw processes that would never
Jonathan Victor:digitize, digitize overnight.
Jonathan Victor:Right, exactly.
Jonathan Victor:Which just brings with it,
Jonathan Victor:the need for added cyber
Jonathan Victor:resilience and security
Jonathan Victor:practices that come with it.
Jonathan Victor:I think that's only gonna continue
Jonathan Victor:to accelerate the need for
Jonathan Victor:maturity in the security realm
Jonathan Victor:will only continue, uh, as a.
Luigi Tiano:Okay.
Luigi Tiano:Yeah.
Luigi Tiano:I mean, it's, it's interesting to
Luigi Tiano:see how things are gonna evolve
Luigi Tiano:over the next, uh, 18, 24 months.
Luigi Tiano:Like you said, we've, we've
Luigi Tiano:seen such a huge growth
Luigi Tiano:in, in technology and
Luigi Tiano:in, in interconnectivity
Luigi Tiano:over the last 24 months.
Luigi Tiano:And I think it's only gonna
Luigi Tiano:continue to exponentially grow.
Luigi Tiano:So I think we just need to be a bit
Luigi Tiano:more VI, a lot more vigilant, not
Luigi Tiano:a bit more, but a lot more vigilant
Luigi Tiano:in terms of how we're connecting
Luigi Tiano:and you know, what we're doing with
Luigi Tiano:that, that, that those connections
Luigi Tiano:and how we're exchanging data
Luigi Tiano:and how we're interacting.
Luigi Tiano:So, um, yeah, I mean, this is,
Luigi Tiano:uh, this is exactly why I want to
Luigi Tiano:sit down with you, John, to really
Luigi Tiano:get your perspective, obviously,
Luigi Tiano:given your, your role at Insurity.
Luigi Tiano:I mean, you have a lot
Luigi Tiano:of responsibilities.
Luigi Tiano:I know you wear a lot of
Luigi Tiano:hats, although you're the CIO.
Luigi Tiano:I know you wear a lot of different
Luigi Tiano:hats in that, in that role.
Luigi Tiano:So, I mean, before, before I let
Luigi Tiano:you go, do you have any questions
Luigi Tiano:for me or are we good here?
Jonathan Victor:No, I'm good.
Jonathan Victor:This has been great.
Jonathan Victor:It's good to catch up.
Jonathan Victor:And I appreciate you
Jonathan Victor:including me in this series.
Jonathan Victor:This has.
Luigi Tiano:John, I appreciate
Luigi Tiano:you and your, and, and time I
Luigi Tiano:appreciate the team and I wish
Luigi Tiano:you and the team all the best.
Jonathan Victor:Thank you very much.
Voiceover:Thank you for
Voiceover:listening to 10 Questions to
Voiceover:Cyber Resilience, brought to
Voiceover:you by Assurance IT. Assurance
Voiceover:IT is in the cybersecurity
Voiceover:space, specializing in data
Voiceover:protection and compliance
Voiceover:since 2011, they primarily help
Voiceover:mid-sized enterprises in Canada.
Voiceover:If you have questions
Voiceover:about protecting your
Voiceover:data, reach out to us.
Voiceover:At
Voiceover:info@assuranceit.ca or