Resilience Over Prevention
In this episode, we dive deep into the critical intersection of cybersecurity, resilience, and organizational strategy with the renowned Dr. Larry Ponemon, founder of the Ponemon Institute and a pioneer in privacy and security research.
Transcript
Raghu N 00:12
Hi, Larry, how are you this morning?
Dr. Larry Ponemon 00:14
Doing very well. Nice to see you again.
Raghu N 00:16
Fantastic. Likewise, likewise. Larry, so I guess let's get going. Welcome everyone to another episode of The Segment. And today it gives me great pleasure, and it's an absolute privilege to be able to have a conversation with the legendary Dr. Larry Ponemon, Chairman and Founder of the eponymous Ponemon Institute. And if I may say, I think the Ponemon Institute is the organization that technology vendors, security vendors, go to when they want research that is respected, well done and with great insight. So Larry, it's a privilege to have you on The Segment.
Dr. Larry Ponemon 01:00
Thank you. I am absolutely delighted to be here and participate in conversation and in terms of being a leader, the real leader is my wife Susan, sitting next to me, but she's here spiritually.
Raghu N 01:14
Hi, Susan, even though we can't see you on screen. Lovely to have you here. Yes, fantastic.
Dr. Larry Ponemon 01:25
We're great partnerships. Yeah, we're definitely a partnership.
Raghu N 01:30
Fantastic, fantastic. Well, it's lovely to hear that. So Larry, I know that sort of everyone's familiar with your name and the work of the Ponemon Institute, but let's just start with the evolution of Larry Ponemon and how you came to be what you are today.
Dr. Larry Ponemon 01:40
Okay, well, I'll give it a shot. Talk a little about me. So, so basically, the people that know me know that I'm actually an accountant. I hate to admit it, but my background, I have a PhD in accounting, and some of the research we do, especially financial or cost related research, actually draws upon that background. It's very, very helpful. In my previous position at PwC, where I was a senior partner, I became aware that organizations need guidance on critical issues affecting the management security of their sensitive and confidential information. I founded our research institute 24 years ago, some days, 24 years ago, with the goal of conducting high quality empirical studies on privacy and security that would help organizations to better understand or be better prepared to reduce the risk of both insiders and cyber criminals. So that was kind of the starting point for us. The most memorable study, the work we're doing with Illumio is fantastic, but the most memorable study that we did, and continue to do over 20 years, is The Cost of a Data Breach. And this is sponsored by IBM. The first research we did, 20 years ago, was for a company called PGP. Do you remember PGP? So the founder, one of the founders of PGP, Phil Dunkelberger, asked if we could come up with a measure, metrics to measure the activity based cost accounting, that could be quantified so you have borrowed legitimate results. And with this research has been used, and it's amazing.
Raghu N 04:28
The IBM Cost of a Data Breach report, like very familiar with it, I'll say that it's one of those studies that I look forward to its publication every year, and I'll let you in on a little secret, Larry, that at Illumio, we actually, some of our headline stats that we use as part of sort of conversations that we have in the field are sourced from the IBM Cost of a Data Breach report. So we're grateful to you, and of course, our wonderful partners at IBM for that every year. But I'd have to ask about that. So you've been doing that for now 20 years plus. When you started off that study around The Cost of a Data Breach, were your expectations that over time, the situation would be significantly improved, where the trends you were showing were towards the positive, or did you expect what has generally been a largely negative trend over the years?
Dr. Larry Ponemon 05:22
Absolutely thought that over time, companies would figure out how to be better at managing cybersecurity risk and managing their data resources. And what we found is that it doesn't change, or the change tends to work in the opposite direction. The results actually become more costly to organizations. So, you know, we get, we present to boards of directors and people, we say, “Why would that be? It doesn't make sense.” You know, things should improve, and actually, things are improving. But we're also introducing a whole bunch of things that didn't exist, what, you know, 20 plus years ago, like AI, you know, in 10 telekin programs and things that were science fiction, you know, 20 years ago. So those have actually resulted in increased costs in some cases. So there's a bunch of things that have happened over time that are facing pretty interesting.
Raghu N 06:25
Larry, I watched in preparation for this, I watched an interview that you did along with IBM for SiliconANGLE, theCUBE, I think, around 2017-2018, and there the conversation was sort of centered around that we've been spending a lot of time and a lot of effort, and that was back in 2018, on prevention. But prevention, it feels like we still haven't come to the realization that we're not doing any better at preventing the bad actors getting in and compromising our environments. Do you agree with that still? Do you still see that trend?
Dr. Larry Ponemon 07:05
Absolutely, I think that a lot of organizations think they're preventing, you know, preventing something really bad. And they do identify these things in advance. But you know, for everyone that's caught, there are probably 10 or 20 or some huge number of things that are just not even known to the organization until it's too late. We see that all the time. Maybe I remember early on where companies would hire us and we say, you know, “Our result is to be perfect at prevention. We want to make sure that everything is absolutely superb.” And they can't get to that result. That result is virtually impossible. The bad guys are bad and getting worse. And they have tools, you know, AI and things that become very, very difficult to manage in a way that results in huge changes.
Raghu N 07:54
I mean, just quoting you back, you just said here that for every one thing that we are able to prevent, potentially like 10 things have made their way onto the, and that's eye opening and shocking and is indicative of itself. So like, what should we be prioritizing? If prevention only gets us so far, and we're not going to get much better at it, what should we be prioritizing?
Dr. Larry Ponemon 08:16
Yeah, I think we could basically look at things like, is the time to contain the data breach? It's not prevention, exactly, but you want it. Once you have it, you want to get, you have to fix the problem and move to the next potential problem. So prevention is probably the wrong thing to think of because it's not practical. And what we basically will see is a lot of the organizations that just gave up on prevention, and they look at things like time to contain, time to restore, time to do the things that get out of the problem. And potentially, you had the big problem, but you may have, you know, another 20 problems that you have to fix. So this, but that prevention mentality is dangerous because you get people can't, the management can't actually achieve the goal of, you know, zero tolerance, or whatever analogy of the day happens to be, it's a, it's a crazy thing.
Raghu N 09:21
Yeah, you mentioned sort of the time to contain, and the focus on containment and sort of the like, I think there are sort of different, like, many different words that express the same thing. This move, this very primacy of cyber resilience these days, is a key part of it. Do you see, and I know, sort of the state, I guess the state of ransomware and the cost of data breach are going up. But do you see that the state of cyber resilience is in a positive trend? Are we not moving the needle there?
Dr. Larry Ponemon 09:52
We've done quite a bit of work on resilience. This goes back probably more than 10 years ago. We know that companies are becoming more resilient. They're developing tools and technologies that didn't, as I mentioned before, didn't really exist, or were like a science fiction, really good science. But the end result is, I think resilience becomes very important, not just for cyber related issues, a whole bunch of issues, environmental and all sorts of things that you would expect an organization to handle with care and obviously reduce the risk, the risk of these, these variables, you know, becoming a huge problem. So anyway, I appreciate your questions. Very, very good.
Raghu N 10:39
Thank you. I would have come on to the specifics about ransomware in a second, but just on cyber resilience. How do you advise sort of organizations when you're talking to CISOs, how are they connecting sort of cyber resilience with then some of the more tactical programs that they're executing? Right? How do they connect these two?
Dr. Larry Ponemon 11:03
Well, when you look at the issue of resilience, it requires an organization to have people who are smart. It will replace the people thing, probably, over time, you know, we'll have robots and all sorts of gadgets that we can rely on. But the resilience factor is very important. It's your ability, not just strategically, but from a tactical perspective. You build systems that will result in that will not result in huge attacks, things that would prevent your organization from being its mission and so forth. We believe that resilience is hugely important. But what happens with resilience is like one of those keywords or phrases and organizations think that they're doing the right thing, but if you study it, you take it apart, you basically start to see if there are things that are not working very well for an organization. You know we definitely see that in our research, that things require flexibility, resilience, become something that allows organization to achieve all sorts of good things, but it's not going to get there if organizations don't have the right people, the leadership and boards need to be involved, boards of directors or high level advisory personnel, people who are have credentials that allow them to have cloud and when they need a technology or need to do some kind of project, they have the background to get it done. But there are all sorts of issues that I think resilience and a little bit of redundancy, another variable is important build systems that are redundant. So it sounds like a negative thing, but it's actually very important. To be able to switch on, you know, like a power generator, so you don't lose any data. There's a whole bunch of issues that we have we've been studying, but resilience is definitely an important characteristic.
Raghu N 12:55
And do you see that resilience and security are very hand in hand, they're complementary, like better security improves resilience. Like on the whole?
Dr. Larry Ponemon 13:06
I think so. I definitely think that organizations that are truly resilient will have better technology and control systems that would include controls over data, assets and intellectual property and just things that you expect an organization had in place.
Raghu N 13:23
Yeah, and I guess, the importance of resilience, and this actually came out in, thinking, one of the Cost of a Data Breach reports, I think it was the 2023 one, where I think one of the stats was, 25% of cyberattacks are now directly targeting, sort of, operational resiliency. And that number was on the increase, where attackers are now sort of shifting focus from purely like a monetary objective to actually focusing on, how do I disrupt operations?
Dr. Larry Ponemon 13:50
Yeah, it used to be. The big problem was when ransomware is the money issue, where you have to pay. And we found that over time that that number is not really that meaningful, because a lot of organizations aren't really spending a lot. So have, you know, a huge payoff to the bad guy. But I think what we're seeing it over time, we've seen organizations being much, much more practical and much more efficient in dealing with all sorts of things, not just financial, that these things could be more important. A good example, one project we worked on was the reputation of an organization that did, you could lose funding some companies. This happened to a major company. I can't mention the name, but, you know, huge company. They basically said, you know, “You have these problems, why are we paying the company budget allocation”, whatever that would allow an organization to, you know, brilliant staff and all sorts of things, and in general, a lot of these things don't affect the organization's performance and resilience is also affected by that. But the whole issue is, over time, we would see reputation variables, whole sorts of variables, and a non-financial that organization in ways that are even more costly and meaningful.
Raghu N 15:13
Yeah, absolutely. And I think we're definitely seeing that shift in conversations when, when we speak to, to customers and prospects, and sort of a lot more of this sort of resiliency vernacular that is entering the conversation, things like sort of minimum viable operations and ensuring that, like franchise critical applications are properly protected, like these things are taking sort of a level of importance that maybe didn't exist previously.
Dr. Larry Ponemon 15:39
Exactly, very good point issues that were kind of interesting. When we first did some of our studies, we looked at the cost effect, but when you look at the biggest problem for organizations from a security point of view, it normally involves intellectual property, things that you can't necessarily quantify using dollars, but you can quantify it in terms of look at, you know, a big impact on the quality of the organization, the ability to meet certain objectives. Sometimes by implementing the wrong controls, you lead to huge other problems that have to be considered in advance. But in general, it's not about financial issues only. It's about other factors that have an effect on the organization.
Raghu N 16:23
And I think that's a really interesting and important point, right? It's, it's, how do we construct the sort of the impact of a data breach, right, the impact of an attack and be able to essentially abstract away from just purely looking at in terms of, we lost X amount of dollars, right? Or we spent this much to restore and recover, right? All of these sort of unquantifiables are almost more important.
Dr. Larry Ponemon 16:47
Absolutely reputation issues, and it is just so unbelievably important you don't want to have an organization that doesn't meet your security and privacy requirements. And you see this ensuring industries that we studied pretty extensively, the airline industry years ago, and we did the trust study, privacy trust, and we found that organizations in certain industries, and again, transportation, but others have a very hard time being able to deal with real issues, big problems. You know? I mean, next time we get an airplane, there's a probability that that plane is going to crash, and we certainly don't want to see that happen. And the same can happen from a security perspective, which we're flying our computer, versus that, you know, airplane call. Bunch of issues that we can look at from a security perspective that are really cool. We've been at this for a long time. We got to over the years, meet some of the true luminaries, wonderful people. And we see this field change so rapidly. I mean, 20 years ago, the idea through the, you know, artificial intelligence and just about everything is a little bit daunting and scary or scary. So, you know, it's very interesting being in this field, because every day there's a new challenge, and where today isn't the biggest problem. But I predict that over the cycle, that over the next, you know, 224, months, it will be the largest and most costly ransomware attacks. That's what I believe, you know, of a, you know, artificial intelligence built into these technologies.
Raghu N 18:25
I mean that's quite a statement, because if we look at the last 10 years, we'll say, well, we've seen some absolutely massive ransomware attacks. And if you're saying that, we maybe haven't even scratched the surface of those yet, that's quite scary. So actually, I'd love to ask you, what would you characterize as the current state of ransomware?
Dr. Larry Ponemon 18:44
Current state is things are happening, but not fast. Things are kind of mellow. Things are potentially getting better because their technology, Illumio, as a provider of your technologies, are helping organizations meet the status quo and pretty well beyond. So I think that the big issue will be things that affect people, families, workplace, things that collectively, if not handled correctly, can be a disaster. I think we're starting to see, I mean, we have interesting friends, and some of these organizations were for the three letter audience organizations, and they're already predicting the smart computer is kind of taking over, potentially taking over. It sounds like a science fiction. I apologize, but making choices for organizations without input, human input. And it's kind of scary to believe that that's the case, especially the state now, it seems its embassy but think they're changing very quickly. It's a little bit like, you know, I feel a bad example, but it's like UFOs. It's trying to think that maybe there's something to this, especially if you live in New Jersey, as it was, that weird thing happened a few months ago. But it's like technologies, and really smart technologies, without the human intervention, is very risky, and some of these technologies will actually be used to cause an organization to have a very significant breach. And that was in our calculus. That's what we believe that big, big problems are going to happen down the road, that we're just seeing it in this early stage. And we'll call it like trillion dollar, not billion dollar, a trillion dollar effects.
Raghu N 20:32
And I think I actually, I don't think what you're saying is science fiction or hypothetical at all, because I've at least sort of read of, I mean, I know that things like AI are being used, like, there's the obvious use cases from an attacker's perspective, around, sort of generating, let's say, huge volumes of, like, phishing emails, etc., like that. That's kind of like, that's GenAI. That's, I would almost think of that. That's like the 101 use case from an attacker's perspective. But I've already also seen where security researchers have essentially been able to create sort of GenAI, generative malware, right? Generative adaptive malware that is able to sort of benefit from access to essentially an LLM, right, and feed it real time information about a target environment and adapt. So that I absolutely see sort of the potential there. But what, I think, what you were interesting, that you mentioned, was that we're currently, it feels like we're in a bit of a, not in a snoozing state, but like we're in this sort of, this sort of interim state where nothing much seems to be happening, but there's probably a lot of development happening behind the scenes, right? So, I mean, do you feel that we're kind of in many ways, unless it's a massive attack and there's been a significant data breach or there's been a significant outage? Do you feel that, like, now, run of the mill ransomware attacks are just sort of noise, and we're not really bothered about them, because it's like, oh yeah, another one.
Dr. Larry Ponemon 22:01
It's not exactly noise, but it's things that eat at you at night, when you have to worry about something you're probably not worried about, brands where you're probably thinking about something else that's big, bigger. But ransomware is a gateway to huge problems, right? It starts as a small issue, but then it starts to grow, and it becomes insidious. It becomes something you start to worry about, you know, at night, before you go to sleep with your hot cocoa or an adult beverage.
Raghu N 22:31
I think what you said, I think we're kind of, in a way, we are accepting of the financial losses, right? So whatever numbers they are, if they're tens of millions, hundreds of millions, we're like, that's bad, but okay, but I think that the point you made was that we're not far, and we've seen it already, is the impact of that actually touching people, right? Not being able to get access to a medical service, for example, right? Not being able to access like your savings account, that's when we start to get very scared.
Dr. Larry Ponemon 23:05
Yeah, things like you're right, like going to your bank and finding out that the balance is zero in your checking account. That's a very scary thing, and it happens to lots of people you know, so or do your tax return and find out that someone has completed your return a couple of months before you did. It's your return, but probably some low-level cybercriminal created a real noise. It could be small dollars, but huge impact on where it's of risk and control. It's an interesting issue, because it used to be that, you know, the actual ransom was a small number. Probably they have something like $25 or $100 whatever. And most people didn't think about it. They just paid the ransom. But the number has been growing pretty increasing at a good clip. It does cost more. Some of those costs are in the report. Yeah. Susan mentioned the average amount of currently demanded equates to $1.2 million so it's not cheap, yeah? To a company that, you know, multibillion dollar company, it's a small change, but it's just the start of these things really accelerating, becoming a version number.
Raghu N 24:24
So let's talk a bit about the report that you've just worked on with Illumio like from your perspective, and because you've been so close to certainty ransomware impact research over the last two decades plus, in this report, what are the data points? What are the new bits of insights that you found as part of doing this research?
Dr. Larry Ponemon 24:47
Sure, these are some highlights. And you know, we will, we do provide a report to anyone interested in hearing is seeing this, we have a lot of detail, probably a pretty much detail. We get carried away sometimes, because we have so many backs. But it's really looking at the data. It's really cool, very interesting. So here are some numbers. An average of 25% of critical systems were affected by ransomware attacks experienced the past 12 months. These systems were down an average of 12 hours. These are not small numbers. When you currently walk across the company, the average amount, 51% of respondents paid the ransom. However, only 13% of these respondents say all the impacted data was recovered, which is a big question, because a lot of these bad guys don't really care about cubic you the data that they saw, and it took an average of 132 hours and 17.5 staff and third parties to contain and remediate an organization's largest ransomware incident in 2021. It took an average of 190 hours and 14 staff and third parties. And there's a rich in key findings, but those are the highlights where there are differences as we have results against earlier studies.
Raghu N 26:09
Yeah, and I think that first stat right about the number of organizations that pay a ransom, but then the very small proportion that actually expect to essentially get all their data back and confidence that the attacker isn't going to do anything more. You're basically paying the attacker to keep quiet for a bit. I mean, that that's effectively just buying silence for a bit of time before they say, “Oh, my money's run out. Let me, let me bribe you again.” So, I mean, I know it's, it's not, it's very difficult to say, unless you're in the situation, having to deal with it, making that decision. But like, what's your I'm sure you're involved in lots of conversations, like, what's your advice around how organizations should first best prepare themselves to be able to withstand ransomware attacks, but also in the midst of an incident, like how to make effective decisions, like, what's your advice when you get asked for your feedback?
Dr. Larry Ponemon 27:10
Okay, well, here's some written comments if it might be relevant to our conversation today. And the question is, what strategies do you recommend as organizations can become more proactive in detecting and responding to ransom activity within their environment, and so in this research, we carefully screened to ensure that they are knowledgeable. Visits of respondents are knowledgeable and involved in addressing ransom at risk in their organizations, their expertise reveals certain practices that organizations should consider adopting, such as focus on insider negligence, your training programs that create awareness on how users can make better decisions about the content. If they receive an email, what they view or click in social media, how they access the web and other common practices. So I think there are all sorts of things that organizations can do. And keeper, I think, provides a pretty good list of those factors that organizations should consider, implementing an app, implementing already.
Raghu N 28:15
That's awesome, right? And then anyone, anyone who's interested in that kind of download the research from illumio.com so as organizations think about sort of how to improve their security posture against threats like ransomware, what is the role of a Zero Trust approach in this?
Dr. Larry Ponemon 28:34
We've done quite a bit of research in Zero Trust, and if implemented correctly, it can be very effective across not just ransomware, but across the security domain. But a lot of organizations think that it's zero, but it's not truly zero, it's a much larger number. Sometimes it gives you a sense of comfort that, well, our Zero Trust program generates very, very small probability of a very serious attack. But the reality is that there could be something out there that's just going to kill you and you just have this false sense of security. It's kind of interesting. We see that who's responsible for setting that tone, the Zero Trust tone, when the CISO is the starting point, but also CIOs and CTOs, especially smaller sized organizations, they have a voice. And so a lot of companies, that's your job. Clearly, an organization needs to look at people with different skills that can be very effective in managing, creating a secure Zero Trust type environment.
Raghu N 29:39
Yeah, it's about, very much about that. I think the Zero Trust programs require collaboration across multiple parts of the organization in order to be done, in order to be done successfully, right? And what are the, like, in the, in sort of the, again, right, in the engagements that you've had and the research you've done, what are you seeing as sort of the uptake of Zero Trust and the progression of Zero Trust programs in terms of the number of organizations or the percentage of organizations that are on this path today?
Dr. Larry Ponemon 30:10
Yeah, as I mentioned, we have done quite a bit of work on Zero Trust, and the “trust” is a keyword. That's a zero the idea is creating enough trust where you don't have to worry at night or worries much. So I think what we're seeing is live organizations have implemented Zero Trust, and the real benefit is that they'll have an ability to manage risk, see risk, understand the interrelationship between process and resolve, you know, things like the cost of data breach, integrating that technology very helpful to create a Zero Trust environment. But it's still one of those issues that we think we're good and we have everything managed properly, but particularly could be a big surprise at the end of this. But Zero Trust is something we've been looking at for a while, and if implemented correctly, can be pretty effective and helpful to folks in this the security domain or the IT domain within a company.
Raghu N 31:02
So just on, sort of on that point, right, it being effective. Like your advice when they say, Hey Dr. Larry Ponemon, like, what is your advice for organizations that are really struggling to align their security strategies with the growing sophistication of cyber criminals? What is your sort of, Hey, these are the most important things that you should do?
Dr. Larry Ponemon 31:21
It is important that accountability and overall responsibility for detecting and responding to ransomware attacks should not be dispersed throughout the organization. So the key variables, words should not be, a positive trend is that 92% of respondents say one person or function is most responsible for making their organizations more resilient to ransomware attacks, and it is most likely to be the CISO or the CIO, CTO, and this will enable or ensure that strategies are applied consistently throughout the organization, and any gaps in security policies and practices are related. This goes against the common idea that we have management by committee. Yeah, and that's not going to work as well as having some central voice with accountability and responsibility for making sure that a company meets its goals, and getting to Zero Trust gets you to some really good results if it's implemented correctly. And that normally is owned by the CISO, if your organization has a fully dedicated CISO or CIO.
Raghu N 32:42
I think that's a really important point about sort of having an individual that is accountable for essentially managing and owning that risk across the organization. And as part of this, do you also see a shift from organizations moving even the CISO function evolving into much more of a chief security officer function. So it's beyond just a focus on information security, but the overarching security, all aspects of security in an organization. Do you see that shift?
Dr. Larry Ponemon 33:13
Absolutely. It used to be that the CISO was a technical middle management level person. Now we're seeing organizations moving that role to maybe even to the CEO or to the Board of Directors, very high level. And that person could have all sorts of background. So it could be people with a technology ability, but or management capabilities, or, you know, have different even IT even personnel. You know, make sure that you add hiring the monster, a monster. We see people with different skill sets. And so the key variable is what seems to work in a small organization, you can have that functionalization, people who are middle met level management, but we get to a very high larger organization you want to make sure people have they're not just in a technology where all they have other schemes. It could be very important.
Raghu N 34:11
Yeah, no, no, no, I agree. I think that that trend is, again, it's tying it back to your earlier comment about the unification of responsibility, right? And, and as a result of that moving, sort of, that ownership, sort of, at the board level, at the leadership level, is essential, right? Because it, this is not just relevant to the technology function, it's relevant to the business as a whole.
Dr. Larry Ponemon 34:35
Yeah, it's really a business issue. When you think about ransomware, for example, it's a security issue, but it's also a management or lack of management. Organizations maybe not thinking about ransomware as an issue. You know, if they have a background in IT they would be embarrassed by that result, but if the person running the process has kind of skills and, they're not deep, but they're enough to understand the problem. Then we start seeing kind of the movement to having people without the site, not only the IT folks. It was interesting, an organization hiring CSOs, who are really CSOs, and I see ISOs. They have a role, a bigger role.
Raghu N 35:21
So a few things before we before we wrap up, right? And, of course, right, the Ponemon Institute is, sort of, as I said at the top, is just world renowned for the quality of security research. So if, if someone, if I had to ask you, like, what's still on your wish list, on your bucket list of research that you'd love to do?
Dr. Larry Ponemon 35:40
Oh, gosh, I could say we a dream about studies. I think an interesting study is metrics. What moving beyond the cost issues, what metrics the organizations could use as benchmarks? I would, I'm very interested in looking at trust again, the trust studies that we did 10 years ago, the privacy trust, kind of expanding to not just privacy but looking at security related issues. I think that could be very helpful. You know, the privacy trust studies were interesting, by the way, because it gave the organization the ability to compare themselves against other companies. And it was, from a business point of view, amazing if companies would say, How do I get on your list? And we obviously don't take orders, but it's about but I think that would be a, definitely an area I would be interested in looking at from a trust perspective. I think another area that we actually are working in very interesting, the whole issue of artificial intelligence and certain metrics that can be used to make sure that that's being implemented quickly. I think that is just unbelievably interesting, because the things that we think exist out there are really chump change in terms of being developed now, especially universities like Stanford MIT and some interesting places where, you know, we hang out. Yeah, so I'm getting old, I admit, is white beard bouncing around. So, you know, from my point of view, the Institute will continue, but I made my wife loves me and she wants to make sure that I just take some time and enjoy life.
Raghu N 37:13
Absolutely, absolutely you're hanging out at all the cool places like Harvard and Stanford. I'd love to be able to do that. So you said about your interest in sort of getting into the metrics of of security, and I think this is a really interesting place, because I, I've kind of long held this belief as a as an industry, I don't think we are really good at communicating or demonstrating how effect, how quantitatively, how effective a control or a capability is, or how much it's actually improved our security posture. I think we're really bad at that. Is that your perspective?
Dr. Larry Ponemon 37:52
Absolutely! We've done some interesting studies looking at not cost, but cost savings. We actually found out that people, companies have a terrible time, horrible time coming up with to savings. Because, you know, the sense that everything's a savings. And we want to demonstrate, you know, show a report to the CEO of our company that if they implement this technology solution, bingo, they're going to have huge amounts of savings. And happens, it's always a surprise. You know, a year later, we invested millions of dollars, and yeah, the savings hurt $5 you know, we really haven't mastered that process, but I think we're going to see better estimation, and that's going to be health very helpful. And also, the other thing is the US dominates security industry, but I hope that changes, and I think there's evidence to suggest that the best and brightest people may not be in North America, maybe in another world. And we think, I think, from a research point of view, that's very interesting, because we've been building, you know, databases of all sorts of interesting folks in different countries, even Central Africa. You know, very interesting. The quality of the data is questionable because we're dealing with people 1000s of miles away. It may have the cultural perspective that we have, but it from a research point of view. I think it could be very interesting. Who would love to do that?
Raghu N 39:12
Amazing, amazing. Love to see it, because I'm sort of very much around, like, like, security technologies and security professionals being able to, like, very accurately say "I did, I took X, or I implemented this control", and it made me this much two times more secure. And here's the data to show that that's actually the case. The final thing, and hopefully a fun question, if you look back of your, of your very storied career, and you look back and say, right, "Many years ago, I thought X or Y would be drastically different in 2024." What is it that actually, when you look back, it's not really changed that much over the years?
Dr. Larry Ponemon 39:51
Oh, great question! I would say that the whole area of cyber security and guidance using organizations that could demonstrate. Rate that they are reading a fiduciary requirement, things like that, where, you know, organizations still have a very hard time measuring the quality of the services they provide to organizations. That hasn't really changed all that much. I think the whole area of big changes is around in things like AI. I keep on saying, AI, there's a technology that is pervasive has the ability to be huge cost savings and could be wonderful if implemented correctly again, if not. The warning label is that these smart technologies can actually cause a lot of damage if not implemented correctly. You know, an angry computer or an angry robot. I'm joking, but is it there isn't a potential for those kinds of things to happen. But the big change is that there's little change. You know, the said at the beginning of our conversation, things are getting better, slow moving train and is there are things on the horizon that could be having a huge impact. And as I mentioned before, the trillion-dollar cost, it's just, you know, the Gross Domestic Product of the UK. I mean, it's a number that's huge. Yes,
Raghu N 41:08
Absolutely. Well, let's hope that slow moving train continues to move in the right direction. That's all we could do. Larry, I mean, any final thoughts from yourself or words of wisdom to our listeners.
Dr. Larry Ponemon 41:21
Sure, well, you know, we work with a number of wonderful companies that want to make sure that you get a copy of our latest and greatest report. We can entitle The Global Cost of Ransomware study, and it is sponsored by Illumio. Again, it's not a private endorsement, but we think you guys are great. You have a wonderful technology and consider it from the heart.
Raghu N 41:44
That's very kind of you. Larry, it's been such a pleasure to speak to really a legend of the industry. I hope you don't mind me saying that, and thank you so much for taking your time and being on our on our podcast. Really appreciate it. Thank you.
Thanks for tuning in to this week's episode of The Segment. For even more information and Zero Trust resources, check out our website at illumio.com. You can also connect with us on LinkedIn and Twitter at Illumio, and if you like today's conversation, you can find our other episodes wherever you get your podcasts. I'm your host, Raghu Nandakumara, and we'll be back soon.