
The Resilience Factor Podcast
Cyber resilience is fast emerging as the driving force behind critical business continuity in our digital era. Faced with brownouts, blackouts, and the ‘when not if’ nature of cyberattacks, how do businesses harness this resilience for stronger cybersecurity and networking?
Listen in to The Resilience Factor as our hosts — renowned social engineer Jenny Radcliffe and Zscaler’s own Kate Baker — explore how organizations and employees can fail forward to adapt with confidence.
Through trend-based discussions with cybersecurity experts and pioneers, real-life case studies, and practical advice, The Resilience Factor offers audiences insights on the tools and strategies needed to build business and personal resilience.
S1 E1 The Foundations of Resilience with Marc Lueck
CISO in Residence Marc Lueck defines resilience as a strategic business approach to cybersecurity and networking. In this foundational discussion, you’ll understand how to become Resilient by Design to ensure business continuity: no matter what.
Speaker 1:In today's world, businesses face unprecedented challenges to their smooth operation. The possibility of cyber attacks, natural disasters or economic slumps causing businesses to flounder is very real, and so we have to prepare ourselves. And that's what this podcast is all about. I'm Kate Baker, and in the Resilience Factor, we'll be hearing from some of the people at the forefront of cyber resilience. Cyber resilience is fast emerging as the driving force behind survival and success in a world of unprecedented digital transformation. We'll hear from cyber security experts, pioneers and industry leading experts at the top of their game. We'll look at real-life case studies, give you practical advice, tools and strategies to build business and personal resilience into all areas of cybersecurity and networking. Welcome to the Resilience Factor. As this is the first episode in the series, we're going to explore what resilience means and why you should care. So today we're joined by Marc Lueck, CISO in Residence here at Zscaler, with almost 30 years of experience, to kick off the series. Hello Marc, how are you doing?
Speaker 2:Hello Kate. Thank you for bringing me on the show.
Speaker 1:Yeah, it's brilliant to have you on the podcast, so tell us a little bit about yourself.
Speaker 2:I have been in this industry since before the evolution of mankind. No, I'm kidding, but I have been in this an awful long time and I've been able to watch this industry change. So I started. It's almost as you said, it's almost 30 years for me. I started as a real technical security person. I've probably deployed more firewalls than I'd care to admit and through my career progression and through changes in what I was focused on went into security leadership, security improvement, and have ended now in a vendor, which was not an expected destination for me.
Speaker 2:But, it's really. It's kind of been an interesting circle for me where I'm now in the position of helping people really achieve the view of where cybersecurity has gone and where it can go, and looking at it from a very interesting perspective.
Speaker 1:And it's such a fast kind of moving industry right now.
Speaker 2:It is an incredibly fast moving industry, and I always say this to people is that we work in the cybersecurity industry. We work in a really interesting space because we do not control the pace of change. The pace of change is controlled by somebody else, and guess what? They're not doing it for us, they're doing it against us, and that means that we have a really pretty unique challenge.
Speaker 1:So we're hearing a lot about resilience at the moment. I'm sure this is something that you're working on a daily basis in terms of how you can help customers, but we're hearing that this is being tipped by Gartner as an important focus area for businesses in 2025. So why do you think resilience is such an important topic right now?
Speaker 2:Well, let me back up a tiny bit and talk about what I think of when I hear resilience. 30 years ago, the term didn't exist, right? It has existed for quite a while now. Resilience is all about looking at the challenge holistically rather than looking at it as a fire and forget. And, in particular, cybersecurity used to be hey, if we put our controls in place, I'm in the IT space, I put this control in place, and then my job is done, wash my hands, I'm good. Resilience says no. The challenge is bigger than that.
Speaker 2:Now we have had frameworks, et cetera the NIST cybersecurity framework. The CSF, for instance, was great at saying, hey, security exists in these other domains. It's not just stop things from happening. You got to respond and recover were the terms they used. Resilience is taking that a step further and actually looking at this as a philosophical challenge rather than necessarily a technical challenge. How do I ensure I'm prepared and can respond quickly and how do I keep the lights on? So, yes, it's a good term and I think it's a positive change for our industry, but I guess it's not exactly new.
Speaker 1:And so, in terms of if we put this in the context of Zscaler and our approach to resilience, how do we go about tackling the issue?
Speaker 2:Well, I think it's really interesting that we started almost 20 years ago in our stealth mode. I mean, we're not a young company right now, right, and we've had a lot of labels over the years. We were that proxy in the clouds, I use it facetiously. We were a networking company, we were a security company, but I think, more than any other company in this space, we are a resilience company at our core. Why? Because we are not just throwing those controls out there. We are actually trying to help our customers shift to an architecture which is resilient by design. Were those the words that were used 20 years ago to describe us? Probably not, but it doesn't matter. That is actually what we're delivering, what we're able to help our customers achieve, the vision we're aiming towards, and therefore I do think it's interesting.
Speaker 2:Yes, there are plenty of security companies out there, but the key here is that we are not just throwing those controls in place. We are replacing an aging architecture that was based on a set of fallacies, which never really made sense and was certainly not delivering resilience. As a really interesting aside, the networks we all love and work with, the TCP/IP stack, invented in ARPA 40, 50 years ago, was, by its nature, intended to be resilient, but it was intended to be resilient for a very specific reason: fundamentally, atomic bombs. That's not what we have to be resilient to anymore. Yes, that exists and yes, we can rely on the underpinnings of the network to help us with that. But that's not the end state of resilience. There's far more.
Speaker 1:That's an interesting point, then, in terms of, like that end state and what that means for an organization. I mean, you captured it in a phrase resilient by design, but what do you think that that really means for a business in you know, 2024, heading into 2025 and beyond?
Speaker 2:Well, I said that before, there's one part philosophy, one part architecture and one part capability, and there's probably another few parts as well, but let's just start there. The philosophy is that the ability to prevent an attack, withstand an attack as it's going on and recover from an attack after it's happened is not a challenge that can be met by one group in one area or particularly one technology in one area. Your firewalls are not going to do most of those things I've just described, but they will maybe do an element of one of them. So it's looking holistically across your organization and ensuring you have this deep ability to prevent, withstand and recover from these attacks. Now, like I said, there have been words and frameworks that have driven this behavior.
Speaker 2:But, as a business leader, understanding and asking that one question: am I resilient? So, by design means that you have ensured that as you're extending and building business capability, extending IT uses, that resilience is part of that thinking process before you've established it. Now, that's not necessarily that easy and of course, that is always going to be. There's going to be a push me pull you relationship between business agility and resilient thinking. However, it doesn't have to be, because resilient by design can be part of business agility as well, because changes in architecture aren't necessarily going to slow things down. In fact, I'd argue it could be the opposite. Now these new changes in architecture could speed things up. It's about thinking about the challenge before you establish business changes. That's really resilient by design.
Speaker 1:And the analogy that comes to my mind. It sounds like it's like preparing for a storm.
Speaker 2:I love this analogy. I mean, as a storm is coming in, if all you had was an umbrella, you're not resilient. You've got protection against one thing, but there's so much more. I mean, we've had a terrible hurricane season in the West Atlantic this year. We're all aware of what's going on, but, as that is forecasted, forecasting is one element, yeah, of your resilience by design.
Speaker 2:If you didn't have forecasting, you would be absolutely out of luck. So there's one element. Another element is the tools that we have. An umbrella is one of them. Maybe there's a portion of the storm where an umbrella is an appropriate control right, preventing you from getting wet. But there's more and there's ability to be able to call on governmental assistance to fix things afterwards. So the storm is a perfect example the ability to predict, to prevent as much damage or as much impact as possible to be able to withstand.
Speaker 2:Are your building codes set up in such a way that your buildings are built in a way to withstand the winds, the sustained winds, and are you able to clean up afterwards and be able to keep those essential services? Have you even declared what those essential services are? What do I need? I need ambulances to be able to get down the roads to people who might be injured. Well, that means I need those roads to be prepared and to be cleared first so that I can get those ambulances down. Those ambulances have to be ready. Those people have to be ready and near those ambulances so they can be driven along. This is all resilience by design, and the storm is a perfect example. A cyber attack, a major cyber attack is not that much different from that storm.
Speaker 1:And I think if we weave that into our thinking from the ground up, then businesses are going to be much stronger in light of an attack right, not just much stronger, but actually have the ability to have some competitive advantage.
Speaker 2:There is an old joke that talks about two guys sitting around a campfire in the American West and the campfire is burning down and they're singing some cowboy songs and then they hear some rustling in the underbrush and the unmistakable huffing of a very angry grizzly bear. And the two of them know that this is it. There's a grizzly bear attacking and one of them, he gets on his knees and starts thinking about his wife at home and his children and praying for, you know, eternal salvation. And the other one's strapping his tennis shoes on, getting ready to run. And the first one says to the other, he says what are you doing? You can't outrun a grizzly bear. And he says I don't have to outrun a grizzly bear, I only have to outrun you.
Speaker 2:Now, pretty cruel joke, but the point is that business advantage can be found by being the people who do the right thing first, and this is an example. Being resilient when others aren't resilient could give you some very significant competitive advantage in the marketplace and certainly the ability to withstand, especially if these attacks are becoming more and more common, more and more prevalent, which they are. If we're all going to experience some level of attack, resilience might be your competitive advantage to keep your business going quicker, keep your business going with more profit, keep your business going with more agility, just to keep your business going.
Speaker 1:I remember someone gave me the phrase once around clarity exceeds momentum. So it's like that kind of concept of like, once you've kind of got the bricks, you've got things sorted, you can start moving because you don't have to worry about those things, right? So I think that's kind of what you're saying. It's that agility that you get from having your organization set up in such a way that you don't, it kind of is taking care of itself. Yes, you need to look after things, you need to monitor what's going on and all the rest of it, but if you factored that into your thinking, you've got more speed. Basically.
Speaker 2:One of the advantages I have of 30 years in this industry is I can remember when the board didn't even know what security was, right.
Speaker 2:And then I can remember when every CISO I knew was trying so hard to get their 15 minutes in front of the board and the board still kind of like, okay, security, slot, 15 minutes, and then completely forgot it. Security is now, of course, a board level topic. There are, you know, either there's a non-executive director or a director responsible for security in most businesses. There is a vision, there is import, there is investment. I get all these things. The key, of course, is that changing the year that we're running, that in making sure we're leveraging this visibility and investment and capability in a way which is actually driving forward, yes, to protect us, yes, to allow us to recover, but all in all to ensure that the business is successful. That is a first for security, and it's only been really in this past couple of years where security has actually become the enabler we always dreamt it might be.
Speaker 1:Yeah, and I think it's interesting, right, because in the past few years we've heard of the BISO, the business CISO, right, and the elevation to the board and the requirements for CISOs, their skillset needing to be a lot more strategic and thinking about these things, right. I mean that's placing a massive change on the role of the CISO.
Speaker 2:It has.
Speaker 2:My first BISO was actually a significant number of years ago.
Speaker 2:Maybe we were ahead of the time, but when I was at Pearson we had BISOs and those BISOs had an interesting one-to-one sideways relationship with our CISO in that they were representing a specific business unit and those business units' needs, wants, and were extremely close.
Speaker 2:So there was almost trying to get around the combative attitude that security has had with the businesses and saying, hey, I'm your security advocate, I get where you're coming from, I get what makes you tick and what doesn't. You know what you struggle with. I will carry that torch forward and have these conversations to try to get ourselves heard, and that for me, is positive. I'm hoping that actually our modern CISO is able to do that for them anyway and that the BISO may have been a temporary measure as we still had this combative attitude inside of businesses. But I'm probably being overly optimistic. It's probably necessary because we still have to have someone in that role of saying, hey, you got to do things a little bit more safely and I'm going to be looking at overall and pure risk rather than just risk against the business advantage.
Speaker 1:One point you made around. You know the business advantage and if businesses focus on this, then that is where they potentially have a game changer. Do you think businesses are getting it?
Speaker 2:I have, in my current role, exposure to a huge number of organizations, how they operate, how security in particular operates. I have one-to-one relationships with quite a number of global 2000 CISOs and understanding what their position is in their roles. I wish there was one simple answer. But one clear example is that the direction forward is there. We are maturing as an industry, we are getting better at this and the evidence is everywhere. So that's a positive message that I want to share. But there's no one answer to that question.
Speaker 1:There's no one answer. Yeah. For anybody that is starting to think about how they can put these measures in place, if they're kind of evolving their approach, what would your advice be?
Speaker 2:Like I said before, it is a philosophical challenge. First, if you move away from the old school thinking of controls as isolated and as applied to a business this is the control friction approach. This is the way we applied security for so many years and you start to look at how to achieve overall resilience and use that philosophy of saying, using that storm analogy if you wanted to, it should change the way you look across the business. Now a lot of this is in place. The respond and recover rallying cry that's been existing in the CISO world for the past couple of years is a part of it. But the CISO banging on about resilience isn't necessarily what needs to happen.
Speaker 2:We need that board member banging on about resilience and that's why resilience is such a handy title, because it's not mired in the jargon of cybersecurity. You know that identify, detect, respond and recover of the NIST CSF is great and it's a great way of visualizing the resilience philosophy across the business. But it doesn't flow well to a board member, does it? Or it doesn't flow well to somebody who's not in the cyber space. Resilience is that way we can shoehorn this conceptual change, this narrative of doing better, into a different audience. The ideal situation, your board member says show me how resilient we are to an attack, is so much better than what they used to ask, which is how protected against ransomware are we?
Speaker 2:That is a wholly different question and a wholly different answer can come from it as well, and it's what I relish the chance of answering. What's my protection against ransomware? It's got very hard, solid boundaries around it and it's fundamentally going to be a set of technical tools, really, and that's about it. Maybe you threw backup in there to have a good wider conversation, but it's still bound by those technical responses and bound by the technical challenge. Whereas resilience is a question, I can start talking about storm prediction. I can start talking about how the ambulances are getting from point A to point B. Who I might need to rescue first?
Speaker 1:Yeah, it's powerful, right, and it kind of elevates the role and the function into a completely different territory, I guess, within an organization.
Speaker 2:Isn't that an interesting point, Kate, you make? Because is the CISO the person that drives resilience? Is there a head of resilience that's going to drive resilience, because it certainly is larger than that one role? Of course it is. Is the CEO the champion of resilience? I don't know. I don't know the answer to these questions, but I find them really interesting questions to ask.
Speaker 1:Absolutely, and I think you know there's cyber risk, obviously, but then there's the wider catastrophe, right. So it's like there's so many factors in play here. So I think it's a very interesting kind of future that we're navigating.
Speaker 2:Who would have thought that we'd be talking about how do I maintain resilience through to a war in Europe. Who would have thought that three, well, three years ago, it would have been maybe five years ago. Who would have thought about that? But the same challenge applies to that specific issue as to a cybersecurity attack. The same thinking should apply. How do I maintain my resilience?
Speaker 1:Yeah, and you know, obviously, the last kind of six months and all of the political situations that are happening all across the world as well. Right, it's like having to adapt to all of these different things that are happening.
Speaker 2:I don't have a single customer saying here's my resilience program because, like I said before, this is a philosophy.
Speaker 2:However, every customer we have which starts actually absorbing and implementing not Zscaler as a set of controls, but Zscaler as a change of architecture and a change of philosophy. They are starting to build resilience into their business by hook or by crook. It is getting there when we start to think about, you know, reducing their attack surface by shifting it over to us so that they don't have you know, you've heard the expression before if it's reachable, it's breachable, and that's been in the cyber news quite a lot recently. By shifting that, you are now starting to ensure that you aren't building homes in the path of the storm. Something as simple as looking at and managing your external attack surface, looking at consuming threat intelligence. You're starting to predict the storm, predict where things may land next by ensuring that you have the appropriate controls and the connectivity into response. You are starting to build that connectivity into figuring out how to clear up afterwards. This is happening and it is the architecture and philosophical shifts I'm seeing, rather than specifically a program of resilience.
Speaker 1:One of the pieces that I've read recently from Gartner is that it's something that SRM, so security risk managers, are facing. It's a challenge they're facing. Like how do they embed a resilience program into their organization, and I think it is starting to gradually be spoken about more as a program, which is quite interesting, I think, in the industry.
Speaker 2:And look, the tools. We've already got all of those tools. We have, and what I mean by tools, I mean tools that we can draw on as an enterprise. We have the preventative controls, we have the visibility tools, we have recovery and response tools.
Speaker 2:Drawing them together is the challenge right, and I hate to say this, but one of the most important elements to ensuring resilience is functioning is, of course, the testing, the tabletop testing, the ensuring that we know what's going to happen in a time of crisis, and we are a lot better at this than we used to be.
Speaker 2:I mean, in my own career, I can remember having to, you know, make it up on the fly when we had serious, significant incidents. Hey, it always came out all right in the end, but I was flying by the seat of my pants and figuring out what I had to do, who I had to communicate with, what that communication looked like. And those times of unpreparedness, hopefully, are mostly done, because preparedness is something we're getting much better at. But that's a huge element of resilience: making sure that we test and test effectively and understand what's going to happen when that data center goes down, when we can no longer use the compute from that regional location. When we have encrypted drives because of ransomware, how do we get past it? How do we get around it? Let's test it.
Speaker 1:Yeah, and I suppose in terms of that resilience kind of muscle and you said about flying by the seat of your pants, compared to your past experiences, do you feel like boards and management are listening to cybersecurity experts more these days?
Speaker 2:I mean, there is absolutely no question that we have an active voice now, maybe not a direct voice, but our messaging is being heard and being replayed and being reflected back to us from the board. We do have to flex and exercise and build this resilience muscle and it is not an instant thing, just like any good training and any good gym goer will know. It's not going to happen overnight. It requires repetition, it requires increasing the capability, increasing what we're trying to do, widening the scope, technical debt, which is going to be difficult to shift, difficult to apply resilience to. But I still am hopeful that because we have the audience now, because we have this powerful voice that's being heard, that we have the investment, that that is a soluble challenge.
Speaker 1:If you could say that you have one resilient superpower, what would you say? That is, what's your resilient superpower?
Speaker 2:My resilient superpower would be, I don't say I have it, but I'd say it would be ultimate visibility.
Speaker 1:Ultimate visibility.
Speaker 2:If I can see, I can respond. So for me that underpins a huge amount. And what I mean by see I'm not just talking about oh, I see the network traffic. I'm talking about seeing relationships between business units and applications, seeing the relationship between business applications and the people who run them, seeing, of course, the intelligence that suggests what might be attacked and how it might be attacked and what that will be. So there's a huge amount of visibility. If I have visibility as much as possible, then I have my superpower.
Speaker 1:So thank you so much for your time today, Marc. It's been a great conversation to kick off the series.
Speaker 2:Thank you, Kate, for allowing me on the show. It has been a really great conversation. I agree completely and I am really looking forward to hearing the rest of the speakers on your show and really looking forward to seeing the progression that we're doing as an industry. Thank you.
Speaker 1:So let's reflect on that conversation with Marc Lueck of Zscaler. Resilience, he says, is a new approach to cybersecurity.
Speaker 2:Resilience is all about looking at the challenge holistically rather than looking at it as a fire and forget. Resilience is taking that a step further and actually looking at this as a philosophical challenge rather than necessarily a technical challenge.
Speaker 1:At Zscaler. He believes the central focus on resilience is changing the game.
Speaker 2:We are not just throwing those controls in place. We are replacing an aging architecture that was based on a set of fallacies, which never really made sense and was certainly not delivering resilience.
Speaker 1:Which brings us to a new concept resilient by design.
Speaker 2:By design means that you have ensured that, as you're extending and building business capability, extending IT uses, that resilience is part of that thinking process before you've established it.
Speaker 1:And resilient by design can bring real benefits to businesses.
Speaker 2:If we're all going to experience some level of attack, resilience might be your competitive advantage to keep your business going quicker, keep your business going with more profit, keep your business going with more agility, just to keep your business going.
Speaker 1:And if businesses are to be alert to threats, they need an understanding of resilience at board level.
Speaker 2:Resilience is such a handy title because it's not mired in the jargon of cybersecurity. You know that identify, detect, respond and recover of the NIST CSF is great and it's a great way of visualizing the resilience philosophy across the business, but it doesn't flow well to somebody who's not in the cyber space.
Speaker 1:So in today's volatile world, being resilient by design isn't just a nice to have, it's your ticket to gain a competitive advantage and unlock the resilience factor. Join us next time when we'll be speaking to Tony Ferguson, a seasoned CISO and champion of risk hunting, here at Zscaler. Thanks for listening.