On Aon Podcast: Building Cyber Resilience

August 29, 2023 31 mins


Episode 58: Our Aon experts examine global trends as well as tactics on how to manage cyber risk from the C-suite.

Key Takeaways
  1. The value of cyber resilience is in a constantly changing environment.
  2. The experts discuss a holistic approach to cyber security that results in engineered resilience.
  3. It is important to educate the board of directors about the potentially catastrophic impact of cyber attacks.

Intro:
Welcome to “On Aon,” an award-winning podcast featuring conversations between colleagues on, well, Aon. This week, we hear from Joe Martinez and David Damato for a discussion on cyber resilience. And now, this week’s host, Kate Kuehn.

Kate Kuehn:
So, thank you today for joining episode 58 of our podcast. This one is on Aon’s cyber resilience. I'm Kate Kuehn, and I've been a colleague for Aon for the last year. I'm currently the chief trust officer in Cyber Solutions, and today we're going to talk about cyber resilience. Aon has just released its 2023 Cyber Resilience Report, and what we found is that there's a lot of trends and focus on some of our biggest concerns for companies globally, including, not what we've done from a supply chain perspective, looking at the attack vectors, thinking about what's happening from a commercial risk perspective, but the reality is, is that cyber threats are evolving constantly, and risk mitigation continues to pose a really ongoing challenge. Today, we're going to talk about the report and the focus and the view of it from a C-suite perspective. I'm really excited to have Joe and Dave on with us, and I'd love them to introduce themselves. Joe, would you like to begin?

Joe Martinez:
Hi Kate, and thank you for the invite, it's always great to talk with other professionals in this industry, like yourself. I'm Joe Martinez, I am the chief security officer here at Aon and have been with Aon for a little over seven years, going on my eighth year overall, and happy to be here partnered with my cohort, Dave, in terms of protecting the firm and doing our best that we can for both our clients and our colleagues.

David Damato:
Thanks, Kate. Good to see you again. So, I'm the chief information security officer, so I work with Joe. I'm responsible for all our cybersecurity technology, so you think about things like application security, cloud security, and identity access management. And so, I get to play with all the really fun technologies and deal with all the fun threats and vulnerabilities out there. It's a really interesting job, and I'm constantly challenged. I started my career out in the Department of Defense, worked as a consultant for a number of years, and I worked at a company called Mandiant for a bit, and then wrapped up with both Tanium and Gemini. So, I've had a long career in, both consulting and startups, and excited to really take that experience and apply it here at Aon.

Kate Kuehn:
So, I'm really excited about this podcast today because it's so much fun to have colleagues like yourselves in a room. But I'd love to get to know you and do a little warmup question before we really get into things. And so, you talked a little bit about your role with the firm, but what I'd love to understand is, what is it about your profession that really inspires you most? Joe, I'm going to pick on you and ask you to go first.

Joe Martinez:
Sure, no problem, Kate. I think what's great about our job, or at least my job for sure, is that it's always different every day, and you're into almost all aspects of both, not just technology, but as well as operations, the business functions, front office, back office, legal, compliance, regulators, external, different industries. And basically, it's a continuing conversation that you're having in our space, always trying to figure out what is happening out there, being dynamic in our response, making sure that we're meeting where those risks are and where they lie. But more importantly, it's just partnering with a lot of different stakeholders across our business, across our company, across our enterprise, and even talking to clients and getting those perspectives. And there's very few jobs that really give you that wide berth to have really the strong latitude across an organization, and I think that's really helpful to stay on top of things, of how things really run, and here at our company Aon. So, that's what inspires me, it's always different, it's always new, and that always keeps things flowing really well.

Kate Kuehn:
I love what you say about always new and always different, because I think that's one of the reasons that I'm so inspired by my career in security as well. It's a community, and it's a constantly evolving and changing community. And I always laugh at what's new is old and what's old is new, and we have to come together holistically, whether it's from startups and partners... Dave, I love that you come from startups, because I have a pedigree in that as well. And then also thinking about enterprise, government, the holistic nature of cyber community is really just I think inspiring in general across everything we do. Dave, what inspires you?

David Damato:
Yeah, I'm certainly never bored, similar to what Joe mentioned, there's so many things to work on and so many problems to solve, and I think so many of the security professionals in the industry are motivated by that. The fact that there's just endless problems, and it's an endless game as well. It's pretty interesting. In what other field can you track criminals, global criminals? Can you defend against attacks? Are you constantly battling against an adversary that's changing? And that's what makes this role so interesting, and sometimes also frustrating as well.

Kate Kuehn:
Or what keeps us up in the middle of the night at different points too, right?

David Damato:
That's right.

Kate Kuehn:
Okay, we're going to jump right in. So, the theme of this report this year is cyber resilience. And I'm really interested, Joe, I'll start with you, from your perspective, what does cyber resilience mean to you, from your perspective? Why is it important?

Joe Martinez:
Yeah, this is the question. I think for us, at today's point in our industry, the threats are ever-changing and inclining, one minute. They used to be where there were seminal changes in the threat picture once a year, then once a quarter, once a month, and now it's like once a week, once a day. Something's changing that we have to readdress and think about how we're managing these overall. And so, what I've learned spending a long set of history in both financial industry, Wall Street, and with the big banks as well, is usually it happens to the best of firms, it's not a matter of if, it's a matter of when, and when it occurs, how resilient are you to be able to take the lick, take the hit, but more importantly minimize material damage to either your constituents, your stakeholders, your clients, your customers, your company, and then be able to get back up? And get back up in a timely fashion. And then notify the people and the folks that you're required to notify, with as much transparency as possible, and then get the business process back to restoring its function.

In resilience, resilience is really on the recover and response spectrum of NIST, is really where we weight things really heavily. But of course, you still got to do what you get paid to do, in the blocking and tackling, preventing and detecting things overall, but overall, it happens to the best of firms, but you got to be ready, you got to be ready to get back up.

Kate Kuehn:
I think also, the work I do is looking holistically from the governments and the clients and how we bring it together from a risk perspective, that's my role, and I think about resiliency in that exact format, of, how do you assess the risk, mitigate, transfer it, and recover and respond in a way that's meaningful and understands not only from a technical and a security perspective, but how cyber impacts across the risk tower from a board perspective as well? And that's very different. Dave, I'm going to pick on you when you tell me what you think about resilience, because I actually heard you say once that you think it's an overused term. So, I'm interested in how you view resilience, so I'm going to pick on you a little bit, because it was one of my favorite comments from you a while ago.

David Damato:
Yeah, we often use it in a security context, I think it's actually more of an engineering context, and the way I think about it is, if we're engineering resilient systems or engineering systems correctly, they are resilient. They're meant to withstand failures, both operationally and from a security perspective as well. So, to me, it's about, in that design phase, thinking through all the potential risks, like you mentioned, and addressing them through different controls. And many of them are not related to security, many of them are related to other things. So, for me, it's more holistic, I try not to look at things from just the security lens, although that's what I'm responsible for, I try and look at it as how do we build things correctly so that as a result, security is also satisfied. And for those of us who get to design new systems now, it's great, it's much harder to bake that in for a lot of the tech debt and other issues that most organizations are challenged with.

Kate Kuehn:
I love that, from an engineering lens. And I think you're exactly right. I was with some of our clients earlier this week and we were talking about that, if we engineer resilience from a cyber lens correctly, at the front of a journey when you're looking at new technology and new business initiatives, it becomes a lot easier to create a sustainable model. And we do have tech debt, and we do have issues, but it's a question of bringing everyone on that journey, from an engineering perspective, a planning perspective...Joe, you mentioned at a communication perspective. So that we're thinking about things with a lens of not just our version, but everything.

And that brings me to the next question is, cyber is an enterprise risk, full stop. There isn't any other way to look at it. And we're seeing even a fundamental shift, where many CISOs and people from a security perspective are getting pushed into being a chief risk executive. But the reality is, is that all the leaders have to work together if we're going to achieve actual resilience. How should companies help those leaders work together? Like working with your CHRO, your general counsel, your CFO, your CEO, how do you guys work to collaborate, and how do we, from a holistic leadership perspective, to make sure everyone understands why our firm and why clients should think about cyber resilience? Dave, I'm going to pick on you first this time, let's start with you.

David Damato:
Yeah. I don't think it's much different from how other organizations are already positioned in most enterprises. So, you think about finance, the security team does finance, HR does finance, everyone does finance, we all have a role in that. It's trying to extend that same perception and understanding to the entire organization about security. And the best way to do that is a couple of different ways. One is we've done some really great programs where we do fun presentations with different executives. So, earlier this year, maybe it was last year at this point, we had a chance to host a number of our CFOs in the organization and do a really fun ransomware game with them, sort of a choose your own adventure. And it's fun, and it's interesting, and everybody learns something about it, about the topic, and those types of things are really great to educate and bring everyone up to speed.

The other thing we have, which is fantastic, and had been stood up before I even got here, was our BISO. It's basically an organization that is an outreach organization into our product lines and business units, to make sure that all of those individuals have a place, or an intake, to come and ask questions, also, has a voice that's communicating out about emerging threats and new technologies and new processes and policies that we're launching to make sure that we stay very connected. And then, finally, it's myself and Joe, just meeting and talking with individuals, understanding their challenges and problems. So, those are some of the key areas that I've been involved with recently.

Kate Kuehn:
Joe, I'm going to shift the question a little bit when I ask it to you is, what Dave was talking about as far as inclusion and trying to bring everybody together. And I love the fact of choose your own adventure with ransomware, I want to see that back, I want to be a part of the next one you do, that's amazing. But Joe, when you think about it, the impact of a cyber attack on an organization's brand reputation and business operations can be catastrophic. I always think about risks in three zones. There's the zone of routine, what keeps the lights on, the zone of surprise, the things that catch you, and then the zone of catastrophe. And Dave gave a really good example of choose your adventure from a ransomware perspective, but how can we better educate [inaudible] our boards and their stakeholders about these issues and get them to really understand the magnitude of catastrophic risk? How do you work with the board on that?

Joe Martinez:
Yeah, it's a great question. I'd love the snippet, because honestly, if the first time you're talking to any of the leaders or the board is during an incident, you may have to think about revisiting your engagement approach, right? You don't want to be the first time having this conversation saying, hey, I have something really terrible to tell you and here's how we're going to manage it.

It's not just, here's the problem and let's commiserate on the problem, let's admire the problem, but they really hear is, here's the risks that are relevant for our business, here's where I think, the things that we can do today, and then here's the resources or the ask of what I need tomorrow to help manage that. You're on a journey, and that journey, you have to articulate that journey to these leaders, so they understand where you are and where you're going to go. And then get that alignment and direction to make sure that where you're going is where they want you to go as well. And then, along the way, help to be somewhat of a bridge builder, to let them know that, hey, when things happen, sometimes our posture will change, but we're going to continue to move that posture forward to make sure that we're defending the firm and our clients and customers in the best way possible.

Kate Kuehn:
So, one of the biggest threats that a lot of organizations are facing today is insider threat. I want to hear your perspective on insider threat, because there's getting a lot of attention and questions around how much of it is malicious, how much of it is accidental, how do you start to think about it? So, what's your point of view on insider threat?

Joe Martinez:
Yeah, this is one of these tricky areas because it's a balance. You want to breed a culture where all the folks are part and parcel of helping you deliver a great security and risk outcome. Your colleagues are the first line of defense in any security program, and you want to be able to empower them with the right set of tools and awareness and education, to know what to do and to spot things and to help essentially be your eyes on the road, in terms of what's occurring in the landscape. At the same time, you always have to make sure that all risks are not truly external, some of them also internal as well too. And then, do you have the right set of controls where you can monitor folks to keep honest folks honest? Nothing helps more than guardrails, when folks know what the guardrails are, and then they know how to stay within those guardrails, and when they fall outside of them, do you have an appropriate level of accountability?

Do you have a consequence model to help folks understand, get them right on the right path? And that could be through a stoplight program or a traffic school program, where, first time, warning, second time, manager, third time, hey, maybe you don't do that kind of work here, at this enterprise or this company. Or if the risk is really egregious. But nonetheless, I think you have to do your diligence, you just, of course, you always presume the best of intent for your colleagues and the folks that serve your clients, but at the end of the day, you also have to make sure that you're doing your appropriate level of diligence.

Because sometimes it may not just be a malicious mistake, it could be an honest mistake too. Errors happen, right? Configuration issues happen as well too, but they lead to risk as well too. It isn't always just a fraudster or some insider that has mal intent to do you harm, you have to be on the guard for those too, but the most prevalent items that tend to be a lot of risk is a lot of errors and omissions sometimes, unfortunately. But covering both and balancing that is really the trick.

Kate Kuehn:
Yeah, I love the fact, I think we pay a lot of attention to insider threat from a malicious perspective, but there's a huge inside threat as far as just unintended. Dave, you have a really interesting background, and so I'd love your opinion too on insider threat. When you think about it, from an industry perspective, market sector, given where you've come from, I think you've got a very unique lens on just the impact and some of the differences you can see from an insider threat perspective. What do you think?

David Damato:
Yeah, I definitely agree that I think errors and omissions is a much larger one, but when most folks talk about insider threat, I think everyone's mind gravitates to the individual that's inside your company stealing trade secrets and planting malware. And in my past experience, hundreds of incidents, that's pretty much never the case. There are very few cases where there's a malicious insider, and it's usually restricted to certain types of companies. So I think in most organizations it's understanding what actually is the risk, and what you'll find is, the risk of a malicious insider stealing information or modifying information that makes a material difference is typically restricted to very specific sets of data, and placing really strong controls around that data tends to be the most effective way to deal with it. Otherwise, to Joe's point, it's really difficult to balance the concept of openness and collaboration and quick access to things you need, as opposed to locking everything down, so it's a very careful thing. But that's generally what I've seen in the past.

Kate Kuehn:
I also think, to your point, if you end up trying to lock everything down and put locks and keys on every single thing, you're going to have people buck the system, and that creates an even bigger issue. So, there's a balance between being a security enabler and a cyber disabler, when you think about how you approach insider threat. And I think it's a question, as we think about the cross-pollination between some of the risks that we're facing, think about supply chain, think about some of the new types of malware, the concept of how insider threat plays into that holistically is something I think we need to pay attention to because I think there's more unintentional than intentional there that causes some concern.

I want to turn the conversation to takeaways. When we talk resilience, when I think about resilience, I think of it as a client journey, and again, there's insertion points. Are you trying to assess the right areas to focus on from a cyber risk perspective? Are you looking at controls and how you're going to approach financial transfer? Are you thinking about mitigation, and do you have the right solutions in place? Or are you trying to recover and respond? What I'm interested in is from your perspective, Joe, what are some of the key takeaways you would tell colleagues?

Joe Martinez:
Yeah, I tell you, in this space, I think over my long career, it's not that practice makes perfect, but practicing does really sharpen your response and your ability to be essentially on point in terms of managing some of the more serious issues that happen in our space. Again, if you're an industry that doesn't have, you're not at the tip of the spear of some of these more novel attacks, or even the drive-bys, but we're all suspect to even the opportunistic attacks that happen in our space, or if you are, but really, when you practice these things and you simulate them, you really start evolving and maturing how you can better respond. And you get to things where questions you may not have to have answered before, but then they pop up. It's not so much about the small phishing items and ransomware, malware items that have to pop up, we have to manage those, but you really have to think through your business and then determine what are the key decisions we have to make, because you don't want to make those in the middle of the firefight.

You want to be able to practice these, ask these tough questions, figure out who gets to make the decision. Is it a collaborative consensus type model, or is it, hey, the CISO or the CSOs in power to make this on behalf of the firm? Those are the kind of things you want to identify ahead of time, but practice is really the core advice overall. The more you do it, the better you'll be overall.

Kate Kuehn:
Dave, you've got a lot of different lenses, from a startup perspective, from a technology vendor perspective, and now your role here, what are some of the key takeaways you would give? What is some of the advice you would give if someone else was in your shoes?

David Damato:
Yeah, I think it's really understanding your business, is the first key. So, the things that I was focused on working at a crypto, a retail focused crypto exchange, is probably much different than what I'm focused on at Aon. There are definitely different challenges to deal with. And so, understanding those key challenges, and then, to Joe's point, thinking about how your controls and technologies align against a balanced set of controls. So, across, just take the NIST domains for example. You do identify, protect, detect, respond, recover, and you just align all your different capabilities across those, and make sure you're not front loading or back loading certain capability areas.

So, making sure that's balanced and definitely aligned at the threats that you're most worried about, is really a key area that I don't think most organizations do. And then, to expand on Joe's part, one of the most valuable things that I've seen across all the organizations I've worked at is that simulation. And one of the simulations I think people overlook sometimes, everyone talks about penetration testing. And penetration testing is great for mature organizations, where you think you have all the holes, and there's very few of those organizations that exist, in my opinion.

Most organizations are really looking for an adversary simulation, or a purple team, where you have all the stakeholders in the room to really understand an attack from start to finish. And what's great about that is you have, it's not just your SOC that's involved, it's not just your AppSec team, but you have your IAM team, or your network team, and then they start to understand how attacks actually work, so that when they start configuring systems and building things, when IT starts to think about any new architecture, they remember in the back of their mind, oh, this is how this attack works, these are how attackers think. And now you enable the rest of the organization to do some of that upfront thought process, or you embed security into some of the work that they're doing as well. So, to me, that's been probably one of the most important aspects when you think about resilience and assessing that risk upfront.

Kate Kuehn:
I love what you have to say, and I'm going to take a little bit of a different lens. So, from a takeaway perspective, one of the things I coach all the time is to help educate across the entire executive team or board the difference between risk and threat. And so, I always say, if you're going to start to think about what the true threats are to the organization, you need to look at two things. One, a corporate threat assessment of who actually are you appealing to? So, what adversaries actually are interested in what you're doing and why? If you think about it from a geopolitical perspective, a hacktivist perspective, a financial criminal gain perspective, who's actually going to pay attention to you? The second piece of that is then, what are the key business initiatives? What are the key things the business is trying to do this year, and where is the alignment of that?

So, then you can start to really think about the cyber threats that would actually impact. So that's the first key takeaway, really to your point, and Dave, you said it as well, understand your business, and understand also why that business would be appealing from a cyber perspective when we think about a threat. The second key takeaway, and I always get laughed at when I'm in security sessions or whatever else, is I always say, understand and have a strong financial transfer mechanism within your resilience program. Lovingly, have you hugged your broker today? And what I mean by that is, we can do a lot, and you've talked a lot about it from a proactive and reactive standpoint, whether you're looking at a red team, purple team, blue team, pink team, whatever team you want to have today, but the reality is, is that, and we know it, you could buy every tool under the sun and we still may not be 100 percent protected from risk.

And so, leveraging financial transfer and understanding the controls that will have good maturity and posture to help with that journey, and to help us enable ourselves to have a better conversation about resilience with board, is something I always talk about. That it's not just the teams and the technology, but also, we buy insurance for other things in our life. Why are we not doing it in a more holistic manner of how cyber impacts all towers of risk, not just an industry standpoint. The third takeaway I always have is, spend time, and Joe, you talked about it, with your board. Spend time with your executive team, get to know them. I loved what you had to say about, don't let the breach be the first time you meet them face-to-face. Understand how their role would play in your world, how your world plays in their world, and have good dialogue around the holistic areas of the business because that helps build trust and resilience, better collaboration and resilience.

And Dave, goes to your point of engineering resilience on the front end, versus tacking it on the backend or dealing with tech debt that you don't want to have to deal with. So those are the three takeaways I've been trying to wrap up, all of the threads we had today. But, before we end, I want to ask one more question, more on a personal level, so that our listeners and our viewers can get to know you a little bit better. So, my question is, one, either what was the last book you read? Tell us what you did last weekend. Or what would be an insider tip to someone looking to join Aon? So, I'll let you have a bevy of choice. Joe, you want to go first?

Joe Martinez:
Let's see. I'm trying to match my oldest, because he's a freshman in high school this year, and so he has a long laundry list of summer readings. So, I'm always the, don't ask anybody to do something that you were not willing to do yourself, so I'm having to reread Ready Player One with him, even though we watched the movie plenty of times, but that's his assignment. So, that's been fun. And then, really for anybody interested to join Aon, I think, we're a global company, we're 120 plus countries globally, all over the world, 50,000 colleagues, we serve almost every industry across all spectrums, whether it be retail, manufacturing, healthcare, you name it. We have gamuts of all those customers everywhere. And I think getting that visibility across such a wide spectrum is really what you tend to really get over here overall.

And to your point, insurance, as much as everyone likes to think that that is an old school model, is actually quite novel and innovative, about how we actually protect things across the globe. And it isn't just cyber. You would never hire a worker without workers' compensation. You would never build a building without property insurance. You would never build a widget without some sort of product liability insurance, right? Because you'd be negligent if you did. So that means, the world runs on being able to backstop risks and manage those. And I think here, you get that more than anywhere else. So that tends to be exciting for folks when they come over here and see what it is to work at Aon.

Kate Kuehn:
I love that. So, a little bit more about me, I am a mama of five. What did I do last weekend? I drove from Illinois to Arizona because the kids start school next week. So, I hopped in my minivan and did 1,900 miles. And so, the last book I read was, because I always force the kids to do books on tape. They talked me into, The Summer I Turned Pretty. So, my advice to people joining Aon, I'm the new kid on the block, I am just a year old. And what I love to say is that we are a 200-year-old startup. The innovation and the absolute spirit of can-do around professional services, and how do we help our customers think about risk holistically excites me every single day. So, I would say, think about how you can, in essence, help us write that story. How can you raise your hand and be part of that journey of looking at professional services and risk holistically across all lines of business, because that's really who we are. Dave, what can we learn about you, my friend?

David Damato:
Oh my. Yeah, so I'll go through all of them as well. So, my previous weekend was also spent with my two children. So, I have two daughters, they're five and six, they give me lots of joy and other things as well. But I spent the weekend with them swimming, and I was pretty exhausted after that. So, it was a good time. The last book I read, I'm almost wrapping it up, it's Fire and Blood by George Martin, and I'm hoping that the last book will come out someday before we lose him. It's been a while, but that's been one of the books I've been reading.

And then, in terms of joining Aon, to what you mentioned, I haven't been here yet for a year, it's almost a year and a couple of weeks here. And I'm right front and center, and part of that transformation of building that startup within this organization. And we've got a ton of really fun engineering projects going on, and so, if individuals are really interested in helping to transform an organization and implement some of these amazing engineering processes and automation that we're building, they can reach out to me on LinkedIn.

Kate Kuehn:
I love that. I think it's awesome. And I love that you were swimming with your kids, I'm jealous. I wish I were swimming; it's going to be 107 in Tucson today. That's it for our show today, I think we're at time. So, first of all, Joe, Dave, thank you guys so much, this has been an absolute blast. I'm really glad we got to talk about resilience and get to know a little bit more about each other.

Joe Martinez:
Yeah, thank you, Kate, for hosting, I really appreciate the camaraderie. And of course, we'll see each other on Zoom, WebEx or Teams, somewhere here in the near future.

Kate Kuehn:
Absolutely. And with that, that's all for our show today. Thanks for listening and look out for our next episode coming soon.

Outro:
This has been a conversation “On Aon” and cyber resilience. Thank you for listening. If you enjoyed this latest episode, tune in soon for our next edition. You can also check out past episodes on Simplecast. To learn more about Aon, its colleagues, solutions and news, check out our show notes, and visit our website at Aon dot com.
