Podcast

The Human Component: Vulnerabilities and Leadership with Patrick Benoit of Brinks

What is security? Our guest here, Patrick Benoit, Global CISO for Brinks, thinks about that a lot, working for a company with 165 years in the space. From reinforced stagecoaches to the security of today, there’s a focus on the physical. 

In today’s episode, John and Brian talk to Patrick Benoit about people and Things. People are the solution as well as the problem, as Patrick declares that breaches only happen for two reasons. Someone did something they weren’t supposed to do, or someone didn’t do something they were supposed to do. There’s always a human component. 

Listen in as they hit on topics like:
  • The evolving landscape of integrated security platforms and the importance of trust in team dynamics 
  • The challenges of breach reporting and materiality
  • The rising threat of ransomware attacks on IoT devices
  • The fascinating potential of Generative AI for hackers 
  • And more on zero trust, IoT security standardization, and the role of CISOs

Get ready for an information-packed episode that will illuminate the complexities and opportunities in the world of IoT security.

John Vecchi:

Well, hello everybody. You’re listening to the IoT Security podcast live on Phosphorus Radio. I’m John Vecchi.

Brian Contos:

And I’m Brian Contos. And we’ve got an amazing guest today, Patrick Benoit. Welcome to the show, Patrick.

John Vecchi:

Welcome, Patrick.

Patrick Benoit:

Hey, it’s good to be here. Thanks for having me. Yep.

Brian Contos:

So we’re real excited to get down into our questions. But before we start, Patrick, could you give our listeners a little bit of background about you, how you came up in cyber, and what it is that you do today?

Patrick Benoit:

Yeah, so I mean we’ll start with today. Today I’m the global CISO at Brinks, and that’s Brinks, guns, guards and trucks and cash, not home security. That got spun off back in 2012. So prior to that I did some work with some other brands like CBRE, and Experian, and Dell and so forth.

But unusually, I came up through the cyber ranks a little bit differently. I’d been in technology doing software development, project management, infrastructure management, network everything. From the early ’90s, early ’80s up to now. And in 2015, I looked up and decided that the marketplace for CIO type and for VPs in IT was very, very saturated. And so I needed to be different.

And so I said, “Well, look, I’ve owned security for years and years and years. Maybe I should actually focus on security.” And so I did. Did my CISSP and then just jumped into the community, jumped into the process, and took numerous certifications afterwards. And here we are seven years later and I’m CISO at Brinks.

Brian Contos:

Oh, that’s awesome. What’s it like being the CISO for a security company like Brinks? Compared to maybe some of the other companies that you’ve been with?

Patrick Benoit:

Well, the thing that’s super interesting about Brinks is it’s 165 year old company. And so security started out as steel stagecoach kind of things, and that was the armored car of the day. It’s a little bit different than what people would think because they are a security company, but remember the vast majority of their security up to this point, it’s physical.

And it also has a very different view than what even most cybersecurity folks, if they do have a CSO type role, they’re focused on physical for a facility, a building, and that’s kind of it. They don’t have to teach and train guards. They don’t have to train drivers with respect to armored car and things like that.

So that is still a very separate thing because it is so unique and different. That means that my role in information security is not that much different than any other company, any financial institution that’s going to have that type of data that we have to deal with.

John Vecchi:

Got it. Well, you mentioned you kind of got started in the early ’90s. That works pretty well because we’re going to be talking about xIoT and Brian and I always say when we talk about this and the state of xIoT, and it feels like we’re back in the ’90s from a security perspective. So you’ll be right at home, I think with this discussion there, Patrick.

Patrick Benoit:

It could very well be, and I promise not to remove any vacuum tubes while we’re chatting.

John Vecchi:

Perfect. How about your team? And what are some of your … I mean obviously we talk a lot about what we call xIoT, Patrick. And that includes, it’s the expanded internet of things, which is all the IoT and the OT and the IoMT if you have medical and industrial IoT, and all those things.

But tell us a little bit about your team. What’s it like, your priorities? All the things that you’re kind of focusing on today relative to this crazy threat landscape that just seems to change almost by the minute around here?

Patrick Benoit:

Yeah, I mean to me, team dynamics for me is the same, regardless of whether it’s this current team or any other team that I’ve had. The vast majority of the time, what I have found is that I’m walking into scenarios where the team has maybe had more of a old school kind of command and control approach to things over the years.

CISO says, “Do something.” Somebody goes and does it and they come back and say, “We can’t do it because of this.” And CISO clears the roadblock and they go do it. Very command and control oriented. And I just don’t buy into that except in emergency situations. If the house is on fire, I don’t need to have a discussion about how we do it. We just need to get it done. That’s command and control. Otherwise, I ascribe more towards Stephen M. R. Covey’s idea of trust and inspire.

And so my focus always with a team is building this trust and the trust has to come from both directions. I have to trust them and I have to exhibit to them that I have a trust in them. But then they have to trust me and I have to give them a reason for me to be trustworthy.

And when you look at trust, you look at both the character or the intent of the person, how the person deals with you and can you understand and trust their character on what they’re doing? But then also trust is built on the flip side, which is their ability. So the example that Mr. Covey uses is this idea that if I needed surgery, John, I might trust you implicitly. I might think you have the greatest character, that you are absolutely 100% honest, you have the highest integrity and that’s wonderful.

I trust you implicitly. However, if I’m asking you to do surgery on me, you don’t have that ability, so I can’t trust you. So it takes both. It takes the character side and it takes the ability side. And you got to … So when you’re building that trust relationship, you have to focus on both of those.

The team has to understand that I’m going to take care of them as much as I can. We have to get the mission done first. Coming from the military, it’s mission first, not at the expense of people, but keeping people in mind. And then the other side is I have to prove to them that I have the ability to help them make decisions and help set direction and strategy and guidance and things like that.

And so you put those two things together and to me, you have to build that team trust first. And by doing that, they’re going to hopefully be inspired to want to accomplish what you said in front of them from a strategic point of view. Which you’ve built, keeping in mind what the company strategy is. And so that’s the way I approach team dynamic.

Brian Contos:

Yeah, no, that’s a great framework that you’re using. And I’m wondering as you’re going through that, does that same approach apply to your peers on the executive team as well as your board and other senior stakeholders?

Patrick Benoit:

It does for the way I deal with them. But remember, you’ve got two people in the relationship, and so it’s kind of the hearing and listening difference there. So hopefully they’re attuned to that idea, and if I show them that I’m trustworthy.

And then hopefully they are trustworthy, and so we can build that trust. And then they let you have enough autonomy that you can then move on to this push for the strategic success. But it depends. It takes two in that relationship. And so sometimes you have to mentor up, right?

Brian Contos:

Yeah.

John Vecchi:

Yeah. And it’s interesting. I mean, do you find, Patrick, that the other side of that coin is the skillset? Obviously today there’s so many types of technologies, there’s so many things you have to go do. And the skills gap, obviously we hear a lot about that.

Is that a challenge? And what do you do when you look at your team and they have tremendous skills, but most across all of them might not have a specific skill in something you kind of need today? How do you deal with that?

Patrick Benoit:

Well, I mean you just kind of opened the can of worms in my most recent soapbox that I’ve been preaching to, which is this idea that frankly I’m a little over hearing about the talent gap over and over and over again. And here’s why. We created it. And when I say, I mean, we all collectively created it.

We started down this path 10 years ago, however many years ago, and said, “Oh, got to have best in breed. Everything’s got to be best in breed.” And then we started slicing up functionality into smaller and smaller and smaller and smaller pieces and specialty areas for best in breed. Some things still make sense to be specialty areas, but not every little thing.

So what happened was we had thousands of startups create 1% solutions, and then they went and hired all of our talent at higher than market rate because they needed to train them on their 1% solution. And so now when those people are trying to come back into the marketplace for a company that stayed below 10 billion, I can’t hire 20, 1% solution people. I need people that are 50 or 80% solutions that they can work across all the tools that I have.

And so we created our own situation and the prices are driven up. I can’t afford the same kind of prices that a vendor can afford in most cases because they have a different agenda, a different focal point. So is there a skill gap? Yeah. We could probably always use more people, but I think we’re focused on the wrong thing.

Instead of focusing on how do we get the people, let’s focus on how do we train, teach, grow, and develop the people we have and not lose them. Because in the end, people don’t leave companies, they leave leaders. So how do we keep them? It’s always easier to keep somebody, cheaper to keep somebody, train them, develop them, grow them, promote them, than it is to go find a new resource.

Brian Contos:

That’s a great point. I like that point about they leave leaders and that’s so true. And the analogy that popped into my mind as you were talking about how we keep on segmenting and segmenting and specialize and specializing in this space.

When you go to a mechanic these days, it used to be if you had a set of standard and metric wrenches, you were kind of good to go. But now every car manufacturer has specialized tools and processes and training that you need to do that. And it’s just absolutely crazy. It’s so specialized and it’s so hard to find these individuals. I see that.

Patrick Benoit:

And it depends what the market will bear. And it also depends. Everything is historically cyclical. The pendulum swings both ways, and we need to figure out what the balance point is.

But right now what I’m seeing is that some of the larger vendors are swinging the pendulum closer to the center again, moving more towards integrated platforms. So instead of having 20 products that are bolted together in some way, shape, or form, you maybe have one integrated platform that does 80% of everything you need to do, and then you just have some products to fill in the gaps where you don’t have functionality.

And we’re moving back that direction. Now unfortunately, a lot of big companies tend to be so focused on driving market and profitability and such like, that I think eventually that’s going to swing too far to that side again. And we’re going to have integrated platforms that try to be everything to everybody, which is not the answer either.

So somewhere in the middle there, and we’re moving in that direction. We have big companies putting billions of dollars into integrated security suites now. There’s no, I won’t say no. Very few companies, unless they’re Fortune 100 or so, can spend the money in the neighborhood of billions for R&D for their security. And if these big security companies or big IT companies are doing that, we need to hope that they bring it to the right place in the balance.

Brian Contos:

And you’re right, from a vendor’s perspective, that constant build versus buy versus partner and all the complexities, there isn’t one of those that’s a panacea. And you’re absolutely right. It just keeps on reinventing itself.

I’m wondering, let’s look at it from a threat perspective. Again, being someone like yourself that’s just been in the industry for quite some time, what are some of the key threats that you’re concerned with? And you and your team are sort of tasked with addressing these days?

Patrick Benoit:

At the risk of oversimplifying, breaches only happen for two reasons. Somebody did something they weren’t supposed to do or somebody didn’t do something they were supposed to. Those are the only two reasons.

So there’s ultimately in my mind, always some human component to a breach. And so did somebody not patch? Did somebody make a decision that we weren’t going to patch? Did somebody click on something? Did somebody leave a port open? Did somebody not change a configuration item that should have been changed? Did somebody tell somebody information about our environment that they shouldn’t have?

So I still am always focused on how do we build this, again, at the risk of using the overused words, zero trust kind of scenario. How do we build this philosophy of zero trust in? Meaning that I’m not going to let anybody have access to what I’m doing unless I can prove who it really is. But then I’m also going to have the capability to quickly isolate.

Because the hack is inevitable, the exploit is inevitable. Somewhere, some way, some shape, some form. So how do I quickly isolate? So if you focus on those kinds of things. And then how do I recover? Obviously because of the ransomware scenario, that’s a different level of recovery. Even though the attack, the exploit’s the same as a number of other exploits, but the recovery is very different.

So I focus on those things, always keeping in mind that if I find something, find a place where if I can identify where that person is doing something they shouldn’t or didn’t do something they should have, then I probably have reduced risk.

John Vecchi:

I love that simplified approach, and it’s a perfect time to kind of take that, Patrick, and take that lens and that approach and shine it on this whole attack surface we call xIoT. All these smart devices, they don’t have a keyboard, they’re purpose built. They’re basically these, like Brian and I say, many people see the types of devices we talk about, but we see a Linux server, right?

Can’t put Endpoint. You can’t put Tanium or CrowdStrike and throw them on there. And hard to manage them like traditional IT assets. So when you think of those and apply that very powerful yet simple kind of clear approach, how do you think about that for those types of devices?

Patrick Benoit:

Well, and any time that you bring a third party into the picture, whether it be product or service, there’s a dependency on the third party as well. So you have to split between what are we doing and what are they doing so to speak? And what has up until the recent years, been most terrifying with respect to IoT for me, whether it be IoT, OT, whatever, is that there was not very much focus on security at the manufacturer level. And so you almost had to find a way to bolt on some kind of control that mitigates outside of the device itself.

And I think we’re starting to see more of the manufacturers, because they know they’re playing in a security space more and more, they’re starting to at least take it a little more seriously. I think we still need some standardization to ensure that they’re doing the right things with security.

And then once you have that, it becomes a matter of the old whack-a-mole patching game. Are you patching everything? Or do you have the most current available out there? And are they updating and staying ahead of that security curve?

And that’s the thing that even though it sounds the same as what we do with other endpoints, it’s very different because we don’t have the same touch control over those endpoints. And oftentimes they’re so far out on the end of the arm here that you don’t see that, but every once in a while when something goes wrong.

Brian Contos:

Yeah. When John and I first started getting involved with xIoT and sort of looking at how do you manage credentials? And how do you update firmware? And how do you harden or manage certs? And there’s all these pieces that we were thinking about. One of the ones I think we just took for granted was just the discovery process. Actually determining where are all these assets within my environment?

And organizations have a pretty hard time today in almost every case, trying to track devices or cloud applications or on-prem apps or identities, and all these other asset types, let alone xIoT. What do you think organizations can do to get their arms around that? Because it seems like we’re still missing that foundational component, which is kind of know what you’ve got. Know what you’ve got, and then you can kind of take that next step.

Patrick Benoit:

Which is the 101 hygiene that we all overlook while we’re chasing the shiny objects, is that know what you got first. You can’t secure what you don’t know. I think with IoT, it becomes interesting, especially because of the way it connects.

The vast majority of endpoints, especially in an internal infrastructure, are going to connect through a twisted pair of wire. You’re going to plug in a network cable. You do have obviously the access point connection for wireless. And oftentimes that’s pretty well secured too, because ultimately that access point is wired into your network.

With IoT, a lot of them may be wireless. And so if you segmented your network so that you can identify off of there, at least you could see stuff attaching and it’s IP based and everything. But with IoT, there’s so many devices, you could just USB into whatever you have, and you can’t see that. You don’t see it as a network device necessarily. And that’s where I think it becomes very, very difficult to find, track, and discover.

Brian Contos:

Yeah.

John Vecchi:

Yeah, I mean, look, as we always say, these devices, they speak their own language. And the simply put, you can’t really find them unless you can go talk to them and talk to them in their kind of protocol, and in a way that they expect to be communicated with.

We talk a lot about some of the risks of trying to go out and use traditional IT solutions to find these things or go scan for them, and I call it waterboarding. They’ll just slam these things over and start scanning thousands of ports and protocols. They don’t like that, many of these devices, and will just fall over. And that’s difficult.

I mean, a lot of the technologies you have traditional endpoint security, even the NextGen firewall is kind of blind to these. So it’s really important to actually be able to go find these and talk to them and then be able to identify them, of course. But also do some risk assessment so you don’t understand what’s the state of these things.

I mean, again, we see well over 50% of all of these xIoT assets deployed with default credentials, right? Firmware six, seven years old, has never been patched. If it ever has been, once. Certificates are expired, loads of insecure ports and protocols open. I mean, they’re just a mess.

Brian Contos:

Security cameras, mining crypto. We’ve definitely seen it all.

Patrick Benoit:

Well, and if you could do, much like you would do with software security software to say, if you try to connect your phone to the network or your laptop, you try to plug it into the network. There’s tools to say, “Oh, well, hang on, we got to do a security check first. Let’s go run all of our security checks on it. Oh, no, no, no, you’re not a current version and you don’t have this, you don’t have this, et cetera, et cetera, et cetera.”

By and large, that’s not available from a lot of sources for IoT, for the IoT environment. There are not a lot of people that can put something in and say, “Oh, I see what this is, and we’re not going to let you talk until.” And we don’t necessarily know what the until is because it’s not like you can generally push a piece of software down there to say, “Oh, we got to push this next gen virus scanner or whenever down to the device.” It’s, “We know what the device is, but there may not be anything we can do to secure it any further depending on what type of device it is.”

Brian Contos:

Yeah. And do you think that business leaders, so not the CISOs or CIOs, folks like that, but other folks on the executive team, do you think that they get some of the inherent risks of these types of devices? And just the sheer volume of these devices and the velocity which they’re added?

I mean, we’ve heard from so many people that it’s that secret threat. It’s the one that’s been kind of encroaching on organizations over the last few years. Then they wake up one day and they’ve got 50,000 Linux servers with no passwords. Is that something that, and I know they’ve got millions of other things to consider, but are they starting to consider this now?

Patrick Benoit:

I mean, only as much as the CIO might be bringing that to their attention or the CISO might be to their attention. Otherwise, I think generally, until somebody calls out an issue with a technology, they would look at a technology like that as benign. Oh, it’s just-

Brian Contos:

It’s just 20,000 printers.

Patrick Benoit:

Yeah, it’s a printer, all it does is print. There’s nothing you can do with that. And we all know that that’s not the case. But yeah, I think by and large, most executives, unless they’ve gotten to be security savvy or they built their own devices and stuff.

Like my house, when I had it in Plano, I had 50 devices in my network. So I knew what was there and I controlled it, and I had private VPN for everything, and I had segmented networks. But unless they do something like that as a hobby, I think they look at IoT devices as just a benign plugin.

Brian Contos:

Yeah, it’s almost like they’re waiting for that incident, that front page kind of thing that’s hurting their partners or their competitors, where they’re like, “Yikes, we better address this.”

Patrick Benoit:

I do think most executives though, that are non-technology executives, are getting better at not only focusing on what they read in The Wall Street Journal or see in the American Airlines Magazine. For a long time, you could literally read the airline magazines or look at The Wall Street Journal or Forbes and know that this was going to be the next hot topic in the board meeting.

Brian Contos:

Yeah, you’re going to get an email.

Patrick Benoit:

Yeah, you’re going to get an email.

Brian Contos:

Because the CEO just took a trip.

Patrick Benoit:

My observation has been that’s less and less happening. Their executives, by and large are getting much more savvy. I think boards are getting much more savvy. They’re still not experts in the area, but I don’t think we have the same tendency to look at stuff as benign that we used to. Except with IoT because well, that’s just something I use at home.

And that’s why I think we miss the opportunity when we do security awareness and we don’t teach security awareness as it pertains to protecting you and your family personally. Because that, people bring what they do at home into the office. People generally do not bring what they do at the office to their home.

So we’re teaching security from this awareness, from this business point of view, and as soon as they shut off at 5:00 o’clock and they go home, they’re like, “Whatever, no security.” If we teach them 24/7, how do you protect your family? How do you protect your kids and your personal environment, your house and things like that, when they walk into the office at 8:00 in the morning, they’re still in the mindset. They bring that with them to work. And so I think we’ve missed that opportunity over the years to teach security from a personal point of view to bring that to the office.

Brian Contos:

And I’m wondering if some of these new regulations, like these new SEC rules that came out and said, regarding disclosure. If you have an incident and it has material impact, you have 96 hours to report it and it has to be listed in your 8-K.

Now there’s a lot of devil in the details. Well, what’s material? And when does the 96-hour clock start? But is that sort of forcing a bit, or encouraging, I should say, is that encouraging these executives to really say, “Hey, let’s go have lunch, CISO. Let’s really understand what’s happening here before we have to fill out an 8-K issue report.”

Patrick Benoit:

Yeah. And a lot of CISOs may be feeling a little bit off the hook in that respect, and here’s why. Because very few CISOs actually make the decision to call something a breach, or to decide if it’s reportable. It’s always at legal, it’s always with the CEO, president, whatever. CISO might have a seat in having a discussion about that, but the decision is always coming from somebody else.

And so the fact that they said, “Hey, four days, 96 hours,” that’s great, whatever. But then they gave everybody an out by saying it’s material, and you get to decide if it’s material or not. And the definition is vague. It’s material if a reasonable investor would think it’s important to make an investment decision. Okay, that’s great. And the clock doesn’t start until we decide it’s material.

Brian Contos:

Yes.

John Vecchi:

Yep.

Patrick Benoit:

There’s a lot of ambiguity there that I don’t think, I mean, I want to be aware of it, I want to know it, and everything like that, but ultimately I won’t make that decision anyway. Because I won’t make the decision about materiality.

John Vecchi:

Yeah.

Patrick Benoit:

It’ll be out of my hands.

John Vecchi:

Exactly. Yeah. And I don’t know if things like, I mean, obviously we hear a lot about ransomware that I’m guessing, Patrick, that the whole kind of fear and everything around ransomware attacks, maybe that’s also increasing some, a bit more mind share at the executive level.

But we think about a lot of these xIoT devices, like I said, and so many of them are deployed with default credentials that if you’re a ransomware gang, I mean, this is an easy target. I have the password, I can just go in, log in, change all the passwords. I’ve now locked you out.

So fairly easy to launch a ransomware attack. And is an attack like that a little bit different than the standard breach where you have to decide if it’s material? Do you think that’s a little bit different?

Patrick Benoit:

I think there’s still a question of materiality because it depends where the IoT is supporting the company. So if your whole business is being able to see entry points at a building, and that’s your whole business, you’re providing security service to the entry point, and you lose all your cameras, that’s material.

But if you have cameras on your buildings and your business is you’re a bank, and you lose your cameras for a day, is it material if you still have security guards there and stuff? I don’t know. I don’t get to make that decision, but it seems to be that would be a lot less material.

John Vecchi:

Yeah.

Brian Contos:

I mean, you’re right. I think of printers for example, if it’s a set of printers at a law firm that got access and somebody stole the data, because a lot of these times they’ll keep a copy of what’s printed or scanned. Well, if that’s for a law firm with every client’s a sensitive client, but let’s say sensitive VIP clients, there’s a lot of rich, sensitive, personal information in there.

So that’s a lot different than a printer that you have in the back of a gas station, which is probably not doing too much. So yeah, having those levels right. It’s almost like we need a severity gauge for these types of events.

So I’m wondering for you, and what you’re doing now, and maybe some of your previous companies, do you have any interesting stories from the trenches? In terms of an incident that occurred, whether xIoT related or otherwise? And sort of a unique incident or a unique way that you had to respond or mitigate that threat?

Patrick Benoit:

I know stories of things, but they tended to be more around availability kinds of things. Like stories of backup environments back in the day, where maybe out in California and the night operator was coming in every night and just throwing at certain times of the year, he would just throw the label on it and then put it aside.

And never really spend the time to attend and run the backups back in the day when you had to attend them because the surf was really good. And so he was getting out early to go hit the beach. And so they would go months without, a month or whatever without a good backup. Just hung empty tapes because there was no validation of what was going on there.

So those kinds of things, lots of disaster recovery kinds of stories. Hey, we don’t need the backup because we have RAID-type drives or redundant drives, stuff like that. So we don’t really need the backup. And then something happens and you lose two out of a set instead of one, and now what do you do? Those are always interesting.

I think the social engineering ones are always fascinating. And I think that’s where we’re going to also see, we get asked all the time about, “Oh, generative AI is going to change everything,” et cetera, et cetera. And yes, it will allow hackers to execute attacks more rapidly, but where I think the real challenge is going to be is it’s going to allow hackers to execute social engineering on people much more effectively and much quicker than we do right now. Light years different kind of thing.

And so if I can get to everything that Brian knows right now in one tenth the time, then I can execute 10 more attacks than I was before. So now you get a volume and you start getting into probability of, if I execute 100 attacks, 10 of them will get through and three of them will have some kind of return, and one of them will be a jackpot. And I think that’s where generative AI, ChatGPT, and stuff like that’s going to be huge. It’s going to allow them to execute social engineering attacks so much quicker.

Brian Contos:

Given your military background as well, do you feel that the generative AI and the sort of internet of military things, and everything from drones and other devices and things that soldiers are wearing, that are essentially, again, little Linux servers. That are enabled to tracking things. And maybe they’re already being attacked and I just don’t know about it. But are these going to be a primary target, do you think, when it comes to nation state actors? Or even maybe minor actors going after these types of groups?

Patrick Benoit:

I mean, I would think so. Of course, there’s also a whole lot more money spent to defend those things than what we would probably spend in private industry. So we’ll see if anybody ends up owning up to. Does the DoD have the same reporting responsibility? No, they don’t under SEC. So do they have to report it four days with material? Well, no, because they’re not in the SEC. So I don’t know if we’ll even know about it if that happens because that could be set aside as a matter of national intelligence.

But think about even if you go back to civilian and you say, “What would happen if somebody was able to attack all the body cams in a major city police department?” What could you do with that, especially with AI? Because what would happen now if you had a disgruntled traffic stop, and the person that was stopped is smart enough to now hack into the body cam storage facility, the data storage, and alter the stop’s webcam, body cam footage for what happened.

And now all of a sudden you have a scandalous incident that never really happened. But how do you prove or disprove that it did or did not? Without going through an extensive amount of forensics to get to that point?

Brian Contos:

That’s not my license plate.

Patrick Benoit:

I think those are very real. Very real scenario, I think.

Brian Contos:

Yeah. Why is there a kangaroo driving the car in all these incidents?

Patrick Benoit:

Exactly, exactly.

Brian Contos:

And all the license plate, just say hop.

Patrick Benoit:

Yeah.

Brian Contos:

Yeah.

John Vecchi:

I mean, especially with cameras, Patrick, you’re right. I mean, we talk about these things right there. They are the worst of the worst, and a lot of these are actually prohibited devices. As you know, the FCC banned a lot of these devices manufactured in China.

You plug them in and, man, they just start going. They’ve got Nmap built in. They start streaming everything. They’re listening to audio. So these things are, some of them are pretty powerful Linux servers, they’re about as powerful as a typical laptop.

Brian Contos:

Social media accounts, all sorts of interesting things.

John Vecchi:

Exactly, right. Yeah. I mean, you could do some damage on this thing and you could combine that with AI.

Patrick Benoit:

We saw the uptick in audio faking very early on because it was very, very easy to slice up audio and piece it back together and get sufficient words to make it sound natural. That somebody is saying, “Oh yeah, this is the CEO, can go ahead and get that check and get it approved and get it out, please.”

Well, the next step though is the video. So what happens when you somehow get man in the middle on a Teams environment or something, and you jump in the middle and you deepfake that the CEO, and you’re looking at the person. And you’re having a conversation with the person you think, what do you do with that?

Brian Contos:

Yeah. “Mom, why do you need my password?”

Patrick Benoit:

Yeah, exactly.

Brian Contos:

Yeah. So, Patrick, we could talk about this for quite literally hours. This is really interesting stuff and we’d love your feedback. But as we wrap up here, one final question. What words of advice would you give to anybody running a security organization, CISO or otherwise, in terms of trying to maintain their sanity and stay ahead of the threats and trends and changing business priorities? What can they do to be successful?

Patrick Benoit:

Well, so I tell everybody that we’re in the evolution of the CISO role now, where I think we have the opportunity to refocus what the CISOs are focused on. Most CISOs, by and large came up through a technical field because it’s a nascent sort of career path, all things considered.

And so there’s a tendency to want to keep focusing on, I need to know technical, I need to know technical, I need to be up to speed on all the tech stuff. And it’s good to be aware and to have a full view of everything so that you can work strategy and so forth. But hire those deep skills.

And instead focus your skill building on how am I a stronger business leader? How do I work strategically with the business? And how do I be a thought leader so that I can say, “If we do this, then there’s a value and benefit to the business.” Not just, I just need this technical, I need to secure everything.

I put a mission and value statement out all the time that says, “There’s only two things that the security program is good for, and the team, it’s reducing risk. So mitigating or reducing that residual risk and helping to enhance or drive revenue.” If you’re not focused on both sides of that equation, then you’re doing a disservice to the company as a whole.

John Vecchi:

Profit center. You need to kind of be more of a profit center than a cost center, right?

Patrick Benoit:

Exactly.

John Vecchi:

And that’s fantastic. I mean, and obviously a word to remind all the security vendors and all of us on the vendor side, that that’s how we need to talk to you about the value proposition. That how are we going to help you do what you just said, right, Patrick?

Patrick Benoit:

Right, exactly.

John Vecchi:

I mean, that’s ultimately what it’s all about. It’s fantastic. What a great discussion, Patrick. We loved your input and all your stories, and our listeners will love this a lot. So we really, really appreciate you joining us and come again, Patrick. We appreciate it. Thanks so much for joining us. And, Patrick, any social channels or anything that you are active on for our users who might want to follow you? Or do you do much social?

Patrick Benoit:

Yeah, I mean LinkedIn, of course, I’m on LinkedIn. And virtually everything I do speaking. I don’t do as much writing anymore just because I have that writer’s block that says when I try to write something down, I go, “Ah, everybody knows that already. Why would I write it again?” And so I kind of stick to the speaking and podcasting, but all of that that’s connected to me on LinkedIn. So yeah, that’s the best place to see anything that I’m doing.

John Vecchi:

Wonderful. Well, thanks so much again, Patrick.

Patrick Benoit:

Thank you.

John Vecchi:

And remember, everybody, the IoT Security podcast is brought to you by Phosphorus, the leading provider of proactive, full scope security, and breach prevention for the extended internet of things. Thanks again to our guest Patrick, and until we meet again, I’m John Vecchi.

Brian Contos:

And I’m Brian Contos.

John Vecchi:

See you next time on Phosphorus Radio.


Author

Phosphorus Cybersecurity

Phosphorus Cybersecurity® is the leading xTended Security of Things™ platform designed to find, fix, and monitor the rapidly growing and often unmonitored Things of the enterprise xIoT landscape.