Presenter:
Transcript:
Today, I have the distinct honor of introducing our keynote speaker for the morning, Scott Howitt. Our industry is dominated, and I don't think I have to tell you all this, but we're dominated by thought leadership and passionate technologists who operate in a world of protect and defend. As a cyber leader and executive, most of you in this room are also familiar with the burden not only of protecting your company, but defending your budget, your organization, and your policies to PR executives and to a board of directors.
Corporate politics and cyber defense are not easy bedfellows. My first experience with Scott was many years ago when he was a CISO at JCPenney and I was just a puppy in this business, so to speak, trying to sell him something. At the time, Scott struck me as a CSO who was very focused on delivering a cyber defense strategy that protected the business while operating under the challenging edict of a retailer like JCPenney.
Protect, but on a tight budget. As if six years of JCPenney's constraints weren't enough to challenge a strong CISO, Scott literally doubled down and spent the next five years at MGM Resorts, the largest casino operator in the world. That's some serious 24 by seven pressure. Yeah, we all think about it, but that's a lot. I can't imagine protecting the piggy bank on a 24 by seven basis for a global casino.
In my mind, if any organization is going to have a literal bucket of money to throw at cyber, it would be a casino. But at dinner last night, Scott course corrected my thinking and told me that MGM was actually his MBA in finance. He had to defend every dime of his budget relentlessly, and was challenged to manage the business through the lens of a balance sheet and a P&L.
Something that I think all of us in cyber are increasingly pushed to do and mandated by our boards. Scott has carried the title of CIO, CISO, CTO and CDO (Chief Digital Officer) and is currently an advisor to NightDragon and many startups in our industry, and a friend to a lot of people as well. This morning, Scott will be sharing some of his perspective and experience managing the often competing priorities of CIO and CISO.
Please join me in welcoming Scott to the stage.
All right. It's great to be in Houston. I was talking at dinner last night with John and Michael and Karen, who's going to do the closing keynote. So stay for that because it's going to be awesome. What I thought would be a two hour dinner turned into a four hour dinner because there's great conversation. But Houston is where I got my start.
So I worked five blocks over on Fannin Street at the First City Financial Center. So I have a fondness for Houston, and I'm excited to be here. But as John talked, I've held both roles, both as the CIO and the CSO. And it's interesting you get to hang out with groups of CSOs and talk about what's going on in the CSO space, and there's a lot of rumblings about what a pain in the butt dealing with the CIO and all those guys are.
They just don't understand my point of view. And then as a CIO, I hear a whole lot of rumblings about me. And those pieces are just a pain in the butt, like they're stopping me from getting all my work done and all that. And so as I looked at it, it's like, actually they're two sides of the same coin, and they need to come together better.
But I think they don't recognize in a lot of cases. So I'll take you through a little bit of the history of the role. Talk a little bit about what I've seen from my perspective. Maybe give you some thought starters to kick off the day and then we'll do some conclusions around it. But, you know, I think John did a good job of outlining my experience.
But I think what you see with a lot of CSOs, they started in the infrastructure side, and I didn't. I was an application developer for Citibank down here with EDS. Then I worked in Puerto Rico for a few years at Banco Santander. And so, you know, I learned the business from the application side and working with the business directly.
And so, while I was in Puerto Rico, I was, I'm an avid football fan. There's not a whole lot of news on American football when you're in Puerto Rico. And it was when the internet was just kicking up and going. And so, you know, if you remember back in the Windows 3.1 days, you had to download the TCP/IP socket and put it on your PC and you had a Mosaic browser.
And so I would get my news that way. And I decided when I came back to the States, I would go ahead and open up an ISP out of my house. I don't know how bright that was, but I dropped a T1 into my house in Plano, Texas and I sold dial-up, had a Digi board, I had 36 modems.
I sold dial-up in my neighborhood, and that parlayed itself into, I met a guy who said, hey, I need you to help me build a website. And so we created the company jobs.com, and we did online job postings. And so from there I moved to another company after we sold jobs.com. It's called Benefit Mall. We did online insurance for people and I got hacked twice.
Once when I was at jobs.com a guy came in and defaced our site. It's actually pretty minimal, but we went ahead and realized like, wow, security's probably pretty important. And then when I was at Benefit Mall, we got hacked again, but it was by Chinese hackers and they took us down for a few days. And then when people couldn't get their insurance, they were very upset with us.
And so I realized, like, if I was ever going to be a CIO in a big company, I mean, we should learn security. So I went over to Alliance Data, which is now Bread Financial. I was the deputy CSO there for a few years. Then I was the first CSO at JCPenney, after they suffered their breach. Target made a lot of news.
JCPenney didn't, but it was the same set of hackers. Alberto Gonzalez. And then after that, I went to MGM Resorts and I was the CSO for three years. And then finally in the fourth year, they asked me to be the CIO as well. And it was because, back to what John was alluding to, we had a lot of conversations about how security impacts the business and how we should think about security and really turning it from a risk conversation into a business enablement conversation.
And so, one of the other things, which is I was much slimmer, man, before I started work in Vegas, is at night, you would get to go sell all the guys that you bought software from on convention space. So there would be a lot of late night dinners of like, hey, I just bought $2 million worth of software from you.
Like, your SKO is going to be at our property, right? Or like, hey, your user conference is going to be at our property. So I became good friends with Chris Young, who is the CEO of McAfee, and he asked me to come over there and help him go public. We did that and then the Trellix split. What a mess.
So I left there and then I became the Chief Digital Officer at UKG. And again back into the CIO space again. And the CSO, the chief data officer, chief risk officer and CIO reported to me. And so, you know, I've kind of seen the evolution that I've seen what happened with both sides of it. And again, it's interesting when you get both points of view.
So let's go back to history a little bit. So for those of you in the room that are getting along in age like I am, when you used to have an inbox that was actually wooden and you used to be able to go to your wooden inbox and pull out these little Scholastic fliers that they had, and you could order computer books and learn about computers. And so in 1981, one of those books came out and they coined, they're the first ones that coined the term chief information officer.
And so at the time, you know, the first all the banks that I worked in in the late 80s, early 90s, there was no CIO. There were application leaders, but there was nobody who was really strategizing about how do we drive technology forward. Right. And so what we have is they, you know, came up with the idea of a chief information officer, but they weren't really strategists and they weren't on the level of the CEO or CFO or CFO.
So they're really, you know, the person that led application development and in the infrastructure architecture and enterprise architecture. And so it took quite a few years before businesses realized that technology was really key to their strategy. And that person should elevate in to I think you saw the evolution of the CIO got a lot smarter about learning how to talk to the business and talking business terms.
Right. But I will say, I think one of the things and one of the reasons the role was invented is companies realize that they are spending more and more money on technology, but they weren't necessarily realizing all the benefit from it that they thought they would realize. And so this way, they saddled somebody with a fiduciary responsibility of making that happen.
So then if we look at the CSO fast follower in the 90s, and so Steve Katz is credited with being the first CSO in 1994, Russian hackers got into Citibank. They stole a whole bunch of credit cards. I'm not sure that Citibank handles credit cards any better than they did before. Hey, it seems like I get reissued a new credit card every few years.
But anyway, you know, Steve was asked to take this role as CSO and manage security for the organization. And so, you know, again, harkening back to the days, and I've talked to Steve about this, as you know, it used to be in the mainframe days. The guy was a RACF administrator, the Top Secret administrator. You'd run down to the data center, you'd knock on the door and say, okay, here's a form I filled out.
I need this access to these data sets. Could you please give them to me? Right. And so the CSO role really evolved out of the infrastructure side. And so it didn't really have a lot of key ties right into the business. It was really thought of as an infrastructure role. And as the role evolved in a lot of cases.
And we talked about this a lot at dinner last time, too. They became almost a compliance check box instead of really a business strategist. And that's not always the case. So let me stop right there and take a breath on that. Like I'm making a gross generalization. I'm sure some of you are doing great jobs in this enablement function and all that, but I've seen it in places where it is just the compliance check-the-box function.
Right. So what's the state of the CIO today? Right. And I think we talked about it, for some reason companies now are having chief digital officers or chief AI officers or chief data officers, and why is that? I think it's because a lot of companies are getting a little disenfranchised of, why does technology move so slow, and does the CIO want too much control, or does the CIO have, you know, are they not being nimble enough and moving at the speed that I need my business to move?
And so I would say it's a role that is in a crisis right now. That being said, I will say, organizations view the CIO as a peer now in most cases, in some cases not, but to the CFO or the CIO and all that, and they expect them to understand the business as well as they do the technology.
When I was in the role, you know, I had to be able to speak financial to the CFO and then get to the CRO and talk about, you know, CRM systems and pipelines and, you know, CPQ systems and stuff like that. And so, you know, the expectation is you understand the business very well. And then we really moved away from a lot of app dev to where mainly the CIO was just doing integrations, right.
They're tying systems together. They're not really writing systems. And then lastly, we're talking about venture capitalists as well. If you have a company that works for private equity or venture capitalists, I guarantee you every meeting that they're having with the venture capitalists, the CEO is there saying to them, why aren't you getting rid of 30% of your staff?
Because didn't you hear that? With AI, you don't need 30% of your staff. And oh, by the way, if you're a public company, when he's going to other CEO conferences, he's hearing the same message or she's hearing the same message. And so it is always the problem of, yes, that's actually a great statement. If you started from the premise that you built on an AI base to start with, but unfortunately you're still saddled with a lot of that legacy technology.
Right? So the state of the CSO today is, for years, I think a lot of us sold on FUD. Right. And so I actually think I was like, for those of you that know Dr. Chase Cunningham, or Dr. Zero Trust as he now refers to himself, he said the best time to buy a stock is when a company has a breach.
Because within 90 days, they'll be back to where they were and probably above that. And so I think most boards have recognized that, you know, what we preached for years and years and years of, oh, the reputational damage, you just won't overcome it. You'll overcome it for the most part. Right? There's some that it's affected and poorly, but for the most part you'll overcome it.
Right. And so, you know, now with that role you're seeing that you definitely have to be more fiduciary, more responsible, which is a challenge for some. However, a lot of cases, the CSO is now elevated, at least in reporting position over the CIO, where before and a lot of times it slotted in. When I was at MGM Resorts as a CSO, I reported directly into the CEO.
The CIO reported in to the president of operations. And you're seeing that more and more, and you're also seeing that the CSO meets with the board, usually on a quarterly basis now, because it's the number one board risk, and the CIO is only meeting maybe once a year with the board. So they have a lot more time to spend with the board.
Right. But those budgets are starting to shrink. And also the infrastructure that used to protect, where I was on the advisory board of Palo Alto and Palo Alto is saying, well, we're going to stop doing PCAP. And you would have thought we were throwing puppies in the river, right? Like people were losing their mind that you're getting rid of PCAP and it's like, what does PCAP even mean anymore when you're in a multi-cloud going through multi, you know, load balancer, like it doesn't mean anything anymore.
It's all about containers and application performance and all that. Yes, I get it. Depending on the system. Yes, that can be an important thing. But we always relied on the network in that walled garden a little bit to be what we examined. And that world is going away. And so there's a crisis of they have enough people that are container savvy, cloud savvy and all that to pull into this security organization, to be ready for where we're going.
So I think, you know, just reinforce I do think that there's a little bit of it, you know, misaligned expectations with the business, you know, where before if you want to implement technology, you always involved IT in most cases. Now the business feels free to run without IT in the front. And so in fact, I advise a company that does a pipeline prediction for salespeople.
And whenever I talk it's like do not get the CIO involved, you know, get sales operations or get the CRO involved. He's the one who's going to care or she's the one who's going to care. Right. And so and we all know you can put technology on a card. So you know, we see that happening. And then I think what's also happening, and why I use the Star Trek analogy here, is what used to be super cool about being a technologist is you always got the newest, latest and greatest technology before everybody else.
You got the laptops before everybody did, all that. Well, I think what we're delivering now to the organization is they feel like we're giving them Star Trek: The Original Series technology, where they really want Next Generation technology, right? And so consumer technology now outpaces business technology. And I mean, if you've ever just run anything as simple as a helpdesk, how many times you hear is like, how come my laptop is so crappy, you know, why can't I get a new one?
And they see all these new gadgets come out at home and they can't use them in the workplace? It's frustrating, right? So we got to figure out how to keep up with that technology. And I would say if we're not perceived as enablers back to that role of the CIO eroding is because he's not seen as an enabler.
She's not seen as an enabler. So they're coming up with other ways to enable that within the organization. And so we have to embrace the change. And I get it. A lot of AI right now is snake oil, but it will become the thing. It's the inevitability of just so we're again talking dinner last night I remember it seems so logical now, but I remember we went into a semiconductor manufacturer in Dallas and said, hey, we're going to do these things are called electronic job postings.
You post them online, so only $100 a month, as opposed to $25,000. In the Dallas Morning News. But hey, we got open up this port on the firewall in order for you to enable the upload and download it in is in the CIA. Let me straight lines, said number one. I will never open a port on my firewall in number two, we will never connect to the internet.
That's the dumbest thing I've ever heard in my life, which seems so stupid now. And by the way, they're no longer in business. But it is. It was. It was change and it was hard. Right? And so, you know, I think you see a lot of people going, we're not allowing AI in the organization until I get my arms around it.
And it's like, I'm not saying you should let it run wild, but I think Andreessen said it best. He said in the speech he was giving that, sure, the Nvidias and the OpenAIs of the world will make tons of money, but the guys who are really going to make tons of money are the guys that figure out how to use an AI to enable their business to move in new ways that they were never able to imagine before.
Right? And lastly, this does come at a cost. And so again, learning the lessons of the past, how much legacy technology do you still have in your organization that you're still managing, that you're still dealing with? If you don't start to get ahead of it with really good asset management and really good FinOps, then you're going to be behind the eight ball again.
Visibility is going to be the key to moving forward. So maybe we need to rethink our control paradigms a little bit. So I will use the roundabout and intersection conversation to drive this when last company is that we opened up two offices in Ireland. If you've ever been to Ireland, there are roundabouts everywhere, and even in the city center of Dublin, it's all driven off of roundabouts right.
And so I think when most Americans encounter a roundabout, it freaks them the hell out. They don't know what to do with it. It's just weird as hell. Like I'm totally freaked out because we love our traffic lights, right? That's the control model that we're so used to. We've always used it and all that. Well, they did a study on the effectiveness of roundabouts and the effectiveness of traffic lights, and they did it at a four-way intersection.
A roundabout has 16 points of conflict. A traffic light has 56 points of conflict. So, well, maybe that's not that important. But then you look at the throughput of it and guess what? The throughput is 89% better at a roundabout. You don't stop if you don't have to. How many times do you find yourself at a stoplight going, why am I stopped?
Like, what's going on? Fatalities at a roundabout 90% less. Which seems odd for a lot of people, but it's actually you're allowing people to make smart decisions around what they do, and they're not giving up their control thought to a light. They're less. They're less the main team only, about $10,000 less on a roundabout compared to a traffic light.
And lastly, in a, you know, I think, most importantly, how many of you, especially in this lovely hurricane and rain city that we get, what happens when the traffic light goes out? People lose their minds, right? Like, I don't know what to do. There's nobody telling me what to do and all that. So why do we love traffic lights?
And should we be reexamining our control models and saying maybe the control models that got us to where we are today aren't the control models that we should be using forward? How should we start to rethink them?
So I'll use a business example, and I like it because it's a containerization example. Play on words, right, of individuals who totally set the business on its ear. Man by the name of Malcolm McLean. He was an Irish or a Scottish immigrant who came to the U.S. And he bought a truck. 20 years later, he had the largest trucking industry in the South.
And as he's looking at ways to make his business more efficient, when he realized, and I think back to those old Bugs Bunny cartoons where they showed people loading and unloading ships with people hanging off ropes and all that, is when the ships would get to the dock, sometimes they would sit there for 2 or 3 days while the stevedores would come and say, hey, I need a box about this big to go in this space in the cargo hold, because that would be about right.
And they would play this Tetris game with all the boxes until they got the cargo ship loaded to what they thought was an efficient amount. And so he's like, this is crazy. So what I'd like to do is just drop my container at the dock and move on, right? And so he did. He came up with the ISO container and he took it to the dock and he dropped it.
And the stevedores said, no freaking way. There's no way you packed that container as efficiently as we're going to pack it on the ship. So screw you. We won't take any of your containers. We're not going to do that. So he decided to buy a ship and he bought his ship. And he started putting his ISO containers on a ship.
And he took the shipping costs that were nearly $6 a ton down to $0.16 per ton, because it was just a much more efficient method. And now ISO containers go on railroad cars. They go in airplanes. It's just a much more efficient way to ship. Even what you give up, a little bit that you give up in space, you make up in efficiency day in, day out.
So again, the guy who kind of thought a little bit out of the box. And so I would say, if you're ever going to start thinking outside of the box, now is the time. So I'll use the lily pad analogy. You guys are all tech nerds, so more of you will get this than most people. But there's an old analogy that if you had a pond and you went to cover it with lily pads and you dropped one lily pad in the pond, and it would double every day, and you could cover it in 30 days.
And what day would half the pond be in? About 60 to 70% of people get it wrong. It's on day 29 because of the force multiplier of the doubling effect, right. You don't even have a quarter of the pond covered on day 27. Right. And so this is the speed of thought and change that we're starting to encounter in the human brain.
You know, I'm a physics nerd, right? That was my major. It's very easy to get the Newtonian frame of reference because it's what our reptilian brain grew up with, that I only had to do the calculus of throwing a spear to hit the buffalo. Not very hard to do that math, you know. You do it instinctually, but the numbers that we're going to be dealing with going forward are very different.
So if you think of IPv4, it has about 4 trillion IP addresses. It's pretty easy to get your brain around right. Like you've got $4 trillion. It might be tough to spend it, but like our economy is $4 trillion. It's like you can get your brain around it. When we have IPv6. And I had to look this up.
I did not know it off the top of my head. You will have 340 undecillion numbers. So what does that mean? It's a lot of numbers to the left of the decimal point. But to put it in scale, scientists believe there's ten to the 19 grains of sand on the earth. Every grain of sand could have an entire IPv4 address on it.
Or if you wanted to take it one step further, which way? You know, you hear all this hype about blockchain, that it will finally arrive where you're tracing everything. You could put an IP address on every atom on Earth, and you would have enough left over to do it 100 more times. So as scale moves, we're going to move scale in a big way.
So another example of a crew thinking outside of the box is, the World Health Organization had a real big problem of when they go into countries in Africa and they were trying to determine who needed malaria medicine. By the time they did the blood test, got the results back. A doctor interpreted the results. It just took too long.
They would have to spend too long in a village. So what they end up doing is giving everybody in the village a malaria inoculation just so that they could move on. Right? And so some students at UCLA said, well, like, how hard could it be to read these blood tests? Right. And what does a doctor need to do it?
And so they created a game where they go to the village the day before. They take blood samples, upload them into a game that people played on their mobile phone. They figured, they found out that students could be within 1.5% accuracy of doctors. So it was a good standard deviation, right? And so then they were able to just go in the village and spend two days, one day taking blood, and the next day they knew who they were giving the inoculation to. So totally change a paradigm, totally change of thought and, you know, different ways to solve problems that seem like we knew what we were doing with them, right? So I would be remiss if I didn't use a Vegas example. And so, my parents used to love going to Vegas because they would talk about, oh my God, my mom had like 200 free ashtrays.
Number one. I don't know why that was a big theme. And when she stopped smoking, it was really hard to convince her to get rid of them all. But, you know, it was, hey, the free food buffets, free rooms, you got all these free shows that you go to, like, it's awesome. And that's because 70% of the revenue came from gaming.
So they knew they were going to be at the tables. So like go ahead and eat away. Drink away, because I'll make it all up when you go to the tables. Then as that generation started dying off and the millennials came. Millennials think about their money a lot differently and they don't want to gamble it away. But boy do they love to pay for experiences.
So suddenly they invented things like table service and figured out that, hey, you can take your $50 bottle of Grey Goose and sell it for $10,000 at Hakkasan at a Calvin Harris, you know, concert. Right? And so that's why people complain all the time. It's like Vegas isn't cheap anymore. It's like, yeah, that's not where they make their money anymore.
They make their money in the venues. They make it at the casinos. I mean, at the conventions, they, you know, make it in the high end experiences that you can get there that you can't get anywhere else in the world. Right. And so they totally changed their paradigm. So imagine we've just gone through this whole paradigm shift. And then Covid hits.
So now you've invested all this money into bringing all these people out to Vegas and whoops, nobody's showing up. And so I give you an example, a hotel like this, any week where they can average over 50% occupancy, they're doing great. All the casinos on the strip in Vegas averaged 92% occupancy every night. So when you take that away, that's a big piece of the revenue just went offline.
So sat down and strategized through it and they said, hey, here's what we'll do. We got really nice rooms with really nice conference rooms and all that. We know we won't fill up all the rooms, but we'll, you know, as we see all these digital nomads going off to Barbados and all that, why not have the digital nomads come to Vegas and do work from Vegas?
But what I'll offer is, you know, now I've got high speed internet built for 6000 people. I don't have 6000 people in there anymore. So for sure it's going to be really high speed internet, right? And I have a bunch of people who were office managers or customer service reps or whatever who are offline. I'll make them personal assistants.
So everybody who comes to Vegas gets a personal assistant, and then what they did is, well, nobody wants to have contact with the front desk. So we create keyless entry and rekey 6000 doors. You know, Aria is a great example. 6000 doors, rekeying 6000 doors in about a month. And then they also said, well, we'll also help people game, where before the physical casinos were very reluctant to take people away from Vegas to go game.
So they resisted things like DraftKings and PrizePicks and all that, and they decided, I guess it's time for us to get in the game too, because if people can't put their bets in Vegas, we can at least have them gamble away. And now that everything's back to normal in Vegas, you see Jamie Foxx on TV all the time talking about BetMGM, right.
Because it's a great another new revenue stream they created out of it. They're better off than they were before the problems started because they were able to reinvent themselves. And so I say the one thing that we really saw out of Covid is before, I think, is we think about our control models, especially as CISOs. It's all about how do I put up good restrictions so people don't hurt themselves.
And I would argue we need to think about it maybe a little bit differently, of like the car manufacturers do. Well, if I put in anti-lock brakes and I put in side curtain airbags and I put in crumple zones, I can actually increase the speed on the highway. I build the security into the design, I get in early so the business can go faster, not slower, and it can be more flexible as it moves along.
So. I'll use this area. We're talking about our lessons of the past. Somehow to us, cloud adoption became a business objective and it never was right. So Microsoft and Amazon and Google were very good at telling you it was in that, hey, you're going to save all your money as you move everything into the cloud. And what we found out is, oh, crap, guess what?
I remember all that old technology that we keep on talking about. It's still there. And when I move my bare metal Oracle ERP to GCP, it's just me running in their data center. Right. And by the way, that won't be cheaper. Right. And so I don't think we thought about the problem. Right. And so this is the reality of what happened for most organizations.
What happened at the top was Microsoft Azure or whoever saying, man, I'm going to reduce your costs like just what the business wants, right? And what you end up is and I would argue nobody ever gets to the third bar graph on the bottom one. They just increase their cost because they have cloud costs and they never fully get rid of their data center because they realize there's either applications in there that aren't worth the effort of refactoring and moving to the cloud, or it's just too hard.
There's not enough institutional knowledge to move it, so they end up with the oh, I still got my data center costs and I still have my cloud costs. And so. One of the ways to maybe think about it a little bit differently is it should never have been called a digital transformation. It's a business transformation. And I in fact, I had this conversation at my last organization because they had failed at their digital transformation twice.
It's like, you made this an IT-run project. It has nothing to do with this. You're trying to bring two very different companies together. You're going to have to change all your business processes, and so you're going to have to lead this effort with me. Right. And so what you see is you should maybe think about the systems that you have within your organization and put them in the three buckets.
The systems of record, the Oracle's your ERP systems, your HR systems and all this. This gives you zero competitive advantage over your your competitor. In fact, I used to is conversations you have with my team all the time. Nobody ever walked into one of our casinos and said, Holy crap, I bet you they have the coolest team ever running this place.
That thought is never been had. I promise you. They also never thought wow, I bet you the information security running here is awesome, right? The data. And by the way, like, if you want to call me for a drink later, we'll talk about, you know, how secure a casino really is. And I'll give you a different point of view on on how they really work.
But anyway, where we really should have been spending our time is the green one and the orange one, where a system of differentiation is a system that you write or create, that makes your business different from your competitors and gives you the competitive advantage. That's the stuff that you move to the cloud. Or you should look at hyper automation, or you should look at AI and all that, because that's what makes you different.
Nobody gives a crap about your HR system, so why do we spend so much time on it? I get it, the CRO is loud and whatever, but if you come in and you make the argument that let's relabel our business, not worry about like, who cares what our HR system is, I guarantee you they'll listen and then also leave a little bit of room for the systems of innovation.
Like not only what should I be doing technology wise to make my business cooler than my competitors, but what should I be doing three years from now to make it cooler than my competitors in? And we have a hard time leaving space for that. As a technology leader, you need to figure out how to make that space.
That's your role in the organization as a CIO. I've never walked into an organization and not been able to immediately in the first year, take out 10% of the cost, and none of it had anything to do with personnel reduction is just I'd rather, you know, I say it all the time. I'd rather fire software than people.
Right. And so we need to be better stewards of the money. And so. I offer up, hey, here's the top technologies for, you know, 2025. And beyond that, if you're not thinking about any organization, somebody is so obviously cloud based in a generic AI. Yeah, ChatGPT is cool and all that. But when you figure out how to make one AI component model talk to another a model, talk to another one, and you really get a really good glide path of hyper automation out of it.
That becomes super important, that becomes a distinguisher. It was great. Hearing about the OT con is funny. I was in a CSO knowledge share meeting and I said, hey, you know, we I know a lot of businesses think they won't ever have to worry about IoT, but every business will have to worry about IoT because it'll enable all the businesses and, sure enough, John and Karen were talking last night at dinner about the sensors and how they track everything they do through their health monitor.
I had a CSO in that group say I work for an insurance company. I'll never worry about IoT. It's like now all of you are. Either one is going to talk to the API in your car. And no, by the way, almost all new cars have an API exposed. Or you're going to stick one of these, you know, things in your driver console so they know how you drive.
And if you don't think that's coming for your health care too, you're crazy. Of course they will. It blends the experience better, right? And so you have to worry about that. Quantum: it's not hype anymore. It's coming. It's coming quickly. And so if you're redoing your encryption strategy, you might have some post-quantum considerations that you need to think through.
We talked about hyper automation. I'm sure in the oil and gas industry we all know AR, VR is a huge thing. Why carry the manual out to the field? Just let me go to my Google glasses on the QR code and I pull up the manual. Makes tons of sense, right? Zero trust security and 6G penetration.
You know, 5G will be blasé, 6G will come along and surpass it. And then, too, in all the AI companies I advise, I don't think they think about this enough: technology will become headless. So I will give you two examples. The first one is back to the HR system working for UKG. For those of you that don't know UKG, it's all human capital management, human resource management.
Who in here loves logging into the HR system? It sucks. The navigation's horrible. It's hard to find whatever you're looking for because you only go into it once or twice every year. Why don't I just go into Slack or Teams and I say, hey, what's my 401(k) contribution? Oh, it's 7%. Go ahead, make it 8%. Okay.
Done. Like, why do I ever have to go into the HR system? That's just dumb, right? And so if you're not thinking about the technology that you're implementing.
How do you work technology at home. So you know, it's talking with my 22-year-old and it's like, well, you know, it used to be you got the newspaper and they told you what the weather will be today. According to yesterday's point of view. And so then we got smarter because at least you could call the bank and get time and temp.
And then once you got dial up, you could log in to weather.com and do it. Then when you got your mobile phone, I didn't even have to get off the couch. I could just pull out my phone and type it up. And now what I do, I just lean over and say, Alexa, what's the weather like outside? So if you're not thinking about how to make the technology headless is I advanced is more voice will be it.
Why would you use a keyboard? And so you got to think of ways that you're going to enable that going forward. So in summary I think transformation for the CIO and the CSO is, number one, before you start casting stones across the organization, go get your own internal house in order. Like I said, every organization I've been to the first year, 10 to 20% cut because technologists are really good about buying new technology, and they're really horrible about getting rid of old technology.
And so if you expect everybody else to be fiduciary responsible, so should you. Two, you know, back to when you're thinking about new technology. How do you leverage it not to redo an old business process or control? How can you leverage that to get innovation into the organization so that they see you as a business enabler, not a business stopper?
And again, that ties right into focus less on technology strategy and more on business strategy. And, you know, it can be achieved by. So I talked to John last night like work like a venture capitalists run your budget. Every conversation that you have, especially with the CFO and the CEO and the CEO, you should lead with a balance sheet of here's how I'm solving the problem and here's why it's important to our business, right.
And, you know, really, when you have those conversations, they know your efforts are addressing business priorities. And again, lastly. The businesses that survive during the pandemic, the businesses that survived, when we hook things up to the internet for the first time, all those things were the ones that had speed and flexibility and were able to change their business model and their business processes.
Maybe not on a dime, but on a quarter for sure. And then, you know, what should the CIO appreciate about the CSO? Well, number one, for 15 years running cyber security has been the number one board risk. Even though we've proven that reputational damage, it's not as bad as it should be. So again, every place I've been as a CSO, I met with the board for sure, every quarter, every place I've been as a CFO.
Sometimes if we had a big transformation going on, it was quarterly, but most often it was annually, right? I also find that CSOs do have a much deeper technical acumen because they have to understand how to secure every technology. So, you know, it forces you into understanding all technology. And, you know, hopefully the CSO knows where all the bodies are buried.
They understand the assets of the organization. What the CSO should appreciate about the CIO is the CIO is likely to have a better grasp on financials and business challenges. So take advantage of it and make sure that as you create new projects, say, is this really addressing where the business cares? Or is this something that the business will have no care for?
Right. I also think, you know, the CIO is perceived to be a better business partner more often than the CSO. Nothing. Again, nothing against recovering the CSO myself. Right. And so maybe become buddies with the CSO. And when she goes in to talk to the CRO, you go with her and you go through these items and get to understand the business better.
And they perceive you as a friend as well. And so but I say both need to realize that they need to be in lockstep in order to innovate more quickly, get that speed and flexibility. And two, there were often times when I was able to help the CIO get projects through under the guise of security and technology enablement.
If two of you come to the table instead of one, it's a much more powerful message and whoops. And then, you know, parting thoughts. So I'll do three quotes. So since we're in Houston, I'll use a Gene Kranz quote. For those of you who don't know who Gene Kranz was. He was the mission lead for all of the odd-numbered Apollo missions.
So he is the guy who said, Houston, we have a problem. And an Apollo 13, or he was a man responding to it. And I think this is right, is we think about technology is, you know, the greatest is not to have tried and failed, but then trying. We didn't give our best effort. And I see this a lot with technologists of I don't believe in the new technology.
So I'm kind of half POC. And then I'll show you that it failed and then we'll move on and we'll never have to talk about that technology again. You got to lean all the way into it and see that you can get the most out of it, and make sure you give it the best effort. And then the Einstein quote, because I'm a physics nerd, I'll give that out,
is that we can't solve problems by using the same kind of thinking we used when we created them. I think that's highly true. We keep on trying to solve the problems with the same old ways of the past. We were talking at dinner last night about, I said, you know, I think everybody should go reread The Grapes of Wrath.
And what was the Grapes of Wrath about? Is, like, they invented tractors and, like, subsistence farming went away and sharecropping went away. And it was like it was the end of the world. It's like, would any of you go back to sharecropping and subsistence farming? I don't think so. Like it's obvious that we need to make this transition, but we want to, we're stuck in the past.
And then lastly, I would say, you know, the best way to predict the future is to invent it. And so as leaders, we've got to get really good about leaning. I know we got a million things. I know the priorities are hard. I still, I have never been happier to be out of an everyday operational role. Like I can breathe every once in a while, but as technology leaders,
you really have to think about, how am I going to drive that new innovation into what we do going forward? So with that, I got five minutes to have time for questions. Or do we. Yeah. Where's there Mike go there.
Questions. Time for 1 or 2.
So thank you for the presentation. I know that I noticed you mentioned this dynamic of control, but maybe we should be flipping the script and talking more about decision making. So when we talk about stoplights versus roundabouts, we're giving people the opportunity to make decisions for themselves versus telling them what to do. And so when we talk about old school business, it's been focused mostly on improving business efficiency through taking away the decision and giving people direction without actually letting them own or have agency.
Wouldn't this be more appropriate when we start talking about the future of security CISOs and CIOs working together?
I yes, I believe it is in and I, I will tell you, I think, as you look at it, I think what I see happen too often. And so, for example, why is it when organizations like we can't allow RTP, it's like, well, why why don't we allow RTP?
Oh, because it says in the standard that we can't allow RTP. It's like, well, it used to be RTP. The credentials were passed in the clear, so that's why we stopped it. But now that they're passed in the clear, like it's okay to use like, do you understand the control. And so I think what happens too often is like MITRE and ISO and all that ISO, there's this much better than then, why am I having such a nice thank you.
The first conversation you go and have is a risk conversation with a business and sit down and say, okay, here's all your threats and vulnerabilities and all that, like, what are the crown jewels? What do you care about? Let me clearly understand it. And then you build your control framework around it and you can justify away controls.
I think in this we get too caught up into well, I have to have control, you know, 3.1.2 in this is what we're going to go do. It's like, you know, in some businesses you don't. And so the example I would give you is a maybe a dumb example, but it's an example is if, you know, if the casino remember, it's like if my boss came to me, we did 10 billion a year in EBITDA.
And if he came to me and said, shut down all the firewalls and leave it wide open and I can make 10 billion more dollars, what would you do? It's like I would go unplug the firewalls myself because even if we're breached, there's no breach. That's the TJ Maxx breach is supposedly the most costly breach in history. It's $1 billion.
Oh, and by the way, MGM had that huge ransomware event. And guess what? They're still up and operating and they didn't go out of business. And they were down for 30 days. So I think, as a security practitioner, as you go and implement the controls, think about who is going to be most affected by the control
you go implement, and go have a conversation and see how arduous this control is going to be on their business process. And then two, they might brainstorm some ways that they could make it more secure that maybe you don't know and you don't understand about what they do. So I encourage you to go have those conversations.