Shade Vaughn (00:03):

Hi everyone. Thank you for joining us today for our event on New Truths in Cybersecurity. This was born out of an original series of events that we held called Navigating Disruption that was helping clients across all industries think about next steps and coming out of the COVID-19 event, across people, performance operations, and customers. And because of the strong attendance and engagement that we had with that content, we now have moved into a second phase of this and taking some deep dives. Today, we will go deep in cybersecurity and helping you achieve cyber resiliency.

Shade Vaughn (00:44):

I am joined by three esteemed colleagues: Joe McMann, Mike Nawrocki, and Drew Morefield. I will let each of them introduce themselves. My name is Shade Vaughn, I’m the Chief Marketing Officer for North America for Capgemini. I will play the role of moderator and ensure that as these three gentlemen present some content with a point of view from Capgemini on how you should be thinking about the next few months and achieving a resilient business in cybersecurity. We’ll do a roundtable discussion around some key questions that we’ve pre-populated. And if you have any questions that you’d like us to dive more deeply into, please feel free to enter them into the chat window, and we will answer those, or as many of them as we can get to.

Shade Vaughn (01:31):

So, with that, Joe, why don’t I turn it over to you to make a brief introduction and we’ll go to Mike and then Drew?

Joe McMann (01:37):

Yeah, sure. So, my name’s Joe McMann, I’m the Chief Security Officer and Strategy Lead for Capgemini Cyber North America. So, really I just work across all of our solutions and services. I work with a lot of our critical clients. And I’m really focused on practical, efficient, and effective delivery and application of cybersecurity into large enterprises. Very much concerned with conducting the mission and keeping these enterprises safe and secure and protected.

Shade Vaughn (02:09):

Mike?

Mike Nawrocki (02:11):

Hi, I’m Mike Nawrocki. I lead the cyber-sales organization. Came over from the Lockheed Martin/Leidos team, have been with them since early 2015. And basically, have a lot of the same team members as well. We cover North America, we’ve got four other separate distinct sales groups that are aligned very closely to all the market units and the clusters. So, certainly cover all the verticals out there with roughly a four- to five-person team covering each vertical.

Drew Morefield (02:48):

Thanks, Mike. And my name’s Drew Morefield, based out of Dallas, Texas. I have responsibility for the North American cyber C of E (Center of Excellence), which is where our SME talent exists across our converged cyber portfolio focused on pre-sales, delivery support, and thought leadership/training and enablement, both internally and external to the market, and have operational responsibilities in North America as well.

Shade Vaughn (03:15):

Thank you, Drew. Joe, if you want to take over, let’s talk through our point of view.

Joe McMann (03:21):

All right, perfect. So, I think right now cybersecurity has become a topic of discussion. It always seems to be, but right now it’s definitely high on people’s list of things that we’re concerned about and the challenging times in which we’re in, so we wanted to talk a little bit about that, and maybe talk about some of the shifts in what the reality and the landscape might be, but also talk about how some things may have stayed the same and really, it’s just a minor tweak to how we need to go about things.

Joe McMann (03:54):

So, right now, the focus is really on resiliency, just meaning: can we keep things running, can we provide capacity, and can we conduct our mission in today’s operational reality where resources are spread thin in those types of things? So, one of the big things that everybody’s dealing with obviously is the work-from-home. It’s the remote workers. This really is truly the new normal at this point in time. So, there’s been a lot of public acknowledgement of this. Some major corporations have actually come out and proactively said that they’re now going to be permanently implementing work-from-home capability and capacity, [and] that a lot of organizations are realizing that they’re able to conduct business in this manner, in this fashion, and by making that declaration, by making an intentional change, they’re actually able to adopt and benefit from some of the perks of that.

Joe McMann (04:54):

One of the things that we are faced with right now, though, is what I’ll call the diversion of resources, let’s say. So, for instance, a lot of people within cybersecurity, from executive leadership on down to the day-to-day cybersecurity analysts, there’s a lot of expertise, there’s a lot of history within the IT organizations with a lot of these people and a lot of these resources. So, for instance, everybody’s being tasked to go support other objectives, whether that’s business continuity, whether it’s disaster recovery, whether it’s providing additional IT support to enable the remote workforce. Everybody’s effectively stretched thin right now and we’ve also seen some budgets shift around obviously, as the financial impact from this issue is felt. But it’s not a drastic reversal of fortunes, necessarily. It’s just things moving around, and we’ll talk about that a little bit as we move forward today.

Joe McMann (05:56):

The real issue has been here for a long time in cyber – it’s nothing new, but it’s definitely rearing its head right now – is expertise and experience are obviously in short supply. There’s no easy answer to this problem, but as people are being asked to wear multiple hats and support other duties, that experience and expertise is stretched thin, so I think this is an area where really being able to leverage your cybersecurity partners is key to mission success.

Joe McMann (06:27):

And then, one of the last things is really just the speed and change at which we’ve entered into this particular reality, I think has caused some potential for problems anyway, right? New challenges and new risks. It’s not so much, and we’ll talk about this a little bit, that VPNs aren’t new, remote workforce isn’t new, but a lot of organizations have had to move there very, very rapidly and expand the scope past maybe what they were prepared to do, and I think that presents some risks. So, go ahead. Next slide. There we go.

Joe McMann (07:08):

So, one of the questions I would ask: “Are there new truths in…” (Oop, back) “…are there new truths in cyber?” And this is what I was alluding to in some degree, is that the mission has stayed the same. We need to protect our enterprises. We need to be able to conduct our business in a safe and secure way. We need to be able to complete our mission to get our services and products and solutions to the public, to our customers, be they individuals or governments or what have you, right? So, what we need to do right now though in some cases, is rebalance the resources, rebalance and shift around maybe where our resources are allocated, so that we can support the new realities of the business without damaging our mission. And it’s possible  – that’s the real key, is you can do this. This is not a losing scenario. This is not a losing proposition at all.

Joe McMann (08:10):

A couple things that we’re seeing right now that I think are key and critical to being able to do this. So, one is obviously understanding your current posture today. Having that baseline, knowing where your strengths are, knowing what your weaknesses are, and then having a plan to go mitigate those gaps in your capabilities. This is definitely not a time to shoot from the hip. Now is a time to make data-driven decisions, and to do that you really need to have that solid assessment and baseline in place.

Joe McMann (08:41):

The other thing is understanding the foundational protections and controls that you can leverage and put in place, so that is things like just simple network segmentation. It’s not the most fun thing to do. Frankly, it’s pretty difficult to do, to do it the right way, especially in some of the environments in which our customers operate. Manufacturing and critical infrastructure, energy and utility, and those types of things. But network segmentation there is absolutely key and absolutely critical, and now I think is a really good time to double down on that fundamental control, leveraging some of the zero-trust principles that we’re starting to see in the marketplace in terms of understanding privileges and roles and accesses, and that really dovetails nicely into identity and access management. Making sure that those fundamental foundational controls are in place really gives you the platform then to start to implement some of the more advanced cybersecurity capabilities that you need.

Joe McMann (09:38):

The other thing is, how do you enable your cybersecurity team to operate remotely? And we’ll talk a little bit about, and this is one of my soap boxes, if you will, is collaboration and communication among your cybersecurity organization. Making sure that everybody is understanding where they fit in the mission, what their role is, and how they play, how they interface and feed and handoff from one team to another, and I think the communication and collaborations platforms and methodology and processes are really key to that.

Joe McMann (10:13):

Another thing is obviously making sure that your partners can support this mode of operation as well. I don’t know that too many organizations are tackling the cybersecurity challenges alone. Most everybody has a partner or multiple partners in how they go about this, so really figuring out how to communicate and collaborate and work hand-in-hand so that it still maintains and it’s still a true partnership is really important right now.

Joe McMann (10:37):

And then the last thing is, like I said, this isn’t a losing proposition. A lot of organizations had strategic plans in place before these challenges and before the pandemic, but maintaining – they may require some tweaks and tuning and some optimization to keep our eye on the target, keep our eye on the long-term objectives – is to establish that foundation, fill those gaps, and then we can keep maturing and evolving over time. Go ahead, next slide.

Joe McMann (11:08):

So, real quick, wanted to end on two case studies, and then we’ll tackle some questions kind of round-robin here. So, this first one was a case, a large Fortune 100 client who effectively relies on Capgemini for a large portion of their cybersecurity organization, and our staff is involved in day-to-day defense of their enterprise. And typically, our staff is badged through the client, sitting shoulder-to-shoulder with the client teams. Their mission is our mission. Their job is our job. We are deeply embedded in their environment. And obviously, just like most corporations in North America, they dissolved and closed their offices and everybody’s working remotely, but we still had a job to do. We still had to provide that coverage. We still had to conduct that mission.

Joe McMann (12:01):

So, the good thing is that we were largely prepared for this ahead of time. We had already, based on certain disaster-recovery and business-continuity plans, had already put capabilities in place so that we knew how to operate remotely. We made sure that all of the accesses and capabilities and tool sets and platforms that we could access onsite, we were able to access remotely. We made sure that the communication and collaboration rhythms were in place, and that the processes were already tested, basically, when we had to move to this mode of operation. It wasn’t a shoot-from-the-hip scenario. We had run these situations and solutions before and knew how they would work.

Joe McMann (12:44):

In this particular case with absolutely no interruption to the services and capabilities, we were able to move to a remote mode of operations and really keep operating and keep defending this client as they’re supporting a critical piece of infrastructure right now. Go ahead.

Joe McMann (13:06):

So, the second one is not an existing project. This one was actually a large-scale, kind of multi-pronged effort for a large insurance provider in the U.S. where we were effectively kicking off what we call a cybersecurity transformation, which is a large-scale effort to implement concepts of operations and processes and procedures. It’s working with their teams on the engineering side and the operations side for mindset and skillset, and tuning and optimization and all of these types of things at the same time that we’re provided our managed detection and response capability.

Joe McMann (13:49):

And this initiative was to kick off effectively a few weeks into this challenging time. And so, normally, we would have done this with a heavy presence onsite, we would be face-to-face with the client, we would be meeting and collaborating on a daily basis, and clearly that’s not the case with this. There were some significant challenges but, in partnership, and that’s the key word, in partnership with the client in terms of understanding how they wanted to operate in this remote fashion, we really started to leverage some of the unique solutions that are out there in terms of communication and collaboration platforms. We really tried to structure a lot of our workshops so that they were still very interactive in that format, that even though we couldn’t be face-to-face we still wanted to set clear expectations, encourage maximum participation, excuse me, sorry, do all of those types of things.

Joe McMann (14:50):

One of the cool things was that I think we’ve proven now very successfully by keeping this project on target and meeting our initial objectives, that we now know that we can do this in this mode of operations, and the client does too. And I think that’s been very illuminating and a very positive outcome for this. So, with that, I think I’ll kick it over to Shade, and we can start to run through some questions.

Shade Vaughn (15:13):

Thanks, Joe, yeah. Let’s start with you, Joe, and then I’ll ask Drew, Mike, chime in as you want to. So Joe, how has the cybersecurity landscape changed, and how should businesses be operating today?

Joe McMann (15:27):

Yeah, it’s the foremost question that we get right now. I think, as I alluded to earlier, that for a lot of our customers in some of the industries and verticals, there’s actually been very little change for some of them. Remote operations, like I said, are nothing new. We’ve always had employees scattered across the globe. We’ve always had mobile assets. We’ve always had VPNs. A lot of organizations have already been operating in the cloud or at least have some sort of agility from an infrastructure perspective.

Joe McMann (16:00):

And then some customers are already engaging [with] their customers and delivering their services and solutions in a largely digital way. Now those organizations, it’s somewhat business as usual. Maybe the financial perspectives might be a little bit different, but really from an operational perspective it’s the same thing.

Joe McMann (16:18):

Now, that’s not true for everybody. Obviously, there are certain industries and verticals where remote work has presented a challenge, where I talked about the scope and scale of the transition from an IT perspective has been a little bit more than they could bear, and that’s probably introduced some new risks and challenges. But I think the important thing to keep in mind is this is not necessarily a massive, drastic about face. The threats, the bad guys, they’re still the same people doing the same bad things with the same motives, so the threat landscape isn’t drastically altered.

Joe McMann (16:54):

Their risks have shifted a little bit, and I think the impacts right now are where we’re seeing the most change. In some cases, the impacts from a cybersecurity event could be magnified based on what the particular company… what their role is in society today.

Shade Vaughn (17:12):

Right. Drew, let’s go over to you. What are the new risks, and how should business leaders be thinking about offsetting them in the new business models?

Drew Morefield (17:23):

Yeah, thanks Shade. So, as Joe just touched on, the rate and scope of change for some businesses or verticals have varied. The fact that we have folks working from home is something that’s certainly not new, but the volume and scale of that for some organizations and the stress of that reality on internal systems, processes, transactions has certainly increased.

Drew Morefield (17:53):

There are opportunities associated with that rate of change but, as Joe just alluded to, I would argue that the risk level is directly correlated to the amount of change that an organization has had to go through, and the dependency of operational rigor, the ability to define policy and enforce that consistently and with scale, looking at different risks across the organizations that are being identified and being able to mitigate those effectively on an immediate and consistent basis is obviously key. And to home in on what Joe just mentioned, it’s really threat, risk, and impact, right? As Joe mentioned, the bad actors, the malicious intent, the avenues in which they’re trying to breach or compromise the enterprise have stayed relatively static.

Drew Morefield (18:50):

The risks obviously have changed in some capacities, not only the need for the enterprise to basically morph in some instances overnight in the way they’re conducting business, interacting with customers and partners, the way in which they’re able to recognize and generate revenue, even the manner in which they’re prioritizing the allocation of resources and human capital to face some of these challenges, has increased significantly.

Drew Morefield (19:21):

And then, the impact is the real key to that chain, right? So if you look at HR or fleet management and transportation or even critical infrastructure, the impact to the enterprise has changed substantially and being able to ensure that these operational or business-model changes are recognized, that there can be some balance or equitability between risk tolerance and risk posture of the organization is obviously where we’re focused in helping our clients today.

Shade Vaughn (19:59):

Joe, back over to you, all right sorry, you had something to add?

Joe McMann (20:02):

No, I was going to say one thing real quick from a current mode of operations, as Drew was just talking about, I think it’s not the most exciting way to operate because it’s not necessarily buying a shiny new technology and plugging in a new platform or something like that. But it’s very much doubling down on that procedural and programmatic rigor around cybersecurity and how that interfaces with IT that’s really important right now.

Joe McMann (20:33):

And the second thing is, you know, we talked about the assessments that you can do, understanding your posture, but go validate that. Don’t just assume that your questions and answers are 100% correct. There’s a lot of testing and technical validation that I think needs to happen right now from an IT and cybersecurity perspective. As these changes are being implemented or have been implemented, let’s go back and make sure that all of those controls that we assume in place are still valid.

Joe McMann (21:03):

Like I said, it’s not exciting. It’s a little bit of hard work, but it’s the type of thing that I think will pay massive dividends right now. Sorry, go ahead, Shade.

Shade Vaughn (21:11):

I was going to call on you to answer this next question that’s on the screen. Has the definition of critical infrastructure changed for… I mean, in your conversations with clients and AEs [account executives], has that come up?

Joe McMann (21:23):

Yes, definitely. You know, critical infrastructure has expanded, and I know CISA and DHS and a couple of other organizations put out some guidance around what is truly critical infrastructure and what’s not in that textbook definition, but we’re certainly seeing things like some of the collaboration tools, like the story around Zoom and some of the other collaboration platforms is really interesting right now in just such a massive shift in the role they’re playing in society in terms of how we connect and communicate and collaborate with each other. Not just at the individual family level sometimes, but at the enterprise and business level.

Joe McMann (22:05):

So, really making sure that those organizations probably haven’t thought about their threat model a whole lot in terms of what the risks and impacts may be to their operations, but I think they’re certainly doing so now. We talk about this triad of confidentiality, integrity, and availability, so CIA in cybersecurity. And a lot of attention, [from] myself included, has been paid over the last couple years to the confidentiality aspect of it. But I think right now integrity of operations and availability of operations are absolutely critical too.

Joe McMann (22:39):

You look at somebody like maybe pharmaceutical, where they have always wanted to protect their recipes, for lack of a better word, protect their proprietary information, but I think right now as we’re marching towards testing and potentially a cure and those types of things, integrity of that information is really critical, and then making sure that availability of manufacturing of medical devices and those types of things are not interrupted are absolutely huge right now.

Joe McMann (23:14):

So, I think a lot of organizations have shifted in terms of how critical they are to society during this tough time.

Mike Nawrocki (23:23):

And Shade, if I could add one thing. It’s Mike here. The other thing not to pass up is the people, right, particularly from critical infrastructure. In some ways, these workers are in a completely different world not having been in the situation where they’ve ever worked remotely. So, take someone like a plant manager for example where, in all likelihood, he’s never had to work in a remote setting. You can imagine how difficult that transition is, without a doubt.

Mike Nawrocki (23:48):

I was joking with the team yesterday about my neighbor who’s an engineer at a big plant, and he knocks on our door once in a while and asks for one of my kids to go over and help him get on the “Zoom thing,” for example. It’s certainly a major adjustment for the people themselves within critical infrastructure.

Shade Vaughn (24:06):

Mike, let’s stick with you. What types of cyber priorities are we seeing across industries right now?

Mike Nawrocki (24:13):

You know, it’s funny, I wouldn’t say that we’re seeing very many specific priorities by industry. Much of what we do spans all industries, as many of you know. You take something like SOC transformation or insider threat or identity access management, certainly things like that cross a variety of verticals, a variety of industries, and certainly I don’t see them as being something very specific or separate to any specific industry.

Mike Nawrocki (24:45):

That said, when you look at things like manufacturing, for example, with zero-trust and network segmentation, certainly that’s something that’s very relevant now and out in the forefront. Control systems, process-control network environments, they become very, very connected and, I call it security by obscurity, is no longer an adequate strategy, so certainly that seems to be at the forefront.

Mike Nawrocki (25:11):

There’s no doubt our retail markets have been hit very, very hard. I think the need to shift remote support is critical. Not only, I guess, energy, but almost cross-industry, cross-vertical. Many organizations are exploring hybrid MDR approaches, significantly reducing staff and relying on remote support, so we have a very, very large customer right now who’s come and asked us for, “Look, I need some money back. I need a discount. Times are tough.” And we are talking to them about, “Look, okay, maybe what you need is a discount, but what you also might want to look at is how you’re going about your day-to-day work.” We have solutions that can help you do what you’re doing now if not more, for less with less people. So there are lots of different approaches that we take out there in the market.

Mike Nawrocki (26:10):

Again, cyber crosses all verticals. Cyber is everywhere, so really I don’t see it as something that is very, very industry-specific. I don’t know if you want to add to that at all, Joe, but…

Joe McMann (26:23):

Yeah, I mean, I think one of the big keys is right-sizing. It’s efficiency. That’s something that has been a big principle of ours for a long time. It’s fun and it’s exciting to go build these massive organizations, to buy every tool in the marketplace and plug in it, maybe you’re going to get lucky and it’s going to work, but it’s certainly not going to be efficient, and it’s probably not going to be… The business units aren’t going to be your biggest fans at that point.

Joe McMann (26:55):

So, I think for us, it’s really taking a pragmatic approach. What is realistic in terms of the business, the risks that they’re faced with, the potential impact to their solutions and services, and then how do we structure the right cybersecurity framework around that. Mike already mentioned this hybrid approach where we’re able to really right-size the embedded organization that provides that business context and that last mile of cybersecurity, if you will, but at the same time reinforce that, with a globally scalable solution like managed detection and response that’s delivered in kind of a multi-tenant 24/7, 365 global basis, and leverage all of those things together, and all of a sudden you’re conducting the mission, but you’re doing so in a way that is effective, efficient, and right-sized for your particular business.

Shade Vaughn (27:49):

Joe, how have SOC delivery models changed?

Joe McMann (27:53):

This one’s fun. So, you know, having spent many years myself in basements and windowless rooms, that’s always been a pain point for me, to be honest. Some of the views, I think, of cybersecurity are a little bit antiquated at times in this notion that the room is more important than the people or the processes that they’re working with.

Joe McMann (28:21):

You know, this center within a cybersecurity center, I think right now is largely operating virtually, and that’s the way it should be, frankly. As part of the business operations, there’s no reason that cybersecurity needs to necessarily be segregated from the rest of the business. There are obviously still some concerns around privacy and security and access to certain information and capabilities, but I think there’s a way to do that. There’s a way to enable all of that to happen so that we can do it remotely, but we can still do it securely, effectively, but the most important thing is to not handcuff your cybersecurity organization by putting in Draconian protections and controls, and rules around how they operate and tying them to a physical location.

Joe McMann (29:10):

And I think some of the things we talked about earlier, knowledge management, collaboration platforms, and the processes around that, I think are absolutely critical, and to me, that’s one of the biggest differentiators between what I’ll call a brute-force cybersecurity approach and something that is really evolved, and mature, and effective. And it’s really having knowledge management in place and having the processes around how the cybersecurity team is operating is really the force enabler.

Shade Vaughn (29:43):

Mike, how do you see customers leveraging cybersecurity in 2021 and beyond in the business?

Mike Nawrocki (29:49):

Yeah, I mean look, the way I see it is cyber is not really taking a backseat to anything currently as far as I can see. And if cyber’s not a huge part of your plan, I think you need a new plan. It’s time to come up with one. There’s no question.

Mike Nawrocki (30:04):

Even in these uncertain times, we really aren’t seeing any slowdown, as of maybe other parts of the organization are, within the cyber group here. When COVID-19 hit, we immediately came up with a series of bad-weather offers and we made, I mean, close to 50 remote presentations and so on and so forth. What we’re finding was, there was a lot of interest, but the interest wasn’t so much in the reduced solution, it was the full offering versus the subset created for the bad weather.

Mike Nawrocki (30:34):

So, again, I think there’s still a lot of activity, there’s a lot of interest. It’s very important. We have a larger project we’re working on right now, although slightly delayed, there’s still a huge need for cyber. Proper planning, proper execution has to happen. We’re not seeing… If deals are moving to the right, if deals are being pushed off a little bit, it typically isn’t a result of COVID or anything like that, it’s more they’re just being extra careful right now. Again, very, very close planning, especially in critical infrastructure. So, companies like that are looking at opportunities, and again, we’ve got a few right now that are very large and they seem to be pushing to the right a little bit.

Mike Nawrocki (31:25):

And it isn’t, we’re not losing them or anything like that, it’s more, “Look, let’s take a closer look at this. Let’s not worry about execution immediately. Let’s worry about proper planning, so that this is done right, done on time, and done on budget.” So, I’m not sure, Joe, if you have anything to add to that…

Joe McMann (31:43):

Yeah, and Drew, jump in here too, because I know you and I have talked about this I think, but [this] borderline might sound self-serving I think, but a lot of organizations are really taking a look at how they leverage their partnerships from a cybersecurity perspective. We have a lot of expertise and experience, and it’s all consolidated in one focused area for us, and that’s: how do we help large enterprises protect and defend themselves?

Joe McMann (32:12):

So, I think organizations have taken a really hard look at, are they leveraging their partners in the most effective and most efficient way? How do they do that, not in a transactional manner, but at the strategic-partnership level? Like I said, it’s not just about buying some technology platforms, it’s not just about procuring some small services, it’s really taking that holistic look at cybersecurity and how can I leverage that expertise and that partnership that may exist somewhere else outside of my organization to really move my mission forward.

Drew Morefield (32:44):

Yeah, I think the current scenario has driven home the realization that we cannot drive all critical outcomes and imperatives internally alone just by the organization doing it themselves. They have to really parse out what is it we do really well, what should we be doing internally as an organization, and then where do we need strategic supplementation and partnerships, doing more with less? Not calling everyone a strategic partner, but really engaging with a few that directly and mat