Join us for the kickoff of the ART of Security Summit 2025, featuring an exclusive discussion on contemporary security challenges and solutions with industry experts.
In this video, Savannah Peterson, principal analyst and host at SiliconANGLE Media Inc., joins Jackie McGuire, principal analyst at theCUBE Research. They delve into the insights explored during the ART of Security Summit, focusing on making security accessible and practical for professionals at all levels of expertise.
Peterson and McGuire discuss the intricacies of risk management within the security landscape, examining strategies to avoid, reduce and transfer risks. They emphasize the importance of effective communication of security protocols across different organizational levels. The hosts also touch upon key themes from the summit, including partnerships with managed service providers and the evolving nature of threat landscapes.
Key insights highlighted by McGuire include the importance of realistic risk assessment and the value of engaging with external partners for continuous security monitoring. They underscore the need for early education in data classification and the role of multi-factor authentication in security frameworks, illustrating practical steps to enhance organizational security posture.
ART of Security Kickoff with Savannah Peterson
Savannah Peterson
>> Hello CUBE community and welcome back to an exclusive CUBE Summit, the ART of Security. My name's Savannah Peterson, excited to be kicking off the day here with you with your show's host, Jackie McGuire. Jackie, hello.
Jackie McGuire
>> Super.
Savannah Peterson
>> Exciting.
Jackie McGuire
>> Great to be here.
Savannah Peterson
>> First Summit.
Jackie McGuire
>> Yes.
Savannah Peterson
>> I am personally really excited as a newer member to the security community and I love that you always find ways to make this conversation really accessible no matter where anybody is on their security journey. You titled this The Art of Security for a reason.
Jackie McGuire
>> Yeah.
Savannah Peterson
>> Tell me what the art is.
Jackie McGuire
>> Yeah, so when I came into security, I found that there were a lot of people living in the future. So talking about how things are going to be in two, five years and what we should be ready for. There are a lot of people living in the ideal of zero trust and everything's locked down. And then there are people who live in reality. And so when I came back into the analyst community, I wanted to live more in reality. And I think there's opportunity to examine the future, but when I talk to CISOs today, it's silly things like I can't get my firewall logs all in UTC. I don't have a policy that says that this needs to be logged. Why is it that my sales teams can just spin up a database and store stuff in it? So when I first came into finance, so when I was 20, I accidentally applied for the wrong job on Fidelity Investments' website, didn't even know what a mutual fund was. I was not that far from homeless. Three months out of being homeless, and I got a job as a stockbroker. Very, very glad that I was able to be at the interview. But one of the ways that they teach you risk in finance is ART. So you can avoid risk, you can reduce risk, and you can transfer it. And when I came into security, the first thing I noticed is a lot of our security leaders don't have the language they need to talk about these problems in a non-security way. And so what I would find is that if I would walk into... I was a financial consultant for CFOs, and so you would think that CFOs, they're the money people, they know how to talk about... But when I would start talking to them about money market funds and are we going to use treasuries, are we going to use... All of a sudden they would go blank and it's because their background didn't necessarily encompass all things to do with money. I see something very similar in security. And that security, the attack surface is everything, everyone, everywhere. Everything has gotten really complex.
And because we live in this environment day to day, sometimes I think we use words that don't necessarily correlate to something people outside of security can understand. So like you, I came in as a data scientist and I was like, there's 10,000 acronyms in security and all I really want to understand is where does the risk come from? How do people manage it? And what happens to the risk they can't manage? And so hopefully, by taking things back to avoiding risk, reducing risk and transferring risk, we can help our security teams start to shape messaging for the non-security people in their organization to really understand why they need to do a phishing email test, why they're being asked to use multi-factor authentication, why they can't just spin up a database when they want to. So I think a lot of it for me is more of a marketing for CISOs, but that's actually what achieves results because it's not your CISO that determines whether you get breached or not. It's what people do with the end point.
Savannah Peterson
>> I think you bring up such a good point because security really is something that affects every single part of the organization. It doesn't have to be your area of expertise or your job function. All of us are constantly at risk of a lot of different types of threats that could be out there on the internet as well. And I do, I totally agree with what you're saying in terms of reducing the acronyms or at least making the acronyms when news makes sense. Because when you're explaining this to someone, it's not like any of us get paid any extra to go through security protocol, it's not like a lot of security protocol at first glance makes us more efficient. It's usually an extra step or an added time. And so in order to work that into our workflow, especially in an AI time period where we're trying to do everything so fast, I think you're spot on there to say, hey, this is actually how it's going to keep working. And make sure that all the sensitive stuff that you work with isn't getting compromised and the data of our customers isn't as well. So let's talk through the ART there a little bit. Talk to me, I can only imagine, I mean, the threat landscape's never been more complex or a larger surface, quite frankly than it is right now. How do you avoid risk?
Jackie McGuire
>> Yeah, so avoiding is the first step. And in finance, avoiding is actually usually doing nothing. So that's like staying in cash instead of investing, assuming that cash is a safe invest.
Savannah Peterson
>> We don't have to go down that path today.
Jackie McGuire
>> Assuming cash is a safe investment, that's how you do nothing. But doing nothing in security may mean a few different things. So it may mean we just don't take this project on. So I think we're all dealing right now with we want to get as much leverage out of new technology, I'm not going to say the word, as we can. And to do that we have to assess the risk of every program. And for some things like introducing additional technologies into HR or finance or places where the information is sensitive, even if they really wildly succeed, the ROI is not worth the risk. In security though, there's also a number of other ways you can manage risk. So the primary one, and we're going to talk to KnowBe4 later today, is training. And I really think that it used to be we would just give security training to security people or technology people. But at this point, again, the attack surface is everybody, anyone who has access to your corporate information, whether it's a contractor, an employer, a vendor, a partner, they all are in attack surface. And so training and knowledge is the first step. And I've actually been talking to some state CISOs about we should be teaching kids data in middle school. My kids are smart enough to understand data classification. It's also things like avoiding risk has a lot to do with identity and access management. Things like multi-factor authentication that, I hate to admit it, but I'm sure there's at least one sensitive platform that I log into on a regular basis that I probably don't realize doesn't have MFA, because so many things do now that I don't notice the exception, if that makes sense?
Savannah Peterson
>> Yeah. Makes a lot of sense.
Jackie McGuire
>> That's the other thing that we're seeing is that avoiding risk a lot of times also involves finding the spots between all of the good work that you've done. And the more good work you do, the more you can cover up those spots. So that to me, that's one of the things. And then obviously, just also posture management. You can't protect what you don't see, what you don't understand. So just having good senses. We're going to talk to a company later today, Infoblox, who does like DNS. So even just understanding the subdomains on your website can help avoid a lot of risk.
Savannah Peterson
>> I think that's a really good point. I heard this analogy initially from PwC in terms of how they do their accounting, but I think of it like Swiss cheese and you layer Swiss cheese on top of Swiss cheese on top of Swiss cheese and then eventually there's no holes that can go all the way through the bottom. And it's kind of like what you're talking about, it's making sure that you're looking at these pieces and optimizing the best because there could always be evolving things that then create a risk. Just because somewhere was secure six months ago doesn't necessarily mean that that's secure today. Gosh, security people have a lot on their plate. I really admire the cognitive load. So now that we've avoided as much risk as we can, how do we reduce it once we identify there is a big risk?
Jackie McGuire
>> And so this is where I probably tipped my hand a little bit and that there's actually kind of a motivation behind this summit in general, which is that a lot of reducing risk has to do with understanding where your capabilities end. And I think if we change the way we think about partnering with managed service providers, managed security services providers, managed detection and response providers, that is one of the best ways to reduce risk, is to partner with people who 24 hours a day, seven days a week can provide the resources you don't necessarily have. Believe it or not, a lot of hackers are on the other side of the globe, so they're working while you're sleeping. And I don't think having someone on call is always a good solution. And so-
Savannah Peterson
>> Those people would agree with that.
Jackie McGuire
>> And I was at a ThreatLocker and talking to their CEO about how they used to be on call and sleep on the... They literally had a thing where they all lived in the same house that would wake them up out of bed with their first couple customers. And while that's great, if you're a small company and you're dealing with global cybersecurity issues, the first step in reducing risk is probably being realistic about where your capabilities start and end. And the extent to which you should be partnering with a services provider or managed services provider. Continuous security monitoring falls under that because without an appropriate partner who has the resources to 24 hours a day be monitoring, you're not going to be able to accomplish that. So I don't want to say that every company should be using an MSP, an MSSP, MDR, but we are seeing dramatic like 3000% growth at some vendors in their managed services offering. And I think we're starting to get to a place where we understand that we can't do this alone. And the hackers aren't doing it alone. So the hackers are all helping each other. They're open sourcing their stuff. And so I think some of the other things in terms of reducing risk are to prevent lateral movement, better visibility. So we're going to talk to Abstract Security later. They give you great ways to pull all of your data in and actually have, I hate saying a single pane of glass because I think it's overused, but actually see all of your data because a lot of time risk occurs just because we can't see everything we have or we've forgotten about the database we spun up for that generative project. And so I think one, be realistic about your capabilities and then ask for help, which is always the hardest thing for us, super independent people to do, but it's one of the most important steps in the process.
Savannah Peterson
>> Well, and we're stronger together, I think, I think. And we see that. I mean you mentioned the open source community. If the open source community has taught us nothing, it's precisely that. So I think that's a great point and we all need a little help sometimes. It's okay.
Jackie McGuire
>> Yeah. So one of the reasons I was really excited to talk to Abstract later is they just published this phenomenal ebook with all of this wonderful information and they didn't gate it. It is one of the things that I've been hammering for the last several years. All of the hackers are working together. None of them ask for your email address before they give you an exploit.
Savannah Peterson
>> God.
Jackie McGuire
>> Don't make you-
Savannah Peterson
>> Or secretly. Maybe that's why we get so many email spam.
Jackie McGuire
>> I think there's a lot, Art of War, there's a lot to be learned from studying your adversaries. And I think that's where managing risk comes in the same way that they magnify the risk they pose to you. You can reverse some of those techniques to manage it yourself.
Savannah Peterson
>> Absolutely. No, I think that's a great point. Even if we're being cheeky. So now that we've avoided as much as we could, we've reduced as much as we can with our partners and strategic services. There's still risk.
Jackie McGuire
>> Yeah.
Savannah Peterson
>> How do we transfer it?
Jackie McGuire
>> Yeah. So transferring again in the finance world, this generally means either using a registered investment advisor or financial advisor or insuring. And so cyber risk insurance is one of the first places where we're transferring risk that comes in here. And it's another place where, I hate to harp on the services provider thing, but cyber risk insurance is not cheap. It's not easy to qualify for. And if losses over the next couple of years continue to compound the way they have historically and even more so with less regulation and attention paid, it's going to get more expensive. So I, coming from a finance background, having been 50 state insurance license and done underwriting, I really feel like for most small and midsize businesses who are not using service providers or managed security services providers, it will become almost impossible to qualify for or afford cyber risk insurance. So insuring against risk is one of the best ways to transfer it. But if you can't do that because you don't have the money to pay for cyber risk insurance or you're not eligible to be covered, the next step is, again, let's go back to those service providers. So where are your SLAs and contracts with your service providers? Because it's not enough just to hire a managed security services provider, you also have to understand where their liability ends and yours begins. Because insurance comes back into this, but so does incident response. So is your security services provider, do they also cover responding to an incident if it was happened under their watch? Because incident response can be in the millions. It also comes down to all of your service provider policies. So again, the contract needs to be there, but you also need policies that tell you how to hold those service providers accountable. And some risk transfer also involves, instead of managing a tool ourselves, we're just going to pay that company to manage it for us. 
So I think a lot of risk transfer and security is to other people. The reality is the reason that we're going through this whole process is that at the end of the day, there will be risk that you can't avoid, reduce or transfer. So this is just a process to make sure that you're maximizing every step of the way before you get to the other end of that funnel, which is accepted risk, which is the part that if we focus on that, the risk we're accepting, I think that's where we actually get to better outcomes.
Savannah Peterson
>> I think that's a really good way to summarize it. And so talk to me a little bit about what the audience can expect to learn today. I know you previewed some of the guests in your ART description there, but I'm curious, what do you hope they take away?
Jackie McGuire
>> Yeah, so I think we're going to learn a few things. One, I was shocked by some of the statistics that some of our guests are bringing with them in terms of what effective security training looks like. The magnitude by which you can reduce risk just by effective training, predictive. So some of the stuff that you can do with DNS, there's some predictive threat actor modeling that they can do with DNS. That's really interesting. We will be talking about cyber risk insurance and what that looks like. We'll be talking about managed services providers. So we're going to be talking about where the security theory or the rubber of security theory meets the road to use a really silly cliche, but where we're actually seeing success. And I think coming from, went from the analyst side of the business to the vendor side, back to the analyst side. And a lot of my friends are CISOs and a vendor usually comes in and says, geez, you're on the one yard line and you need to be all the way at the other end zone. So we're going to sell you all of the playbooks and players you need to get there, but then it's up to you to figure out how to use them. So you just became the coach of a football team that you didn't even build. As a sports person, I know you appreciate this. And so what I'm trying to do is say, how do we help CISOs get to the next set of downs or figure out they need to punt? And that punting is not a bad thing. In a football game, punting can often be one of the most strategic things you can do. And so that's how I look at managed services providers is there's always this kind of like, oh, you're admitting defeat. It's like, no, I'm making a strategic decision that I will get better leverage and better outcomes by partnering with a services provider. So I'm really excited to hear more of the real world impacts of how these things go and how CISOs are putting this risk management process in place at the end of the day, achieving better outcomes internally. 
Because what we find is that a CISO can buy into a product and really understand that it's what's best. It's their ability to tie that to the dollars cents revenue... How that makes sense with revenue and the company that actually makes or breaks most of those decisions. So hopefully by bringing this up a couple 20, 30,000 feet and talking about it as risk rather than security issues, we'll actually get to where better outcomes happen.
Savannah Peterson
>> Well, I like that hypothesis, and I agree. I'm very excited to learn from all of your fantastic guests, and congratulations on your first summit here at theCUBE.
Jackie McGuire
>> Thank you.
Savannah Peterson
>> We're all very, very proud of you.
Jackie McGuire
>> Thank you. You have personally been one of my champions here and you have helped my onboarding quite a bit. You're also a heck of a lot of fun to work with. And I am really excited for the summit. We've had great success for our other summits, customers, vendors. Everybody has really enjoyed them. So this is exciting. It's an exciting time to be here.
Savannah Peterson
>> It is. It's very exciting. We hope that all of you are as excited as we are over here in Palo Alto, California kicking off the ART of Security Summit here led by Jackie McGuire. My name's Savannah Peterson. You're watching theCUBE, the leading source for enterprise tech news.
>> Hello CUBE community and welcome back to an exclusive CUBE Summit, the ART of Security. My name's Savannah Peterson, excited to be kicking off the day here with you with your show's host, Jackie McGuire. Jackie, hello.
Jackie McGuire
>> Super.
Savannah Peterson
>> Exciting.
Jackie McGuire
>> Great to be here.
Savannah Peterson
>> First Summit.
Jackie McGuire
>> Yes.
Savannah Peterson
>> I am personally really excited as a newer member to the security community and I love that you always find ways to make this conversation really accessible no matter where anybody is on their security journey. You titled this The Art of Security for a Reason.
Jackie McGuire
>> Yeah.
Savannah Peterson
>> Tell me what the art is.
Jackie McGuire
>> Yeah, so when I came into security, I found that there were a lot of people living in the future. So talking about how things are going to be in two, five years and what we should be ready for. There are a lot of people living in the ideal of zero trust and everything's locked down. And then there are people who live in reality. And so when I came back into the analyst community, I wanted to live more in reality. And I think there's opportunity to examine the future, but when I talk to CISOs today, it's silly things like I can't get my firewall logs all in UTC. I don't have a policy that says that this needs to be logged. Why is it that my sales teams can just spin up a database and store stuff in it? So when I first came into finance, so when I was 20, I accidentally applied for the wrong job on Fidelity Investments website, didn't even know what a mutual fund was. I was not that far from homeless. Three months out of being homeless, and I got a job as a stockbroker. Very, very glad that I was able to be at the interview. But one of the ways that they teach you risk in finance is art. So you can avoid risk, you can reduce risk, and you can transfer it. And when I came into security, the first thing I noticed is a lot of our security leaders don't have the language they need to talk about these problems in a non-security way. And so what I would find is that if I would walk into... I was a financial consultant for CFOs, and so you would think that CFOs, they're the money people they know how to talk about... But when I would start talking to them about money market funds and are we going to use treasuries, are we going to use... All of a sudden they would go blank and it's because their background didn't necessarily encompass all things to do with money. I see something very similar in security. And that security, the attack surface is everything, everyone, everywhere. Everything has gotten really complex. 
And because we live in this environment day to day, sometimes I think we use words that don't necessarily correlate to something people outside of security can understand. So like you, I came in as a data scientist and I was like, there's 10,000 acronyms in security and all I really want to understand is where does the risk come from? How do people manage it? And what happens to the risk they can't manage? And so hopefully, by taking things back to avoiding risk, reducing risk and transferring risk, we can help our security teams start to shape messaging for the non-security people in their organization to really understand why they need to do a phishing email test, why they're being asked to use multi-factor authentication, why they can't just spin up a database when they want to. So I think a lot of it for me is more of a marketing for CISOs, but that's actually what achieves results because it's not your CISO that determines whether you get breached or not. It's what people do with the end point.
Savannah Peterson
>> I think you bring up such a good point because security really is something that affects every single part of the organization. It doesn't have to be your area of expertise or your job function. All of us are constantly at risk of a lot of different types of threats that could be out there on the internet as well. And I do, I totally agree with what you're saying in terms of reducing the acronyms or at least making the acronyms when news makes sense. Because when you're explaining this to someone, it's not like any of us get paid any extra to go through security protocol, it's not like a lot of security protocol at first glance makes us more efficient. It's usually an extra step or an added time. And so in order to work that into our workflow, especially in an AI time period where we're trying to do everything so fast, I think you're spot on there to say, hey, this is actually how it's going to keep working. And make sure that all the sensitive stuff that you work with isn't getting compromised and the data of our customers isn't as well. So let's talk through the ART there a little bit. Talk to me, I can only imagine, I mean, the threat landscape's never been more complex or a larger surface, quite frankly than it is right now. How do you avoid risk?
Jackie McGuire
>> Yeah, so avoiding is the first step. And in finance, avoiding is actually usually doing nothing. So that's like staying in cash instead of investing, assuming that cash is a safe invest.
Savannah Peterson
>> We don't have to go down that path today.
Jackie McGuire
>> Assuming cash is a safe investment, that's how you do nothing. But doing nothing in security may mean a few different things. So it may mean we just don't take this project on. So I think we're all dealing right now with we want to get as much leverage out of new technology, I'm not going to say the word, as we can. And to do that we have to assess the risk of every program. And for some things like introducing additional technologies into HR or finance or places where the information is sensitive, even if they really wildly succeed, the ROI is not worth the risk. In security though, there's also a number of other ways you can manage risk. So the primary one, and we're going to talk to, know before later today is training. And I really think that it used to be we would just give security training to security people or technology people. But at this point, again, the attack surface is everybody, anyone who has access to your corporate information, whether it's a contractor, an employer, a vendor, a partner, they all are in attack surface. And so training and knowledge is the first step. And I've actually been talking to some state CISOs about we should be teaching kids data in middle school. My kids are smart enough to understand data classification. It's also things like avoiding risk has a lot to do with identity and access management. Things like multi-factor authentication that, I hate to admit it, but I'm sure there's at least one sensitive platform that I log into on a regular basis that I probably don't realize doesn't have MFA, because so many things do now that I don't notice the exception, if that makes sense?
Savannah Peterson
>> Yeah. Makes a lot of sense.
Jackie McGuire
>> That's the other thing that we're seeing is that avoiding risk a lot of times also involves finding the spots between all of the good work that you've done. And the more good work you do, the more you can cover up those spots. So that to me, that's one of the things. And then obviously, just also posture management. You can't protect what you don't see, what you don't understand. So just having good senses. We're going to talk to a company later today, Infoblox, who does like DNS. So even just understanding the subdomains on your website can help avoid a lot of risk.
Savannah Peterson
>> I think that's a really good point. I heard this analogy initially from PwC in terms of how they do their accounting, but I think of it like Swiss cheese and you layer Swiss cheese on top of Swiss cheese on top of Swiss cheese and then eventually there's no holes that can go all the way through the bottom. And it's kind of like what you're talking about, it's making sure that you're looking at these pieces and optimizing the best because there could always be evolving things that then create a risk. Just because somewhere was secure six months ago doesn't necessarily mean that that's secure today. Gosh, security people have a lot on their plate. I really admire the cognitive load. So now that we've avoided as much risk as we can, how do we reduce it once we identify there is a big risk?
Jackie McGuire
>> And so this is where I probably tipped my hand a little bit and that there's actually kind of a motivation behind this summit in general, which is that a lot of reducing risk has to do with understanding where your capabilities end. And I think if we change the way we think about partnering with managed service providers, managed security services providers, managed detection and response providers, that is one of the best ways to reduce risk, is to partner with people who 24 hours a day, seven days a week can provide the resources you don't necessarily have. Believe it or not, a lot of hackers are on the other side of the globe, so they're working while you're sleeping. And I don't think having someone on call is always a good solution. And so-
Savannah Peterson
>> Those people would agree with that.
Jackie McGuire
>> And I was at a ThreatLocker and talking to their CEO about how they used to be on call and sleep on the... They literally had a thing where they all lived in the same house that would wake them up out of bed with their first couple customers. And while that's great, if you're a small company and you're dealing with global cybersecurity issues, the first step in reducing risk is probably being realistic about where your capabilities start and end. And the extent to which you should be partnering with a services provider or managed services provider. Continuous security monitoring falls under that because without an appropriate partner who has the resources to 24 hours a day be monitoring, you're not going to be able to accomplish that. So I don't want to say that every company should be using an MSP, an MSSP, MDR, but we are seeing dramatic like 3000% growth at some vendors in their managed services offering. And I think we're starting to get to a place where we understand that we can't do this alone. And the hackers aren't doing it alone. So the hackers are all helping each other. They're open sourcing their stuff. And so I think some of the other things in terms of reducing risk are to prevent lateral movement, better visibility. So we're going to talk to Abstract Security later. They give you great ways to pull all of your data in and actually have, I hate saying a single pane of glass because I think it's overused, but actually see all of your data because a lot of time risk occurs just because we can't see everything we have or we've forgotten about the database we spun up for that generative project. And so I think one, be realistic about your capabilities and then ask for help, which is always the hardest thing for us, super independent people to do, but it's one of the most important steps in the process.
Savannah Peterson
>> Well, and we're stronger together, I think, I think. And we see that. I mean you mentioned the open source community. If the open source community has taught us nothing, it's precisely that. So I think that's a great point and we all need a little help sometimes. It's okay.
Jackie McGuire
>> Yeah. So one of the reasons I was really excited to talk to Abstract later is they just published this phenomenal ebook with all of this wonderful information and they didn't gate it. It is one of the things that I've been hammering for the last several years. All of the hackers are working together. None of them ask for your email address before they give you an exploit.
Savannah Peterson
>> God.
Jackie McGuire
>> Don't make you-
Savannah Peterson
>> Or secretly. Maybe that's why we get so many email spam.
Jackie McGuire
>> I think there's a lot, Art of War, there's a lot to be learned from studying your adversaries. And I think that's where managing risk comes in. The same way that they magnify the risk they pose to you, you can reverse some of those techniques to manage it yourself.
Savannah Peterson
>> Absolutely. No, I think that's a great point. Even if we're being cheeky. So now that we've avoided as much as we could, we've reduced as much as we can with our partners and strategic services. There's still risk.
Jackie McGuire
>> Yeah.
Savannah Peterson
>> How do we transfer it?
Jackie McGuire
>> Yeah. So transferring again in the finance world, this generally means either using a registered investment advisor or financial advisor or insuring. And so cyber risk insurance is one of the first places where we're transferring risk that comes in here. And it's another place where, I hate to harp on the services provider thing, but cyber risk insurance is not cheap. It's not easy to qualify for. And if losses over the next couple of years continue to compound the way they have historically and even more so with less regulation and attention paid, it's going to get more expensive. So I, coming from a finance background, having been 50 state insurance license and done underwriting, I really feel like for most small and midsize businesses who are not using service providers or managed security services providers, it will become almost impossible to qualify for or afford cyber risk insurance. So insuring against risk is one of the best ways to transfer it. But if you can't do that because you don't have the money to pay for cyber risk insurance or you're not eligible to be covered, the next step is, again, let's go back to those service providers. So where are your SLAs and contracts with your service providers? Because it's not enough just to hire a managed security services provider, you also have to understand where their liability ends and yours begins. Because insurance comes back into this, but so does incident response. So is your security services provider, do they also cover responding to an incident if it happened under their watch? Because incident response can be in the millions. It also comes down to all of your service provider policies. So again, the contract needs to be there, but you also need policies that tell you how to hold those service providers accountable. And some risk transfer also involves, instead of managing a tool ourselves, we're just going to pay that company to manage it for us.
So I think a lot of risk transfer in security is to other people. The reality is the reason that we're going through this whole process is that at the end of the day, there will be risk that you can't avoid, reduce or transfer. So this is just a process to make sure that you're maximizing every step of the way before you get to the other end of that funnel, which is accepted risk, which is the part that if we focus on that, the risk we're accepting, I think that's where we actually get to better outcomes.
Savannah Peterson
>> I think that's a really good way to summarize it. And so talk to me a little bit about what the audience can expect to learn today. I know you previewed some of the guests in your ART description there, but I'm curious, what do you hope they take away?
Jackie McGuire
>> Yeah, so I think we're going to learn a few things. One, I was shocked by some of the statistics that some of our guests are bringing with them in terms of what effective security training looks like. The magnitude by which you can reduce risk just by effective training, predictive. So some of the stuff that you can do with DNS, there's some predictive threat actor modeling that they can do with DNS. That's really interesting. We will be talking about cyber risk insurance and what that looks like. We'll be talking about managed services providers. So we're going to be talking about where the security theory or the rubber of security theory meets the road to use a really silly cliche, but where we're actually seeing success. And I think coming from, went from the analyst side of the business to the vendor side, back to the analyst side. And a lot of my friends are CISOs and a vendor usually comes in and says, geez, you're on the one yard line and you need to be all the way at the other end zone. So we're going to sell you all of the playbooks and players you need to get there, but then it's up to you to figure out how to use them. So you just became the coach of a football team that you didn't even build. As a sports person, I know you appreciate this. And so what I'm trying to do is say, how do we help CISOs get to the next set of downs or figure out they need to punt? And that punting is not a bad thing. In a football game, punting can often be one of the most strategic things you can do. And so that's how I look at managed services providers is there's always this kind of like, oh, you're admitting defeat. It's like, no, I'm making a strategic decision that I will get better leverage and better outcomes by partnering with a services provider. So I'm really excited to hear more of the real world impacts of how these things go and how CISOs are putting this risk management process in place at the end of the day, achieving better outcomes internally. 
Because what we find is that a CISO can buy into a product and really understand that it's what's best. It's their ability to tie that to the dollars cents revenue... How that makes sense with revenue and the company that actually makes or breaks most of those decisions. So hopefully by bringing this up a couple 20, 30,000 feet and talking about it as risk rather than security issues, we'll actually get to where better outcomes happen.
Savannah Peterson
>> Well, I like that hypothesis, and I agree. I'm very excited to learn from all of your fantastic guests, and congratulations on your first summit here at theCUBE.
Jackie McGuire
>> Thank you.
Savannah Peterson
>> We're all very, very proud of you.
Jackie McGuire
>> Thank you. You have personally been one of my champions here and you have helped my onboarding quite a bit. You're also a heck of a lot of fun to work with. And I am really excited for the summit. We've had great success for our other summits, customers, vendors. Everybody has really enjoyed them. So this is exciting. It's an exciting time to be here.
Savannah Peterson
>> It is. It's very exciting. We hope that all of you are as excited as we are over here in Palo Alto, California kicking off the ART of Security Summit here led by Jackie McGuire. My name's Savannah Peterson. You're watching theCUBE, the leading source for enterprise tech news.