Code to Cloud

Written by: Lacework
About this listen

Do you know what’s going on in your cloud? With the security threat landscape constantly evolving, giving developers the speed they want and CISOs the control they need is critical. Protecting your cloud-native applications from code to production is imperative. And building the foundations of security into everything you create is a must. If your cloud-native business prioritizes security while innovating, this is the podcast for you. On Code to Cloud, we will hear from CISOs and thought leaders in the industry about the tools and tactics helping them succeed. Learn how they’ve approached industry trends and challenges, how they’re “shifting left,” and what opportunities lie ahead. Cloud security at cloud scale: join us for Code to Cloud, hosted by Tim Chase and Andy Schneider. And powered by Lacework.
Episodes
  • Navigating NIS2 and Cyber Resilience Act: Business Resilience Insights from EY’s Koen Machilsen
    Jul 26 2024

    This episode of Code to Cloud features a discussion with the EY Consulting Partner in Cybersecurity, Koen Machilsen. There, Koen is responsible for delivery and innovation of the EY Consulting Cybersecurity and privacy service offering, and has been with the company for over 16 years. Prior to joining EY, Koen held various roles in IT operations. Koen and host Tim Chase, Global Field CISO at Lacework, discuss the significance of integrating cybersecurity into business resilience strategies. The conversation covers how to respond to cybersecurity incidents, the importance of preparation and regular training, and the necessity of understanding business impact when developing cyber crisis management plans. They also delve into the European Union’s NIS2 and Cyber Resilience Act regulations, explaining how they aim to enhance cyber resilience across organizations by mandating stringent cybersecurity practices and reporting requirements. The discussion underscores the need for local transpositions of these directives and the challenges they introduce. Finally, they emphasize the importance of cyber resilience as an integral part of overall business resilience in the digital age.

    Key Quotes

    *”In today's digital world, you cannot have decent business resilience without having cyber in there. And why is this? Because technology is embedded in the heart of many organizations. That technology is interconnected with clouds and based on internet technology. So it makes it inherently vulnerable to cyber attacks. So if you want to have a good business resilience strategy, to me, cyber is a vital part of that.”

    *”The overall objective of incident reporting is not to get organizations fined. It's to be able to do early sharing of those incidents or those indicators of compromise potentially to other organizations within or across different member states. All again, to make sure that whatever impact there is, that it does not get bigger from a member state or from a European Union perspective.”

    *”A lot of organizations are prepared to handle crises - the traditional ones - but do not really fully understand yet what it takes to handle a cyber crisis specifically. I think one of the biggest benefits that NIS2 will bring is creating that awareness and making sure that decent cyber crisis management is adopted.”

    *”The key question here is to really understand the impact of an incident from a few angles. I think understanding the impact of that incident is: is that really in the area that falls in scope of NIS2 for that organization? In what local European market is this impact cost? And to what extent is this impact significant? Because that's again at the discretion of the organization to determine. And I feel that those three elements really can help you decide how and where and when you need to report those incidents. So capturing all that information as part of your Security Incident Management process is key.”

    Time Stamps

    [0:30] Meet Koen Machilsen, EY Consulting Partner in Cybersecurity

    [1:00] Handling a Cyber Incident: First Steps

    [2:03] Understanding the Impact of an Incident and Communication

    [3:45] The Importance of Regular Exercises

    [6:26] Threat Modeling and Business Impact

    [8:27] Regulation Insights: NIS2 Explained

    [11:05] Incident Reporting Challenges

    [20:24] Cyber Resilience Act Overview

    [26:39] Rapid Fire Questions with Koen Machilsen

    [30:13] Conclusion and Final Thoughts

    Links

    Connect with Koen on LinkedIn

    Learn more about EY

    Read EY’s article on how to prepare for NIS2

    Learn more about Lacework

    This podcast is brought to you by Lacework, the leading data-driven cloud-native application protection platform. Lacework is trusted by nearly 1,000 global innovators to secure the cloud from build to run. Lacework delivers true end-to-end protection, empowering customers to prioritize risks, find known and unknown threats faster, achieve continuous cloud compliance, and work smarter–not harder–all from one unified platform. Learn more at Lacework.com.

    31 mins
  • Cybersecurity challenges in manufacturing: Insights from Church & Dwight's Global CISO
    May 9 2024

    This episode of Code to Cloud features a discussion with David Ortiz, Global CISO at Church & Dwight Co., the parent company of brands like Arm & Hammer and OxiClean. At Church & Dwight Co., David transformed the global enterprise-wide information security program in key areas including strategy, risk management, and compliance. Prior to joining the company in 2020, David spent over 22 years in security at Bed Bath & Beyond. David and host Andy Schneider, Field CISO EMEA at Lacework, discuss the primary cyber threats facing the manufacturing sector, with a specific focus on ransomware, and the strategies Church & Dwight uses to mitigate these threats, including a robust third-party vendor assessment process. Ortiz highlights the importance of adaptability in cybersecurity, the role of leadership qualities such as empathy, accountability, and urgency, and underscores the significance of identity management, preparedness, and swift response in enhancing cyber resilience. The conversation also covers the benefits and considerations of moving services to the cloud, reflecting on the necessity of collaboration between cybersecurity teams, manufacturing units, and other stakeholders to safeguard against an ever-changing threat landscape.

    Key Quotes

    *”Technology is getting more and more complex every single day. What we may have viewed years ago as a simple firewall rule has become much more complex with our connected ecosystems across multiple clouds, multiple sites, multiple networks. So the complexity is going to continue to grow, but our mission hasn't really changed with what we need to do to protect it. We just need to adapt and keep up with the changing threat landscape.”

    *”Everybody has a role in cyber and protecting our people, our technology, our processes. I want to instill that mindset of accountability and ownership so that everybody understands that they have a part in reducing cyber risk.”

    *”From the vendor community, my ask would be: Help us install foundational cybersecurity, help us understand where we're potentially oversharing data. And let's have a little less hype on AI in general. Let's really surface all the good that's going to come out of AI and derive it from that conversation versus a hype conversation and I think that would really benefit everybody substantially so that we could get ahead of the bad actors out there and really use AI to its full potential for good.”

    *”You can teach technical skills. You can't teach drive and passion. And that sense of urgency that I mentioned early on. Those are some of the characteristics that you need in this field. So, as a company is interviewing and looking for people in the cyber or the IT risk management field, look past the certifications, look past some of those requirement bullet points that you may see on a job description and really get to know the person and explain the role that they're interviewing for to them and see if they're really a fit for that role. And again, knowing that you could teach people technical skills, but you want to really hire the person, not what's on their resume.”

    Time Stamps

    [0:32] Introducing David Ortiz: Global CISO at Church & Dwight Co.

    [1:05] Transforming Cloud Security in Manufacturing

    [1:15] Ransomware: The Persistent Threat

    [1:58] Vendor Assessment and Cloud Adoption Strategies

    [3:44] Cybersecurity Incident Response in Manufacturing

    [6:15] Leadership Qualities in Cybersecurity

    [7:58] Building Trust and Accountability in Teams

    [11:04] The Role of Technology in Cybersecurity

    [15:51] The Future of Cybersecurity and AI

    [18:47] Career Insights and Advice in Cybersecurity

    Links

    Connect with David on LinkedIn

    Learn more about Church & Dwight Co.

    Learn more about Lacework

    This podcast is brought to you by Lacework, the leading data-driven cloud-native application protection platform. Lacework is trusted by nearly 1,000 global innovators to secure the cloud from build to run. Lacework delivers true end-to-end protection, empowering customers to prioritize risks, find known and unknown threats faster, achieve continuous cloud compliance, and work smarter–not harder–all from one unified platform. Learn more at Lacework.com.

    31 mins
  • Strengthening security culture: the CISO-CTO dream team
    Apr 18 2024

    This episode of Code to Cloud features a discussion with Immuta's CISO, Mike Scott, and Co-Founder and CTO, Steve Touw, hosted by Andy Schneider, Field CISO EMEA at Lacework. Mike is a highly experienced and accomplished leader in information and data security, real-time analysis of immediate threats, and IT and infrastructure designs. And Steve is known for his data science work with US Special Operations Command and the US Intelligence Community. The conversation centers around the importance of a 'shift left' culture in software development, emphasizing security from the start of the development process. Both guests share how this approach has enabled Immuta to move to a SaaS model, deliver features and security fixes more rapidly, and foster a strong security culture by bringing the CISO and CTO teams closer together. Practical insights include the adoption of communication tools like Slack, the significance of automation in maintaining a rapid release cadence, and the importance of understanding employee communication styles using the DISC assessment. The discussion also touches on overcoming conflicts and the critical role of setting realistic goals in achieving security and compliance milestones.

    Key Quotes

    *”Security is inevitable. And we can all look back and see where it's delayed us, when security was brought in at the end of the game. Versus if we can move our mindset to really thinking from ideation all the way through creation to delivery of software, we're going to meet a lot of those challenges early. And then what we've seen, I think the outcome is a more timely release and less of security being a roadblock and more just like a small speed bump along the way.” - Mike Scott

    *”Shifting left has also allowed our teams to understand the security impact sooner. And so when a critical vulnerability comes out, the engineering team has already decided, ‘Are we vulnerable? What's the fix going to be?’ within hours of getting that notification versus responding to a customer's inquiry before.” - Mike Scott

    *”We needed the security to be there so that we could change our release cadence, the shift left. And our architecture changed quite a bit too. Most of our customers are SaaS now, used to be self-managed on-prem type solution. And we've really tried to push the SaaS solution because it helps us with releasing faster, getting features in our customers' hands faster, but also allows us to deploy security fixes more quickly as well. So, that forcing function of having to deliver more quickly, of providing it or making us do the shift left to be able to do that, it flipped it on its head and also allows us to fix problems more quickly as well.” - Steve Touw

    *”I'm constantly reminding our governance committee, ‘Hey, we put a lot of stuff on this team to meet ISO requirements and slot 3 requirements.’ And for me, that's defending my partner, Steve, right? It's saying, ‘Hey, this is taking extra time. This is taking away from his ability to deliver product.’ And so when they're hearing Steve say it, and they're hearing Mike say it, and they're hearing other parts of the business say it, it's also helping get that justification for resources or at least changing prioritization.” - Mike Scott

    Time Stamps

    [0:40] Introducing the Special Episode with Immuta's CISO and CTO

    [1:46] The Shift Left Culture: Enhancing Security and Efficiency

    [3:24] Building a Security-Minded Engineering Culture at Immuta

    [5:34] The Measurable Benefits of Shifting Left in Security

    [10:04] Fostering Collaboration Between CISOs and CTOs

    [14:43] Championing Security Through Engineering and Automation

    [22:04] The Critical Role of Automation in Modern Software Development

    [23:46] The Drive for Faster Feature Delivery

    [24:16] Breaking Down Big Goals into Manageable Pieces

    [24:36] The Journey to Compliance and Certification

    [25:54] The Impact of SOC 2 Compliance and Beyond

    [26:40] Collaboration and Strategy in Achieving Compliance

    [29:37] Addressing Conflicts and Embracing Collaboration

    [34:53] Leveraging DISC for Effective Communication

    [39:28] Reflecting on Career Lessons and the Path to Leadership

    [43:37] Essential Tools for Success and How to Connect

    Links

    Connect with Mike Scott on LinkedIn

    Connect with Steve Touw on LinkedIn

    Learn more about Immuta

    Learn more about Lacework

    This podcast is brought to you by Lacework, the leading data-driven cloud-native application protection platform. Lacework is trusted by nearly 1,000 global innovators to secure the cloud from build to run. Lacework delivers true end-to-end protection, empowering customers to prioritize risks, find known and unknown threats faster, achieve continuous cloud compliance, and work smarter–not harder–all from one unified platform. Learn more at Lacework.com.

    46 mins