WEBVTT 1 00:00:07.470 --> 00:00:09.930 Anna Delaney: Hello and welcome back to the ISMG Editors Panel. 2 00:00:09.930 --> 00:00:13.230 I'm Anna Delaney, and this is our weekly editorial overview of 3 00:00:13.230 --> 00:00:16.590 what's hot and what's not in the world of cyber and information 4 00:00:16.590 --> 00:00:20.190 security. The ISMG editors joining me today include Tom 5 00:00:20.190 --> 00:00:23.640 Field, senior vice president of editorial; Marianne Kolbasuk 6 00:00:23.640 --> 00:00:27.000 McGee, executive editor for HealthcareInfoSecurity, and 7 00:00:27.000 --> 00:00:30.420 Michael Novinson, managing editor for ISMG business. Very 8 00:00:30.420 --> 00:00:31.170 good to see you all. 9 00:00:31.000 --> 00:00:32.470 Tom Field: Good to be seen. 10 00:00:32.830 --> 00:00:33.760 Marianne McGee: Thanks for having us. 11 00:00:34.360 --> 00:00:35.110 Michael Novinson: Thanks for having us. 12 00:00:35.980 --> 00:00:40.810 Anna Delaney: Michael, you're with the penguins. Zoo ... love 13 00:00:40.810 --> 00:00:40.990 it. 14 00:00:41.950 --> 00:00:44.170 Michael Novinson: Absolutely. I took a walk on the wild side of 15 00:00:44.170 --> 00:00:47.440 the Detroit Zoo last month. They reopened their penguin exhibit a 16 00:00:47.440 --> 00:00:49.690 couple of months ago. My daughter who's three was a big 17 00:00:49.690 --> 00:00:52.780 fan of pretending to waddle like a penguin. Not as much of a fan 18 00:00:52.780 --> 00:00:55.840 of the really wild shipwreck movie. So things she like, 19 00:00:55.840 --> 00:00:56.590 things she didn't. 20 00:00:56.980 --> 00:00:58.210 Tom Field: Time for Happy Feet. 21 00:00:59.440 --> 00:01:00.820 Michael Novinson: That's probably true, she would like 22 00:01:00.820 --> 00:01:01.090 that. 23 00:01:02.200 --> 00:01:04.540 Anna Delaney: And Happy Feet, Marianne, you're the concert. 
24 00:01:05.020 --> 00:01:10.720 Yeah, my husband and I went to a Billy Joel/Stevie Nicks concert 25 00:01:10.720 --> 00:01:13.090 at Gillette Stadium in Massachusetts over the weekend 26 00:01:13.090 --> 00:01:17.350 where it was pouring for four hours. This photo actually is 27 00:01:17.950 --> 00:01:20.590 one of the few where you don't see a lot of rain. But it was 28 00:01:20.590 --> 00:01:24.550 during Billy Joel's 'We Didn't Start the Fire,' which if you 29 00:01:24.550 --> 00:01:28.540 know the song, it's all the sort of historical and cultural 30 00:01:28.540 --> 00:01:31.840 references from the time he was born in 1949 to the time the 31 00:01:31.840 --> 00:01:35.830 song was written in 1989. So I was thinking this morning that 32 00:01:35.830 --> 00:01:38.230 if he was to update the song, I'm sure there'd be some 33 00:01:38.230 --> 00:01:39.670 references there for ransomware. 34 00:01:40.930 --> 00:01:47.620 And AI. And, Tom any penguins in where you are? 35 00:01:47.610 --> 00:01:50.436 Tom Field: Not in clear view. Just a bad travel day. I was 36 00:01:50.496 --> 00:01:53.803 coming home from Houston yesterday and was in Dallas on 37 00:01:53.863 --> 00:01:57.050 the plane, when you got that announcement about minor 38 00:01:57.110 --> 00:02:00.537 maintenance issue. Words you never want to hear. And they 39 00:02:00.597 --> 00:02:04.025 resulted in sitting on the runway for an hour and a half, 40 00:02:04.085 --> 00:02:07.572 getting off the plane, sitting in the terminal for another 41 00:02:07.632 --> 00:02:11.360 hour, waiting for another plane to arrive. And ultimately, the 42 00:02:11.420 --> 00:02:14.908 minor maintenance issue took longer than the actual flight 43 00:02:14.968 --> 00:02:18.696 would have. But salvaging that on the flight from Boston up to 44 00:02:18.756 --> 00:02:22.304 Maine was a beautiful sunset. And I was at a window where I 45 00:02:22.364 --> 00:02:26.152 had the opportunity just to turn around. 
Take some photos along 46 00:02:26.212 --> 00:02:29.760 the way. So this is leaving Boston and heading up to Maine. 47 00:02:29.990 --> 00:02:33.680 Anna Delaney: Yeah, the little things. Well, last week, I 48 00:02:33.710 --> 00:02:37.880 visited the very quaint medieval city of Bruges in Belgium, also 49 00:02:37.880 --> 00:02:40.340 known as the Venice of the North with its cobbled streets and 50 00:02:40.340 --> 00:02:44.870 canals. And this is a snapshot of the main square at night, 51 00:02:45.170 --> 00:02:48.950 which is home to the Belfry Tower, the Bell Tower, which is 52 00:02:48.950 --> 00:02:52.640 one of the world's most iconic landmarks, so it's gorgeous. 53 00:02:53.180 --> 00:02:55.370 Tom Field: You've the coolest getaways, Anna, you really do. 54 00:02:55.700 --> 00:02:58.610 Anna Delaney: You know, two hours from London, you got so 55 00:02:58.610 --> 00:03:03.410 many different countries and cultures and languages. So do 56 00:03:03.410 --> 00:03:10.070 you, Tom. States, I mean, America's so big. So well, you 57 00:03:10.070 --> 00:03:14.270 got to come here more often. I got to say. Tom, you moderated a 58 00:03:14.270 --> 00:03:16.340 roundtable earlier this week - that's why you were on this 59 00:03:16.340 --> 00:03:20.540 plane in Houston - on the topic of OT security. What are some of 60 00:03:20.540 --> 00:03:23.780 the current trends challenges for security leaders that you 61 00:03:23.780 --> 00:03:24.350 picked up on? 62 00:03:24.000 --> 00:03:27.054 Tom Field: Well, you noticed I went to Houston, I didn't come 63 00:03:27.115 --> 00:03:30.781 back with any iconic photos. There you go. It was a terrific 64 00:03:30.842 --> 00:03:34.263 discussion, because it was talking about OT security and 65 00:03:34.324 --> 00:03:37.989 how to have a more proactive incident response. And this was 66 00:03:38.050 --> 00:03:41.777 a session that was sponsored by Mandiant, which, of course is 67 00:03:41.838 --> 00:03:45.564 now part of Google Cloud. 
And it featured as a subject matter 68 00:03:45.625 --> 00:03:49.046 expert, Paul Shaver, was actually the global head of the 69 00:03:49.108 --> 00:03:52.406 OT practice for Mandiant. And for Google, so excellent 70 00:03:52.468 --> 00:03:55.705 expertise there. We had participants in the room from 71 00:03:55.766 --> 00:03:59.676 financial institutions, from oil and gas, from manufacturing, so 72 00:03:59.737 --> 00:04:03.097 a great mind share of OT interests, and they found that 73 00:04:03.158 --> 00:04:06.824 there were some common concerns among them, and probably not 74 00:04:06.885 --> 00:04:10.672 surprising to any of us here. One is just the legacy equipment 75 00:04:10.733 --> 00:04:14.521 within their OT infrastructure, particularly when you get into 76 00:04:14.582 --> 00:04:18.370 oil and gas and the devices that are out there, managing these 77 00:04:18.431 --> 00:04:21.852 huge rigs out on the ocean. But even in trucking, and in 78 00:04:21.913 --> 00:04:25.701 manufacturing, there's so much legacy equipment, extremely low 79 00:04:25.762 --> 00:04:29.427 visibility into the equipment to be able to see if there are 80 00:04:29.488 --> 00:04:32.482 issues within these environments, you always come 81 00:04:32.543 --> 00:04:36.086 across the cultural issue, IT vs. OT. And that was evident 82 00:04:36.147 --> 00:04:39.996 even as we went around the table because I have one participant 83 00:04:40.057 --> 00:04:43.600 saying, well, we've got this OT culture and they're always 84 00:04:43.661 --> 00:04:47.143 saying, hey, stay out of our stuff, keep away from us, we 85 00:04:47.204 --> 00:04:50.809 take care of our own. And you went up to people and someone 86 00:04:50.870 --> 00:04:54.718 raise a hand and say yeah, I'm one of those OT people that says 87 00:04:54.779 --> 00:04:58.445 stay out of our stuff. What is do our own. So the culture is 88 00:04:58.506 --> 00:05:02.049 always an issue there. 
And the human factor, the idea of - 89 00:05:02.110 --> 00:05:05.837 rather a malicious insider, or a compromised insider making a 90 00:05:05.898 --> 00:05:09.258 costly mistake within the OT environment came up in the 91 00:05:09.319 --> 00:05:12.740 conversation. I think one of the bigger themes, and it's 92 00:05:12.801 --> 00:05:16.528 something we don't talk about nearly enough, often when there 93 00:05:16.589 --> 00:05:20.437 is an OT incident is something has to go down or be taken down. 94 00:05:20.498 --> 00:05:24.225 That impacts production. You impact production, suddenly, you 95 00:05:24.286 --> 00:05:27.890 impact revenue. And that's an issue that a lot of people in 96 00:05:27.951 --> 00:05:31.678 the room were grappling with in terms of being able to detect 97 00:05:31.739 --> 00:05:35.527 fast enough and respond quick enough when the pressure is just 98 00:05:35.588 --> 00:05:39.436 get back online, forget what the cause is, and what's happened, 99 00:05:39.497 --> 00:05:42.980 get us back online. And the other sort of wildcard factor 100 00:05:43.041 --> 00:05:46.889 that was brought in particularly from Paul Shaver with Mandiant 101 00:05:46.950 --> 00:05:50.555 is the threat landscape. And that adversaries, particularly 102 00:05:50.616 --> 00:05:54.037 nation states, are paying a lot more attention to the OT 103 00:05:54.098 --> 00:05:57.702 environment now in targeting it partially because of legacy 104 00:05:57.763 --> 00:06:01.551 equipment, lack of visibility and the cultural issues. And the 105 00:06:01.612 --> 00:06:05.277 notion that you take down OT, you take down an organization. 106 00:06:05.339 --> 00:06:08.943 It's more than just a shot across the bow. You're crippling 107 00:06:09.004 --> 00:06:12.914 an organization. So some of the common concerns that were raised 108 00:06:12.975 --> 00:06:15.480 in the discussion, eye-opening, honestly! 109 00:06:16.080 --> 00:06:18.330 Anna Delaney: And obviously since you spoke with ... 
what's 110 00:06:18.330 --> 00:06:21.750 their appetite for implementing emerging technologies such as 111 00:06:21.750 --> 00:06:27.030 AI, machine learning? Is there appetite for those sorts of 112 00:06:27.030 --> 00:06:27.720 technologies? 113 00:06:28.050 --> 00:06:30.450 Tom Field: You know, it only took 25 minutes before 114 00:06:30.480 --> 00:06:33.510 generative AI came into the conversation. Yes, I do time 115 00:06:33.510 --> 00:06:36.840 this now. So yes, there's an appetite there. But you've got 116 00:06:36.840 --> 00:06:42.690 an issue with being able to get the board's attention for this 117 00:06:42.690 --> 00:06:47.790 and to get the resources necessary. And OT just doesn't 118 00:06:47.820 --> 00:06:51.180 have the attention that it deserves. Even in the room that 119 00:06:51.180 --> 00:06:53.520 we were in, I would say didn't have the attention it deserved. 120 00:06:53.520 --> 00:06:56.490 We had an executive participating who said okay, can 121 00:06:56.490 --> 00:06:59.940 you define what OT is. And we'll surprise we're having that 122 00:06:59.940 --> 00:07:05.730 conversation in 2023. But I even see instances of one of our 123 00:07:05.880 --> 00:07:09.750 participants talked about the local municipal transportation 124 00:07:09.750 --> 00:07:14.310 system, the bus system, their payment system, runs on Windows 125 00:07:14.310 --> 00:07:20.940 NT. We heard about another municipality, where brand new 126 00:07:20.940 --> 00:07:25.080 buses were delivered in their video screens, or these brand 127 00:07:25.080 --> 00:07:30.990 new buses are built on Windows NT. There is so much end-of-life 128 00:07:30.990 --> 00:07:34.170 technology that's out there still being used on legacy 129 00:07:34.170 --> 00:07:37.200 equipment, that this just becomes almost an impossible 130 00:07:37.200 --> 00:07:39.870 task to reckon with. 
And yet, it's something that we have to 131 00:07:39.870 --> 00:07:43.620 pay some attention to, because critical infrastructure runs on 132 00:07:43.620 --> 00:07:47.010 this. So I'm afraid I don't have any solutions for you. There was 133 00:07:47.010 --> 00:07:49.560 an appetite within the room to address this. But I think we 134 00:07:49.560 --> 00:07:54.870 need a greater appetite within the boardrooms around the world 135 00:07:55.290 --> 00:07:57.690 to tackle this, to the degree it needs to be tackled. 136 00:07:58.350 --> 00:08:02.190 Anna Delaney: Actually, the OT aspect or, you know, sort of 137 00:08:02.190 --> 00:08:06.690 focus came up in a recent interview I did with ... which 138 00:08:06.690 --> 00:08:08.970 actually, we just posted the other day or actually yesterday 139 00:08:09.270 --> 00:08:15.660 with Ali Youssef, who is the person in charge of medical 140 00:08:15.660 --> 00:08:20.400 devices at Henry Ford Health System in Michigan. And, you 141 00:08:20.400 --> 00:08:22.560 know, OT is one of the things that keeps them up at night, you 142 00:08:22.560 --> 00:08:24.960 know, besides the medical devices, which you know, are 143 00:08:24.960 --> 00:08:29.220 getting, you know, fortunately more attention, but, you know, 144 00:08:29.250 --> 00:08:32.760 HVAC systems, lighting systems, all these critical systems that 145 00:08:32.760 --> 00:08:36.690 are OT that, you know, doctors depend on in the operating room. 146 00:08:36.720 --> 00:08:39.360 Everything has to be a perfect sort of temperature for 147 00:08:39.360 --> 00:08:42.180 patients. And, you know, these things are safety issues as 148 00:08:42.180 --> 00:08:43.830 well, you know, especially in health care. 149 00:08:44.440 --> 00:08:48.250 Tom Field: They are, in fact, it was an obvious loss in the room 150 00:08:48.250 --> 00:08:50.980 that we didn't have anybody in there participating from 151 00:08:50.980 --> 00:08:52.330 healthcare. 
So I would have loved to have had that 152 00:08:52.330 --> 00:08:54.640 perspective. We talked about it within the group but didn't have 153 00:08:54.640 --> 00:09:00.460 anyone there representing. So it just a huge issue that doesn't 154 00:09:00.460 --> 00:09:03.250 get nearly enough attention when we're talking about generative 155 00:09:03.250 --> 00:09:08.650 AI in it and other things. OT is one that I mean, Colonial 156 00:09:08.650 --> 00:09:12.250 Pipeline, should have been a warning, couple years back. OT 157 00:09:12.250 --> 00:09:14.620 is one we've got to pay a lot more attention to just in 158 00:09:14.620 --> 00:09:16.060 regards to critical infrastructure. 159 00:09:17.920 --> 00:09:20.830 Anna Delaney: Well-said! Well, Marianne, the FDA has recently 160 00:09:20.830 --> 00:09:23.920 issued final guidance on how medical device makers should 161 00:09:23.920 --> 00:09:27.070 address cybersecurity in their products. So can you provide an 162 00:09:27.070 --> 00:09:30.970 overview of the guidelines and why they are considered crucial 163 00:09:31.000 --> 00:09:32.050 for the healthcare sector? 164 00:09:32.680 --> 00:09:36.610 Sure! Well yeah, as you say, the FDA issued this final guidance 165 00:09:36.610 --> 00:09:39.940 this week pertaining to the cybersecurity of pre-market 166 00:09:39.940 --> 00:09:44.140 medical devices. And the guidance finalizes draft 167 00:09:44.140 --> 00:09:50.110 guidance that the FDA issued in April of 2022. And this new 168 00:09:50.110 --> 00:09:54.460 guidance also replaces earlier medical device cybersecurity 169 00:09:54.460 --> 00:09:58.570 guidance for pre-market products that the FDA issued almost a 170 00:09:58.570 --> 00:10:04.540 decade ago in October of 2014. 
And as we all know, you know a 171 00:10:04.540 --> 00:10:07.660 lot has changed on the cyberthreat landscape over the 172 00:10:07.660 --> 00:10:12.040 last 10 years since that first guidance was issued, including 173 00:10:12.040 --> 00:10:15.160 the surge of ransomware and other hacking incidents that 174 00:10:15.160 --> 00:10:18.400 could affect the safety and security of connected medical 175 00:10:18.400 --> 00:10:24.610 devices. This new guidance from the FDA also comes as the FDA is 176 00:10:24.610 --> 00:10:28.690 sort of officially kicking off its new Refuse to Accept Policy 177 00:10:28.900 --> 00:10:33.400 for pre-market medical devices and their cybersecurity. Under 178 00:10:33.400 --> 00:10:37.720 this new Refuse to Accept Policy, which again kicks in on 179 00:10:37.720 --> 00:10:42.460 October 1, the FDA says it will immediately reject a 180 00:10:42.460 --> 00:10:47.260 manufacturer's pre-market medical device submission if it lacks 181 00:10:47.290 --> 00:10:52.300 newly required cybersecurity details that the makers now have 182 00:10:52.300 --> 00:10:56.650 to submit as part of their application to the FDA for 183 00:10:56.650 --> 00:11:01.030 approval for these products. Those details include a vendor's 184 00:11:01.030 --> 00:11:04.990 plan to address post-market vulnerabilities, a method for 185 00:11:04.990 --> 00:11:09.520 coordinated disclosures of exploits, and a software bill of 186 00:11:09.520 --> 00:11:12.970 materials that includes commercial, open-source and 187 00:11:13.000 --> 00:11:17.020 off-the-shelf software components. Now, the FDA's 188 00:11:17.020 --> 00:11:21.370 Refuse to Accept Policy has existed for many years for 189 00:11:21.370 --> 00:11:25.690 various other medical device products. But the policy 190 00:11:25.690 --> 00:11:29.260 previously did not apply to the cybersecurity of medical 191 00:11:29.260 --> 00:11:35.140 devices. 
The policy for medical devices actually went into 192 00:11:35.140 --> 00:11:40.180 effect on March 29. But the FDA essentially gave sort of a grace 193 00:11:40.180 --> 00:11:45.220 period for device makers to prepare for the October 1 date 194 00:11:45.220 --> 00:11:49.000 when it said it would begin rejecting submissions that lack 195 00:11:49.030 --> 00:11:55.000 cyber details. Now, the FDA was granted this enhanced authority 196 00:11:55.000 --> 00:11:57.580 over medical device cybersecurity by the U.S. 197 00:11:57.580 --> 00:12:01.810 Congress as part of an omnibus funding bill that was signed 198 00:12:01.810 --> 00:12:06.370 into law last December by President Biden. Meanwhile, the 199 00:12:06.370 --> 00:12:10.750 recommendations in the new FDA guidance are just that: they're 200 00:12:10.750 --> 00:12:14.740 nonbinding suggestions for how medical device makers should 201 00:12:14.770 --> 00:12:18.670 approach cybersecurity in their products. But regardless of 202 00:12:18.670 --> 00:12:23.350 whether a device maker follows the FDA recommendations or takes 203 00:12:23.350 --> 00:12:27.430 other approaches, the vendor must still provide those cyber 204 00:12:27.430 --> 00:12:31.240 details to the FDA as part of the agency's review process. 205 00:12:32.020 --> 00:12:35.440 Now, some of the experts I spoke to this week about the guidance 206 00:12:35.440 --> 00:12:40.210 and this new policy going into effect, including Phil Englert 207 00:12:40.240 --> 00:12:44.110 who heads medical device cyber issues for the Health 208 00:12:44.110 --> 00:12:48.250 Information Sharing and Analysis Center, said that it'll take a 209 00:12:48.250 --> 00:12:51.850 while for the healthcare delivery organizations that use 210 00:12:51.850 --> 00:12:55.480 these products to see an impact of these new requirements. 
211 00:12:55.900 --> 00:13:00.280 Englert tells me that healthcare organizations in the near term 212 00:13:00.400 --> 00:13:04.420 should not read too much into that Refuse to Accept Policy. He 213 00:13:04.420 --> 00:13:08.500 says it's mostly a screening process for the FDA to more 214 00:13:08.500 --> 00:13:13.360 effectively use their own staff resources, and time to evaluate 215 00:13:13.360 --> 00:13:17.860 complete submissions from medical device makers. He also 216 00:13:17.860 --> 00:13:21.340 said that the review process is not really a qualitative 217 00:13:21.370 --> 00:13:24.790 assessment of the adequacy of the submissions involving 218 00:13:24.790 --> 00:13:28.450 cybersecurity controls that are applied to the devices. But 219 00:13:28.450 --> 00:13:31.750 nonetheless, in the long run, healthcare organizations can 220 00:13:31.750 --> 00:13:35.380 leverage the fact that medical device manufacturers have 221 00:13:35.380 --> 00:13:39.520 produced cybersecurity artifacts for their submissions to the 222 00:13:39.520 --> 00:13:43.900 FDA. And these documents should be helpful in healthcare 223 00:13:43.900 --> 00:13:47.170 organizations understanding the cybersecurity profile of a 224 00:13:47.170 --> 00:13:52.360 device, and its cybersecurity lifecycle requirements. Englert 225 00:13:52.360 --> 00:13:56.950 also says that this information should be helpful to medical 226 00:13:56.950 --> 00:14:01.480 device users to deal with the various cybersecurity aspects of 227 00:14:01.480 --> 00:14:05.620 the technologies as they look for ways to provide better and 228 00:14:05.620 --> 00:14:08.110 safer ways to care for patients. 
229 00:14:09.190 --> 00:14:12.760 Just thinking about smaller or say less established medical 230 00:14:12.760 --> 00:14:16.330 device manufacturers, are there any considerations or even 231 00:14:16.330 --> 00:14:18.910 specific challenges that they should keep in mind when 232 00:14:18.910 --> 00:14:21.460 implementing these cybersecurity measures, accordingly? 233 00:14:21.910 --> 00:14:23.950 Yeah, that's a good point. Because, you know, when I talk 234 00:14:23.950 --> 00:14:28.240 to people about these policies and the guidance, and FDA has 235 00:14:28.240 --> 00:14:31.480 been talking a lot about like software bill of materials and 236 00:14:31.480 --> 00:14:35.050 things like that, you know, even prior to this Refuse to Accept 237 00:14:35.050 --> 00:14:39.220 Policy prior to this new guidance, and some of the more 238 00:14:39.280 --> 00:14:41.620 established medical device makers have been, you know, 239 00:14:41.620 --> 00:14:45.760 taking this to heart but as you say, some of the smaller, maybe 240 00:14:45.760 --> 00:14:50.950 more sort of specialized companies, if they've got an 241 00:14:50.950 --> 00:14:53.380 advantage and then they've got a disadvantage. Their advantage is 242 00:14:53.380 --> 00:14:55.540 that they're newer, you know, they probably are more well 243 00:14:55.540 --> 00:14:59.350 aware of some of these issues that the legacy medical device 244 00:14:59.350 --> 00:15:03.220 makers have kind of ignored for years. But if they're a smaller 245 00:15:03.220 --> 00:15:05.830 company, they might have less resources to sort of, you know, 246 00:15:05.830 --> 00:15:09.130 dedicate to some of the cybersecurity issues that the 247 00:15:09.130 --> 00:15:13.210 FDA is concerned about. So we will have to see what happens, 248 00:15:13.240 --> 00:15:16.030 you know, again, it could take years sometimes for these 249 00:15:16.030 --> 00:15:18.460 medical device products to get approval. 
You know, they have a 250 00:15:18.460 --> 00:15:21.460 lot of other things they have to show, you know, how effective is 251 00:15:21.460 --> 00:15:25.990 it and is it dangerous for using with patients, all sorts of 252 00:15:25.990 --> 00:15:28.870 things. And, you know, the cybersecurity aspect is just 253 00:15:28.900 --> 00:15:33.400 now, a small but formal part of that whole process. 254 00:15:34.330 --> 00:15:37.570 Yeah, just quickly, Marianne, you mentioned that the FDA's 255 00:15:37.570 --> 00:15:42.460 enhanced authority granted by Congress. What change has this 256 00:15:42.460 --> 00:15:46.150 introduced? I mean, how's this change impacted the FDA's role 257 00:15:46.540 --> 00:15:49.180 in regulating cybersecurity and medical devices? 258 00:15:49.210 --> 00:15:51.760 Well, again, you know, like, going back to the guidance, 259 00:15:52.000 --> 00:15:56.620 these are recommendations are not required. But now, you know, 260 00:15:56.620 --> 00:15:59.410 it's not just up to the manufacturer, if they want to 261 00:15:59.710 --> 00:16:02.800 ... let's focus more on cybersecurity. What Congress 262 00:16:02.800 --> 00:16:09.790 did, basically, was amended the Federal Food, Drug and Cosmetic 263 00:16:09.790 --> 00:16:13.240 Act, I think I'm getting that right. Which added, you know, 264 00:16:13.240 --> 00:16:20.080 it's a long-term sort of, legal document that the FDA operates 265 00:16:20.080 --> 00:16:25.660 under and they edit or amendment in this formally to ensure that 266 00:16:25.690 --> 00:16:29.680 cybersecurity is addressed by medical device makers. So now 267 00:16:29.680 --> 00:16:32.200 it's, you know, part of law, so you got to do it. 268 00:16:33.760 --> 00:16:37.480 Very good. Well, progress, I think. Michael, it's been 269 00:16:37.480 --> 00:16:40.600 another crazy week in the cybersecurity marketplace. 
Cisco 270 00:16:40.600 --> 00:16:43.600 last week announced its intention to acquire Splunk for 271 00:16:43.600 --> 00:16:48.250 about $28 billion. Chunky amount! What do we know so far? 272 00:16:49.080 --> 00:16:50.430 Michael Novinson: Absolutely. And thank you for this 273 00:16:50.430 --> 00:16:53.910 opportunity, Anna. So the announcement somehow came as a 274 00:16:53.910 --> 00:16:56.610 surprise, even though it feels like it shouldn't have. So there 275 00:16:56.610 --> 00:17:00.090 was a lot of media reports about a Cisco-Splunk deal back in 276 00:17:00.090 --> 00:17:03.810 February of 2022. To that point, the Wall Street Journal reported 277 00:17:03.810 --> 00:17:05.430 it, the New York Times corroborated that there were 278 00:17:05.430 --> 00:17:08.610 talks. The acquisition at that point would have been north of 279 00:17:08.610 --> 00:17:13.170 $20 billion, then really radio silence for about 19 months. And 280 00:17:13.170 --> 00:17:16.500 then on 21st day of September, I don't know where $28 billion 281 00:17:16.770 --> 00:17:19.560 deal. So the first thing is that's kind of remarkable, 282 00:17:19.560 --> 00:17:23.370 because Splunk is worth 40%, more than it was in February 283 00:17:23.400 --> 00:17:26.130 2022, when the market was humming along. There aren't many 284 00:17:26.130 --> 00:17:29.430 companies who are 40% more valuable today than 19 months 285 00:17:29.430 --> 00:17:31.890 ago, other than maybe an early stage showed up like Wiz. So 286 00:17:32.220 --> 00:17:34.440 shows that they've done some work riding the ship there at 287 00:17:34.440 --> 00:17:38.670 Splunk. They got a new CEO Gary Steele in April of 2022. 
He was 288 00:17:38.670 --> 00:17:41.040 the founder and longtime CEO over at Proofpoint and his 289 00:17:41.310 --> 00:17:44.880 candor operations in order to help to continue that transition 290 00:17:44.880 --> 00:17:47.670 from licenses to subscription on-premises to cloud-based that 291 00:17:47.670 --> 00:17:50.790 they've been undertaking the past couple of years. And it's 292 00:17:50.790 --> 00:17:54.300 gotten them focused on moving into ancillary technology areas. 293 00:17:54.840 --> 00:17:58.470 So this is an enormous feat for Cisco. And it's really, really 294 00:17:58.470 --> 00:18:01.500 different than most of the M&A activity we see from 295 00:18:01.500 --> 00:18:04.440 cybersecurity vendors. If you were to look at how 296 00:18:04.530 --> 00:18:06.840 UltraNetworks or CrowdStrike that they really love going 297 00:18:06.840 --> 00:18:10.020 after these early stage startups and adjacent technology 298 00:18:10.020 --> 00:18:14.010 categories. So browser isolation, enterprise browsers, 299 00:18:14.010 --> 00:18:16.560 application security posture management, data security 300 00:18:16.560 --> 00:18:19.380 posture management. The idea is they take these early stage 301 00:18:19.380 --> 00:18:21.840 companies, and then they essentially take the technology 302 00:18:21.840 --> 00:18:24.600 and consolidate into their existing customer base and use 303 00:18:24.600 --> 00:18:29.940 their Salesforce to take this promising technology global. The 304 00:18:29.940 --> 00:18:32.520 start was Cisco's very different one. Everybody's heard of SIEM, 305 00:18:32.520 --> 00:18:37.050 it's been around for a couple of decades. And yeah, it's really 306 00:18:37.080 --> 00:18:40.530 an effort to try to bring together security operations 307 00:18:40.950 --> 00:18:43.950 with everything that Cisco does already from their network 308 00:18:43.950 --> 00:18:47.910 firewalls to their work and identity and authentication. 
And 309 00:18:47.910 --> 00:18:50.130 then in particular, to the investments that they've made 310 00:18:50.130 --> 00:18:53.640 recently around extended detection and response, XDR. 311 00:18:53.640 --> 00:18:57.810 They rolled out a brand new XDR offering, generally available at 312 00:18:57.810 --> 00:19:01.290 the start of August of this year. They really want to align 313 00:19:01.290 --> 00:19:05.070 that XDR piece that they have with the SIEM capability that 314 00:19:05.070 --> 00:19:09.750 Splunk had for a couple of decades. So really two notable 315 00:19:09.750 --> 00:19:13.260 bets here. So the first is that enterprise organizations are 316 00:19:13.260 --> 00:19:16.470 going to be interested in consuming both XDR and SIEM 317 00:19:16.830 --> 00:19:19.830 rather than using one or the other. And certainly we've seen 318 00:19:19.830 --> 00:19:23.310 a lot of XDR vendors position themselves as a SIEM replacement 319 00:19:23.310 --> 00:19:27.120 saying that SIEM is clunky and really expensive and all of 320 00:19:27.120 --> 00:19:31.200 that. But Cisco is betting that SIEM is not going anywhere that 321 00:19:31.200 --> 00:19:36.930 at least in the large enterprise that the robustness of SIEM - 322 00:19:36.930 --> 00:19:40.170 the ability for it to be customized and to handle large 323 00:19:40.170 --> 00:19:42.810 volumes of data that XDR can't replace that that yes, that's 324 00:19:42.870 --> 00:19:46.170 XDR is likely in the next year is flexible. But if you have 325 00:19:46.170 --> 00:19:48.780 highly customized, highly specific needs that XDR isn't 326 00:19:48.780 --> 00:19:52.800 sufficient to address those. So in that way Cisco's making a 327 00:19:52.800 --> 00:19:55.560 really big bet that SIEM is going to be around for a long 328 00:19:55.560 --> 00:19:59.400 time or else why buy a SIEM vendor? 
And then secondly, that 329 00:19:59.400 --> 00:20:00.840 they're making a bet that they're going to be able to 330 00:20:00.840 --> 00:20:03.900 bring all of this together. And this is really hard to do. I 331 00:20:03.900 --> 00:20:07.680 know I had spoken to Allie Mellen over at Forrester. And 332 00:20:07.680 --> 00:20:10.710 she had put out a separate piece saying the Cisco-Splunk deal is 333 00:20:10.710 --> 00:20:13.740 good for Cisco. But is it good for Splunk customers? And 334 00:20:13.740 --> 00:20:15.990 certainly there's a fair amount of concern in the Splunk 335 00:20:15.990 --> 00:20:19.110 customer base, given Cisco's track record with major 336 00:20:19.110 --> 00:20:22.170 acquisitions in the past, the perception that Cisco is where 337 00:20:22.170 --> 00:20:25.290 innovation goes to die or a perception that Cisco is really 338 00:20:25.290 --> 00:20:28.560 a hardware vendor, given their heritage in the network 339 00:20:28.560 --> 00:20:30.960 firewall, and routers and switches, and what do they 340 00:20:30.960 --> 00:20:34.020 really know about software? So I think there's going to be a lot 341 00:20:34.020 --> 00:20:37.620 of negative perceptions to overcome on Cisco and reassuring 342 00:20:37.620 --> 00:20:39.690 Splunk customers, I think something a lot of people are 343 00:20:39.690 --> 00:20:42.300 watching for is - is Splunk going to be allowed to run 344 00:20:42.300 --> 00:20:45.450 independently? Will it just be a separate operating division 345 00:20:45.450 --> 00:20:47.790 within Cisco the way that really a rubra run separately of 346 00:20:47.790 --> 00:20:51.120 Hewlett Packard Enterprise is not going to happen? And if so, 347 00:20:51.330 --> 00:20:54.090 how can they make Splunk more profitable because it's losing 348 00:20:54.090 --> 00:20:57.270 money now, and that's something investors want to see. 
And then 349 00:20:57.270 --> 00:20:59.610 yeah, there's SIEM marketplace, finally, here, it's just getting 350 00:20:59.610 --> 00:21:03.180 really competitive that and I mean, you have to start with 351 00:21:03.180 --> 00:21:06.720 Azure Sentinel, that was only introduced in 2019, it was the 352 00:21:06.720 --> 00:21:09.690 highest rated SIEM offering by Gartner just three years later, 353 00:21:09.690 --> 00:21:12.600 which is remarkable. And they're certainly smiling blood in the 354 00:21:12.600 --> 00:21:15.660 water here with all these Splunk customers. Are looking to 355 00:21:15.660 --> 00:21:18.780 switch? They probably already use Microsoft OS. So there's 356 00:21:18.780 --> 00:21:23.190 some synergy there. So that and then obviously, you also have 357 00:21:23.280 --> 00:21:26.910 Chronicle from Google, which may see an opportunity to try to 358 00:21:27.090 --> 00:21:29.820 poach lung customers, plus all of these pureplay security 359 00:21:29.820 --> 00:21:33.270 operations vendors who can promise dedication and focus 360 00:21:33.270 --> 00:21:35.790 that may be Splunk seem to get lost in the messiness part of 361 00:21:35.790 --> 00:21:40.590 Cisco. So there's going to be a lot of displacement, or 362 00:21:40.590 --> 00:21:43.320 acquisition that they are taking a year and a close. So their 363 00:21:43.320 --> 00:21:45.900 competitors have a lot of time to stir up fear, uncertainty and 364 00:21:45.900 --> 00:21:49.590 doubt. There's a question of really how much Cisco can say 365 00:21:49.620 --> 00:21:51.480 because there's always antitrust concerns. The Biden's 366 00:21:51.480 --> 00:21:53.550 administration's been much stricter on antitrust than 367 00:21:53.550 --> 00:21:56.640 nearly scuttled Thoma Bravo's acquisition of ForgeRock on 368 00:21:56.640 --> 00:21:59.850 antitrust grounds. 
So I don't really know how public Cisco or 369 00:21:59.850 --> 00:22:01.710 Splunk are going to be in talking about this acquisition 370 00:22:01.710 --> 00:22:06.330 until close. So there's going to be a lot to digest here, and 371 00:22:07.410 --> 00:22:11.460 really a sense of are Splunk customers confident that there's 372 00:22:11.460 --> 00:22:15.480 going to continue to be a lot of innovation in the technology, as 373 00:22:15.480 --> 00:22:16.260 part of Cisco. 374 00:22:17.140 --> 00:22:20.650 Given them this significant investment in Splunk by Cisco, 375 00:22:20.680 --> 00:22:24.400 how might this acquisition impact the overall cybersecurity 376 00:22:24.400 --> 00:22:27.370 market? You said that we might have a year or a few months of 377 00:22:27.400 --> 00:23:48.220 FUD? But what are the thoughts? 378 00:22:30.500 --> 00:22:33.696 Yeah, so there's always this talk, are we going to see this 379 00:22:33.751 --> 00:22:37.002 wave of consolidation, and this is meaningful consolidation, 380 00:22:37.056 --> 00:22:39.982 because you have the almost certainly the market share 381 00:22:40.036 --> 00:22:43.342 leader in security operations, it's them coming together with 382 00:22:43.396 --> 00:22:46.539 one of the top two or three market share leaders in network 383 00:22:46.593 --> 00:22:49.898 security technology. So are we going to see other folks doing 384 00:22:49.952 --> 00:22:53.366 this, there's still, there still are questions that I think I'm 385 00:22:53.420 --> 00:22:56.563 in kind of a pessimist by nature. So everybody's said this 386 00:22:56.617 --> 00:22:59.760 is what, consolidation is going to happen. And I mean, the 387 00:22:59.814 --> 00:23:03.282 interest rates are really high, the era of free money is over. 
And 388 00:23:03.336 --> 00:23:06.696 it's going to be a question of who has deep enough pocketbooks 389 00:23:06.750 --> 00:23:09.730 to do this with the cash on hand, because nobody really 390 00:23:09.785 --> 00:23:12.927 wants to borrow money right now. So could Microsoft, could 391 00:23:12.982 --> 00:23:16.341 Google, could IBM, could Oracle, could AWS make a multibillion 392 00:23:16.395 --> 00:23:19.646 dollar security acquisition? Absolutely, they have the money 393 00:23:19.701 --> 00:23:22.681 on hand. But for ... and obviously private equity firms 394 00:23:22.735 --> 00:23:25.986 do as well. But in terms of other companies, in terms of the 395 00:23:26.040 --> 00:23:29.346 pure plays the Palos, and the CrowdStrikes, and the Zscalers, 396 00:23:29.400 --> 00:23:32.380 nobody really wants to borrow money right now. It's too 397 00:23:32.434 --> 00:23:35.252 expensive, investors would hammer you for it. In the 398 00:23:35.306 --> 00:23:38.395 market, I mean, Okta never recovered from the money spent 399 00:23:38.449 --> 00:23:41.755 Auth0, back in 2021. So maybe some of the deep pocketed folks 400 00:23:41.809 --> 00:23:44.843 will make some big bets in cyber. But I think the market 401 00:23:44.897 --> 00:23:48.419 environment makes it tough. So I think to me, this is going to be 402 00:23:48.474 --> 00:23:51.400 an exception, I think we're going to see more of those 403 00:23:51.454 --> 00:23:54.488 Series A, Series B type acquisitions for in the ballpark 404 00:23:54.542 --> 00:23:57.956 of a half a billion, quarter of a billion because I think those 405 00:23:58.010 --> 00:24:01.153 are easier to digest. And I think there's at least the big 406 00:24:01.207 --> 00:24:04.730 security players have the money on hand to easily pull those off. 407 00:24:04.000 --> 00:24:07.030 Anna Delaney: Very good. Excellent insight. Thank you, 408 00:24:07.030 --> 00:24:10.780 Michael. 
And finally, and just for fun, if you could interview 409 00:24:10.780 --> 00:24:14.170 an AI-powered chatbot that had access to the world's most 410 00:24:14.200 --> 00:24:17.080 classified cybersecurity secrets, what's the first 411 00:24:17.080 --> 00:24:18.460 question you'd ask it? 412 00:24:19.960 --> 00:24:25.000 Who shot JFK? I'm kidding. For me, I would be, you know, 413 00:24:25.000 --> 00:24:28.360 looking for some juicy healthcare breaches that I don't 414 00:24:28.360 --> 00:24:29.020 know about. 415 00:24:30.850 --> 00:24:33.220 Tom Field: I'd start with what is Vladimir Putin's password. 416 00:24:34.060 --> 00:24:35.050 Might open some doors. 417 00:24:37.760 --> 00:24:39.260 Michael Novinson: I was just thinking about all the smart 418 00:24:39.260 --> 00:24:43.130 devices, the Nest and the Ring, and all of those and the 419 00:24:43.130 --> 00:24:45.350 features, and how much do they really know about us? How much 420 00:24:45.350 --> 00:24:47.420 are they are listening into the conversations and who are they 421 00:24:47.420 --> 00:24:48.680 feeding that information to? 422 00:24:50.660 --> 00:24:52.340 Tom Field: You suddenly start getting ads for penguins, won't 423 00:24:52.340 --> 00:24:52.490 you? 424 00:24:52.540 --> 00:24:57.070 Anna Delaney: Yes. I'm going to have to ask them, you know, what 425 00:24:57.070 --> 00:25:00.040 are the top threats that they think organizations and 426 00:25:00.040 --> 00:25:04.240 governments should be focused on and let's compare. Are they 427 00:25:04.240 --> 00:25:06.550 similar to the ones we're actually focusing on our sites? 428 00:25:07.990 --> 00:25:09.790 An interesting question. So these are great! 429 00:25:09.820 --> 00:25:11.110 Tom Field: Putin's password would help you too. 430 00:25:14.260 --> 00:25:16.990 Anna Delaney: Well, thank you very much, Michael, Marianne, 431 00:25:17.020 --> 00:25:19.360 Tom. It's been a pleasure and as always great fun. 
432 00:25:20.050 --> 00:25:21.070 Michael Novinson: Thanks for speaking with us. 433 00:25:22.060 --> 00:25:22.600 Tom Field: Until next time! 434 00:25:23.710 --> 00:25:25.480 Anna Delaney: Thanks so much for watching. Until next time!