WEBVTT 1 00:00:07.260 --> 00:00:09.900 Anna Delaney: Hello and welcome to the ISMG Editors' Panel. I'm 2 00:00:09.900 --> 00:00:13.050 Anna Delaney. Today, we'll discuss the evolving disclosure 3 00:00:13.050 --> 00:00:16.320 responsibilities of CISOs, yet another ransomware attack 4 00:00:16.320 --> 00:00:19.890 targeting the healthcare sector and Mimecast's latest strategic 5 00:00:19.890 --> 00:00:22.710 acquisition as part of its broader expansion efforts. 6 00:00:22.980 --> 00:00:26.670 Today's star panelists include - Tom Field, senior vice president 7 00:00:26.670 --> 00:00:30.420 of editorial; Marianne Kolbasuk McGee, executive editor for 8 00:00:30.420 --> 00:00:33.360 HealthcareInfoSecurity; and Michael Novinson, managing 9 00:00:33.360 --> 00:00:36.630 editor for ISMG business. Brilliant to see you all. 10 00:00:37.200 --> 00:00:37.680 Tom Field: And you. 11 00:00:37.950 --> 00:00:39.660 Michael Novinson: Good morning Anna. 12 00:00:40.260 --> 00:00:43.680 Anna Delaney: Good morning! So, Michael, you're with some 13 00:00:43.680 --> 00:00:45.210 company. Tell us about them. 14 00:00:45.930 --> 00:00:48.870 Michael Novinson: Yes I am. I'm coming to you from 100 acre farm 15 00:00:48.870 --> 00:00:52.410 in Swansea, Massachusetts. Every year in the summer, at least 16 00:00:52.410 --> 00:00:55.410 when the weather's nice, they do week or two of pick your own 17 00:00:55.410 --> 00:00:57.870 sunflowers. So, brought my daughter out there, got some 18 00:00:57.870 --> 00:01:01.200 sunflowers, got to hang out with the cows, got some homemade 19 00:01:01.200 --> 00:01:02.910 lemonade. A fun time. 20 00:01:02.000 --> 00:01:06.230 Anna Delaney: Very good. Marianne also has company. 21 00:01:07.680 --> 00:01:11.070 Marianne McGee: Actually, I picked this background for you 22 00:01:11.070 --> 00:01:14.010 Michael, because I know your daughter likes animals. This was 23 00:01:14.130 --> 00:01:17.730 taken down at the World Trade Center, what, during our 24 00:01:17.730 --> 00:01:21.660 conference a few weeks ago. They have a display of these bronze 25 00:01:21.930 --> 00:01:26.550 animals. And I, like I was telling Anna and Tom earlier, I 26 00:01:26.550 --> 00:01:30.060 didn't bother walking across the street to see what the display 27 00:01:30.060 --> 00:01:32.760 was about, but I was looking it up yesterday, and I think these 28 00:01:32.760 --> 00:01:39.450 are all endangered animals. So yeah, it was pretty cool. 29 00:01:40.380 --> 00:01:41.880 Anna Delaney: Tom, any animals where you are? 30 00:01:42.330 --> 00:01:44.040 Tom Field: You can't see them, but there are a lot of fish in 31 00:01:44.040 --> 00:01:47.970 the water beneath me here. And this is from the dock at my 32 00:01:48.150 --> 00:01:51.240 summer camp in Maine, Central Maine; great place to get away 33 00:01:51.240 --> 00:01:53.820 from cybersecurity on the weekends and the occasional day 34 00:01:53.820 --> 00:01:54.120 off. 35 00:01:54.600 --> 00:01:57.270 Anna Delaney: Very good. It's beautiful. I've also got an 36 00:01:57.270 --> 00:02:01.410 animal here. I've got an elephant. So, there you go. 37 00:02:01.440 --> 00:02:02.550 There's a theme this week. 38 00:02:03.270 --> 00:02:04.050 Tom Field: If you're aware Anna. 39 00:02:05.430 --> 00:02:08.401 Anna Delaney: Well, it was taken last week in the courtyard of 40 00:02:08.463 --> 00:02:11.991 the Royal Academy of Arts in London, founded in 1768. So, 41 00:02:12.053 --> 00:02:15.767 it's been there a while. I am just enjoying the final summer 42 00:02:15.829 --> 00:02:19.295 days in the city. So Tom, last week, you shared some key 43 00:02:19.357 --> 00:02:22.452 takeaways from your conversations at the Black Hat 44 00:02:22.514 --> 00:02:26.105 conference, and this week, you're diving into one of those 45 00:02:26.166 --> 00:02:30.128 conversations in particular with Jennifer Lee on CISO disclosure 46 00:02:30.190 --> 00:02:31.800 obligations. Tell us more. 47 00:02:31.000 --> 00:02:34.300 Tom Field: Yeah boy, is there a hotter topic these days for our 48 00:02:34.300 --> 00:02:38.350 core audience, and she's a partner with Jenner & Block, a 49 00:02:38.350 --> 00:02:42.190 law firm that represents lots of these CISOs. And, you know, 50 00:02:42.190 --> 00:02:48.400 she's tight with the SEC lawsuit and the action going on in 51 00:02:48.400 --> 00:02:51.640 courts right now. And so, the discussion was all about, okay 52 00:02:51.640 --> 00:02:58.240 in today's environment, what is the CISO's disclosure obligation 53 00:02:58.270 --> 00:03:01.360 when it comes to cybersecurity? What do you put your name on? 54 00:03:01.360 --> 00:03:03.580 What do you have to agree to? What do you communicate to your 55 00:03:03.580 --> 00:03:07.510 partners as well as to your customers? So, lots to talk 56 00:03:07.510 --> 00:03:10.480 about there, and it's a terrific interview. Just got posted the 57 00:03:10.480 --> 00:03:15.070 other day. One of the points that I asked her about was, you 58 00:03:15.070 --> 00:03:20.170 know, what is the CISO's responsibility in signing off on 59 00:03:20.170 --> 00:03:23.890 the company's own cybersecurity statement. So, I want to share 60 00:03:23.890 --> 00:03:26.020 just an excerpt of this conversation with her. 61 00:03:26.000 --> 00:03:30.230 Jennifer Lee: I think they need to be cognizant that the SEC is 62 00:03:30.230 --> 00:03:34.100 going to be looking at CISOs as a subject matter expert, and so 63 00:03:34.100 --> 00:03:36.890 what CISOs need to do is have clarity on what is it that 64 00:03:36.890 --> 00:03:39.140 they're being asked to approve, what are they being asked to 65 00:03:39.140 --> 00:03:43.730 review? And they can no longer be passive. This is the time to 66 00:03:43.730 --> 00:03:46.400 be active and ask those questions. If you're a CISO and 67 00:03:46.400 --> 00:03:49.610 you're being ... if you're on an email, and you're CC'ed and 68 00:03:49.610 --> 00:03:52.100 there's some kind of cybersecurity statement that's 69 00:03:52.190 --> 00:03:55.310 attached in that email, now is your chance to say, "Are you 70 00:03:55.310 --> 00:03:58.970 asking me as a CISO to approve this for accuracy?" Because in 71 00:03:58.970 --> 00:04:01.370 the absence of anything to the contrary, the SEC is going to 72 00:04:01.370 --> 00:04:03.860 look at that email and say the CISO was responsible for that. 73 00:04:04.130 --> 00:04:05.810 Tom Field: Does that sound familiar to you at all Anna? 74 00:04:06.650 --> 00:04:07.400 Anna Delaney: Totally does. 75 00:04:07.730 --> 00:04:10.400 Tom Field: And I asked because so many times we've had the 76 00:04:10.400 --> 00:04:14.240 conversation with CISOs about them trying to get their 77 00:04:14.240 --> 00:04:17.720 business executives to sign off on the risk that they're 78 00:04:17.720 --> 00:04:20.600 accepting within the organization if they agree to or 79 00:04:20.600 --> 00:04:24.020 disagree with any cybersecurity recommendations. Tables have 80 00:04:24.020 --> 00:04:26.600 turned a bit now. Now, the CISO is the one that needs to make 81 00:04:26.600 --> 00:04:29.060 sure their name is on that security statement that's 82 00:04:29.060 --> 00:04:30.950 representing them in their organizations. 83 00:04:32.180 --> 00:04:34.460 Anna Delaney: And, how do you think this case might influence 84 00:04:34.490 --> 00:04:37.310 the relationship between CEOs and CISOs? 85 00:04:38.950 --> 00:04:42.310 Tom Field: Yes, and you know it's put CFOs in there as well. 86 00:04:42.460 --> 00:04:46.300 You know, it's still unknown whether the SolarWinds CFO could 87 00:04:46.300 --> 00:04:50.140 have some responsibility, or at least, you know, be taken to 88 00:04:50.140 --> 00:04:53.860 court over some potential responsibility. But it makes the 89 00:04:53.860 --> 00:04:58.240 CISO be a lot more reflective on what they're getting into, what 90 00:04:58.240 --> 00:05:02.170 they're taking on, what they are communicating to customers, to 91 00:05:02.170 --> 00:05:05.050 partners, and even over social media statements they might be 92 00:05:05.050 --> 00:05:07.960 making or when they're at their various conference appearances. 93 00:05:07.960 --> 00:05:11.920 Now, I will tell you one interesting piece of advice from 94 00:05:11.920 --> 00:05:17.380 Jennifer Lee to CISOs was - Do Not Get Your Own Counsel. You've 95 00:05:17.380 --> 00:05:20.320 got to be on board with your general counsel, and this is the 96 00:05:20.320 --> 00:05:23.140 time to make sure that you've got that relationship there and 97 00:05:23.140 --> 00:05:26.200 you're being represented as you need to be. Really what it comes 98 00:05:26.200 --> 00:05:28.930 down to is there are a lot more questions CISOs need to be 99 00:05:28.930 --> 00:05:34.300 asking before they accept these roles to understand ... kind of 100 00:05:34.300 --> 00:05:37.480 like a marriage. You want to understand the good and the bad 101 00:05:37.480 --> 00:05:40.600 in sickness and in health, and you better be getting a lot of 102 00:05:40.600 --> 00:05:41.950 these questions answered upfront. 103 00:05:42.310 --> 00:05:44.020 Anna Delaney: Lots of conversations being happening 104 00:05:44.020 --> 00:05:47.410 this year on this very topic. So, I think there's a lot more 105 00:05:47.440 --> 00:05:49.750 awareness coming through. 106 00:05:49.000 --> 00:05:52.330 Tom Field: And P.S., we couldn't bring up Joe Sullivan's name 107 00:05:52.330 --> 00:05:54.700 because she also works with Joe Sullivan, so couldn't ask her 108 00:05:54.700 --> 00:05:54.820 that. 109 00:05:57.630 --> 00:05:59.880 Anna Delaney: Very good. Well, I implore everybody to watch that 110 00:05:59.880 --> 00:06:03.930 interview, and many more. I know lots of the Black Hat, the DEF 111 00:06:03.930 --> 00:06:07.830 CON interviews that you took; you were in charge of Michael as 112 00:06:07.830 --> 00:06:10.260 well. So, lots of great content coming on our sites. 113 00:06:10.300 --> 00:06:12.040 Tom Field: Yeah, they're all coming up now. So, please stay 114 00:06:12.040 --> 00:06:12.400 tuned. 115 00:06:13.600 --> 00:06:16.660 Anna Delaney: Brilliant. Well, Marianne, another ransomware 116 00:06:16.660 --> 00:06:19.600 attack has struck the healthcare sector. This time impacting 117 00:06:19.690 --> 00:06:23.860 McLaren Health Care, which is facing extended IT disruptions 118 00:06:23.860 --> 00:06:26.980 after an attack earlier this month, forcing patients to bring 119 00:06:26.980 --> 00:06:30.760 paper records and causing delays and services. Tell us about this 120 00:06:30.760 --> 00:06:33.760 latest setback for McLaren, because I know it's not the 121 00:06:33.760 --> 00:06:34.660 first time, is it? 122 00:06:35.620 --> 00:06:38.860 Marianne McGee: No, it's not. And that's sort of what makes 123 00:06:38.860 --> 00:06:44.170 this interesting. As you said, McLaren Health Care in Michigan 124 00:06:44.170 --> 00:06:48.430 is still suffering an IT disruption from a cyberattack 125 00:06:48.430 --> 00:06:52.780 that was first detected earlier this month, and the organization 126 00:06:52.780 --> 00:06:57.220 says it'll take at least until the end of August before it 127 00:06:57.610 --> 00:07:02.110 expects it'll have full recovery of its IT systems, which include 128 00:07:02.110 --> 00:07:05.170 electronic medical records that have been down now for almost a 129 00:07:05.170 --> 00:07:10.660 month. In the meantime, McLaren says most of its 13 hospitals, 130 00:07:10.780 --> 00:07:15.400 dozens of cancer care centers, clinics and other facilities are 131 00:07:15.400 --> 00:07:20.560 open and operational. But again, because IT systems are down, 132 00:07:20.800 --> 00:07:24.940 patients need to expect delays, postponements and the 133 00:07:24.940 --> 00:07:29.230 workarounds that their clinical staff has to do. And that also 134 00:07:29.230 --> 00:07:32.620 means that patients, as you've mentioned, need to bring copies 135 00:07:32.650 --> 00:07:36.130 of their paper records if they have them, as well as empty 136 00:07:36.280 --> 00:07:40.690 medication bottles, you know, that sort of thing with them. So 137 00:07:40.900 --> 00:07:44.470 now, clinical staff who work at the organization tell me that 138 00:07:44.530 --> 00:07:48.940 nurses and other frontline workers are being stretched thin 139 00:07:48.970 --> 00:07:53.170 during this whole episode with heavy workloads that include 140 00:07:53.170 --> 00:07:57.850 manual charting and medication record keeping. Patient 141 00:07:57.850 --> 00:08:02.170 encounters are taking many times longer than usual because the 142 00:08:02.170 --> 00:08:07.270 EMRs and other critical IT systems are offline. One nurse 143 00:08:07.270 --> 00:08:11.890 told me that she and her fellow nurses are double and triple 144 00:08:11.890 --> 00:08:16.210 checking their patients' medications before they give 145 00:08:16.210 --> 00:08:20.590 them to the patients to ensure that the information is correct 146 00:08:20.590 --> 00:08:25.660 and to avoid potential patient safety mishaps. Now, of course, 147 00:08:25.660 --> 00:08:29.140 we've seen these kinds of long IT disruptions before at other 148 00:08:29.140 --> 00:08:33.460 large U.S. hospital systems like Ascension in June and 149 00:08:33.460 --> 00:08:39.010 CommonSpirit in 2022 and those incidents also involved 150 00:08:39.010 --> 00:08:42.820 ransomware. But, what stands out about McLaren, as you mentioned, 151 00:08:42.820 --> 00:08:46.180 is that this is the second ransomware attack on the 152 00:08:46.180 --> 00:08:50.950 organization within the last year. The first attack last year 153 00:08:50.950 --> 00:08:55.360 was allegedly carried out by ransomware group BlackCat, which 154 00:08:55.360 --> 00:08:59.050 claimed to have stolen sensitive information of 2.5 million 155 00:08:59.050 --> 00:09:02.650 individuals. And now, this latest attack supposedly was 156 00:09:02.650 --> 00:09:08.260 carried out by Inc. Ransom - another cybercrime group. Now, 157 00:09:08.290 --> 00:09:12.460 clinicians who worked at McLaren through both incidents say that 158 00:09:12.460 --> 00:09:15.490 this latest attack has been a lot more disruptive than the 159 00:09:15.490 --> 00:09:21.280 first attack. McLaren last week publicly confirmed that, yes, 160 00:09:21.280 --> 00:09:24.820 indeed, this incident does involve ransomware. But beyond 161 00:09:24.820 --> 00:09:28.570 that, the entity hasn't said much else about the attackers or 162 00:09:28.570 --> 00:09:33.190 whether it paid a ransom or details such as that, including 163 00:09:33.580 --> 00:09:38.260 the fact that McLaren is looking to see if patient data was 164 00:09:38.260 --> 00:09:42.310 compromised again. But, the fact that McLaren has fallen victim 165 00:09:42.310 --> 00:09:46.330 to an attack twice in one year raises a lot of questions, 166 00:09:46.330 --> 00:09:49.480 including whether or not all the vulnerabilities that were 167 00:09:49.480 --> 00:09:53.650 exploited by the attackers in the first incident were fully 168 00:09:53.650 --> 00:09:59.410 remediated. Last year, BlackCat attackers claimed that its black 169 00:09:59.410 --> 00:10:03.640 ... that its back door was still running on McLaren's network. 170 00:10:04.120 --> 00:10:07.810 Now, some security experts say that it is unfortunately 171 00:10:07.810 --> 00:10:11.170 becoming increasingly common for some organizations to fall 172 00:10:11.170 --> 00:10:16.450 victim to one threat group and then another. Raj Samani, who is 173 00:10:16.450 --> 00:10:21.040 the chief scientist at security firm Rapid7, told me that a key 174 00:10:21.040 --> 00:10:23.890 consideration will always be whether the vulnerabilities that 175 00:10:23.890 --> 00:10:28.120 allowed initial access were addressed. He also said that 176 00:10:28.120 --> 00:10:33.670 over the last 18 months, his firm has seen a trend for fluid 177 00:10:33.670 --> 00:10:36.850 activity between ransomware groups, including sharing of 178 00:10:36.850 --> 00:10:41.020 code and affiliates, moving freely from one group to 179 00:10:41.020 --> 00:10:45.460 another. So, all this means that organizations that are hit by 180 00:10:45.460 --> 00:10:49.300 ransomware attacks not only need to put in a lot of hard work to 181 00:10:49.300 --> 00:10:53.950 recover their IT systems and to deal with any data breaches but 182 00:10:53.950 --> 00:10:57.940 they really need to put that much effort into the aftermath, 183 00:10:58.150 --> 00:11:01.990 including ensuring that any security weaknesses that were 184 00:11:02.080 --> 00:11:07.060 exploited or actually fixed so that more attacks don't happen. 185 00:11:07.090 --> 00:11:09.880 We don't know if that's the case here, but you know, it's 186 00:11:09.880 --> 00:11:12.550 something that, you know, really needs to be looked at by these 187 00:11:12.550 --> 00:11:13.690 organizations. 188 00:11:13.990 --> 00:11:17.380 Anna Delaney: Marianne, how does this attack fit into the broader 189 00:11:17.380 --> 00:11:20.920 trend of ransomware targeting healthcare? And do you see any 190 00:11:21.070 --> 00:11:24.010 emerging patterns in how these attacks are evolving? 191 00:11:25.020 --> 00:11:28.050 Marianne McGee: Well, you know, if anything, this attack was a 192 00:11:28.050 --> 00:11:31.650 yet another reminder for the healthcare entities themselves 193 00:11:31.650 --> 00:11:35.310 that, you know, they are also targets. Because you know this 194 00:11:35.340 --> 00:11:38.640 list last year, you know, and I wouldn't say it's just this 195 00:11:38.640 --> 00:11:41.520 year, it's been sort of a trend. But, you know, the third-party 196 00:11:41.520 --> 00:11:45.900 attacks on the vendors, on software vendors, on IT services 197 00:11:45.900 --> 00:11:49.620 vendors, on supply chain partners has been a big focus, 198 00:11:49.800 --> 00:11:53.790 you know, and attacks on those critical third parties in the 199 00:11:53.790 --> 00:11:57.330 healthcare sector has, you know, a wide impact on many 200 00:11:57.330 --> 00:12:01.050 organizations. But, you know, these organizations need to 201 00:12:01.050 --> 00:12:04.440 realize, you know, again, they themselves are potential 202 00:12:04.440 --> 00:12:08.730 targets. And you know, if they've got vulnerabilities that 203 00:12:08.730 --> 00:12:13.230 have been identified during risk analysis, you know, and they 204 00:12:13.230 --> 00:12:15.510 haven't patched those or addressed those. That's a 205 00:12:15.510 --> 00:12:19.050 problem, and particularly if you've been hit once you really 206 00:12:19.050 --> 00:12:22.560 need to make sure that you're addressing whatever went wrong 207 00:12:22.590 --> 00:12:26.130 so that you know at least attackers won't use that again 208 00:12:26.160 --> 00:12:28.110 as another way to get into your systems. 209 00:12:28.500 --> 00:12:31.800 Anna Delaney: Thanks Marianne for that update. Michael, email 210 00:12:31.800 --> 00:12:35.430 security vendor Mimecast has added yet another acquisition to 211 00:12:35.430 --> 00:12:39.330 its string of recent purchases, acquiring the company Aware to 212 00:12:39.330 --> 00:12:42.720 enhance collaboration security. So, can you just explain this 213 00:12:42.720 --> 00:12:46.440 recent wave of acquisition activity and its impact on 214 00:12:46.440 --> 00:12:47.700 Mimecast's strategy? 215 00:12:48.650 --> 00:12:50.630 Michael Novinson: Of course, thank you for the opportunity 216 00:12:50.630 --> 00:12:53.480 here. Want to talk about this at two levels. First, I want to 217 00:12:53.480 --> 00:12:56.570 talk specifically about what's going on at Mimecast. Then, also 218 00:12:56.570 --> 00:12:58.910 want to talk about what's going on more broadly in the industry, 219 00:12:58.910 --> 00:13:03.230 and how Mimecast's activity fits into who we're seeing acquired 220 00:13:03.290 --> 00:13:08.360 and what the thought process is behind these acquisitions. So, 221 00:13:08.360 --> 00:13:10.700 as you had alluded to, Mimecast has made a string of 222 00:13:10.700 --> 00:13:13.670 acquisitions this year. They've made three acquisitions in the 223 00:13:13.670 --> 00:13:17.000 first, I guess, approaching eight months of the year here. 224 00:13:17.000 --> 00:13:20.120 So quickly, to talk you through those. They bought Elevate 225 00:13:20.120 --> 00:13:23.180 Security in January, which is focused on identifying high-risk 226 00:13:23.210 --> 00:13:28.490 users. In July, bought Code42 to expand their capabilities around 227 00:13:28.520 --> 00:13:32.330 insider risk and data security, and then Aware was the most 228 00:13:32.330 --> 00:13:35.780 recent acquisition focused on risk around collaboration 229 00:13:35.780 --> 00:13:39.860 platforms like Slack and Teams and Zoom. So, what's interesting 230 00:13:39.860 --> 00:13:43.160 about this is first, the company got a new CEO in January, right 231 00:13:43.160 --> 00:13:45.440 before doing the string of acquisitions. They had been 232 00:13:45.740 --> 00:13:49.400 Mimecast for about 20 years, had been run by Peter Bauer, who is 233 00:13:49.400 --> 00:13:53.690 their founder, and he decided to step back. He's still on the 234 00:13:53.690 --> 00:13:58.190 board, but decided to after 20 years, he's a little tired. So, 235 00:13:58.190 --> 00:14:02.060 they brought in Marc van Zadelhoff, who's had run Devo, 236 00:14:02.060 --> 00:14:05.060 which was a startup for a handful of years, and he jumped 237 00:14:05.060 --> 00:14:08.690 over to Mimecast. A bit unusual to see somebody jump from a CEO 238 00:14:08.690 --> 00:14:10.970 of a startup to CEO of a more established vendor like 239 00:14:10.970 --> 00:14:14.120 Mimecast. But, certainly had been more aggressive on the M&A 240 00:14:14.120 --> 00:14:17.540 front this year. And to put that M&A into context, I mean, it's 241 00:14:17.540 --> 00:14:21.350 the first M&A Mimecast had done since 2020. So, or about mid 242 00:14:21.350 --> 00:14:24.050 2020 was the last M&A. So, they went three and a half years 243 00:14:24.050 --> 00:14:26.960 without doing any M&A and then do three deals in seven months. 244 00:14:27.320 --> 00:14:32.660 So, it's interesting to me why that's happening. And during 245 00:14:32.660 --> 00:14:37.820 that dry spell in M&A, the company changed hands. So, 246 00:14:38.090 --> 00:14:40.550 Mimecast was publicly traded for a number of years. Permira 247 00:14:40.580 --> 00:14:44.930 private equity firm bought them for $5.3 billion that closed in 248 00:14:44.930 --> 00:14:48.710 the spring of 2022, kind of just before the economic downturn 249 00:14:48.710 --> 00:14:53.210 happened. So yeah, a couple of things going on. One more on the 250 00:14:53.210 --> 00:14:56.180 technology side. One more on the economic side. I do want to get 251 00:14:56.180 --> 00:14:58.850 into each of them here. Some of ... from a technology 252 00:14:58.850 --> 00:15:01.820 standpoint, there's been this push to broaden the platforms 253 00:15:02.120 --> 00:15:04.970 that you had a couple of these legacy secure email gateway 254 00:15:04.970 --> 00:15:08.480 vendors - Mimecast, Proofpoint, notably. And I think Proofpoint 255 00:15:08.480 --> 00:15:11.720 is almost certainly is more aggressive in terms of trying to 256 00:15:11.720 --> 00:15:15.230 broaden beyond email security. They've made a number of 257 00:15:15.230 --> 00:15:18.440 acquisitions over the years in areas like deception technology, 258 00:15:18.440 --> 00:15:22.730 and in particular, have focused on data security and it's built 259 00:15:22.730 --> 00:15:27.830 out a pretty extensive DLP business, one that rivals 260 00:15:27.830 --> 00:15:30.890 the size of what Symantec or Forcepoint or what Digital 261 00:15:30.890 --> 00:15:34.610 Guardian have. So, that has been a big area of investment. And 262 00:15:34.610 --> 00:15:37.760 essentially, you see this as well with newer entrants into 263 00:15:37.760 --> 00:15:40.130 this space, like abnormal security, which has a bit of a 264 00:15:40.130 --> 00:15:42.740 different approach. It's more of this, what's called CAPES, or 265 00:15:42.770 --> 00:15:46.760 cloud-based API email security. There's not a ... it's not a 266 00:15:46.760 --> 00:15:51.110 gateway. There's no gateway technology. But, you've seen 267 00:15:51.890 --> 00:15:54.890 Abnormal do the same thing that they really started by on email 268 00:15:54.890 --> 00:15:57.890 and then are trying to focus more on human risk management, 269 00:15:57.890 --> 00:16:01.310 or human risk behavior, which is a branding we've seen Proofpoint 270 00:16:01.310 --> 00:16:03.560 do, and now we're seeing Mimecast really rebranding 271 00:16:03.560 --> 00:16:06.800 themselves as a human risk management provider. I think, 272 00:16:06.800 --> 00:16:10.670 with the idea that if there's going to be that, especially 273 00:16:10.670 --> 00:16:12.770 with this talk about platformization and all these 274 00:16:12.770 --> 00:16:16.550 emerging technologies, that the idea of getting just email 275 00:16:16.550 --> 00:16:19.220 security from a vendor isn't going to be as appealing. But, 276 00:16:19.220 --> 00:16:22.430 if you're able to more broadly address human risk, you're able 277 00:16:22.430 --> 00:16:26.570 to do security awareness training, you're able to also 278 00:16:26.600 --> 00:16:31.490 focus on safeguarding data and collaboration tools, in addition 279 00:16:31.490 --> 00:16:35.990 to email. That if you can address more needs that if a 280 00:16:35.990 --> 00:16:39.260 company is focused on really trying to consolidate around 281 00:16:39.260 --> 00:16:42.140 whatever 6-8 platforms that maybe there is a space for a 282 00:16:42.140 --> 00:16:45.440 human risk management platform. So, we're certainly seeing that 283 00:16:45.440 --> 00:16:48.620 move from a technology standpoint. And certainly all of 284 00:16:48.620 --> 00:16:51.500 these, the three acquisitions Mimecast have done, have all 285 00:16:51.500 --> 00:16:56.180 been kind of outside of that core email piece. And also 286 00:16:56.180 --> 00:16:59.810 you're just facing. As well you've seen some of the broader 287 00:16:59.810 --> 00:17:02.660 platform players get into email security recently. Notably, you 288 00:17:02.660 --> 00:17:05.990 had Checkpoint buying Avanan couple years back and then 289 00:17:06.590 --> 00:17:10.370 Cloudflare buying Area 1. So you have ... if customers are 290 00:17:10.370 --> 00:17:13.040 looking for this cloud-based API email security, they can also 291 00:17:13.040 --> 00:17:16.160 get it from a broader technology platform as well. So, I think 292 00:17:16.460 --> 00:17:19.340 certainly try and move by Mimecast, perhaps a bit later 293 00:17:19.340 --> 00:17:22.700 than Proofpoint, to expand their total addressable market. So, 294 00:17:22.700 --> 00:17:24.770 that's point number one. Point number two is really what's 295 00:17:24.770 --> 00:17:27.830 going on economically here, which is that you've just had a 296 00:17:27.830 --> 00:17:30.890 lot of companies hit a dead end, and these were especially those 297 00:17:30.890 --> 00:17:34.580 companies that were kind of mid- to late-stage startups that had 298 00:17:34.580 --> 00:17:39.410 reached at least Series C, and there just really isn't much of 299 00:17:39.410 --> 00:17:43.010 a way for them to exit that the public markets now you need $500 300 00:17:43.010 --> 00:17:46.310 million in annual occurring revenue to be a viable candidate 301 00:17:46.310 --> 00:17:49.700 to go public. Similarly, private equity, because they need to 302 00:17:49.700 --> 00:17:51.470 figure out how they're going to exit their investments, are 303 00:17:51.470 --> 00:17:54.920 looking for bigger companies. You see Thoma Bravo, who's 304 00:17:54.920 --> 00:17:57.440 certainly probably the most active PE firm in this space, 305 00:17:57.800 --> 00:18:00.020 that they're really taking public companies private. That's 306 00:18:00.020 --> 00:18:02.510 been almost all their moves recently. And the types of 307 00:18:02.510 --> 00:18:05.120 companies that are getting acquired by PE are pretty large, 308 00:18:05.120 --> 00:18:09.230 and if they're not large enough today to go public, these PEs 309 00:18:09.230 --> 00:18:11.690 feeling is within a couple of years, they'll be large enough 310 00:18:11.690 --> 00:18:14.180 to go public. But then, you have this whole other contract 311 00:18:14.180 --> 00:18:18.860 companies; they often raise well north of $100 million but really 312 00:18:19.130 --> 00:18:23.120 have no reasonable, viable path to getting to that half a 313 00:18:23.120 --> 00:18:26.720 million ... half a billion in annual recurring revenue. So, 314 00:18:26.720 --> 00:18:28.490 what we're starting to see is some of the ... instead of 315 00:18:28.490 --> 00:18:30.650 exiting to a financial buyer that they're exiting to a 316 00:18:30.650 --> 00:18:33.740 strategic buyer. But, if you look at some of the acquisitions 317 00:18:33.740 --> 00:18:37.070 Mimecast did here. They bought Code42, which had raised 318 00:18:37.070 --> 00:18:39.920 hundreds of millions, shaved their head counts down about 50% 319 00:18:39.920 --> 00:18:43.640 since mid 2022 and it raised a lot of money, but just really 320 00:18:43.640 --> 00:18:46.040 weren't going to get big enough that they're going to be 321 00:18:46.040 --> 00:18:48.680 appealing to a PE firm or going to be possible for them to go 322 00:18:48.680 --> 00:18:51.650 public. Aware's head count was down significantly over the 323 00:18:51.650 --> 00:18:54.800 past couple of years, and these are companies that maybe had 324 00:18:54.800 --> 00:18:57.560 decent technology, maybe that's the bet that Mimecast is making 325 00:18:57.560 --> 00:19:00.110 as we think could be some of their technology components are 326 00:19:00.110 --> 00:19:04.910 strong. But, the business case didn't work. And if we take that 327 00:19:04.910 --> 00:19:08.810 technology and plug it into our channel, into our go-to-market 328 00:19:08.810 --> 00:19:13.190 engine, and we align it with some of the pieces that we have, 329 00:19:13.190 --> 00:19:16.550 that we can extract some value from this, especially at a deep 330 00:19:16.550 --> 00:19:19.040 discount. It's similar to the strategy we've actually seen 331 00:19:19.070 --> 00:19:22.850 from Fortinet, which tends to be extremely conservative when it 332 00:19:22.850 --> 00:19:26.960 comes to M&A. We saw them buy Lacework just a couple of months 333 00:19:26.960 --> 00:19:29.630 ago here. That Lacework at one point was worth more than $8 334 00:19:29.630 --> 00:19:33.680 billion. Fortinet bought them for $150 million. Pretty much 335 00:19:33.680 --> 00:19:36.830 just took the technology, not keeping very little of the team. 336 00:19:37.310 --> 00:19:40.070 Or they are just going to try to plug it into their sassy engine. 337 00:19:40.310 --> 00:19:43.010 Fortinet similarly bought a DLP provider who had kind of 338 00:19:43.010 --> 00:19:47.180 flatlined from the headcount perspective. So, we're seeing 339 00:19:47.180 --> 00:19:52.250 kind of this bargain shopping now from companies that 340 00:19:52.250 --> 00:19:54.350 historically have been more conservative when it comes to 341 00:19:54.350 --> 00:19:57.440 M&A and the Fortinets and the Mimecasts of the world and are 342 00:19:57.440 --> 00:20:00.110 just essentially looking for good value. Some technology that 343 00:20:00.110 --> 00:20:03.740 they can plug into their stock and their pay maybe a fraction 344 00:20:03.740 --> 00:20:07.220 of what this would have cost a couple years ago. So, definitely 345 00:20:07.220 --> 00:20:09.110 expect to see more of that, because there's just a whole lot 346 00:20:09.110 --> 00:20:12.680 of companies that raised money when the economy was better and 347 00:20:12.680 --> 00:20:14.750 don't really have a viable path forward. 348 00:20:15.470 --> 00:20:18.050 Anna Delaney: Yeah. Very nice analysis there Michael. Thank 349 00:20:18.050 --> 00:20:23.000 you. With increasing reliance on cloud-based collaboration tools, 350 00:20:23.000 --> 00:20:26.150 as you just said there, how do you foresee the balance shifting 351 00:20:26.150 --> 00:20:30.290 between email security and the security of other platforms, 352 00:20:30.290 --> 00:20:31.610 those collaboration platforms? 353 00:20:31.000 --> 00:20:33.272 Michael Novinson: It's a good question. I mean, I think what 354 00:20:33.326 --> 00:20:36.572 we're seeing, and I know Martha and Zadelhoff talked to me a 355 00:20:36.626 --> 00:20:39.710 little bit about it, is that we are seeing these internal 356 00:20:39.764 --> 00:20:42.306 communication shifts that, obviously, if you're 357 00:20:42.361 --> 00:20:45.444 communicating with external stakeholders, it's usually, I 358 00:20:45.498 --> 00:20:48.690 mean, I don't want external stakeholders blowing up my cell 359 00:20:48.744 --> 00:20:51.990 phone. So, I'm usually going to be using email. But, if it's 360 00:20:52.044 --> 00:20:54.966 people within our company, I know, yeah, we use Teams, 361 00:20:55.020 --> 00:20:58.050 mostly. Certainly, in a whole lot of other companies use 362 00:20:58.104 --> 00:21:01.566 Slack, and that more and more of communication within people who 363 00:21:01.620 --> 00:21:04.866 work within the same company and increasingly even with like 364 00:21:04.920 --> 00:21:08.329 third-party partners is coming through these internal ... going 365 00:21:08.383 --> 00:21:11.629 through these collaboration tools rather than through email. 366 00:21:11.683 --> 00:21:15.145 So, it's certainly been an area that people just haven't thought 367 00:21:15.199 --> 00:21:18.391 about as much, that people are cognizant of what a phishing 368 00:21:18.445 --> 00:21:21.583 email looks like or a strange attachment, but people don't 369 00:21:21.637 --> 00:21:25.045 apply the same level of scrutiny to a Team's message or a Slack 370 00:21:25.100 --> 00:21:28.454 message from somebody who they think is their teammate. So, if 371 00:21:28.508 --> 00:21:31.700 an adversary is able to take over an account and is able to 372 00:21:31.754 --> 00:21:35.000 send malicious links, malicious attachments through Slack or 373 00:21:35.054 --> 00:21:38.354 Teams, that you're going to get much greater buy-in than from 374 00:21:38.408 --> 00:21:41.816 email where they're just people have the guard up a little bit. 375 00:21:41.871 --> 00:21:44.954 There's a little bit more skepticism at this point. So, I 376 00:21:45.008 --> 00:21:48.417 certainly think that's part of it, and I think that we're going to 377 00:21:48.471 --> 00:21:51.879 and, yeah, I think there's just a feeling that more and more is 378 00:21:51.933 --> 00:21:55.179 happening that way, but also that. And this is what Marc van 379 00:21:55.233 --> 00:21:58.587 Zadelhoff talked to me about, that it's just the look and feel 380 00:21:58.642 --> 00:22:01.888 of messages on Slack or Teams is going to be different. That 381 00:22:01.942 --> 00:22:05.025 they're just more informal. And if a lot of this is about 382 00:22:05.079 --> 00:22:08.217 detecting behavioral patterns, that things that might look 383 00:22:08.271 --> 00:22:11.355 fishy in an email might be normal in a Team's message and 384 00:22:11.409 --> 00:22:14.709 vice versa. So, the hope with buying Aware is that they could 385 00:22:14.763 --> 00:22:17.901 really kind of calibrate that technology in terms of being 386 00:22:17.955 --> 00:22:21.093 able to more accurately detect unusual patterns or unusual 387 00:22:21.147 --> 00:22:24.610 communication behavior in a way that they couldn't on their own. 388 00:22:25.210 --> 00:22:27.970 Anna Delaney: Very good. Thank you Michael. Okay, finally, and 389 00:22:27.970 --> 00:22:30.760 just for fun, if you had to explain the importance of 390 00:22:30.760 --> 00:22:35.230 cybersecurity using a cooking metaphor, what dish would best 391 00:22:35.230 --> 00:22:36.940 represent a secure system? 392 00:22:36.000 --> 00:22:53.122 Anna Delaney: Don't know if we have that in the U.K., but okay. 393 00:22:36.920 --> 00:22:38.784 Michael Novinson: I'll give a really weird one. And I was just 394 00:22:38.826 --> 00:22:41.284 really thinking about this software bill of materials, and 395 00:22:41.327 --> 00:22:43.657 this idea of needing an ingredient list that we need to 396 00:22:43.700 --> 00:22:46.200 know what's in everything. So, I'm going to say something that 397 00:22:46.242 --> 00:22:48.785 doesn't require a stove at all, which is a peanut butter and 398 00:22:48.828 --> 00:22:51.243 jelly sandwich. And could be ingredients. You have peanut 399 00:22:51.285 --> 00:22:53.870 butter, you have jelly, you have bread, you can look down the 400 00:22:53.472 --> 00:23:10.594 It's also got the layering effect, which is quite 401 00:22:53.913 --> 00:22:56.583 label you know exactly what's in them, and more so you know, at 402 00:22:56.625 --> 00:22:59.252 least with the peanut butter and jelly that they're completely 403 00:22:59.295 --> 00:23:01.795 sealed. You're taking a seal off in order to get the peanut 404 00:23:01.837 --> 00:23:04.507 butter and jelly off. So, there wasn't any way for an adversary 405 00:23:04.549 --> 00:23:07.177 to tamper with it before it was sealed. So, I don't know if we 406 00:23:07.219 --> 00:23:09.720 call peanut butter and jelly cooking, but that's my answer. 407 00:23:10.944 --> 00:23:19.680 cybersecurity. Very good. 408 00:23:20.400 --> 00:23:21.720 Tom Field: Are you saying there's not peanut butter and 409 00:23:21.720 --> 00:23:22.590 jelly in the U.K.? 410 00:23:23.130 --> 00:23:25.440 Anna Delaney: Well, there are but do we put them together? I 411 00:23:25.440 --> 00:23:30.000 mean, that's another question. Tom? 412 00:23:30.000 --> 00:23:34.380 Tom Field: I am going to come to the U.K. because, you know, I I 413 00:23:34.380 --> 00:23:39.570 enjoy visiting your pubs, and I enjoy a good pie. And to me, a 414 00:23:39.570 --> 00:23:43.590 good pie is emblematic of cybersecurity. You want a nice, 415 00:23:43.590 --> 00:23:48.810 strong outer crust to protect the ingredients within, so that 416 00:23:48.810 --> 00:23:52.560 they cook properly and so that they don't get out as well. So, 417 00:23:52.560 --> 00:23:57.600 you think of your meat, your vegetables, etc., as your data 418 00:23:58.020 --> 00:24:01.950 protected by that crust so that it's able to cook as 419 00:24:01.950 --> 00:24:05.160 appropriate, but not leak out and not have anyone get access 420 00:24:05.160 --> 00:24:06.870 to it until it's time to have access to it. 421 00:24:08.820 --> 00:24:11.010 Anna Delaney: Perfect! And no insider threat of course. 422 00:24:11.010 --> 00:24:12.180 Tom Field: I hope not. 423 00:24:12.240 --> 00:24:14.340 Anna Delaney: Love that. Marianne? 424 00:24:15.170 --> 00:24:17.810 Marianne McGee: Well, I'll set up with a disclaimer that I'm 425 00:24:17.810 --> 00:24:25.250 not much of a cook, but souffle. Souffles are supposed to be 426 00:24:25.280 --> 00:24:30.080 particularly finicky in terms of, you know, technique, you 427 00:24:30.080 --> 00:24:33.290 know, the ingredients. And you think you did everything right. 428 00:24:33.320 --> 00:24:36.890 You put it in the oven and then somebody slams a door across the 429 00:24:36.890 --> 00:24:40.310 house, and then the whole thing collapses, which is sort of, you 430 00:24:40.310 --> 00:24:43.790 know, typical for what goes wrong in cybersecurity. You 431 00:24:43.790 --> 00:24:46.490 think you're doing everything right and then some unexpected 432 00:24:46.520 --> 00:24:50.210 factor from maybe outside your organization comes in and 433 00:24:50.210 --> 00:24:56.180 decides to disrupt and ruin your meal. So, that's what I suggest. 434 00:24:56.600 --> 00:24:58.730 Anna Delaney: I'm with you there. I went for souffle as 435 00:24:58.730 --> 00:25:03.620 well. Not that I am any expert in souffle making. But one small 436 00:25:03.620 --> 00:25:07.250 mistake, skipping a security update or leaving out 437 00:25:07.250 --> 00:25:10.460 encryption, and everything is doomed to collapse. So, 438 00:25:10.460 --> 00:25:13.010 everything has to be very precise in souffle making. Love 439 00:25:13.000 --> 00:25:15.550 Tom Field: You can also source it to an outside party. 440 00:25:13.010 --> 00:25:13.310 that. 441 00:25:16.510 --> 00:25:20.500 Anna Delaney: Yes. So, thank you so much everyone. This has been 442 00:25:20.500 --> 00:25:23.320 informative, educational. Thanks for all your insights. 443 00:25:23.890 --> 00:25:24.430 Tom Field: We'll do it again. 444 00:25:25.420 --> 00:25:25.930 Michael Novinson: Of course. 445 00:25:26.590 --> 00:25:27.280 Marianne McGee: Thanks Anna. 446 00:25:27.610 --> 00:25:29.920 Anna Delaney: And thanks so much for watching. Until next time.