ISACs, Information Sharing, and Building Cyber Resilience

Our ancestors shared information on threats with their communities to ensure survival. The same is necessary for today's digital landscape. Businesses need to share information pertinent to their verticals to remain resilient against threats, but how can we do that in a diverse business environment while encouraging sharing? We speak to John Lee, Managing Director at Global Resilience Federation Asia Pacific, to learn the important roles ISACs play and how they help organizations like yours build cyber resilience.

Tune in to this episode of Ask A CISO to hear:

  • ISACs, genesis of Global Resilience Federation (GRF) and how it works
  • How OT-ISAC encourages information sharing and why some organizations don’t share
  • The Traffic Light Protocol (TLP) for information sharing
  • How GRF facilitates sharing between ISACs and realizes economies of scale
  • Top 3 things to consider when formulating your business resilience strategy
  • The need for more ASEAN-focused threat intelligence
  • How to gain membership into an ISAC & ISAC activities for members
  • How cybersecurity companies can work with GRF

About The Guest: John Lee

John Lee is the Managing Director at Global Resilience Federation Asia-Pacific, a non-profit provider and hub for cyber, supply chain, physical and geopolitical threat intelligence exchange between Information Sharing and Analysis Centers (ISACs), organizations (ISAOs) and Computer Emergency Readiness/Response Teams (CERTs) in various sectors around the world.

John is also the Managing Director (Asia Pacific) of the Operational Technology Information Sharing-Analysis Center, or OT-ISAC, and President of Singapore’s Chapter of the Project Management Institute.

He has more than 20 years of experience in Information Security, OT cybersecurity, Project Management, Governance, Risk Management and Operations, and has led cross-cultural teams in Asia Pacific and the Middle East that successfully executed business transformation projects and managed global services in InfoSec, Infrastructure, and Integration.

John was also the past President of ISACA Singapore and has spoken at cybersecurity conferences like RSA, Blackhat, IMDEC Asia, Cloud Security Asia, Govware, Interpol World, etc.

About The Host: Paul Hadjy

Paul Hadjy is co-founder and CEO of Horangi Cyber Security. 

Paul leads a team of cybersecurity specialists who create software to solve challenging cybersecurity problems. Horangi brings world-class solutions to provide clients in the Asian market with the right, actionable data to make critical cybersecurity decisions.

Prior to Horangi, Paul worked at Palantir Technologies, where he was instrumental in expanding Palantir’s footprint in the Asia Pacific. 

He worked across Singapore, Korea, and New Zealand to build Palantir's business in both the commercial and government space and grow its regional teams. 

He has over a decade of experience and expertise in Anti-Money Laundering, Insider Threats, Cyber Security, Government, and Commercial Banking. 

Transcript

Mark

Hello out there and welcome again to another episode of Ask A CISO podcast, brought to you by Horangi Cyber Security.

I am your host for today, Mark Fuentes. I'm the Director of Cyber Operations at Horangi Cyber Security, and today I have with me a really interesting guest who works out of Singapore as well. His name is John Lee.

He's the Managing Director at Global Resilience Federation Asia Pacific. It's a nonprofit provider and hub for cyber supply chain, physical and geopolitical threat intel exchange between information sharing and analysis centers and organizations, as well as CERTs, in various sectors around the world.

John is also the Managing Director for the Asia Pacific for OT-ISAC, and the President of Singapore's Chapter of Project Management Institute, which are both huge organizations, which I'm sure a lot of you are familiar with. He has more than 20 years of experience in Information Security, OT cybersecurity, project management, governance, risk management, and operations.

And he's led many cross-cultural teams in the Asia Pacific and Middle East that successfully executed business transformation projects and managed global services in InfoSec infrastructure and integration. Formerly, John was also the President of ISACA Singapore and he's spoken at cybersecurity conferences like RSA, Black Hat, IMDC Asia, Cloud Security Asia, GovWare, Interpol World, and a lot others.

Great, great resume, John. Welcome. Welcome to the podcast.

John

Thank you, Mark. It's a pleasure to be here.

Mark

Thank you. Thank you.

It's a pleasure to have you as well.

There's a lot that we can really pick your brain about and I'm sure as everyone can see from your bio, but one thing I really wanted to talk about today just to kick it off was I wanted to talk about Global Resilience Federation Asia Pacific and the kind of work that you guys are doing over there. Maybe you can give our listeners a quick rundown of what's going on over there?

John

Sure, I mean, it's a pleasure to be here.

And, well, I'm working for Global Resilience Federation and I think a lot of people may not have heard of it before. I joined Global Resilience Federation in 2019. That was when I was recruited to start the first Information Sharing and Analysis Center (ISAC) for operational technology in Singapore.

So many of us have heard of Financial Services Information Sharing and Analysis Center, FS-ISAC, especially if you are in the ... yeah, see? Especially if you're in the banking and the financial institutions and the insurance industry, you are part of the ISAC and if you are in healthcare, then you probably have heard of the H-ISAC, healthcare ISAC.

And OT-ISAC, it's formed out of a need along the lines of financial industries and healthcare to share information because sharing information is actually a very low-hanging fruit. We help each other to be more resilient, you know, to get early warnings. And GRF was actually set up out of the financial services ISAC back then. In the late 1990s, we just had the financial services ISAC set up in the USA, and over the course of the decades, the last two decades, there was a lot of demand for ISACs that are sector-specific, not only financial institutions.

So we have the water ISAC, the energy ISAC, the healthcare ISAC, and there was no ISAC that caters for operational technology.

So in 2019, back then, the CEO from FS-ISAC came to Singapore in 2017 and there was interest to set up an ISAC in Singapore that caters for the operational technology, especially supporting the Critical Information Infrastructure, as you know, that if, at the, they are impacted, there's no lights or water, it's not just only that your households, but in fact, the whole of economy and the community will be impacted.

So Global Resiliency Federation is actually a collection of ISACs. I use the word loosely because we are non-profit organizations and we collaborate. So we don't really, we have a very loose way of collaboration, meaning there are no hard lines, mainly soft lines where we don't really report into, you know, one central organization.

So you can, you can view it as a network, like a cell approach where, you know, everyone is contributing to the community to be cyber resilient, and also in a circle of trust.

So Global Resilience Federation was set up in around 2017, you know, spun off from the FS-ISAC, and it formally became an entity within the, supporting the collaboration among the ISACs. So within that are about 17 ISACs, out of which OT-ISAC, Operational Technology ISAC is one.

Mark

You know, I think this is something that's super, super understated when it comes to defending ourselves, right, against cybercrime. And I always remember when, I'm from America and, and when 9/11 happened, I was in high school, but I remember that, after 9/11, one of the biggest things that we learned was that things like that are able to happen when information is compartmentalized and it's not shared across various interested parties.

And so as I grew up and I grew up in the cyber field and Information Security, one thing I noticed was a lot of people like to hoard knowledge and hoard information, or even when you see an organization gets breached or, or they get attacked, they like to hold off on disclosing vulnerabilities or things that they found ... exploits that they found inside their organizations.

What are the things that organizations like OT-ISAC are doing to encourage that sharing of information between interested parties?

John

Yeah, for one, we operate in a circle of trust so we are membership driven.

So on the one side, there are member communities, companies, organizations that belong to Critical Information Infrastructure, and also the non-critical Information Infrastructure. So these are your OT asset owners and operators, your power plant, your water utilities, your healthcare, your supply chain, distribution, companies, your manufacturing companies, and land transport aviation and maritime as well, and emergency services.

So we operate in a circle of trust and we realize that, I think you're right, people like to hold off on information sharing because I think, number one, there's confidentiality reasons, because you don't want to disclose about the incident that has happened.

Mark

Sure.

John

Or any vulnerabilities of your products to the public till you have actually fixed it, and certainly you don't want to report of any hacking incidents within your company.

So we help them by anonymizing the threat indicators or the information so that there's no attribution. What I mean by attribution is that you could not even attribute it to a single company. So we are just reporting on the incident itself, the threat itself to help other organizations to stay safe.

So for example, if there's an aviation incident and if the attribution is not possible, meaning that from the threat itself, you can infer that a certain entity or whether there's airport that's been breached, then probably that is not anonymized. That information should not be shared because it can lead to attribution.

So we have, on one side, the member who is sharing information, and on the other side, our partners who are providing information. Our partners are subject matter experts that have a very deep and wide knowledge about the verticals, whether it's aviation, whether it's healthcare, whether it's maritime.

So we sit in the middle, we are like a hub and spoke. So we encourage information sharing between the two parties and across, we have certain protocols, we call it a traffic light protocol, whereby information is shared according to that protocol. And if you really want to maintain a confidentiality that's TLP Red, meaning two parties share information, whether there's two members or partner and member, and that information cannot be shared outside of that sharing in, it cannot be shared within, with your organization as well.

Then we have a TLP Amber, where information is shared between two parties can be shared with members of the recipients' organizations, so that you can use it to help your organizations to stay safe and secure.

Then we have TLP Green where information is shared, can be shared with the OT-ISAC community and TLP White is open source intelligence.

Mark

I see, I see, I always wondered, I mean, I have run across the intel before and I've seen the labels, but I guess I never really put much thought into, okay, what does TLP Green mean? What does TLP White mean? That gives me a little bit of, you know, you learn something new every day.

John

Yeah, Mark, in this line we are always learning because you can never say that, you know everything about cybersecurity, cyber threats, or even ...

Mark

Too vast. It's too vast. It's definitely too vast.

So what you're saying, so with Global Resilience Federation, a lot of the work that you do is facilitating the sharing between different ISACs, right? Would you say that if Global Resilience Federation didn't exist, how would any of that sharing happen between an FS-ISAC and an OT-ISAC?

John

Well, Global Resilience Federation was created out of a need to provide a support to the ISACs but the ISACs have been around since the late 1990s. And so we recognize that there's economy of scale if you have an organization like Global Resilience Federation, so that you did not replicate most of the best practices across the ISACs, because the ISACs do come up with good stuff like health ISAC, or FS-ISAC.

And so we want to learn from the ISACs in supporting the members, organizations within our own specific ISAC. So the cross-sector sharing within Global Resilience Federation and the centralized support that Global Resilience Federation provides in some areas will help the ISAC to concentrate on their mission, which is to ensure the cyber resilience of the sector that they support.

So I, I would say that it is essential to have an organization, but to oversee, to support, not to oversee, as I said, it's not a hard line, but it's a soft line.

Mark

So I mean, all of the sharing that we're talking about, we're actually talking about, probably a lot of threat intel and just intel on vulnerabilities, exploits, et cetera, right?

But I'm sure that these ISACs also come up with really great best practices, really great standards. Does that come into play at all with Global Resilience Federation? Do you guys publish any best practices or, or work with any other, you know, how, external standards organizations or, or like, anything like that?

John

Yeah, we created a Business Resiliency Council that they were looking after the standards, operational resilience framework. So in, in there it actually uses, certain standards like the NIST cybersecurity framework and other standards like ISA 62443, depending on the needs of the particular community, so that we can actually help the community, organizations in that community to be more cyber resilient.

And that operational resilience framework is a guide to organizations, because we know that the risk is probably not, it's a business risk and operational risk.

You know, cybersecurity is an operational risk.

Mark

Yeah.

John

So it is needed to have very robust or healthy or holistic outlook, view. So, we start from the top, meaning that you need to have a cyber risk management, cybersecurity framework, and operational resilience framework, so that you can actually take the steps when the incident happens. Of course, following the NIST cybersecurity framework, you would put in steps to identify the threats, if you can, and next to protect it after you identify as well as to detect, so in case you cannot do it, you need to respond and recover.

And, and so it's, it's more of a holistic framework. It's not just specifically to any systems or equipment, but any framework is generic. So the beauty of the framework is that it allows you to use it, to contextualize it to your environment.

So if you are a port, if you're hospital, if you are a healthcare, manufacturers, so you have to contextualize that framework to your environment.

Mark

All right. So I noticed there when you were listing it out, you listed out Identify, Detect, Respond, Recover, right? And a lot of times, and this is just a personal thing.

When I talk to a lot of people about resilience, right? Actual resilience, just personally, I've kind of already, almost already abandoned the prevention part, the prevent.

John

Yeah.

Mark

Did you leave out the prevent on purpose or was that just, you forgot to put it on the list or? I was just wondering if you if someone else was along the same thinking as myself.

John

Yeah.

Yes, I think prevention is always there. So I mentioned, protect, so prevention is under the Protect pillar, but, however, you are right because you've heard that some professionals say "assume breach" "assume breach" - you will be breached.

Mark

Yeah.

John

But my, my take on it is that you have to do your due diligence. So you can't assume that you'll be breached and then just prepare to respond so you need to take some steps to protect and detect the threats so that, out of 1,000, maybe threats that can actually flow through your networks, maybe you have maybe 10 of that, only active threats because you have blocked the 999 threats, 9, 990 threats.

So I, I, I guess it's across the five pillars, so that NIST cybersecurity framework, I think is a framework.

Mark

Yep.

John

Okay. But we have to use it and we have to use it effectively and efficiently within our own organizations.

Mark

Yeah. I think that's the keyword. I think efficiently is the keyword. I think, strategically is the keyword.

When I started in the industry, I think a lot of, a lot of cybersecurity dollars get spent on prevent, on protect, on the protect pillar. I think we're starting to move into the more respond and recover pillars in this day and age. And I think the people who are a little bit more new to the game, they try to say, Hey, we wanna prevent it before it starts, right?

But seasoned folks like you and I are always like, we, the word is resilience. Actually the word is resilience. The word is to be able to withstand the attack and keep going, right? Keep operations up and running.

What would you say are the, if you had like a top three things for people to focus on when they wanna worry about resilience, What's the top three things, like ...?

John

Yeah, there are many, but I can just list the three off the top of my head.

I think you need to know your, basically your environment or your assets because you need to know what you're protecting. What is of value to you? What do you want to protect? And part of it is about aligning to your business requirements or business strategy because the business uses the assets for the operations to achieve their business strategy. So you need to understand what is important for the business, which asset are key, so that it provides the continuity, business continuity for the business. And they should be protected first.

So you, knowing what you need to protect. Secondly, how are the assets connected, the architecture? So I use the word security architecture because that is also part of security engineering. How do you actually do the integration? Connectivity. How does data flow from one to the other, that you have a picture, right? If you are trying to protect your, your power station which is your critical assets that you know that, what are the inputs, outputs, and within there, what are the people, process, technology you need to protect? What are the controls? Do you use third-party?

So the architecture security architecture, which includes knowing your risk in the supply chain, your internal risks, your equipment, risks, vulnerabilities, you mentioned, and also your insider threats.

Thirdly, it's having a roadmap, because you cannot protect everything.

Mark

That's right.

John

So, you know, your assets, your critical assets that are important for your business, you know how these assets are connected, but what do you really wanna do?

You mentioned strategy, strategic. So what do you really wanna do in the short term which is tactical, or operational, and then in the mid to long term, which is strategic. So then you have a roadmap, then you can prioritize it.

But of course, easier said than done. There are a lot of challenges. You talk to 10 different people, they have different ideas. But for me personally, because I, I come from a practitioner background, so I was working for engineering companies and maritime companies doing security operations, Information Security policies, governance, risk compliance, and information technology as well, applications, so the need to actually know what you want to protect and align it to your business. Stakeholders are important.

So I mentioned aligning to your business strategy, your objectives, and then knowing what you have, your current stage, which is your security infrastructure. So you are here, but really do you want to move from here in the maturity model to here?

Mark

Yeah.

John

Then that's important. Then the gap is where you have the, thirdly, the roadmap, you know, how do you, because you need to spend dollars, you need to invest money. You need to invest time. You need to invest, and

Mark

You need to do it smartly because, you know, it's a finite resource.

We have finite resources and, you know, you picked the top three right out of my brain as well.

John

Well, thank you so much, Mark.

I think they say great minds think alike.

Mark

Yeah. You picked it right outta my brain.

What I like to tell a lot of my clients when I'm consulting is that, let's just say that you got breached today, right?

You're in this bad spot and you know, your CEO puts you in front of all the press and they're all, you know ... Everyone's gonna ask you three main questions, right?

The, the first question they're gonna ask is what assets are involved, what data is involved, what parts of your infrastructure are involved in this, in this incident?

The second thing that they're gonna want to know is, do you know what the risk is involved with those assets that are involved?

And the third is, do you have a plan? Do you have a strategy?

John

Yes.

Mark

And I tell people, okay, when you start building your capabilities, these three capabilities are the first ones you want to build is identifying your assets and your data and your data flows, and identifying your risk. And then coming up with a strategy for when things go bad, right?

So, picked it right outta my brain. So that was very, very exciting for me to hear.

So you seem to, you know, you're, you're very seasoned. You've been doing this for some time. How do we get to, you know, I think, when I go out to a lot of my clients, a lot of the organizations I see, when you talk about maturity, right? They're basically at this stage where they have maybe some stuff, but it's not very standardized, but everybody wants to get to this ideal state where they're this they're optimized like in CMMI, they're optimized, they're using data to, to feed back into their, their controls.

How far away do you think we are from that? From the majority of our companies, organizations getting to that kind of maturity? Is that something that we're gonna see in the next five years or 10 years? What do you think?

John

A lot of organizations do not even know what, where they are, their current state.

I think the first step is to look at, really, where you are and then base your projections into where you want be based on your business growth, business objectives, because your business uses assets that are connected, and there are risks involved in the interdependency or interconnection of these, these assets.

And we really need to look at the areas where the threats to those assets, looking at the, just not, the threats, but also the vulnerabilities. So we need to protect the assets from being breached. And a lot of it starts from having a good security roadmap or security program that involves a good cyber governance, cybersecurity governance, because to actually put in place a roadmap, you need to know what you want to achieve, and that organization is important.

So you have an organization where people are comfortable and responsible, and also then they go out to actually secure those assets so you have probably heard that a lot of the Critical Information Infrastructure, they hold their top guy responsible and accountable for any breaches. And that's probably right. But it's not a good place to be, especially if you're leading a company and you do not know anything about what is being connected.

Mark

It's quite terrifying actually.

John

It's, it's like fighting with some unknown and that unknown is like, you know, when will hit you.

Mark

Yeah.

John

So, but, all is not lost because there are things that you can do to reduce the risks, to do, for example, cyber hygiene, you know, that's actually, what are the top areas where you can actually beef up and we know that in Operational Technology, safety has been the greatest concern, because the numbers of accidents happening at the work sites.

So nowadays I think the incidents have been reduced because our need of awareness that you need to actually have considered safety. If you are actually in manufacturing or your operations. Now, cybersecurity is something that people do not understand, because they may think that it's just an IT thing.

It's an IT problem. So let the IT resolve it, and IT would think that an operation problem... I don't understand the operations. I don't understand the engineering, so I don't, I will just buy probably systems and then that's it.

Mark

Yeah.

John

You know, I ... hopefully we will not be breached. So a lot of this starts from the top, the tone from the top is important. So I'm borrowing some of the terminology.

Mark

No, no, definitely.

John

So, I think ... so making, making the, Chief Executive accountable, the Chief Executive will be part of the conversations on how to secure the assets or the company operations, meaning that there are communications top down and bottom up.

So you really would consider all the risk scenarios that can happen because IT by itself or OT by itself, they're not really connected to the senior management or the strategies, so you need to cascade down using a top-down threat or risk scenarios, and then you need to get the bottom-up as well, because you need to have the buy-in from the operations, the people that are doing it and from the mid-level, the supporting functions.

Mark

Yeah, I think what's key there is to get that buy-in, that executive buy-in, to get that top-down approach. I think where we've always been, I think, historically, a lot of us, like you said, a lot of us come from the practical side of things, right?

So, I myself was a network engineer, you know, all of us are quite technical and we had to learn their language is what we have to do, right?

And that's why I think the, the thing that we've been running into for years and years and years in trying to get that top-down approach is that we are trying to get them to understand cybersecurity on our terms. And I think the key to getting that top-down approach is to put it from their perspective and speak to their language, which is quite a challenge for a lot of us because we're coming from that technical side and then now we have to learn that business language and what's important to the business.

So I think we're starting to shift into that side, but I think it's still a long road to get to that understanding between the two sides, right?

John

It's definitely a continuous journey, and I think organization needs to be proactive to drive it from the top and from the bottom, so that awareness of risk needs to pervade through the whole entire organization. Management, I think they are busy like the CEO, the C-suites are in growing the business so the bottom and the middle layer also needs to highlight the risk of certain key areas where they can bring it up to the conversations with the top management.

And there must be a willingness to collaborate between all levels of the organization.

So it's not just I'm working on my area and I'm doing well. I meet all the KPIs. There's no risk so I'm okay. So, so I've done my part right?

Mark

We need to be working to figure out how we can turn our part of the business into a business driver as well. I think that's where we will get a little bit more appreciation from the top, right?

John

A key thing in my job in running the Operational Technology Information Sharing Analysis Center is to build a community of like-minded cybersecurity professionals. So I talk to a lot of people, member organizations, as well as the public, and I foster collaboration with organizations, whether it's the equipment manufacturers or standards or the government agencies, or even the CERTs. And also most importantly with the member organizations, because they do have a, a depth of subject matter expertise which I can tap on to help other member organizations.

So we organize events where we bring members together in a closed community. Sometimes it's a closed door and we get the members to talk to each other, to share best practices, to say, for example, one member at a fusion center, you know, then how does that help?

What is, what exactly is the fusion center? How does the concept help other member organizations?

So as you see that, I'm pretty excited in what I'm doing,

Mark

Oh, okay.

John

because I don't really get to do this when I'm working for organizations. You always have to follow the policies, the KPIs that are set for you and also the roadmap.

Mark

Yeah. Well, actually, yeah, let's, let's talk about that a little bit.

So essentially, you're dealing in threat intelligence, right?

And you're dealing here in this region.

I've been here some time, but I'm still quite new to this region. I'm coming from the West, and the problem that I found coming out here and trying to ingest threat intelligence is a lot of it tends to be Western-centric or American-centric, right? And I've been lamenting the lack of more ASEAN-based threat, threat intel feeds. Is there any work that you're doing at the Global Resilience Federation to produce such a feed that would be more useful for organizations in this region?

John

We are talking to a lot of organizations like the CERTs. So the CERTs will see things, incidents in their countries in ASEAN and so, probably they can give us some information and we can further enrich the information through research, working with our partners in certain areas to get more information about that event or the threat or that incident, to fine-tune the intelligence so that we can reshare back to the community.

And it's been, as you said at the start, that nobody wants to share.

Mark

Yeah.

John

Security through obscurity. I think it's a thing of the past. And then in NIST, I think, says that, you know, it's gone, there's no longer security through obscurity, so you need to actually share and it's not a matter of how you do it, you know, the template itself but it's the contextualization. So you can have a security by not sharing that information that is pertinent to your organization. How do you set up the Security Operations Center?

I think that those are based on best practices.

Mark

Yeah, most definitely, and I think you're exactly right.

I think security through obscurity and acting as lone operators here and in the wild, it's just not working anymore because we're all watching the adversary evolve, and the adversary is sharing knowledge as well, right?

And it's getting harder to fight. And I think the best way forward is together and I think this is something that's quite understated in our industry. I think, I think not a lot of people are talking about information sharing. I think ISACs should be more prominent than they are today, so it's a lot, it's very important work that you guys are doing to raise that kind of awareness.

How about, you said it's membership, right, for all about membership?

Is it a strenuous process to gain membership into an ISAC?

John

Well, there's a vetting process where you need to qualify, meaning that you must belong to that particular sector, for example, health ISAC, you need to be in healthcare.

So for Operational Technology ISAC, as long as you are Operational, OT asset owners and operators, then you can actually be part of the ISAC and, number one. Number two, you must have a legitimate business. So we do some business checks, I mean, it's easy enough to do these days from the public domain. So, and if your company is not known or not registered then probably, we should not actually accept because it may be a front for some other malicious activities.

It's not a very strenuous process but once they're in, I think it's when they're onboarded, it's coming out with the activities, you know, to engage them, to, to make them see the value of the information sharing, not just by consumption, but by sharing.

So we do have two portals. Contributing. And also interaction with members through the forums, the closed door discussions, so that we can help other members and help ourselves as well, themselves to further the cyber security resilience for their organizations. So we do training workshops to raise the awareness of the member organizations.

So we bring in subject matter experts, trainers. Sometimes they provide, you know, as part of their service. Sometimes, it's a paying workshop, right? So, but through the ISACs, probably we will get better rates than to get it from the trainers. And best practices, like threat modeling, risk assessments, we do all that as well, but of course we don't do that in a commercial way.

So we do that mainly as a practitioner, we get subject matter experts. We facilitate the conversations or the activities between the member organizations and the volunteers.

Mark

That's pretty cool actually.

My next question actually is, it's quite self-serving, it's quite a self-serving question.

So Horangi, we're a consulting company. We're a cybersecurity company, but we're, again on the outside. We're not probably able to gain membership into an ISAC, right?

Is there a way that we can play with you guys?

Is there a way that we can get some of that, you know, sweet, sweet, right in

John

Action?

Mark

Yeah.

John

Part of the action.

Mark

Yeah.

Is there a way that organizations like mine can be involved or we can share in, in the threat intelligence?

John

Yeah, sure.

I think we do. If you look at our partner portal, we do have partnerships with OT cybersecurity vendors or solution providers, the original equipment manufacturers, the CERTs and the agencies as well.

So we believe that there's no one source of truth. You know, in order to verify intelligence, probably you need to speak to two or three, look at two or three sources so that you can form a triangulation.

Mark

Right.

John

But of course, we value the subject matter expertise of our partners, companies like Horangi that can provide a lot of insights to our members. And our partners, they share out of passion to contribute, you know, to increase the cyber resilience.

And of course, to put themselves as subject matter experts indirectly to say that, okay, they are the subject matter expert, and we provide the portal. And no one knows everything, so it's through the collaboration with the partners, I think we get better intelligence because it's not one way, so there's, you know, going back to partners or going back to their members because if intelligence is just a single direction or bi-direction, I think there are a lot of things that are missing in there that we could probably tap on the conversation, if it's bidirectional and it's flowing bidirectional of course, in the circle of trust, right?

So, yeah, certainly, we like to have that conversation with Horangi.

Mark

Oh man, definitely, I think that's probably what we're gonna do right after.

So, we'll try and get involved in that stuff because it's, it's actually something I noticed, like I said, when I came out here, I was really looking. I really felt a lot of the value would be with the sharing of this kind of information with the production of threat intelligence that's more specific to here and where we do business and what's important to our geolocation.

Yeah, so just kind of coming up at the 40-minute mark, which is kind of where I like to have it. So maybe just one last thing from you, John, if you were to leave our listeners with one very important takeaway for today, what would it be?

John

I think off the top of my mind, I think, you really need to get going, meaning that I've heard this term before, call to action.

So regardless of your level of cybersecurity, you need to take the first step and coming up with that first step and that program, right? Top-down or middle up or bottom up.

So, generally, you need to have a sense of what you want to achieve in terms of cyber resilience and then tie it to your business objectives, because cyber resistance is not just about protecting your assets from being breached, but it's about enabling your business to continue operations.

Mark

That's right.

John

Even through the bad times when you are down with an incident. So it's a cyber, you know, it's more than that. It's a business enabler. So cybersecurity is the business enabler, and it must be part of the whole thought process or consideration by the top management that they need to have this as one of the components. There are many areas. I mentioned safety as one of them in innovation, digitalization, cybersecurity.

So take all these and put it together in the puzzle, right? And talk to experts like you and me. Hopefully I can say that.

No, I, I think I, I can't say that, because I'm always learning, as I said in the beginning ...

Mark

It doesn't mean you're not an expert, John. It doesn't mean you're not an expert.

I think we're all lifelong learners, but you're definitely

John

Lifelong learners.

Mark

You're definitely an expert in my book.

But there you have it folks. The journey of a thousand miles starts with one step and John is telling you to take that first step.

John

Thank you everyone. Thank you, Mark.

Mark

Yeah. It was such a pleasure having you, John.

Thank you so much. You definitely have a wealth of information that we can all enjoy.

So, everyone check out John. You can find out more about him at Global Resilience Federation Asia Pacific.

Thank you again, John. I really appreciate it.

John

Thank you, Mark.

Thank you audience.

Thank you everyone.

Have a great day.

Mark

All right. Everyone else out there, you guys can check us on the next one.

Thank you.

Mark Anthony Fuentes

Mark Fuentes has over a decade of experience in the cyber security field highlighted by roles in organizations such as Verizon, The International Monetary Fund, and The United States Department of Homeland Security. Mark is an avid consumer of technology trends and threat intelligence and seeks out new applications of tech and research to combat cyber crime.
