About the Episode
Not long ago, operational technology (OT) remained disconnected from corporate networks, safe from the cyberthreats that preyed on IT networks. With modern OT and critical infrastructure becoming increasingly connected, organizations are up against a growing number of threats that could disrupt their operations. So, how can these organizations secure their operational technology and build resilience across IT and OT?
In this episode, Mike Reeves welcomes Kirsten Turnbull from Dragos to explore the most urgent challenges we face in securing OT environments and how turning the lights on to gain visibility is the first step.
Transcript
Kirsten Turnbull: [00:00:00] I think that one of the biggest challenges that we see when we go into these environments is with critical infrastructure availability is all we care about, really. When we're going in there, we do not want to interrupt process. So, the tools that we've gotten really used to using that are effective and very powerful in IT, we can't use those tools.
One of the common challenges that I do run into when working with customers, especially when it comes to getting visibility in OT. Essentially, think of it as turning the lights on in a room that's been in the dark for a very long time. So, we turn the lights on, now you can see everything, and there might be 5,000 new assets that you didn't know about that were sitting in the dark room. One of the common responses we get is that immediately management is like, "We don't have the staff to handle this amount of resources." And then I always kind of challenge and say, "Well, is the answer to turn the light back off?" [00:01:00] Visibility is everything, right? Once you have the lights on, you can start making better decisions about what you're gonna do, and you can validate your controls as well.
One of the things that keeps me awake at night isn't the vulnerabilities. It's not the known ones. I am way more worried about the unknown ones, right?
Mike Reeves: This is Solving For Change, the podcast where you'll hear stories from business leaders and technology industry experts about how they executed bold business transformation in response to shifts in the market or advances in technology.
In every episode, we'll explore real world strategies and technologies that fuel successful evolution. I'm your host this month, Mike Reeves.
I'd like to welcome Kirsten Turnbull of Dragos to the podcast today. She's a Principal Solutions Architect at Dragos and today I'm really excited to have this discussion with you.
We'll talk about some industries. You know, my mind when I think of you folks goes to [00:02:00] critical infrastructure. Certainly kind of a place where you spend a lot--and we spend a lot--of time with you and your teams. Certainly here in Canada. And so, what I'd like to do is maybe if you could just take a minute, introduce yourself, and then maybe introduce Dragos to everyone please.
Kirsten Turnbull: Yeah, for sure. Thank you so much for the warm welcome, Mike.
Hey everyone. My name is Kirsten Turnbull and I'm a Principal Solutions Architect here at Dragos. I've been in cybersecurity for the last 23 years, which is pretty much, I feel like sort of the majority of the lifespan of cybersecurity.
When I first started out, firewalls were just coming out, so it was a new technology and I'm grateful that I got to grow up in this career and in this industry itself and just really proud to be working at Dragos.
Really our mission statement at Dragos is to safeguard civilization. And our founder, Rob, and the whole company, we really believe that everybody deserves the right to critical [00:03:00] infrastructure, such as clean water and power. So, we are on a mission to safeguard civilization. So, we look at securing operational environments or critical infrastructure and this could be anything from manufacturing to mining to oil and gas and energy. Those are the types of networks that we're looking to secure here at Dragos.
Mike Reeves: That's great. Thank you for that. We will spend a lot of time talking about some of these industries today and I'm just thinking in terms of the Canadian view, but if you have a broader one, please by all means, share it just because of the nature of Dragos and who you are as an organization and where you work around the world. Maybe if you don't mind sharing a macro view of what the primary issues are as it relates to critical infrastructure today.
Kirsten Turnbull: That's a great segue into, you know... And it's all, I don't wanna say a blanket [00:04:00] statement but, when we enter these different environments, obviously they're gonna look a little different based on what industry we're in. But there are some common characteristics, that we see across these environments and that's down to the basics.
So, from an architecture perspective we're looking at a lot of organizations that aren't properly segmented. So, they don't quite have their OT carved off from their IT. And so, there's holes between where their two very different networks are communicating. I think that one of the biggest challenges that we see when we go into these environments is: with critical infrastructure availability is all we care about, really, when we're going in there. We do not want to interrupt process. So, the tools that we've gotten really used to using that are effective and very powerful in IT, we can't use those tools in OT. So, the challenge becomes how do we look at this network and start trying to secure it without introducing [00:05:00] any packets to disrupt the process. A lot of that ties back, and I'll mention this throughout, Mike--I am a strong believer in the five SANS ICS Critical Controls--and I'll bring them up throughout our podcast just as to how they can help organizations. If I had to kind of do a blanket statement, I would say, we have an issue with segmentation and an issue with visibility. And I think if we were to talk about lessons learned from our IT journeys, I think it's time that we start applying those when we look at trying to secure critical infrastructure. So, taking the knowledge of how to secure corporate environments, but then pivoting and using those tools and the techniques to help get that visibility that you need to secure critical infrastructure.
And I think it's great that you asked me from a more centric Canadian opinion because I have seen organizations and networks worldwide.
And when we [00:06:00] talk about Canada, it's a challenge. Everyone globally understands just how large we are, right? We are a humongous country that does not have fiber to the door everywhere. We have this giant slab of rock up north that--I don't think there's ever gonna be fiber up there, not to crush anyone's spirits. But our issue is, we're very much a resource-based country and we're gigantic in nature. And so when we talk about those challenges, the communications is definitely one of the challenges that we do run into in Canada. So, lots of field remote sites with very basic security configurations that are ready for kind of that next phase of security controls.
Mike Reeves: And if you look at that, so a couple questions for you. One is, you talk about, and I'd love your perspective on: so you've got IT and OT security and [00:07:00] you talk to some companies and they're like, "Our strategy is we're going to bring those together--and we're gonna respect any sort of regulatory and compliance that we need to--but we want to consolidate for efficiency, for cost, whatever it may be the elements are. And maybe it is from a posture perspective or whatever. But there's vastly different cultures between IT and OT and I'm wondering if maybe you could spend a couple of minutes talking about that and compare and contrast, if you can, the cultures. But also, how much are you seeing of the consolidation or integration of the IT and the OT networks, or maybe it's just an industry that's kind of leaning more in that direction versus not.
Kirsten Turnbull: That's a great question because I have seen a change.
So, this is positive. I've been doing this for almost a decade now and [00:08:00] when I first started out in OT, there wasn't even the topic of OT/IT convergence at the time because the teams were just so separate. I was in charge of building firewalls at some of the oil and gas companies that I worked for and I just got put on a project where I happened to be building firewalls for plant sites. And that's how I started really starting to understand that there's different networks out there that I'm probably in charge of, no one's actually said it out loud, but these networks are part of a company owned network, so somebody's in charge of monitoring them.
And, back in the day, that was all done by hand. There weren't tools out there that kind of helped us map OT. And the real challenge, I think is, in these organizations, because typically the OT is considered to be more seen by the business whereas the IT team is more of the service or support that goes alongside with it. And what I've seen is this creates kind of a divide [00:09:00] between the two teams. Even though there's technical skills on both sides, they're not working towards the same goal. And so, one of the things that I've seen be successful is organizations looking internally to see who's interested in this, because there's a good chance that there's people currently working for you that would be very interested in learning more from a security perspective. And I think that's the one area that I'm seeing change and growth is that these kind of dream teams, I call them, or unicorn teams, are being created where they're subject matter experts from both sides of the house and they meet weekly to discuss sort of the threats that are in the landscape right now or architecting something to provide additional visibility. So seeing these teams collaborate, I'm getting pretty excited because I think we're finally getting to a place where we can apply the skillset, which is what I would call what the security analyst is trained to do, we can use [00:10:00] those skills in OT. And I'm starting to see a change, so positive on that front.
But I do think that they do at some point have to have conversations with each other because there's a large set of skills on the security side of the house, but there's also a large set of knowledge on the OT side of the house that needs to be transferred. Both teams have valuable information that the others will find. And I think one of the biggest things that I've seen in my travels is just that that trust has to be built. At some point, the trust was severed. And I'm smiling because I come from IT and I know why the trust was severed. Someone decided to run Nmap or Nessus in the critical infrastructure network, took out some PLCs, caused millions of dollars of damage. They have issues with how the tools work in IT and I totally understand that when their entire job is to keep everything available. So, they don't want interruptions and this is what I'm talking about is building that kind of trust foundation where both teams are working [00:11:00] for the greater good.
Mike Reeves: Yeah, I really love that commentary. Thanks for sharing that.
The question or follow on for that that I would have for you is: so based on your experience--and maybe it's part of a methodology or an approach. I know we try and do similar things with our consulting when we're talking about the theme of topic we're on right now and that is: a blueprint, an approach to try and bring the two parts of the organization together. And like I say, there's a cultural component to that because IT engineering and whether it's engineers in the utility space or oil and gas, whatever it may be, manufacturing, it's a different culture as well. And so, how do you start to create that awareness, that understanding, that alignment to build a roadmap or a plan to look at trying to create homogeny and bring the groups together? I'd [00:12:00] love to hear if you've kind of got a framework or an approach as to typically, how you would come in and try and establish that and build on that.
Kirsten Turnbull: That's a great question. So, I'm a big believer in knowledge is power. So training I find, having worked in security for as long as I have. One of the things that happens is, we tend to fall behind. And that's just because there's so much on our plates to do every day.
And so what I think is best is when everybody receives the same training and maybe it's like an intro to OT security. In fact, this is absolutely no plug towards SANS, but I did notice that they've offered a new course that's actually quite reasonable in price that covers basically ICS from the 400 level. So something that IT can take, OT can take, everybody could take this course. And I think it starts there, Mike.
It starts with knowledge. Instead of being told what you have to do, [00:13:00] why don't you understand what it is that the organization's trying to do and then figure out how you can bring your skills to help solve that problem?
Mike Reeves: I appreciate you sharing that because I know when we go in and we talk to companies, there's always this consternation or "We're not a hundred percent sure," or trepidation or, "We've tried to have discussions and we just can't get alignment there to be able to establish a plan or start to build a community to work together to be able to do this integration and build the collaboration to bring IT and OT closer together, to work together."
So, that's great. Great insight that you shared there.
And, next question I have for you, it's more about--and I think we talked about this previously, before the podcast today. You look around and it comes up in conversation all the time where you're in talking to a company and you say, [00:14:00] "Okay, how's your posture over in this part of the business?" Maybe it's on the retail side, maybe it's on the OT side, maybe it's a management, wherever it may be. And, customers have this false sense of security that, "You know what, we've got a great posture," or "You know what, that's part of our PCI and we're good." And then you find out about, you know: hacks occur, bad things happen.
I'm wondering if you could talk about that. Because there's probably a number of anecdotes or things that you see when you're out talking to customers and they think, "No, we're good here." And then when you actually start to peel some layers back, you're saying like, "You're actually, you're not good there." So let's talk about that.
Kirsten Turnbull: Yeah, I'm smiling because you've reminded me of one of the common challenges that I do run into when working with customers, especially when it comes to getting visibility in OT.
So, essentially think of it as turning the lights on in a room that's been in the dark for a [00:15:00] very long time. So, we turn the lights on. Now you can see everything and there might be 5,000 new assets that you didn't know about that were sitting in the dark room. And one of the common responses we get is that immediately management is like, "We don't have the staff to handle this amount of resources." And then I always kind of challenge and say, "Well, is the answer to turn the light back off and just pretend those devices didn't exist? Or, do we see how we can attack this problem with the mindset that, if you could leverage your internal skills or maybe this is something that you're looking to get done externally, but just acknowledging that you don't have full visibility."
We look at a lot of programs within IT and OT and I think one of the most common ones is the top 18 CIS controls or top 20 CIS controls. I always think of that one because the very first item on that list is [00:16:00] asset inventory. And as you start to go down the controls, everything that you see is really gonna be based on what is in that first point, your asset inventory. So your vulnerability management program, your patch management, everything that follows that list is gonna be based on the assets that you've identified. And if you don't understand all the assets in your environment, then all the controls that you're putting in place are really just for a subset of the assets that you have in your environment that you know about.
And so I'll stand on the hill--you know, I've been in this industry for 23 years--visibility is everything, right? Once you have the lights on, you can start making better decisions about what you're gonna do and you can validate your controls as well. But as we architect networks, much like as we architect applications and programs inside organizations, we tend to wanna put security at the end.
And this is a really good example of where, as we're building out network [00:17:00] infrastructures, we should be building out visibility. Slash, we definitely take care of redundancy when we're building networks, but why don't we have that third component of security? Why are we stapling that on at the end and then having issues with security controls working when it was never part of the blueprint in the first place?
Mike Reeves: Yeah, good. Oh, go ahead, please.
Kirsten Turnbull: I know that maybe that's a controversial statement, but as I go into all these networks, the commonality is they're lacking visibility.
Mike Reeves: To layer onto that, if you look at the customers that you're out speaking to in the marketplace, what is a good baseline? Where should a customer be at a minimum? And then is there, if you look at, I try and look at everything as a continuum. So, you have a baseline and then you're trying to move up the continuum and continue to improve and get better at things. And I'm wondering if maybe you have a perspective on that. Like what is the good [00:18:00] baseline and then what are the steps and how do you look at and what do you do to continue to grow and move up the continuum?
Kirsten Turnbull: I would say every single organization is a snowflake when it comes to its level of maturity. And I think a lot of it has to do with what you were talking about earlier, where an assumption is made that a certain posture is good. But without visibility, there was never validation, and maybe it's not as good as we think. But at Dragos we really like to just meet customers where they are in their journey.
They could be well, well advanced, and looking for custom tabletop exercises with executives, or they could just be turning the lights on. A good baseline really is, I'm always gonna go back to those SANS Controls, but like: do you have an incident response plan for OT? Like, let's maybe start there because at least we have something to put in place should an event occur. [00:19:00]
After that we look at architecture: are we architecting this for defense in depth? Again, those layers of security that we apply and really understanding the context of the environment, right? Because as soon as you turn the lights on, sure there's gonna be, maybe a thousand new assets, but there's also gonna be vulnerabilities with those assets.
And understanding the context of those vulnerabilities in the environment, and the criticality or the risk that's introduced by them, is also key. Because otherwise, we know that there's legacy systems in these environments--of course, there's gonna be vulnerability. So managing and understanding which of those vulnerabilities is critical for you to remediate now, and which of them do you never have to worry about based on the context of your environment.
Mike Reeves: Great explanation.
Kirsten Turnbull: So yeah, it could be anywhere from very, very immature. Like, "Okay, we're just gonna turn the lights on. We haven't even segmented from corp yet," to the custom tabletop [00:20:00] scenario that I was discussing with regards to bringing in executives and getting very creative.
So all different spectrums.
Mike Reeves: Two additional questions for more perspective to layer in further on that.
You mentioned executives. Usually, you've got kind of operational level folks--everyone's kind of, they're in theater day to day. Everything's palpable. They feel it, they're living it. And you try and raise this up to get more executive support to, maybe it's to address certain structural issues the customer may have or they don't have good executive sponsorship or support. Is there a way that you can help customers build a plan to take to the executive team to get more sponsorship and support to be able to have them understand where the customer is in their current state and things [00:21:00] they need to do to continue to improve that? Because IT, OT, it doesn't seem to matter. Oftentimes there's a--less so now--there's a lot of, I guess, it's more from fear executives are involved in trying to understand: hey, what's going on with cybersecurity inside our organization? But really they don't have the depth of knowledge to say, is that good or bad when they're presented with the information. So, is there kind of an information process or a way that you can help customers build a communication plan to be able to have the executive understand: here's where we are, here are the things we need to do, this is why we need capital investment--or whatever it may be--to help continue to improve things or get us to a good spot if we're not in a good spot?
Kirsten Turnbull: For sure. I think an assessment of some sort has to be done, whether it be a cybersecurity assessment, some sort of marker to say, "Here's where we're at." And then, honestly, I really am a big fan of tabletops just because they bring up situations that don't occur on the day [00:22:00] to day. And they grab the attention usually--or the results of the tabletop will grab the attention of the executives, one of the two--whether they're involved or not.
And I think that's the real process that I have seen be successful in engaging executives. Although, I will say that there's a... I don't know who's educating boards these days, but I feel like the boards are becoming quite savvy when it comes to controls versus IT and OT. So I think 10 years ago, I don't think that was maybe even discussed at the budget level that these are two separate networks that also both need to be secured. I think that that conversation has changed at the board level because I'm hearing more and more buy-in, from the board level for OT security and support. And I think that is reassuring somewhat, but I don't think it erases the challenge that you mentioned earlier: how do we bring about or bring to light [00:23:00] the posture or the concerns that there may be with a specific environment. Again, knowledge is power, and tabletops can be really valuable for these specific scenarios.
Mike Reeves: I was talking to a director of IT last week about tabletops and they're struggling to get a good level of visibility and support from the senior leadership team. And in a way, to try and expose where the organization is and try and start to build some collaboration in the organization to use tabletops as that platform--I'm sorry, I guess pun intended--to be able to get support and show where the customer is without having to make a big investment. Because a lot of people will just knee-jerk and go buy tools, where in my perspective is, if you can do tabletops, it's a very inexpensive way to really [00:24:00] start to build a culture, build the openness that you need.
There's a lot of mistakes, there's a lot of gaps, and people are kind of scared to expose themselves and share those things. And I think tabletop exercises are a good way to start, do a ground-up, fundamental build of starting to build that culture that you need and that collaboration that you need.
So, I love having this discussion around the tabletops. If you have any more comments on that, I'm happy to dive in there.
Kirsten Turnbull: I love your attitude and how I read that was, let's create a safe place to test our abilities. Because every day a security analyst goes to work, they've got worry on their shoulders because their job is to literally find a needle in a haystack every day.
And so when you have that pressure on your shoulders and you're also dealing with incidents at the same time, it can be a lot. So to have a place where you can rehearse, if you wanna call it that, what a brilliant idea because it allows [00:25:00] everybody in the room to feel comfortable. It's not the feeling of being in an incident where you've got that feeling in your tummy and you have people breathing over you. You know this isn't real. But at the same time, you're about to uncover a whole lot of things that are gonna go wrong in a real incident.
And the lovely part about it is, like you said, from a cost perspective, we're not looking at like spending millions of dollars on a new tool. We're looking at just testing our abilities. So, I'm a big fan of creating safe places like that for testing how our systems react because there is a lot of human involvement in a cyber incident. I know we'd all love to think it's just computers and bits and ones and zeros, bits, and bytes, but there's a lot of human emotion involved as well. So, I'm a big fan of empowering users to make better security choices than I am of testing users and making them maybe not feel adequate.
Another thing I think about too, when we're talking about culture is: I came [00:26:00] from Microsoft before I was at Dragos. And, in the last year, something I never thought I would see in my entire career happened. Satya, the CEO of Microsoft, decided to make security everybody's concern. So every single employee gets evaluated as part of their performance review every year, how they contributed to a more secure workforce. And so that's saying to the employee, "Now, security is also on your plate as well." And, there was a lot of pushback for sure, because a lot of people are like, "Look, I'm not, I'm not in cybersecurity." But at the end of the day, we go back to the knowledge is power. And making everyone aware, I think, creates a culture where you're not scared and it is safer. So I'm a big fan of that.
Mike Reeves: You're right. Everyone's one click away, right? So, that level of awareness is wonderful to hear about.
Just continuing on this theme in [00:27:00] terms of the landscape of the various customers and industries that you work with, do you find some industries--and you don't have to call them out specifically--but are more mature than others?
Kirsten Turnbull: I'd have to say, the more regulated ones. They tend to follow rules and they tend to have quite a bit of structure. Now, I'm not saying that that means they're all not insecure. Just when you have regulations, you at least have a measure to move towards. Whereas, I feel in other industries, the lack of regulation is sort of why we're all employed here is because it's sort of everybody does what they want and so it's way more fragmented.
I will say they all have their unique challenges. One thing that we're seeing a lot of... And if anyone's paying attention, we're seeing a ton of ransomware towards [00:28:00] manufacturers, and I think that has to do a lot with the segmentation that I talked about earlier. Just having the network segmented better. But it's also opportunistic, right? Hackers are going to go where they can likely get paid. And so what they've been noticing, a trend in the history, is that manufacturers of goods that are critical tend to pay out quickly. So, that is why I think we're seeing an uptick, it's just opportunistic at this point. And disrupting the supply chain usually is kind of a critical event. And so, if they're looking to make a payday, they're probably more likely to get it from something that everybody needs.
And unfortunately, I think you could be very, very well segmented. I think you could be very mature in your journey. If you're a target at the end of the day by attackers, I think you're gonna have to [00:29:00] get ready. That's because if they've decided that you're their target, then you're gonna wanna make sure that you have your layers of defense ready.
Mike Reeves: And I assume from a manufacturing perspective, because that's kind of where my mind was going when I asked the question, there's so much modernization of manufacturing lines, distribution and warehousing, kind of that whole supply chain through a manufacturer and there's a lot of automation quickly being brought into manufacturing. And, to your point, I'm assuming one of the issues that they have there is they just don't have enough time to be able to do the security reviews and look at the new infrastructure they're putting in place and build that plan out properly to make it as robust as possible to be able to support it from a cybersecurity posture perspective.
Kirsten Turnbull: Yeah, just the rapid [00:30:00] digitalization, I think, of manufacturing where everything was serial, right? Now, everything has an IP address and that is compounding the problem. So, we're advancing technology, which is exactly where we wanna be. But at the same time, we're also increasing our attack surface while we're advancing our technology because we're adding devices that now need to be routable. And in that case, I see the challenge of keeping up with that. So yeah, not only are you modernizing your technologies, but there's security concerns coming out.
There are issues that we didn't deal with four years ago that we're dealing with today. And so, being able to kind of predict what does the future look like for this plant, in terms of capacity, but also trying to understand from that perspective. So again, I always say standing on that hill of visibility, like get visibility. You're not gonna regret it because it allows you to make better decisions at the end of the day. And I think there was one thing I wanted to add to [00:31:00] that. Just in the expansion--so, seeing all those vulnerabilities. I know we touched on it just a little bit ago, but one of the things that keeps me awake at night isn't the vulnerabilities, it's not the known ones. I am way more worried about the unknown ones.
So, show me a screen, show me your dashboard with all the known vulnerabilities in an OT environment and I'm, "Yeah, that's, that's okay." But I'm really much more focused on the attacker that's gonna be inside of this network that wants to do something bad. Because their skillset isn't going to be that of like a low-level script kiddie, right? They're not gonna make a lot of noise. They're gonna try to go undetected. So, those are the kinds of things that keep me up from an OT perspective.
Mike Reeves: It's so true, it's so true. I appreciate you sharing that.
I'm gonna change gears a little bit here and move back to the theme of, [00:32:00] as you just said, like everything's getting an IP address now. And networks are way more diverse and way different than they've ever been and they continue to move that way. And AI is certainly nurturing and facilitating scale of everything. You look at the people factor, because everyone's always resource constrained, whether it's financial, but it's clearly a lot lately about people and having the right skills.
And then you look at cybersecurity and there's a dearth there. I'd love to hear your commentary in terms of people. But also people from the perspective of, and one of the things we try and do with customers is really help them build plans around striving toward automation and bringing automation to the table. Because there's great leverage there. And now you throw AI in there and you have another order of magnitude of ability if you can bring that in and introduce it properly [00:33:00] into your cybersecurity posture and how you're doing your analysis and managing things.
And so, if you don't mind, talk about that for a little bit. And we talked about it specifically when you and I chatted earlier. It was about, people and fatigue. So there's a lot to kind of dig into there. And I think that'll be our final segue or discussion for today. I'll pause and let you chat about it.
Kirsten Turnbull: Yeah, I was thinking back to this quote that I read where it says, "I don't want AI to do..." I wish I had it set out. I think where we're gonna see the greatest benefits, and I did get to see this when I was at Microsoft last year, in the ability to use AI as an assistant to free you up to do the stuff that you enjoy doing at work. And I'll take the security analyst role, just since I know it so well, and let's apply that kind of mentality.
So, I'm in a day-to-day job where I have certain activities that I have to do every day that are [00:34:00] extremely boring and extremely manual and don't require my human brain whatsoever. It's just a function that I have to do. That is what I want to pass off to my Copilot, to my AI assistant. I want to be able to focus on the things that require my critical thinking abilities, and I wanna be able to offload all the crunching and the sifting. I always think of it like panning for gold. So the sifting through all the ones and zeros to find the needle, I wanna offload as much as that to AI.
There's parts of an analyst job that take up a whole lot of time that are completely brain numbing. Those are what we need AI for at this current juncture. I think it's really important to understand that there will never be a day where AI can take over the human aspect of comprehension when it comes [00:35:00] to looking at logs, right? So I know I brought up context before. I see AI really kind of coming in, I don't see it replacing security analysts, I see it augmenting the team so that the analysts can become better faster. Because now they don't have to do these long tasks that take hours at a time and are not interesting or creative to them.
Anyone who's been in security analyst roles knows that what I'm saying is true. Not all of it is exciting. There are exciting parts, but there's also a lot of manual, sifting is the right word, sifting that has to take place. And this is where I see AI really coming in to augment, to help.
But replacing? I don't think we're anywhere close to that yet but what I do definitely think is that we have a grunt on the team that you could tell to do the worst jobs [00:36:00] and not feel bad because they're not a human and they're not going to resent you for giving them that job that you hate doing.
So taking things off of your plate to make you a better analyst is where I see AI really empowering teams. I don't see it replacing, especially in security, just given all of the context that we have to take into account when we're analyzing data. I just don't know how we could replace that quite yet.
I'll pause there, Mike, because I'm very curious.
Mike Reeves: I would agree. It's a tool. It's there to help, to augment. And to your point, it's like let's get the mundane low-value tasks off people's plates and let them focus on higher value work. There's no shortage of things to do.
And again, if you look at it from a cybersecurity perspective and analyst burnout, if you can do things that are going to take a lot of that burden off their plate and make them feel better about their work, their job, [00:37:00] and higher value tasks, and evolving their skillset rather than the keep the lights on approach that always seems to be the case that really causes the burnout in people. I see great opportunity and it's very exciting to consider what that looks like in the future. And, I kind of look at that, again, as we're getting to the end of our time here and what you folks do at Dragos and how you provide value in that equation.
Since we're here and we're talking analysts and you're talking about how we're leveraging technology, maybe let's take a minute and let's do an advertisement for Dragos here and how you help customers. I'd really like to unpack that because it's pretty powerful.
Kirsten Turnbull: Yeah, for sure. So, I know I mentioned this earlier but we'll meet customers where they are in their journey. They could be at the very beginning, they could be halfway through. We are really specialized in OT security, so south of the firewall is where we play [00:38:00] and we have a variety of teams that are very eager to help customers in their journey.
So, whether it's from a services perspective, you wanna do a tabletop or some type of an assessment. Maybe you're interested in platform and you wanna see what that looks like in your environment. Maybe you're ready to create the OT-enabled SOC and you want to start ingesting your OT data into your IT SIEM. These are all conversations we have all the time with customers and this is something that is part of our mission for safeguarding civilization.
This is exactly what we're looking for, especially when it comes to customers that aren't sure where to start. This is exactly what we do. And, I think that, we're gonna see AI play into this, as you said, as really an enabler, an augmenter. [00:39:00]
I always hesitate to talk about automation in OT from a security perspective because it sounds a lot crazier than it is. But the kind of automation I'm talking about is awareness and visibility. So leveraging tools within your ecosystem, like Microsoft Teams, to act upon an event that happens in OT. Say a new device was plugged into the network, you could have Teams send a message to the site plant supervisor saying, "Hey, a new device was added to the network."
All of this happened in a time span of 30 seconds. But that awareness and that visibility is now available to those guys at the ground level. And this is definitely an area that I think we're gonna see grow, is starting to leverage tool sets in our environments to distribute the information so that everyone's more aware.
Mike Reeves: That was a great summary and I just wanna put a fine point on the level of knowledge and maturity that Dragos has to be able to support [00:40:00] customers around critical infrastructure. Because a lot of customers try and they do a roll your own, build your own. How you can come in and provide assistance and help them, it's orders of magnitude of greatness that you can offer. So, I appreciate you sharing that summary today and I'd love to have a follow on podcast with you maybe just get more into a technical discussion. This was a much higher level discussion, but I wanted to use it to set the stage for future discussions.
I really appreciate you taking the time to join me here on the podcast today. I enjoyed the discussion and learned a lot as well. I look forward to having you back on a future session. If there's any way you want to leave with a message or contact, whatever you feel is best, I'll give you an opportunity to do that right now.
And before we finish there, I'll just say thanks so much again for coming on the podcast today, Kirsten.
Kirsten Turnbull: Mike, thank you so much for inviting me. I really appreciate our chat and I will absolutely hit you up on a [00:41:00] second offer.
If you're looking to reach out to Dragos, we're obviously in Canada. We are a United States based company, but we're global. I'm on LinkedIn, reach out to MOBIA as well as they're a trusted partner of ours and I can't say thank you enough, Mike. I really appreciated that.
Mike Reeves: Thanks for your time today. Take care.
Thank you for listening to Solving for Change. If you enjoyed this episode, leave us a rating and review on your favorite podcast service.
Join us for our next episode. Thanks very much.
About our hosts
Mike Reeves is President at MOBIA Technology Innovations where he leads the evolution of the company’s core services and go-to-market strategy. Building on 20 years of experience working with early-stage technology companies to develop their strategies, raise capital, and be acquired successfully, Mike is passionate about helping enterprises execute complex business transformations that support growth. His dedication to supporting leaders in leveraging technology to create competitive advantage inspired the vision for this podcast.