Dec. 1, 2025

#548 AI, Threats, and the New Cyber Resilience Playbook With Gerald Beuchelt & Subu Rao

In this conversation, Mehmet is joined by Gerald Beuchelt and Subu Rao, two cybersecurity leaders from Acronis, to unpack the evolving threat landscape, the rise of AI in both offense and defense, and why cyber resilience has become a board-level priority.

They break down what CISOs need to know, how MSPs can create new value, and what frameworks actually work in the real world. If you want a clear and practical blueprint for building resilience, this episode is for you.

 

👤 About the Guests

Gerald Beuchelt

Chief Information Security Officer at Acronis, with more than 14 years of experience securing global environments across multiple industries. Gerald leads cybersecurity, IT infrastructure, and corporate security strategy, with deep knowledge in AI-driven defense, risk management, and enterprise resilience.

https://www.linkedin.com/in/beuchelt/

Subu Rao

Senior Manager of Cybersecurity Solutions Strategy at Acronis, focused on cyber resilience for MSPs and mid-market organizations. Subu brings over 15 years of experience in identity security, cloud security, and resilience engineering across global security vendors.

https://www.linkedin.com/in/raos/

https://www.acronis.com/en/

 

💡 Key Takeaways

• Cyber resilience and cybersecurity are not the same. One focuses on protection, the other on recovery and adaptation.

• AI is already used by attackers and defenders. Ignoring it increases risk.

• MSPs have a major opportunity to monetize resilience, not just protection.

• Most breaches still start with basic failures like weak passwords and unpatched systems.

• Boards do not want CVE numbers. They want business risk in plain language.

• The right balance between risk appetite and risk tolerance shapes the entire security program.

• Backups alone are not enough. Tested, measurable recovery plans are essential.

• Availability is often the forgotten piece of the CIA triad.

🎧 What Listeners Will Learn

• The current global threat landscape

• How AI is changing cyber offense and defense

• The difference between cybersecurity and cyber resilience

• What MSPs should do today to serve customers better

• How CISOs can communicate risk to non-technical boards

• Practical frameworks for resilience and business continuity

• Why regional exposure influences risk strategy

• The most common mistakes companies still make in 2025

⏱️ Episode Highlights & Timestamps

00:00 Introduction and welcome

01:00 Meet Gerald and Subu

04:00 The real state of cyber threats today

05:30 Why basic hygiene failures still cause most breaches

08:30 How attackers are using AI

10:00 The future of automated SOCs

12:00 Are threat patterns different by geography

15:00 Why every company is a target

16:00 Cybersecurity vs cyber resilience explained in simple terms

18:00 How to build resilience without enterprise budgets

21:00 MSPs and the opportunity to lead resilience consulting

24:30 Understanding crown jewels and business impact

26:00 How Acronis-style failover models change the game

29:00 Where boards should start with security frameworks

32:00 Risk appetite vs risk tolerance

36:00 Why security cannot decide in isolation

40:00 Compliance, mandates, and real world frameworks

45:00 How MSPs can craft resilience offerings

48:00 Final advice for CISOs and MSPs

51:00 Closing thoughts and wrap up

[00:00:00]

Mehmet: Hello and welcome back to an episode of the CTO Show with Mehmet. Today I'm very pleased to have joining me two guests. Uh, and this is, you know, one of the moments that I usually like to have on the podcast. So I have with me the team from Acronis, I have Gerald Beuchelt [00:01:00] and I have Subu Rao. And, um, as the audience knows, I don't like to spend much time on the intros.

I keep it to my guests quickly. Gerald, a little bit about you, you know, your journey and what you're currently up to, and then I'll move to you, Subu. So by the way, it's his second time with me on the podcast, so we'll come back, Subu. So Gerald, I'll start with you.

Gerald: Thank you so much, Mehmet. Thanks for having me. I really appreciate this.

My name is Gerald Beuchelt, like, I am the Chief Information Security Officer for Acronis. I joined the company earlier this year. It's like, uh, actually at the beginning of the year. Um, taking ownership of the overall, um, security as well as corporate IT, um, responsibilities at the company. I've been doing this CISO role for, oh my gosh, it's like close to, close to 14 years at this point in time in, uh, various kinds of companies.

Um, it's been, uh, a pleasure and an honor, it's like, to be called to, uh, serve at Acronis. I think what's very interesting about what we're doing here [00:02:00] is that it's, uh, very close to security. It's like what we're doing is very close to, uh, what, what I'm generally interested in. So from that perspective, it's wonderful to, uh, to be able to work with, uh, such a, uh, great crowd of people and a wonderful ecosystem to really look at how we can bring, uh, security, um, availability, backup, disaster recoverability, et cetera, et cetera, to everyone. It's like, 'cause if you look at this, uh, in the past it's been very, um, much a difficult enterprise, and I, what I loved really about Acronis and coming here is to see that, uh, we, we have a mission to bring this to, to everybody and democratize it.

Mehmet: Great. Great. And thank you again, Gerald, for being here today. So you've been here before, but you know, tell us what you're currently doing at Acronis. 

Subu: Sure, yeah. Thank you for having me. And, uh, yes, we have, um, spoken before and, um, you know, as you, um, have already captured some of my history in the previous episodes.

I've got round about 15 years [00:03:00] of, uh, cybersecurity experience and, uh, similar to Gerald, I joined Acronis this year and it's an absolutely fantastic company. It's gone so quickly and, uh, they have a, a nice breadth of portfolio with regards to cybersecurity, data protection, and a very interesting proposition.

Uh, and it's, uh, refreshing in a sense that I used to work for, uh, sort of cloud security and, um, identity security providers. But this is more catering towards the MSP world. Uh, it's a different line of business, but a very interesting proposition. A much needed one. So yeah, happy to be here. And with regards to my role in Acronis, I am, um, a senior manager doing cybersecurity solutions strategy, uh, especially focusing on cyber resilience.

Mehmet: Great, and welcome again, Subu. And you know, thank you very much for being here with us today. Now, um, you know, the way I love to do it, you know, is to frame things right. So, uh, [00:04:00] and you know, go see the, sometimes they call it the bird's-eye view, sometimes they call it the 30,000-feet view, whatever you want to call it. So the big picture, Gerald, like, I'll start with you. From a pure perspective as a CISO, right? So we hear a lot. There's, it's, it's a hot topic as we know. Um, so what does the threat landscape look like today? We, we hear that a lot. And what do you think businesses are struggling with? And as a CISO, what do you think, like fellow CISOs in companies? Mm-hmm. Uh, you know, they, what, what's keeping them awake at night, I would say?

Gerald: Oh, there are so many things. It's like, I don't even know where to start. Um, so I think the, the general threat landscape is, is, uh, obviously evolving, but it's, uh, at the same time, it's not. There, there is no revolutionary change, uh, that, that we're currently seeing in, in many ways. Um, it, it obviously always depends a little bit on the company, on your company.

It [00:05:00] depends a little bit on your, uh, vertical, on your geography. It's like what specific threats you're facing. And, uh, it's one of the things we're, we're trying to make very clear in our cyber threat reports, which I really would recommend people take a look at. Um, it's like where, where we really break it down by region, by, um, by, uh, geography and by, by other things. Um, how the various types of threats that we are seeing on the internet are actually, um, working against, um, uh, work, working against regular industries, against all of us. Um, when we look around, it's like particularly in the, uh, um, small and medium business space, it's like, I think ransomware is one of those kinds of like things that has been top of mind for pretty much everybody.

Now, because it's, uh, becoming the standard kind of way of delivering malware and then executing, uh, payloads on, uh, um, on, on, on victim systems in order to, to effect, um, [00:06:00] crime. It's like, um, which is, includes, uh, theft of, uh, data, theft of information, theft of, uh, um, it's like monies, et cetera, et cetera. So, um, what should be really on top of mind for everyone at this point in time is to ensure that we, uh, get the basics right first.

Because even if you look around today, it's like you still see so many situations where, um, the initial access, the initial vector of entering into a particular type of, uh, environment comes from, uh, avoidable mistakes. This is unpatched systems. This is very weak passwords, reused passwords. Um, we've recently seen the Louvre, uh, um, uh, yeah, issue, it's like where they had Louvre as a password, just like at least some time ago.

Uh, we've published, uh, ourselves the Sidewinder attack, which was a nation state, a nation-state-level attack against other nation states, uh, which [00:07:00] exploited a vulnerability that was more than, uh, eight years old. So, um, as you can imagine, it's like if you have issues with, uh, keeping systems alive, keeping, uh, um, uh, it's like keeping systems patched and up to date.

Both from a, uh, um, patching perspective as well as from a configuration perspective, you're really opening yourselves up to, uh, to issues. There are other things that are really important. It's like, uh, if you look around, just like, then, um, social engineering, um, without initial exploitation of, uh, vulnerabilities, is still one of the number one concerns and, um, while we do have various types of solutions to protect ourselves against email threats and others, it's like at the end of the day, it's like, it is really, really important to ensure that, um, we also enable the human in the loop, it's like, to be as proactive as possible. There's this horrible adage that I really abhor, which is like, uh, your [00:08:00] employees or your humans are the weakest link in the chain.

It's like, and I totally disagree with that. Untrained humans and, uh, uninformed humans are definitely a weak link. That, uh, is, is a huge concern. But if you have a, uh, um, an employee base, a user base that is, uh, uh, getting regular security awareness training, who are alert and who are participating actively in trying to find issues, then that's probably one of your best defenses.

Mehmet: Great. So, anything you want to add on this? Because I have a follow-up question to Gerald. No, please go on. Sure. Now, Gerald, like you, you mentioned a bunch of things, which make a lot of sense, and it looks like things are getting complicated by the day. So, um, like for example, AI, right? So, so are, are you seeing it like as, as more risk or opportunity?

What, what's your point of view? 

Gerald: Well, AI in reality is, is here, right? It's like, and it has been here [00:09:00] for a while. It's like we've been already starting to see that, um, that the adversaries, like, uh, the criminals, have been using AI very successfully in, uh, creating new malware, creating, uh, um, uh, spear-phishing attacks at scale, et cetera, et cetera.

So it's like, uh, it's like ignoring, ignoring, uh, AI happens at your own peril. What I do think is that we have, in IT in general and in, uh, security in particular, a great opportunity right now to really start going above and beyond the basic, uh, tasks that we have been fighting with on a daily basis. I was talking about routine tasks, right?

Such as, uh, patching, et cetera, et cetera. It's like, uh, vulnerability, uh, assessments, vulnerability scan assessments, et cetera, and those kinds of things. Those are sometimes very, uh, labor-intensive tasks. They require specialized, uh, knowledge. They require people to, um, go in and, um, [00:10:00] and, uh, it's like scan large amounts of data, all of which can be done much more efficiently with appropriately trained agents.

One of the things we really believe at Acronis and what we're building out right now is a comprehensive, uh, um, uh, system, which really leverages, uh, our long experience in AI, in such a way that we are putting together agents, that we're putting together, um, everything that is needed in order to further and further automate the SOC. At the end of the day, it's like, uh, the, the, the goal promised by probably everybody in the industry at this point in time is you'll have a fully autonomous SOC.

It's like, I don't know really whether I want to have a fully autonomous SOC. There are certainly some situations where, um, uh, a, um, a fully automated AI agent could be and should be acting independently of, uh, human interactions. It's like there are scripts, there, excuse me, there are, um, situations where, where it's like it becomes very [00:11:00] clear that certain act-, uh, actions need to be applied, but then there are others which are not, which are higher risk.

And it's like, um, I think the, the, uh, um, the goal for making AI as useful as possible and as productive as possible is finding the right, uh, balance: on the one side, automating and, uh, um, um, just like, just like relying on, uh, AI capabilities as much as possible, but at the same time, making sure that the, uh, risk implications are still being assessed by someone who's ultimately responsible for it.

'Cause, um, you cannot sue an AI, at least not yet. And it's like, I think that's really where, what it comes down to.

Mehmet: Right. You mentioned also, Gerald, something about, on the threat side, uh, cyber, state, uh, you know, espionage, you know, all the things from your perspective. And this is really a, a question that sometimes, you know, I think people, they think like only these certain regions, they will be, you know, we are living, let's say, in, in X region.

So we [00:12:00] don't have to care, because why would these guys even think about attacking us, right? In your opinion, is there a difference in geography, or is it like the same globally, as in the US, as in Europe, as in the Middle East, where I am based, as in APAC? What can you tell us about this, these regional nuances, if there are any?

Gerald: Well, there, there are certainly differences by region, right? It's like, um, Western industrialized countries like, uh, the US or, um, like Europe have, um, fairly interesting and juicy targets, uh, from an industry perspective, from a, uh, uh, capital perspective, et cetera, et cetera. So there, there's definitely, uh, a huge interest in being able to, to execute, uh, attacks against those kinds of, like, targets.

At the same time, it's like, I would argue that, uh, especially those kinds of countries have, over the last couple of years, significantly improved cyber defenses across the board. Uh, that doesn't mean that every company is, uh, there, but it's like [00:13:00] there's definitely a, uh, a significant, uh, an increase in awareness around security-related topics, uh, various regulations both in the US as well as, uh, in, in Europe have contributed to that. There are actually now situations where you are required by law or regulation to provide, uh, uh, or to, to maintain a certain level of, uh, uh, security and report on that. So, so those kinds of, like, activities have really hardened those kinds of targets considerably.

Leaving some of the, uh, other regions in the world less well defended, and now we all know it's like that, uh, um, it's, it's, uh, you, you cannot have perfect security, but it's usually good enough to have a level of security that, uh, allows you to be better than others. If it's really, really hard to break into, um, the house on the right side of the street and the house on the left side of the street is, like, halfway open, it is like, has, has unsecured windows, guess what the, uh, uh, burglar is [00:14:00] gonna do? It's like he's gonna go to the house on the left side of the street, even if there's not quite as much money in there.

Sorry, if it looks smaller. So, um, I would say that everyone who is, uh, who, uh, who owns information systems in some form or another, everyone who has data, has something that is valuable and that can be exploited for further attacks or for other activities. Um, we've seen large botnets built out of, uh, uh, home routers.

Those are not high-value targets by themselves, but at the same time, it's like they're valuable tools for a cybercriminal to build a botnet. And then, it's like, ultimately rent this out. Um, often enough, uh, what comes along with an exploit like that is also a compromise of the local machine.

This may include credential stealing. Uh, this may include access to sensitive, uh, uh, accounts from, from individuals. So it's like the, the notion that, it's like, you're, you're not really affected by it because you're in a different region or in a different, uh, vertical doesn't really apply. It's [00:15:00] like there is, unfortunately, for every type of target, there is a criminal out there who's interested in you.

Mehmet: Absolutely. A hundred percent. Yeah. Like, uh, and you know, this, uh, analogy that you just made, uh, Gerald, makes a lot of sense. Like if you keep something open, so you, you're literally inviting people to come and break in. Now, in technology in general, and I think in cybersecurity in general, terms get used and people start to mix things up. And I'm talking here about cyber resilience, which people sometimes think is cybersecurity. Now, from the expert yourself, Gerald, I would like to hear, you know, your breakdown of these two terms and why they are not the same.

Gerald: Oh boy. It's like opinions, opinions divide, I would say. It's like, it's, uh, it's basically one of those areas where you really, uh, have, have, um, sometimes [00:16:00] marketeers, sometimes, uh, it's like, uh, thought leaders, sometimes just people, it's like, coming up with ideas and, it's like, then, uh, popularizing them whether they make a lot of sense or not. I, I, I wanna give you just a, a personal, um, way of, like, how I think about those things.

Mehmet: Sure.

Gerald: It's like cybersecurity really, uh, describes a discipline of, uh, security that is particularly involved with the information domain, right? So it's like we're, we're, we're applying security principles which date back to basically ancient times. It's like in terms of defense in depth, in terms of, uh, uh, various other, uh, kinds of things, just like that, uh, that are relevant, such as people, process, and, uh, uh, organ-, uh, technology. So, um, all of those, um, principles that we have learned from various types of security, uh, setups, such as military security and otherwise, are being applied to the, uh, information domain, which is separate from [00:17:00] the regular world that we have around us.

The how that gets done and how that gets optimized with the kinds of technologies that we deploy in the information domain, that is what I would call cybersecurity. So it's like that is really the application of the security principle, of long-established principles, uh, into the, into the information domain.

Cyber resilience is a term that has become popular, it's like, and what I typically associate with that, and I'm sure I will have many detractors, uh, as I say this, uh, but it's, um, to me essentially the ability to fight through. So it's like, let's say you are under attack. Let's say there is an incident that is unfolding in some form or another in your, uh, environment.

If you have built a program that implements solid cybersecurity principles, you should be able to have a high degree of cyber resilience during those attacks by employing multiple layers of defense, by [00:18:00] having redundant systems, by having the ability to recover very quickly in case a system gets degraded or, um, destroyed, uh, during an attack.

So I think the, the, um, dis-, call it a discipline or call it the principles of cyber resilience, would really look a little bit more aggressively at mitigating, or, like, having appropriate plans in place to mitigate the impact of an event, post-event. Does that make sense?

Mehmet: Absolutely makes sense. And I, you know, again, when you know, the, your, your definition of resiliency made a lot more sense to me because, uh, you know, again, like when, when, if you are, and cyber, cyber attacks act like war, right?

So if you are, you know, uh, you know, fighting in, in the battlefield, so the resilience is like how you go through that attack, right? And how far you can stand there. Now, Subu, the question for you, and, uh, you know, I, I know like you work closely with, uh, [00:19:00] with your, uh, channel, like your partners and the MSPs.

Um, what, what's your take on, on cyber resilience and how you're seeing that resonating with, uh, uh, MSPs managed service providers and enterprises alike? 

Subu: Yeah, sure. Um, like Gerald mentioned earlier, the way I would sort of split cybersecurity and cyber resilience is as two equal halves. So everything that you do up until an incident would all be cybersecurity.

So that will be detect, uh, protect, mitigate an incident; that will be cybersecurity measures. And anything that you would do from an incident onwards, so let's assume the inevitable happens, the incident happens, or the attack happens, how do you respond, recover, and adapt? So that would all be cyber resilience.

And with regards to MSPs, um, it gives them a very unique, um, sort of, um, target area to sell their business. Um, if you think [00:20:00] about it, five seconds of downtime for a finance or a, um, or, or, or a, um, healthcare industry is not the same as five seconds of downtime for a logistics company. So service continuity and business continuity are extremely important for these businesses.

And what MSPs have started doing is not just monetizing the cybersecurity, uh, portion of things, which is to fortify the environment, work on cloud security, work on perimeter security, user security, device security, but also monetizing the resilience bit. So if the inevitable happens, how quickly can you bring, bring them back to normalcy?

So that's where I see, uh, the two sides of, uh, monetization techniques that MSPs are using at the moment. Uh, and again, like you mentioned earlier, it also depends on the exposure factor, which is literally the geography, right? So the exposure factor for downtime in Japan is [00:21:00] maybe you are more prone to earthquakes, right?

The one in the US, maybe you're more prone to hurricanes and tornadoes. Or if you want to avoid, um, blackouts, you might wanna avoid South Africa. So these are the exposure factors. So what MSPs have started doing is just, um, going through these exposure factors, uh, looking at risk assessment strategies: how prone are you to this risk, and what is your response strategy?

And then doing business impact analysis. So let's say if you're down for five seconds, how do we quantify that? What does it mean both in, um, tangible, uh, sort of monetary loss as well as intangible brand reputation loss? So all of this combined could be a consultative, sort of auditory package that MSPs have started leveraging, which used to be, um, an offering from the large consulting companies like MBB, but even MSPs now, they've set up their small sort of lifestyle businesses wherein they do this auditory service.

And, um, for this, you don't need a SOC, you don't need a technical team. You [00:22:00] just need the wisdom and, uh, uh, the knowledge to perform this.

Mehmet: Right. Talking about MSPs, and Gerald, this question is for you, so like if I want to flip the question a little bit. So what do you think, uh, you know, organizations are falling short on today, and what, uh, you know, managed service providers can do to address these, uh, short-, uh, shortcomings, in your opinion?

Gerald: So, so this is specifically for cyber resilience? Yes. For, for cyber resilience. I think, uh, uh, one of the key elements, and, uh, um, Subu was already mentioning that, is like, is to have a good understanding of, uh, your own processes, of the crown jewels that you employ in those processes and, um, what the impact of losing them would look like.

So basically business impact analysis. It's like, this is, if you look at this from a theoretical perspective, a very complex, [00:23:00] difficult, uh, uh, um, exercise. This is not easy. Doing a full business, uh, impact analysis, doing a full crown jewel analysis of, of your environments takes a lot of effort, is usually very expensive and, uh, um, time-consuming, but that's not really necessary.

I think what's really important, uh, for, for, for businesses that do not necessarily have the, uh, capacity of, uh, hiring large consultancy, consultant firms and implementing multi-, uh, month projects around this, is to really understand and realize what is ultimately important in their day-to-day operations.

Right? It's like what systems, what, uh, um, processes are critical for executing the mission or executing, uh, the, the, the, the, the business, uh, um, goals. And it's like, um, that is typically something that a, uh, um, a, uh, head of IT or a, uh, good, uh, partner manager from, from a, from an, uh, MSP [00:24:00] will be able to, to answer.

Once you have an understanding of what those things are, you really need to start thinking about, it's like, what would happen if I lose this, or if it gets degraded, or if you, if, if it gets completely destroyed. At that point in time, it really, um, then turns, uh, the, the business impact analysis turns into, uh, disaster recovery, uh, planning or business continuity planning.

If it's more comprehensive and, uh, goes into what do we need to do in order to be able to, um, have those kinds of services that we identified as absolutely business-critical back up and running as quickly as possible. And what, what is it gonna cost us? So it's like really, it's like defining for yourselves the, uh, uh, recovery time objective, recovery point objective, uh, of those kinds of, like, uh, um, respective processes and systems.

And then starting to implement this, uh, accordingly. What we offer from Acronis is a couple of really helpful and useful tools. We obviously have our various kinds of, like, [00:25:00] backup and restore capabilities. I want to emphasize this here. It's like, uh, restoration should be part of every backup, uh, product. We are testing this on a regular basis and, it's like, I would also recommend everyone else test this.

It's not guaranteed. It's like, so it's like, make sure that you have the exercises in place to really validate that you can restore your backups, but, um, in, in, in the case of really time-critical systems, it's like a simple restore may not be sufficient. So it's like, you would really have to have some disaster recovery, uh, capabilities, and I think that, again, is something that, uh, we, we can offer from Acronis in a very nice way, where we do offer recovery from catastrophic failures into, uh, cloud-based kinds of, like, operations on a, on a, on, on, on short notice, allowing customers to really have restoration times of, depending on the size of the system, of course, like an hour or less in order to be able to get back up and running quickly.

[00:26:00] And I think that is really, that really understanding, it's like, number one, understanding what it is that you need, and then number two, having the, um, the correct kind of, uh, tools in place in order to drive this, is really what makes, makes this, makes the difference.

Mehmet: Absolutely, a hundred percent. I agree with you, Gerald, like, you know, uh, especially I can claim, you know, uh, also the, the, uh, the, their business, uh, model also, and, you know, the, the way they, they try to target, you know, the, the, uh, their, their customers also as well. But this is, I want to ask maybe Subu here, because you work with MSPs also a lot, what do you think, you know, is one of the main things that they can start doing today, um, regarding, you know, what, what Gerald has mentioned, and also like, uh, uh, some opportunities maybe they have?

Subu: Sure. So the one thing, like Gerald mentioned earlier, would be data and asset classification. 'Cause not every piece of data, every piece of asset would [00:27:00] require equal sets of, um, security measures. So if you look at data and asset classification, it goes all the way from private, sensitive, confidential, top secret, public, proprietary.

So there are lots of different kinds of data. So what MSPs can do is start working with their end customers to understand, you know, what's the level of security that's required for each of these classifications. And then go through the business impact analysis, and then go through the risk assessment, and then look at their security measures, and then do some sort of a gap analysis to say, look, this is your current state.

This is your desired state, and what's the delta between these two? How do we move from your current state to a desired, more secure security posture? So that is another thing that MSPs could do quite easily without, um, a lot of security muscle power or knowledge. Um, but the other thing that I would also say is, um, now we've got AI.

And it's opened up a huge market. [00:28:00] So like, um, Gerald mentioned earlier, uh, Acronis, um, is open to AI agents. So we already have our MCP server, which is the communication protocol which enables agents to speak to Acronis. So that's made available for MSPs to sort of create and craft their own agents to interface with us, to talk with Acronis, and build their own, um, sort of agent AI toolkit.

So it gives them a, um, a chance, uh, a market that is still, um, untapped, I would say, at least to a certain degree. So there is this early-mover advantage, and I would encourage MSPs to look into this area.

Mehmet: Great. Now, Gerald, I'm gonna put you in a position. Imagine you joined, uh, a, a board, right? And, um, you are, you're advising them, right?

Um, so where do you think they should start with the whole best practices and frameworks that they should implement in their organization? [00:29:00] 

Gerald: Well, it depends, as always. Right? So it's like, it's, um, there is no singular blueprint, there is no singular silver bullet or whatever you wanna call it. It's like, oh, it's like I do those three steps and then, uh, I'm done, mm-hmm, with, um, with my security program. I think what's really, really important is to understand the overall objectives of the business and how security fits into this, right? It's like, um, generally speaking, most modern companies do rely in significant ways on, uh, their IT systems, on their information technology systems.

So protecting those is gonna be very critical. But, um, there's a huge difference in terms of, uh, your sensitivity to this. If you are a, I don't know, it's like a, a corner shop that is, uh, operating a cash register and some, some back-office software versus, um, a, um, say, an, an attorney's office [00:30:00] versus a medical facility that actually has, uh, maybe even, uh, OT environments on premise that, uh, are serving patients.

So really understanding your, um, risk tolerance and your risk appetite, which you also should have in order to make sure that you can grow your business. Um, so, and understanding that corridor between risk, risk, uh, uh, tolerance on the one side and risk appetite on the other side, is probably the first step to, uh, to really, um, come to terms with how you should start.

The second step is obviously then, it's like, as you, as I was saying, it's like you may be operating in regulated industries such as healthcare, so understanding what the legal framework looks like. Do you have specific obligations? Um, many companies, almost all companies I would argue, uh, are doing some form of business with Europe, and as such have already, uh, obligations under GDPR and other European, um, regulations.

Uh, similar things are true for other parts of the world. With, with [00:31:00] respect to doing business with them and, uh, um, the applicable law. So understanding the regulatory environment and how that already affects what you need to do is very critical as well. And once you have those two things in place, the, um, your, your, your risk, uh, uh, profile

on the one side as well as the regulatory requirements on the other side, you can start putting together a plan in terms of like how to implement this. By then, it's like you already know, uh, roughly what kind of, uh, controls you need to put in place. What kind of things, 'cause there are tons of frameworks out there.

I'm not advocating right now for the cybersecurity framework per se, or ISO or any of the other ones. It's like all of those, uh, frameworks have their place and that, uh, um, their, their time; they are, they tend to be very useful for making sure that you're not forgetting something. But, uh, I also wanna warn people, it's like, not to start with a compliance framework, but instead start with the [00:32:00]

notion of, it's like, how can I build a secure system? The compliance frameworks are gonna be extremely useful to make sure that you're not forgetting something. But if you just go line by line in a compliance, uh, environment and like tick off the box. Oh yeah. It's like I installed antivirus. Alright, I'm done.

Oh yeah. I installed a backup, uh, uh, piece of software. Okay, I'm done. Ultimately, it's like they're not gonna do you any good. So it's like the goal here really is to start thinking about your environment. Start thinking about what kind of, like, business environment you're in. Match those things together and then put together a plan.

And I think MSPs and, uh, MSPs, uh, or, or, or security professionals in general can really be very helpful in that. 'Cause it's like, this is something we do on a, uh, on a, on a day-to-day basis. And that is where we, uh, can come in as, as experts and really assist business decision makers in terms of, like, making those decisions, and that's how it should be.

'Cause, um, often enough, well, security is like, what do you [00:33:00] approve, security people? What do you approve for doing X, Y, or Z? The answer is always gonna be, it depends. It depends on how you wanna run your business. So it's like, uh, it's like finding that fine balance between what is needed on one side and what, uh, um, is, is, can be, can be, uh, compromised on, on the other side in order to drive the business is critically important.

Mehmet: Uh, it's, you know, uh, reminded me, and what you mentioned, uh, Gerald, we, we've, we've seen it, like even in areas outside the cybersecurity, in technology in general, where people, they think, okay, for example, digital transformation, you know, and I, I always had these discussions with, you know, CIOs and, you know, consultants and everything.

Like, yeah, we, we moved to the cloud. That's it. We, we, we did the thing. So I think in cybersecurity it's the same thing, and it's not like a one time thing. Now, because you mentioned about, I'll not go ask about specific frameworks, uh, as you said, because it depends, but you know, [00:34:00] similar to what's happening with the AI, so cybersecurity, cyber resilience.

I think it, it, it, it starts to be more and more discussed in the board, and the majority of the board members are non-technical. You know, they are business people, right. It's not a loaded question per se, but, you know, I, I thought like I can merge it into one question. So translating these frameworks, if someone like maybe, you know.

I would imagine a CISO, sorry, a C-level, uh, you know, board member sitting with another C-level board member in another company and say, Hey, like we, we've implemented this framework. Uh, and, and the guy is like saying, okay, so how can I translate this into business language? Right? So where, where the CISO can add value here in your opinion, or into the organization.

And this will also kind of relate to that. And we know this, people will say, Hey, I don't have budget for [00:35:00] this. Like, we have a bunch of things coming. So how should this discussion go, Gerald, in your opinion, for any CISO who might be listening to us now?

Gerald: It, the, the, the decision is like, just in general, should be driven by, um, business needs and risks.

It's like, and that's it. It's like there, there, there's security really enters the, uh, discussion only, only at a later time. To be honest with you, what I'm, uh, what I like to do is like really, um, uh, talk about, um, how certain types of decisions, whether you make them or don't make them, influence your risk profile for your company from various types of, like, angles.

And that's really important. It really needs to be an enterprise risk management approach. I can go in and, um, advocate for measures to make our company the safest company on the planet. It's like that's gonna cost a huge fortune. It's gonna slow down [00:36:00] innovation, it's going to, um, make sales incredibly hard.

But we're gonna be a really secure company. Is that ultimately what our customers, our investors, uh, and we are as, uh, as, as company want? Probably not. We want a good compromise that really allows you on the one side to achieve your business goals, which is in Acronis's case to, uh, um, be, uh, the most successful company when it comes to, uh, supplying IT environments to small and medium businesses and MSPs, as well as our corporate customers, to be, um, commercially successful and to make money for our investors.

That's what we want. And we want, we understand that we can only do this if we have a very secure environment because we're a security company. So, but it's like there are trade-offs to be made, right? It's like, uh, of course. And it's like, um, the, the most extreme case is always how do I secure a, uh, uh, a server?

It's like I shut it off, put it in a vault, lock it up and put, uh, uh, 50 guards around this and make sure it never [00:37:00] connects to the, to any kind of network. That's a relatively secure system. It's not perfectly secure even then, but it's utterly useless. So, uh, it's like, uh, um, the, the, the, the goal here really then becomes, is like really understanding and going through the grunt work of looking at the various types of assets you have, the various types of processes you have, and how their, how the availability or non-availability or compromise without ul, excuse me, would ultimately affect your, um, environment.

And then based on that, it's like devise the right kind of controls that allow you to, uh, um, effectively protect them to the, to the extent that you need them to protect them. And that is really the right approach. It's like it needs to be looked at from, from the perspective of risk to the business. And based on that, it's like the investment needed in order to do so.

And then obviously the counterbalance is like, if I invest so and so much money into security, what am I [00:38:00] not investing money in? What am I foregoing? And those kind of decisions cannot be made exclusively by security. Actually, I think they should never be made by a security team or a compliance team. But instead, it's like they, security and compliance, need to become the trusted advisors that help the business decision makers, the CEO, the board, um, to, to understand implications of

going down one path or another and then figuring out what the right, right approach is. If you are an early stage company and, um, market share and growth is most critical, you may want to compromise a little bit on security. It's like that is a fair and valid decision. 'Cause if you don't have a product, uh, or if you don't have a, uh, um, a, a, a market share, it's like, then it doesn't really matter

quite that much, it's like, if you're the securest company or not. At the same time, it's like if you do have a large customer base, you wanna make sure that you're not risking that business. So it's like, that kind of balance becomes important. [00:39:00]

Mehmet: Very logical, I would say. Uh, so from your perspective, like, and your experience in, in the domain, like anything you, you would advise maybe, you know, through MSPs or through the, the, the, the channel partner for, uh, any frameworks, maybe any specific, uh, you know, best practices, uh, that, uh, you know, their customers can start with.

Subu: Sure. Absolutely. So with regards to frameworks and, uh, compliance, I would always go back to this analogy, the seat belt analogy. Okay, so think of compliance as seat belts. So 20 years ago or 15 years ago, seat belts were more sort of advisory, but now it's mandatory. There is no escape. Similarly, I see a trend wherein you've got compliance,

which feels like advisory, getting more and more mandatory. For example, so there is GDPR in Europe, which is a mandatory compliance regulation, and HIPAA in the US is a mandatory regulation. And [00:40:00] then we've got something called CRA, the Cyber Resilience Act. That's also coming up. So the, it seems like the government regulations are becoming a bit more stringent.

Uh, and then I would broadly sort of classify them into two versions. So one which is mandated, and then the other ones, like Gerald mentioned, like frameworks, which is more just helping the company set up a security posture. So that would be ISO 27001, or in the case of AI it would be ISO 42001, or the NIST frameworks.

Uh, but if you look at it, if you peel these regulations, as Gerald mentioned, the underlying component gives you a sense of, um, security baseline. It might have different check boxes in different orders, but it gets you up to a good posture. So in that sense, it's really good to go through, you know, one of these, uh, regulations, but the way I've seen MSPs handle this is, you know, a business, especially an SMB business, wouldn't want to go through the hassle of an ISO certification [00:41:00] unless they really have to.

'Cause let's say you wanna do a government business, or you, you have a contract that, um, you really want to win, then those certifications become mandatory. Um, so what MSPs can do is, um, specialize in some of these frameworks or regulations, it could be geography based, and just rinse and repeat. So once, when you keep doing this again and again and go through the checklist and get your clients certified, that in itself is a monetization strategy, right?

So that is something that I would say. And the other thing that I would say with regards to risk is, uh, like Gerald mentioned, there are lots of risk response strategies. So one is risk avoidance, simply not setting up a data center in, in South Africa to avoid blackouts or, uh, the US to avoid tornadoes. And then there is risk, um, transfer.

So you wanna buy a cyber insurance wherein you don't care about the security measures, but you're happy to claim your losses from an insurance company. And then there is risk mitigation, which is where security companies like us, Acronis, come into play. And then there is risk acceptance. [00:42:00] You simply accept the risk.

'Cause like Gerald mentioned, if the, if the cost outweighs the benefit, uh, then there is no point of, uh, having a security measure. The entire data, let's say it's $10,000. And if you have, you have, if you're spending $20,000 on the security product, then that makes no sense. So MSPs need to methodically go through the risk response strategies and understand what would work for their end customers.

So yeah, that's, that's my way of looking into this. 

Mehmet: Yeah. You know, like maybe, I'm not sure if it's an accurate analogy. Also, it's like when you, you want to order something from abroad and you know the shipping cost is higher than, you know, the product itself, if you ought to get it, and then you do the compromise, like.

Or like, for example, you ask for a, uh, policy, insurance policy for your car. And your car, like, I don't know, it's maybe 30 years old and they give you a price. Maybe if you sell the car, you would get more money on that. So, uh, absolutely these, like, these, these examples are like really, um, it should resonate, I would [00:43:00] say.

Now, Gerald, you kept mentioning about Acronis and, you know, uh, what you're currently doing, and back to the full story, the big picture between threats and AI and cyber resilience, like what's the forefront that, you know, Acronis, uh, you know, gets to the market to differentiate? Because to be very frank with you, we, we, we, we hear, and you said, like there's a marketing bubble about, you know, the whole thing.

So what makes, you know, Acronis approach this whole thing in a different way?

Gerald: I think what's, what's really important is, is like we, we understand, we understand the threat landscape. We have the Acronis TRU security team, which is, uh, uh, really a research unit that, uh, analyzes very closely, it's like, what the threat landscapes,

specifically for smaller companies, specifically for MSPs, look like, [00:44:00] and, uh, um, fine tune essentially our strategy to meet those kind of things. It doesn't make a lot of sense for many of our customers to defend against some of the most arcane zero days in OT systems that are, have been surfaced. It's like, or not surfaced or what have you, because they don't have those systems, so why bother?

Right. So it's like, I think we, we've taken a very pragmatic and practical approach to bringing the best kind of cybersecurity that is relevant for our customers, for our partners, uh, at a, uh, at an extreme cost advantage. So it's like, uh, I think we're, we're very scalable. We are already, or have already had a lot of experience deploying AI, both in our development practices as well as in our products.

We are, um, we are, um, offering a very comprehensive roadmap that includes AI capabilities for scaling. And I think that's really ultimately what it [00:45:00] comes down to, is like productivity of, uh, the employees, both at the MSP, at the partner level, as well as the customer level, are critically important, and that is something where AI can be incredibly helpful.

It's like if you are managing as an MSP today, uh, maybe 250 or 300 endpoints per technician, you can scale this up with AI easily to 400 and more, 500 and more. And I think that goal is really what we're after, is like to enable our customers and our partners to be much more productive with the kind of AI technologies we are providing.

And it starts really contributing to, to the bottom line in, in meaningful ways. 

Mehmet: Right. So what you're seeing from your side, like what, what's, what's resonating, um, with your, uh, partners and in the market in general? 

Subu: Sure. And also from my experience, I've worked for, um, enterprise security for a while now. So if you look at resilience, it's built on several levels, right?

So let's take a simple [00:46:00] device. It starts with dual power supply. So that in itself is resilience. So if you plug out one power, it, you know, it still works on the other one. So that's a circuit level resilience. And then you've got device level resilience, which is like HA pairs, they call it high availability pairs.

You've got active standby setup. So if one fails, it automatically fails over to the other one. And then on the network level, um, traditionally we've used MPLS, we've used, um, IP multicast, and there is SD-WAN, software defined, um, WAN, which automatically reroutes traffic to the working site. And then if we go one layer up,

that's DNS. So if you have your, um, uh, you know, mems.com, if your, uh, server in Dubai is down, you could literally host another server in the US and the DNS will take care of it. So, resilience could be built up in so many different levels, but what comes down to the MSPs and the end customers is the choice and the cost of it, and all of these sort of duplication techniques,

or the redundancy techniques, are often really expensive, [00:47:00] you know, at least for the SMBs. And then you've got the standby unit, which is basically just staying there and doing nothing and waiting for a failover or for an incident to happen. What's fundamentally different with Acronis is that we don't have resilience on a, uh, component or a product level, but on a solution level.

So what I mean by that is that we literally protect servers and applications and the business in itself, which then fails over into Acronis Cloud. So it's more sort of the tech, the technology is zoomed out to the business resilience as opposed to a product resilience, and that IE. See, and you know, I've, I've, um, had like firsthand, uh, field feedback from the MSPs saying that this is really refreshing.

Uh, and it also offers an alternative for traditional resilience methods. Uh, and that's where I think we are getting really popular in the whole, the backup and the DR market, uh, uh, DR meaning disaster recovery.

Mehmet: Cool, uh, uh, uh, really, you know, the conversation can go for, you [00:48:00] know, hours and hours. Uh, it's, it's always nice to, uh, to, to also hear from, from the experts.

And, um, but before I leave you today, Gerald, and, and to like each one of you, like maybe a final, you know, advice, thought that you would give. Gerald, from your side, to, to, to fellow CISOs. And so I'll ask you later to, to, to, to your MSPs. So Gerald, I would start with you.

Gerald: Yeah, I would, I would, um, say the one thing that's probably most important to me is engage with the business very aggressively and engage at a non-technical level.

'Cause that is what the business is about. The business is not about bits and bytes. The business is not about, uh, specific vulnerabilities, exploits, or, or particular defensive controls. The business is about, like, making things move forward. Understand what drives the business, understand what is supporting the business that you're in on the one side, and then, um, develop plans [00:49:00] that are cost effective in supporting those kind of, like, overall business goals.

Like, I think that is really ultimately the, the, the holy grail. And once you start really talking about, um, your, with, with your peers and with your partners inside and outside the company, um, about these types of topics in a language they can understand, instead of, like, uh, referencing CVEs and, uh, and other, um, security vernacular that is completely arcane to anyone outside of our field.

Once you start doing this, it's like you, you'll see that, um, they respect you much more as a, uh, uh, as an equal partner and as a trusted, uh, advisor in this kind of field. You really have to do that translation. Going through risk as a common language is much easier than anything else, because that is something that people generally understand.

And, um, it definitely has helped me, uh, and it's like I'm sure it would help everybody else as well. 

Mehmet: [00:50:00] Great. Fantastic. Uh, Subu, what, what's your final advice maybe to, to you, to your audience? I would say, uh, the MSPs.

Subu: What I've been telling, what I've been telling my MSPs is, don't forget the basics. The absolute basics of cybersecurity is the CIA triad.

So it's a triangle where you've got C for confidentiality, I for integrity, and A for availability. And you need all three of these to make a strong, robust security posture. There are tons of tools, and MSPs often, they want the best of firewalls, the best of security solutions, the best of identity and access management, which all sort of falls into confidentiality and integrity.

But availability is like the forgotten cousin. You need your services to be able to be available in the first place. That's where resilience comes into place. And then if you look at the opposite of CIA, so confidentiality would be disclosure, integrity would be alteration, and, um, availability would be disruption.

So I say, look, be a CIA, don't be a [00:51:00] DAD.

Mehmet: Nice. It's, it's, it's a nice, uh, um, way how you have put it, Subu. Uh, Gerald, uh, you know, Subu, thank you very, very much. You know, like I'm, I'm sure like people, they can learn more about the latest and the greatest from Acronis going by to your website. I'm, I'm sure, like they can reach out to someone and someone will, will get in touch with them.

Uh, this was very important with Gerald and to Gerald, you know. If I want to wrap it up, what my takes from you today, especially with what you ended up with, and actually it's how we started the discussion about how, you know, cybersecurity and cyber resilience, which now we understand, you know, difference.

Uh, it's, it's, it's, it's like, uh, it's here and we need to take care, uh, of it. And as executives, we need, as you said, to talk the business language. We need to let them understand why it's important. And also, one of the important things I think from this [00:52:00] discussion today is about how it depends from industry to industry and how you assess your own risks.

And then you take the decision to invest in what matters, like if I want to take this. So, but what I took from you is like about, you know, this opportunity now for MSPs, other service providers and resellers to change the game with the AI and all the things that are coming with the AI, how they can add the value there, how they can take this consultative approach also as well.

And of course, you know, utilize Acronis technology to, to offer, you know, this full platform, as you mentioned, it's not like a point solution, it's end-to-end, uh, cyber resilience. So thank you for sharing your thoughts with us today. Uh, I really enjoyed it, and this is how I end my episode. This is for the audience.

Uh, if you just discovered this podcast by luck, thank you for passing by. I hope you enjoyed it. If you did so, do me a favor, subscribe and share it with your friends and colleagues. And if you are one of the people who keeps coming again and again, thank you for the [00:53:00] loyalty. Thank you for the support.

Thank you for keeping the podcast this year, the whole 2025, in the top 200, uh, Apple Podcasts charts across multiple countries. So we keep jumping from one country to another each week. Um, and this cannot happen without you. So thank you very much for the support, and as I say always, stay tuned for a new episode very soon.

Thank you. Bye-bye. Thank you, ma. 

Gerald: Thank you.