Arve Kjoelen, CynomIQ (former CISO, McAfee)
Host Andy Ash (CISO at Netacea) is joined by Arve Kjoelen, who recently left a six-year stint as CISO of McAfee to join startup CynomIQ as Chief Solutions Officer.
In this episode they discuss differences in how CISOs are compensated across both sides of the Atlantic, how the role is shifting to account for increased governance and regulations, and the ‘left of boom’ approach to preventative security.
Andy and Arve also compare notes on how they first become fascinated with security and their own paths to the position of CISO.
Host
Andrew Ash
Guest
Arve Kjoelen
Episode Transcript
[00:00:00] Andrew Ash: Hello, and thanks for tuning in to the Cybersecurity Sessions podcast season three from Netacea. I'm your host, Andy Ash, CISO at Netacea. In today's episode, we're delighted to welcome Arve Kjoelen, who is CSO at CynomIQ. Arve, do you want to introduce yourself quickly?
[00:00:21] Arve Kjoelen: Yeah, certainly. thank you for having me.
[00:00:23] And it's, great to be here today. So I'm, CSO at CynomIQ. That stands for Chief Solutions Officer, not, not Chief Security Officer. I recently joined CynomIQ after having spent nearly six years as CISO at McAfee. And, prior to that, I spent my career, half of it in industry and half of it as a, as a consultant, but always in the cyber world.
[00:00:48] Andrew Ash: Thanks for joining us. We've got a few topics that we want to go through today. First one is Arve's journey through cyber, obviously, an incredible career, CISO at McAfee and now in a startup. We'll talk a little bit around the role of the CISO and geographic differences from US to UK or EU.
[00:01:11] And then a really interesting concept that was introduced to me by Arve recently, which is "left of boom", protective strategies and all of the interesting parts around that. But before we actually start, we always ask this icebreaker question. On a scale of one to 10, what is the logical end game for AI in human society?
[00:01:31] One being that we succumb to our robot overlords and then through the age of servitude, and 10 being humanity is freed from the shackles of earth and goes off to explore the universe in peace. Now, Arve, we generally only ever get very middling answers on this. So where do you stand on the, in the growth of AI?
[00:01:50] Arve Kjoelen: I'm probably around a three.
[00:01:53] Andrew Ash: Oh, Okay.
[00:01:56] Arve Kjoelen: Yeah. I, think there are a lot of risks that we need to take seriously. I think theoretically AI might not be a problem, right? If we, AI doesn't become a problem until we connect it to something else. But the minute we connect it to some output or actuator, we connect it to weapon systems and we connect them to, the internet, right?
[00:02:21] Which allows it to reach out and reach other systems. So if you put your security hat on, that may be risky as well. So if you believe that the risk is related to somehow AI system beginning to protect itself, right? And if you're doing things that it shouldn't, then I think it's all about the connections that it has to the outside world and the actors.
[00:02:43] So that's probably what concerns me.
[00:02:46] Andrew Ash: The three, so on the, lower side, I'm a little bit more positive. I swing between a five and a seven. So I'm quite in the middle as well. I. Sorry, Arve.
[00:02:58] Arve Kjoelen: No, I think, but if you focus just on cyber, I think we've been a little too negative on AI.
[00:03:08] So I think, especially if you're in the roles that I've always been in, if you're a CISO, I think a lot of times we said, "Oh, this is going to be so hard. AI is, helping the attackers, what are we going to do?" So I think we probably need to improve our mindset there because in that area, just strictly attacker defender, I think AI has the potential to help the defender much more than it does the attacker.
[00:03:32] Andrew Ash: I completely agree there. I've just come back from the Gartner security risk conference, the, UK EU version of that. And literally every talk was, had some form of AI in it. People have now stopped doing the first slide using ChatGPT. That was last year's trick and got a few laughs at the beginning of a talk.
[00:03:56] But I said this last year, it is, it's still true. AI is the most emotive issue that I've come across in 25 years of working in technology. It invokes fear, panic, innovation, hope, in equal measure. And I, for, me, there's... so Netacea formed as an ML, AI company. So we couldn't do what we do without Spark and machine learning.
[00:04:28] The data that we take is not human readable. It's too big. We couldn't do what we do without having those systems in place. So I know that defensive AI, ML in our case, I know that has a benefit. You couldn't do the job that we do without. How far do you think we've got to go to make defensive AI stand up to, there are AI attacks out there now.
[00:04:53] So phishing, a big one, isn't it at the moment?
[00:04:56] Arve Kjoelen: Oh, this is a great question. So I have, I actually, I spoke at the U. S. version of the Gartner Securing Risk Management Summit this year, and I gave my positive view of the potential for use of AI for defensive purposes. I actually think some of the problems that we have are regulatory.
[00:05:18] Or, they're related to the fact that many providers of models are really focusing on "how do I limit abuse of that model?" And when we do that, I think we've rolled out defensive capabilities much more, right? So there are many examples, for instance, in commonly available commercial AI products where you will ask, you'll ask questions of the GenAI model.
[00:05:49] And you'll get back, "oh, no, I'm not telling you that," right? One common one for office productivity, for instance, if you install that and you say, "hey, tell me across all my SharePoint installations, where do I get data such as, salary information?" It will tell you, "no, I can't answer that question.
[00:06:12] That's not an appropriate question." And I understand not making that capability available to anyone or to everyone, but when it's not available to anyone, it's not very helpful to me, right? And so I think that goes for a large swath to that because AI in theory should be able to model, for instance, an attacker's entire attack chain, right?
[00:06:33] There is no reason in the technology that we have today that we should not be able to say, "target company X, Y, Z, start with, doing the standard methodology, start with a footprinting, once, do scanning, once you find potential vulnerabilities, locate exploits," all of those things should be possible, even if you had to have a little bit of manual intervention along the way, and it's not fully automated.
[00:07:00] But those capabilities are just not available in any commercial product or any product that I'm aware of. And it, it reminds me of very early on when the first vulnerability scanners came out. This is probably in the late nineties and, this vulnerability scanner called SATAN came out. And that of course was, stood for "System Administrator's Tool for Analysis of Network.
[00:07:23] This was, Dan Farmer, Wietse Venema, great Dutch researcher. And they made this tool publicly available and the doomsday predictions were significant, right? There was such a concern that you could now sit in one spot and tell what the vulnerabilities were on multiple systems on the other side of some network.
[00:07:45] And I think we're there with some, some of the alignment efforts with AI. And I think we have to be really careful that we don't limit ourselves. Because the attackers are not going to put these restrictions on themselves.
[00:07:57] Andrew Ash: No, I agree. I'll go back to, for me, it's the, size of data that needs to be processed.
[00:08:06] I know that isn't necessarily LLM. I know that isn't necessarily GenAI, but just the scale. So we take in about a trillion records a year. So as we're sitting here, there'll be billions of records, certainly millions of records to be processed. You can't catalog that quickly enough to act on it in near real time without the tools that we actually use.
[00:08:31] And obviously when you have those tools, you can then make the actions off the back of that, to mitigate any threat that is acting on your estate. If you then limit that action, then it becomes much less effective. And there's something that we talk to our customers about a lot is, how much will you let us do?
[00:08:52] And there is a journey of trust from the initial deployment right through to basically the services just running in the background and doing exactly what it's supposed to be doing. But that is a journey of trust. And I think the communication along that, along that journey is really important,
[00:09:11] not so we don't end up limiting the capability that we have. So Avi, I don't wanna say you've had a long career 'cause , that sounds terrible. But you've just been referencing researchers from the nineties, which slightly predates me. Do you just want to give us a rundown of why you got into security in the first place, and what kind of drove you to become that CISO in a global organization?
[00:09:39] Arve Kjoelen: Yeah, I'll, maybe I can start in the nineties. And so I went to school for electrical computer engineering back when you had a Windows, Windows 3 NT, 311, or when, let me see, Windows NT 3, and then Windows NT 4.0, then Solaris Systems. And my first job out of college was really just as a system administrator at the university where I went to school, but I recall administrating, administering all of these lab systems, some of the computers were NeXT computers.
[00:10:15] And we would have fun with each other. And so we would sit, let's say there were, there was a student there late at night, alone in a computer lab studying, and it was midnight. We would go and play little sound files of Pee-wee Herman screaming and play them remotely on their computers.
[00:10:34] And it would really scare them because it was, it's dark and they were alone. I started to reflect a little bit. I'm like, how is it...? That can't be right that I should be able to sit really anywhere in the world and execute like a scream on somebody else's computer. So that really started my interest a little bit.
[00:10:53] And, as sysadmin there, I was able to do a little bigger research on the types of vulnerabilities that were available or that existed at the time. And then, I looked at job postings and actually realized I saw a job posting for a job at E&Y that was actually around security, around information security, and I didn't think that those existed, right?
[00:11:21] I didn't think anyone got to have a job where all you do is security work all day. I did, and so I applied for that and got that job and spent the next several years just doing what we call pen testing today. I suppose we called it that back then as well. And so the vulnerability landscape was completely different back then, right?
[00:11:42] But that was, that was really fun portion of my career. And, I think then with time you move and you realize if you want to have an impact, you want to be in a management type of position, right? So even though I still enjoy the technology, I felt like I needed to be in a position where I can help make changes because as a technologist is you can make changes to the technology, but it's harder to influence process and people and governance and organization, all those things. That eventually led me to, to a couple of CISO positions at CyberGRX in Denver, and then, and then McAfee after that.
[00:12:23] Andrew Ash: In terms of wealth of experience that you've brought from places like McAfee, and from the 1990s, I think my opening gambit in security work was either summer job working with a local council on their service desk, or it was a help desk, actually, it was called the help desk.
[00:12:44] Cause I was always messing with computers and the, one of the IT bosses... I came in the morning and nobody could log in. And one of the, one of the senior managers had, that evening or the evening prior, decided to arbitrarily delete all of the groups in Active Directory.
[00:13:07] And he had no reason to have any access to that whatsoever. So I spent a very confused morning trying to piece together the directory. And I managed to do it and I was pretty pleased with myself, but I had the same kind of inkling, which is "why on earth was that possible? How can it be that somebody who doesn't know what they're doing and with the best of intention could just wipe the network out?"
[00:13:30] So that was my kind of opening opening gambit into cyber. But yeah, from all of those amazing experiences that you've had, what is it that you are bringing to your current role at CynomIQ?
[00:13:45] Arve Kjoelen: I think it's that recent experience as the CISO, right? Like that practical experience.
[00:13:50] So CynomIQ is a very young company. We are building solutions for preventive security, right? So for, vulnerability, posture management, those types of things. And it's important to connect the solution that you think that you can build to the reality that CISOs are experiencing, right? I think the reality that CISOs are experiencing is that their posture management data, their vulnerability management data, exposure management data, from phishing, data from controls, it's all siloed, right?
[00:14:28] It's the way that all your detective logs were siloed before, were before the age of the SIEM. And when the data is siloed, you have separate analytics, if you have analytics at all. You don't have workflows that go across that can work with all the data that you have. In order to build a solution that, that improves that, and that really gets all the workflow analytics and data integrated, you really need to understand what the problems are that they were fixing as well.
[00:15:02] So bringing some, recent experience with the types of improvements that we wanted to have at McAfee, right? And enjoying it so far. It's still, it's still a very young company, as I said. But, excited about stepping away from the role as a CISO where you're always defending, and trying to improve your, you're trying to prove what you have with what's available in the market.
[00:15:30] So actually being one of the providers in the market and trying to provide better products and better defenses to a CISO.
[00:15:36] Andrew Ash: Is it fair to say you're building a product that you needed in previous roles?
[00:15:42] Arve Kjoelen: Yes. Yes, absolutely.
[00:15:44] Andrew Ash: I think we're doing some of that here in Netacea as well. Yeah, I've got a long history in web hosting, and understanding website performance and web traffic.
[00:15:55] Now that's my background. Yeah. I think it gives you a unique perspective if you have been on the receiving end of not being able to fix problem in your specific area. So yeah, it's interesting that the kind of experience and the, knowledge that you gained through, through, like I say, defensive career, basically trying to stop the bad guys and actually putting that into practice in a, product is actually cathartic.
[00:16:28] It's, it's... I really enjoy it personally, that's for sure. So moving on to the next topic, we wanted to talk a little bit about the evolving role of the CISO. I think in discussing this earlier, there's a, there's a, a theme that you pulled out of this, which is the difference of expectations or the difference in the, role of CISOs in the United States versus the European Union, UK.
[00:16:57] Do you just want to set the scene with that? Arve, where your mind is with this?
[00:17:01] Arve Kjoelen: Yeah, I, so, I'm originally from Norway. I was born and raised there, been an American citizen for many years. But when I talk to connections on the European side of it, of the Atlantic, their view is sometimes different than the CISOs in the US.
[00:17:20] And so one of the areas where things seem to be different is around, is around incentives and compensation. And in Europe, it appears to be frowned upon for you to be a CISO and to have a large portion of your compensation be bonus based on the financial performance of the company. And I think the theory, is that, as a CISO, what you do is not always aligned to, "let me figure out how to maximize revenue," right?
[00:17:50] Or "let me figure out how to maximize profit." Often it is, whether it's, straightforward, the fact that you were a cost center, or it is the fact that we need these processes in place. We need this type of scanning in place. That's really, say, slowing the development of a product or making business process more cumbersome.
[00:18:08] So because the CISO role can sometimes conflict with profitability, I think it's viewed, at least the people I talked to in Europe, there shouldn't be a large portion of your compensation that's tied to the performance of the company. Because now you have this conflict and, you're incentivized to perhaps choose solutions that, that come at the expense of security.
[00:18:35] And that's something I see quite often there, but I rarely see that debate or that conversation in the UK.
[00:18:43] Andrew Ash: In terms of your, own opinion, what, should, CISO remuneration be based on obviously the basic salary? What, should be the drivers? What should be the, levers for that?
[00:18:56] Arve Kjoelen: I actually think in some cases that the European view goes too far, but, it's an absolute and it's nice because it's the safe view, right?
[00:19:08] So it has that going for it. I think the US you can work and convert can work better for a couple of reasons. One would be, it... because in many cases, security can be an enabler. A, we're getting single sign on in, we are enabling this process that you have to do anyways. Now you can do it faster and more securely.
[00:19:30] So I think that's, one argument for building in some sort of incentive compensation that's based on how well the company does. And, and I also think, but I think almost a prerequisite for it is you have to have the right governance structure. In the U. S., the more regulated industries are financial services, healthcare, and so on.
[00:19:51] And so there, I think you could have a situation where you can incentivize the CISO quite a bit and still not get that conflict of interest because you have the appropriate governance. I do think there are some industries where there is the potential for conflict in the U. S. I'm torn. I don't know that I can say one is better than the other.
[00:20:13] I think, the U. S. model can work with the right safeguards.
[00:20:17] Andrew Ash: And, it's absolutely true. A good example of strategic differentiators was the pre pandemic, if you had a company that was well suited to be able to move out of an office very quickly, and it was something that we, the whole world had to do, there were lots of opportunities for a company like Netacea at the turn of the pandemic.
[00:20:42] we weren't ambulance chasing or anything like that. But, a lot of the big supermarkets needed the type of products that we sell. If we'd have had three weeks offline while we rebuilt our network and enabled our developers to implement, we wouldn't have won that business.
[00:20:59] And, thankfully we did. So yeah, the, it's just one example, but there are many. Single sign on was a really good example, especially if you're building SaaS product. Having that as part of the, it's, basically table stakes now, isn't it?
[00:21:17] But yeah, it can differentiate. Just a kind of general question on the role of the CISO. What qualities should a CISO look for when building a team?
[00:21:30] Arve Kjoelen: I think complementary qualities. So I think there's a, there's a saying, I think I've heard Stuart McClure say this multiple times.
[00:21:39] He's the founder of Cylance, founder, done a lot of successful stuff in cyber and he said only about 10 percent of CISOs are technical, right? And so the remainders are, they're program types of CISOs, they know how to build a program. They communicate well with executives and so on, but they may not have that technical knowledge.
[00:22:02] And I think you have to recognize the type of person that you are and types of skills that you have, and then surround yourself with people that, that complement those areas where you are not strong. Our CEO, Pat Gorman, has built a model for personality types. And it's similar to, there's a Briggs Meyer test, right?
[00:22:23] And so these are personality tests for personality types for CISOs or for security executives. And they focus on, are you proactive versus reactive, strategic versus tactical and a few other parameters. I think you just have to have a structured way of thinking through that, like who am I and what am I, and just make sure that you have complimentary capabilities.
[00:22:48] I think you need to consider the... The types of functions that you need as well, right? And you still need, a good picture of, this is what I, my governance group needs to look like. And this is what my architecture and engineering group needs to look like. This is my operations group that needs to look like, and so on.
[00:23:11] So a little bit of both.
[00:23:13] Andrew Ash: Yeah. For me, analytic mind is, really at the top, obviously. You've built very large teams, my assumption is you've built very large teams at McAfee because it's a global leader kind of thing. For a company like Netacea and companies I've worked in previously, analytic mindset, the, what if, why, all of the, how, all of those questions at the forefront of the person's, the team's mind at any given time, whether that is preparation.
[00:23:52] Whether it is planning and putting strategies in place or whether it's incident management. It's really important that thorough analytic piece comes through. And hopefully, most of the teams I've built have had that. It's certainly, certainly true today. But yeah, without that, I think there is too much unknown and there is too much... even, you can train for incident management, for example, you can train teams to respond in a certain way.
[00:24:22] When an incident, a security incident comes in, however, it's only when the rubber hits the road that people need the presence of mind and the calmness to be able to work through the problem, and do everything, incident scribes, my favorite type of people, actually, people who actually write everything down that happens, without being that... everything's perfectly ticketed.
[00:24:46] Everything is, where all changes are documented, while the fire's going on. I think that's a really important feature of security professionals. It comes from the NOC. It comes from, putting out fires on networks. It comes from putting out fires in other places.
[00:25:06] Arve Kjoelen: Yeah. And, I think, so we're on the topic of kind of changes in the CISO role over time. And I think what you're mentioning is a really interesting feature of it. So a few years ago, I think in many industries the job of the CISO is just improve, improve, improve. "We are not in great shape today, how do we get in better shape as quickly as possible?"
[00:25:29] And I think many CISOs are of that, "I'm an improver" mentality. "I'm a fixer" mentality. So that's what I want to go and do. But I think now with, if you think about the U.S. And the regulations that are there, it's becoming more and more important to document "why are you doing that?" And so CISOs I think are less and less able to rely on instinct or even formal experience.
[00:25:53] They're having to document, "this is what I'm doing and this is why I'm doing it. Here's the risk management process that I used, here are the outcomes." And even document, "here are all of the potential issues that have been brought to my attention in my environment. And here's what I'm doing about each of them," right?
[00:26:14] And so that, that stuff takes time. And I think it's still an open debate in some industries, to what extent does that take away from what you're actually trying to do as a CISO?
[00:26:24] Andrew Ash: Yeah, it's true. I think the first time that you go for any kind of compliance, you immediately find whether you've been doing that correctly or whether you have a gap which is going to keep you working all night, creating process docs that you just, you didn't have, or like you say, have you got how you categorize risk written up properly?
[00:26:45] Cause we all categorize risk every day. Every time we step onto the street, we categorize risk in our minds. Human beings are really good at categorizing risk, generally. But, in terms of, having that written, yeah, I think I've been in a few businesses now where that first pass of either PCI or SOC 2 or ISO 27001, suddenly, you're confronted with a whole raft of documentation that you need to produce.
[00:27:12] Having people who would, who do that naturally, who want to do that is really important. Like I say, along with the, "why are we doing this? How, what's the best way of actually collating this information?"
[00:27:26] Arve Kjoelen: And I think it even extends to, let's say you have an incident process or it's not an incident process.
[00:27:32] Let's say you have vulnerability management. I think in the past, perhaps you were able to say, "Oh, I found a really high risk vulnerability," or "I found an exposure on an external asset. I fixed it, looked around a little bit, things look fine." I think you have to be more stringent about what you do now.
[00:27:53] So if you find it, you really need to be able to say, this is the date range when that exposure was present. This is the data that I had available to search. I did a thorough search of that data, so that, you're able to really show that you've taken all the steps that you could to make sure that your environment is still like that.
[00:28:12] Andrew Ash: Yeah. Exactly. Okay. let's move on. So the really interesting concept from CynomIQ, the one that just immediately stood out to me was left of boom, which I had to look that up cause it's not, I'd never heard of it. A boom to me is something on a sailing ship, that swing about.
[00:28:35] And if you get it wrong, it hits you in the head. So I was thinking, is it a sailing metaphor? But no, I did a bit of reading. So do you want to explain the left of boom concept that CynomIQ took?
[00:28:48] Arve Kjoelen: Yeah, it's not, a concept that we came up with, but it's a, it's a concept that I start to hear more and more, and it's really an attempt to differentiate, let's say you, you have an attacker and the attacker performs certain steps, and then at the time that they compromise and maybe exfiltrate data from you, that is the boom.
[00:29:08] That is the explosion. That is the bad thing that happens. And then everything that happens after that is about responding and about remediating. But what happens before that is about preparing for it and about preventing it from happening. And that's where really, if you look at the type of maturity and the type of solutions that are available, that's where I think there's a lot of room for improvement today.
[00:29:36] It's more complex, I think, in some ways than, than looking at detect and respond. Detect and respond is about aggregating... aggregating the data that you see and then building response actions to, to what there's correlation, there's analytics, there are a lot of things that happen there, so I don't want to minimize that. But on the front end, I think it's time that we focus on that a little bit more, on what happens before that boom.
[00:30:04] And that's where you have to think about, not just the vulnerability management, but the exposure management. What about, if I can look at all of my, all the people that are either targeted during phishing, or maybe that's, like phishing tests, what assets do they have access to?
[00:30:24] What should that tell me? Do I want to do something about that? How do I correlate the data from my exposure management system with my vulnerability management system to make sure that I have a process for building, if there's a new external asset that I, that is not properly protected, I would say with a vulnerability management agent that I can do that quickly, do that effectively.
[00:30:48] So many of these processes now either do not exist at companies or they're very manual. I think there's a lot of improvements potential there, and so it's something that we're focusing on making as easy as possible for companies.
[00:31:02] Andrew Ash: Yeah. The, phishing examples are really, a really good one.
[00:31:06] The standard playbook for someone who fails a phishing test is generally send them some more training, some more computer based training. And you're absolutely right. The playbook should be that, that's fine. That should happen, but also what do they have access to? Are they privileged users?
[00:31:25] I, we've seen this in different businesses, where... what is at risk if that hadn't been a simulation? How do we protect those assets? Should they have access to those assets? And when you start to do this and you start to put two datasets together, you tease out a lot more actionable insight.
[00:31:49] You tease out a lot more things that you could actually just go and change. So it might, in that case, it might lead to review of their permissions in which you might find out, actually they're a little bit over provisioned. It shouldn't happen, but it can. And that's a really, there's a better way of checking every sort of three months, which, the compliance standard would have you do, we've got to do access management checks every three months.
[00:32:13] It might be that doing it at the point that somebody has shown they are at risk is, is, it is a better way of doing it. I suspect compliance would still need you to do a check every three months, but, but yeah, it feels like those calls to action from on the back of the, on the back of the joining of that data is really valuable.
[00:32:35] In terms of kind of threat landscape, the area we work in is bot management and the way that we look at the kind of left of boom is through a threat lens. We don't have direct access into customers' estates. We don't set their security posture. We provide that one tool.
[00:32:58] So essentially what we do is we mine data off the attackers, across lots and lots of different deep and dark web forums, Discord, et cetera. So we have a good picture of what exactly is happening, and when customers are likely to be attacked. And we feed that into the systems we use to detect them.
[00:33:21] In terms of threat, I presume the left of boom is quite new to me, obviously. So does threat research, threat intelligence fit directly in here?
[00:33:31] Arve Kjoelen: Yeah, I think it does because the threat research ultimately is not useful if you are not applying, or if you can't, if you can't use it to change a control, then it's not that useful.
[00:33:42] So I, so threats or threat knowledge informs your controls and, it can help you prioritize vulnerabilities, right? Based on what type of threats are out there and it really can help you prioritize anything within the control space.
[00:33:58] Andrew Ash: In our case, we, look at what tools are in use. So there's a lot of automation of bot attacks. We look at what tools are in use. In some cases, we actually reverse engineer. So we can, when we see that pattern in the traffic, we can stop it. We look at overall noise coming out of these groups as well and we know that certain customers are going to be attacked by certain groups.
[00:34:25] So we can, I'm going to say it, we're trying to use AI to predict. But we haven't got there yet, but it's quite, it's good. It's a good use of, that kind of, that kind of AI where you just give it a load of completely unstructured data and say, "make out what they're actually, their intention is."
[00:34:44] This is a really good use for this.
[00:34:47] Arve Kjoelen: Yeah, I think, I, would expect, the next few years to be good for companies like yours. I just think that the size of the underground economy and just the fraud space is just so enormous that it's hard to fathom. And, the number of people that are engaged with it. Anything from large call centers to, it's really, difficult to tell them how large it is.
[00:35:12] Andrew Ash: We try and put numbers around it. We know that... one of the things we think... but it is such a large industry and it's so well documented in terms of the... these are businesses that are running these systems.
[00:35:28] The attack tools have been sold as services. We know that from a ticket drop, and I don't know ifyou know, the last podcast we did was on the band Oasis and their reunion and the absolute scandal, the national scandal that we had in the UK about the inability for what felt like everybody to be able to buy a ticket.
[00:35:47] And obviously it's something that we're really interested in because it was scalper bots that were buying them up. But we know that people make it half a million pounds in a day when those events drop. We know that because they love telling you. The perfect crime has to be described, right?
[00:36:04] So yeah, they love saying just how much money that made and make it very easy to work that out. So yeah, the economy, the... that dark economy is a very real thing. Okay. So thank you to Arve from CynomIQ for joining me today. If you have any questions for Arve and myself, please either leave a comment if you're listening via Spotify, or you can mention us on our X account @CyberSecPod or email podcast@netacea.com. Please do make sure you subscribe wherever you get your podcasts. Finally, thank you once again to Arve for joining me today and thank you for listening. We'll see you next time for more Cybersecurity Sessions.