Jose Seara Podcast Transcript
Jose Seara joins host Brian Thomas on The Digital Executive Podcast.
Welcome to Coruzant Technologies, Home of The Digital Executive podcast.
Brian Thomas: Welcome to The Digital Executive. Today’s guest is Jose M. Sierra. Jose M. Sierra is the Founder and CEO of DeNexus, a leader in cyber risk quantification and management for operational technology and industrial control systems. Jose was previously the president and CEO of NatureEner USA and NatureEner Canada from November 2006 to January 2018.
During his time at NatureEner, Sierra led the company through a leadership transition, working to ensure a smooth transition for the new team.
Well, good afternoon, Jose. Welcome to the show.
Jose Seara: Thank you, Brian. Thank you for having me.
Brian Thomas: Absolutely. Best part of my day, jumping on a podcast with a great guest like yourself, Jose.
Hailing out of the great state of Massachusetts there in Boston. I’m in Kansas City. So, we just got 1 hour time difference today, but love you making the time Jose. We’re going to jump right into your 1st question. You’ve had a remarkable journey from leading renewable energy companies, like nature, enter to founding to nexus.
Which focuses on cyber security for operational technology, what motivated this significant shift in your career and how have you, your experiences in the renewable energy sector influenced your approach to cyber security.
Jose Seara: Actually, Brian, a few things are probably not at the top of the list, but back in the days, I was living in California when I built that company and most of my network was building tech projects, and I was the guy building an energy company and I became intrigued about technology over time. And also, more specifically in that company that I spent, 10, 11 years building, we had a significant exposure to these cyber risk. And I learned over time that the market was underserved and when I sold that company.
I decided to turn that problem into a business opportunity. And that is the Nexus. In the Nexus, somehow, I’m building the tool that I wished was already available to me back in the days. The caveat to all of that is that I didn’t anticipate how hard that was going to be. So, I’m learning that building technology is, is quite a project, but I’m super happy doing it.
Brian Thomas: Thank you. I appreciate the story, the backstory on that. We all wish we had the tool that we needed back in the day. Right. And, and which, which really cool though, is. You did find a solution to a problem you were trying to address. And that’s where you’re at today. So, thank you. And Jose, could you explain the difference between mitigating cyber risk versus cyber threats?
Jose Seara: Yeah, let’s begin with cyber threats. Actually, you do not control. The threats for the most part, so there is not efficient way to mitigate threats because again, you do not control them, but you need to understand the threats that you are exposed to, and you need to try to protect yourself against those threats.
And that is hardening or enhancing your cyber security how those threads and your cyber security measure that you had deployed translating to cyber risk that takes us to cyber risk. And that is what we try to solve at the Nexus combining threads that for the most part come from the outside world.
With vulnerabilities that usually live in your network and with the cyber security controls that you implement, deploy, enable to mitigate a risk and combining all of that into cyber risk quantifiable units dollars. And how you manage the risk is by mitigating and transferring the risk. The trick is how much you should invest, how much effort money you should invest in mitigating versus transferring the risk and how much you, how much risk you retain at the end of the process, because there is no perfect hedge.
And no matter what you do, you always keep some risk and you need to understand the risk that you’re keeping and eventually you need to accept that level of risk.
Brian Thomas: Thank you for breaking those apart. I do appreciate that. Obviously, the threats is something we just can’t control. But there’s a level of mitigation around the risks that we can, and again, appreciate your insights.
So, Jose, tell us a little bit about the increase in cyber risk for companies in the critical infrastructure sector. Why are they particularly susceptible to attacks and what framework needs to be in place to ensure they maintain control over these risks?
Jose Seara: There are a number of critical infrastructure sectors. We are focused mostly, or actually exclusively in physical critical infrastructures. And those physical infrastructures think on transmission electricity transmission systems. They are big F footprints, big infrastructures. In some cases, they are legacy infrastructures with technologies that were developed when the threat landscape was totally different and using what is known as operational technology, technology at the end of the day that was built thinking on operating resiliency and not thinking on cyber threats and those infrastructures are now more and more connected.
With the rest of the world, which increases the footprint, which increases the risk, they result on a big disruption if they are compromised, which means that they are an attractive target for the attackers, especially for state sponsor attackers that have big budgets and big capabilities. The framework to control that, in my opinion, is not only mitigating risk, but building resiliency.
You cannot avoid or eliminate all the risk and for these. Critical physical or not, but critical infrastructures. It’s important that they keep up and running. So, you need to be resiliency and you need to understand the risk, as we said before, be efficient, mitigating and eventually transfer the risk, but also make sure that you can react to attacks when you are compromised.
And that you can react both physically and financially. We need these infrastructures and the companies behind that. In some cases, are the backbone of things that we do every day. This podcast is being wired through the Internet, so we need those infrastructure being there to support most of the activity that we do nowadays.
Brian Thomas: Thank you and you’re right. We’ve I think everybody’s talked about obviously the critical infrastructure sector, which includes the power grid and that stuff was designed many decades ago. In fact, some of that stuff hasn’t really been upgraded. So, it’s, it’s important to tease that those 2 things apart and what is designed for in the past.
Definitely just will not survive. Cyber-attack in the future. So, there’s a lot of planning and resiliency that would need to be built into that. So, thank you for sharing and Jose. The last question of the day, the newly effective rules on cyber risk disclosure require public companies to regularly report how they manage and quantify cyber risk.
How do these new regulations further the need for cyber risk, quantification, management, or see CRQM tools for both compliance and accurate reporting?
Jose Seara: Yeah, these publicly traded companies now, they need to report on incidents and they need to do that fast. Every time something happens, they need to report it relatively quick, but they also need to report periodically.
In their quarterly and annual reports about the risk that they carry, and they need to share that that information with their investor with their shareholders. And the only way to report the risk. That you carry is to quantify that risk. So, so that makes for the CRQ part of the acronym. So the cyber risk quantification component, they also need to report in governance and risk management and that makes for the M management.
So, the whole, let’s say, chain cyber risk quantification and management is now something that these publicly traded companies need to meet those compliance obligations and cyber risk is a complex risk. And understanding modeling, quantifying the risk requires complex platforms and that is what is known in the market as the cyber risk quantification and management platforms that in essence model quantify the risk and provide these publicly traded companies with information. They need to remain compliant with this new regulation.
Brian Thomas: Thank you and I appreciate you breaking that out for us. You know, I was familiar with the SEC’s effective rule, but I didn’t really know all the details around that. And I know that’s been a kind of a topic of discussion. I’ve seen it quite a bit out there on LinkedIn and so forth.
So I appreciate you again, breaking that down for us here on the podcast and for our audience. So, Jose, it was such a pleasure having you on today and I look forward to speaking with you real soon.
Jose Seara: Thank you so much, Brian. Likewise, here.
Brian Thomas: Bye for now.
Jose Seara Podcast Transcript. Listen to the audio on the guest’s podcast page.