Subtle Ransomware Tactics, More Regulation on the Horizon for Security Leaders

Today’s security leaders are facing technical challenges, including a shift to specified, “surgical” ransomware tactics. But as the CISO’s role moves into the spotlight, business-level concerns — like effectively communicating with the board — rise to the top of the priority list.

The “C” in CISO is rising in prominence. 

For years, CISOs have dealt with increased complexity in their environments, more data and evolving threat tactics. But as organizations realize the financial and business impact of a cyberattack, CISOs are stepping into the spotlight in the boardroom and learning to navigate the new business relationships that accompany it. 

At .conf23 in Las Vegas, Splunk’s Kirsty Paine, Field CTO & Strategic Advisor, Technology and Innovation (EMEA) and Ryan Kovar, Distinguished Security Strategist and SURGe Founder, sat down with analysts Daniel Newman and Patrick Moorhead from the Six Five to share what they’ve learned from CISOs. Ransomware will always keep CISOs up at night, but added to the list of concerns is how generative AI will handle organizations’ data and what new regulatory demands are on the horizon. Paine and Kovar also share how the smartest CISOs are using incentives to nail down the basics of cybersecurity hygiene.

Note: This is an auto-generated transcript, which may contain errors. 

Patrick Moorhead: Hi, this is Pat Moorhead and we are live here in Las Vegas and Splunk’s .conf2023. Dan, it’s great to be here. We’re having great conversations about data, about resiliency, about AI and even OT and IT. That was a surprising adder here for the show, but given how hard it is to get data at the far edge, it makes perfect sense here.

Daniel Newman: Hey, look, the proliferation of data at scale, exponential at the edge. Of course, the data centers are growing and AI is going to create a whole new wave of data centers, but is there anywhere that there’s more data? In fact, those sensors outside here are saying it’s really hot.

Patrick Moorhead: It’s 118, I think, today. That’s why we’re wearing short-sleeved shirts and stuff like that.

Daniel Newman: Tank top, shorts and flip-flops, just like all our other tech friends.

Patrick Moorhead: That’s right. Not vests out there. No, in all seriousness, though, it’s been great conversations. One of the conversations we haven’t yet had is workforce resiliency. And as we found all throughout technology, workers obviously matter and at an age of AI, some interesting dynamics, some interesting things being done here, and I’d like to introduce, with that said, our special guest here, Petra. Nice to meet you. Thanks for coming on the Six Five.

Petra Jenner: Nice to meet you. Nice to meet you.

Patrick Moorhead: Yes.

Petra Jenner: Nice being here.

Patrick Moorhead: Excellent, thanks.

Daniel Newman: So we’re going to talk about workforce resiliency. In digital transformation a lot of people like to say people process technology.

Patrick Moorhead: Right.

Daniel Newman: People wrote seven books and in every research study I did on digital transformation, culture was the biggest indicator of whether a company would successfully adopt new technology.

Patrick Moorhead: Interesting.

Daniel Newman: It was never the technology itself. So Petra, you lead a pretty important dynamic region in the EMEA for Splunk. Talk a little bit about how you are building a resilient workforce and how you’re thinking about that in order to help the company. Because as we know, Splunk’s growing significantly outside the US and you must be one of those people leading the charge.

Petra Jenner: Absolutely. I can only say I’m super excited to lead a growing region and a very strategic region for Splunk because it is indeed, as you said, it’s a dynamic and it’s a very diverse region. And to your point earlier on, I can only say yes, culture is what eats strategy for breakfast, as Peter Drucker said many years ago.

Daniel Newman: I love that.

Petra Jenner: However, I could say the resilience element of how to divine a resilient workforce is super relevant. How do we do this? First of all, it starts with every single leader. Right? If we are not leading by example, how can we build and set the right tone? So we have to also live in an environment and nurture the environment by leading by example. That’s the first thing we need to do. So all managers also need to find ways to be more resilient. So, to focus on themselves, to take time off, to really work on workouts, make sure you prioritize your own health and your own development over others. So that’s important. That’s the first step. The second step is then, of course, to make that a constant discussion with all employees. It’s nothing you switch on or off. It’s something which is a continuous improvement over time. So that means we need to have ways of educating our people with, let’s say, some subject matter experts who should give us thoughts on how to build a better resilient life, lifestyle. And based on that, we may have to adjust here and there on how we operate as a company. It starts with small things. That’s what I have learned in my experience.

Patrick Moorhead: I was in senior management at a company, and this was a long time ago. The great part is this discussion has evolved.

Petra Jenner: Yes.

Patrick Moorhead: Right? And I think a lot of this has to do with happy employees, it means more motivated employees, more motivated employees means better outcomes for your customers and your customers’ customers.

Petra Jenner: Absolutely.

Patrick Moorhead: So we’re all kind of in this together. And it’s interesting, you talked about leadership, you talked about, I’ll just characterize it as work-life balance. Then the third thing I think was more about coming up with a process of self-improvement and learning how to do that. Is there a certain priority that you would put to these? Or maybe you could talk about where do you start if you were doing this?

Petra Jenner: I think the first start is always the rules of engagement. How do you engage with your employees? How do you communicate? For example, whenever I start and build a new relationship with any employee, I start with setting the expectations on, first of all, how they should respond or not respond. For example, I work in my own rhythm sometimes, and that means that because I’m a night person, I send emails quite late at night. But I have made very clear to my people that I don’t expect an immediate response and I have set the framework of how to work together. So that’s very important to set the rules of communication and expectations from the beginning. If you don’t do this, there’s a lot of misunderstanding happening which could cause stress, and that is not very fruitful for a resilient workforce. So it’s the small things, like setting clear expectations and also set clear objectives. So that’s the other one. Then the second thing is if you set clear objectives, is to also constantly check in with your managers, your employees, to make sure what is the progress we have accomplished and then appreciate the behaviors we would like to see. So that means if I see there’s constant progress as a certain behavior, a manager or an employee is showing to really reward that in public. That’s the way you build a resilient culture. As I said before, it is nothing you do once, it is a continuous effort and it’s something which has to come from the top and the whole management. If it’s only from the top, it doesn’t work. So it has to be installed into the whole management and the whole management has to live accordingly.

Daniel Newman: Excellent.

Patrick Moorhead: So there’s one thing that can throw a culture off balance, though, it’s going to be the rapid onset of disruptive tech.

Petra Jenner: Yes.

Patrick Moorhead: Right? For instance, automation of industry, whether it’s been industry one, two, three, four. In every case there was this panic moment. Remember when there was gas lighters, it wasn’t what we mean today, they actually lit the gas lamps and then people say, when electricity came, like, “what will these people do?” Then there was the horse and then there was the car, and then there was the assembly and all these great anecdotes. Of course, we’re seeing that the periods between these great disruptions get shorter. But AI, okay, nothing in my career has been as disruptive in such a short period of time as AI. Now again, AI is not new and Splunk’s been at it a long time. So I feel like you almost have to talk about it in two contexts, Petra, because the first context is AI that tech has been focused on for like three decades now, maybe even a little bit more.

Petra Jenner: Exactly, yes.

Patrick Moorhead: Then there’s generative AI, which was the release of OpenAI ChatGPT in November of last year, which suddenly was like the iPhone moment of AI. So we have a global disparity in how we’re thinking about it and workforces are a little nervous, they’re a little scared. White collar knowledge, that’s never been a disrupted group before.

Petra Jenner: No, that’s right.

Patrick Moorhead: So EMEA’s had some fairly strict immediate responses. We saw what happened in Italy. We’ve seen some of the EC and some of the passages of regulation to slow down. As a leader of a US-based company in the EMEA, I’m really interested in how you’re seeing the conflict or differences of opinion as it comes to AI and its distribution and proliferation.

Petra Jenner: So it’s a broad question, first of all. Let me just start with probably sorting the AI topic a little bit. AI exists, as you rightfully said, for many, many years and Splunk has been in AI and machine learning, in particular, since eight or nine years now. So that’s nothing which is news to us. And it has been used consequently for consumers, right?

Patrick Moorhead: Right.

Petra Jenner: If you take all the assistance on your mobile phones, that’s also AI so that has existed. So what has changed? As you rightfully said, this iPhone moment of AI, which is a generative AI element, which is really shifting the thoughts around AI. So to respond to the first part of the question, I believe that Europe has a long history of being very reflective on data security, on regulations, which are probably more strict than in the US. And I think to be fair, all the people who invented ChatGPT finally also went to Europe and they did a tour across Europe and actually socialized that we should have clear rules and regulations around AI to a certain extent. So I think that’s something which I believe Europe is at the forefront of it. So you can say to the extreme, AI to be regulated will be as such, will be very, very difficult. I think what we have to regulate is the usage of data, which is something we probably have been also very successful in Europe. So I think there are some recent trends to do and go deeper on this AI regulation piece. From Splunk’s perspective, we do have the belief that we should have always, AI should serve the humans to simplify the way they do their business. My personal point of view is that we need to work with AI in a way to augment our skills in the best possible way. So I believe it will require a deep shift in the workforce, meaning additional qualification will be required in order to do so. But then I hope, with everything we can see, it will hopefully augment our work so that we can get rid of these repeatable tasks, which are somehow not very compelling and can think about more, let’s say, things which are more into the inspiration. It’s about motivation or even creativity, because creativity is something which I believe is still very human. So I think our focus is clearly to augment the human-machine interaction in a way that still requires a lot of human contribution, but elevate the work which is done.

Patrick Moorhead: I think those are great insights, particularly to your region. I think sometimes in technology, we are way too US-focused as well and don’t comprehend the global landscape. I like to read, I like history. And if I look at it historically, as Dan mentioned, there’s been a lot of… People said, “Hey, this new technology,” whether it’s the cotton gin, the wheel, but I remember 30 years ago when we were moving to more structured programming languages, it was going to be the demise of the programmer. Then C came out and it was going to be the demise of the programmer, and then integrated development environments was going to be, but actually still 30 years later, there are not enough programmers to go around. But we do need to be very mindful that if we are shutting down a certain type of role that we do have re-skilling that goes into that.
In the United States, in the Midwest, we took a lot of manufacturing out of the Midwest, and those cities lost their jobs and it’s still in a very depressed state probably 25 years later and we need to make sure that doesn’t happen. Industries don’t always catch people unless there’s a motivation. I think the good thing that I see though is that the companies that are benefiting the most from this AI will have to do the re-skilling, if nothing else, to get enough people in the workforce. So we’re here talking about building resilient workforces in the age of AI so I have to ask you, will AI improve worker resiliency? Will it just be this massive headache and not add the benefits or maybe a little of both?

Petra Jenner: I think it’s in the beginning it will probably become a bit of a challenge to adjust the knowledge. It’s like in any innovation, the first part is always a bit painful if this gets into a global rollout. But I think over time, it will really simplify the way we do work. And as you said before, I think the responsibility we have as a company, and not only Splunk, but all companies, is to make sure that we support the augmentation of skills because we will still need skills. We just need different skills, potentially, moving forward. And I think that’s the part I think we need to plan for. And not to forget, we also have the challenge of a shrinking workforce, especially in Europe. The aging of the workforce is something, which is really a dilemma.

Patrick Moorhead: Oh, China, United States, Western Europe, I mean. It’s almost becoming a global reality now.

Petra Jenner: Exactly.

Patrick Moorhead: Japan as well. Yeah.

Petra Jenner: So I think we need to probably reprioritize what the scope of work is going to look like in the future? What are the critical industries we need to have our workforce being targeted to versus what is the work we can offload to AI, right?

Patrick Moorhead: Right.

Daniel Newman: Yeah.

Petra Jenner: I mean, I’m just speaking hypothetical at the moment, but that’s what I believe we have to do.

Patrick Moorhead: Yeah.

Daniel Newman: Have a lot of rethinking to do about education. I mean, you have a son that works, interns in high tech, he’s doing incredibly interesting things as you’ve shared. I won’t share details, but things he’ll never learn in college by going into the workforce. And by the way,

Patrick Moorhead: Interning never learned in his high school either. Correct.

Daniel Newman: Yeah. But my point though is, but yet we still have a system. I have one daughter that’s in grad school. I have one that’s about to head to college. And the question about even university, is it a rite of passage or is it something that kids still need to do in order to move into certain fields? And maybe in some cases, but I’m saying the institution’s been very set for a long way and now, all of a sudden, you’re looking at it going, well, if you were going to get a comms manager, do you need to learn how to write press releases and stuff? I think gen AI is going to take that out. And so the point is what are you going to do? What are you going to go learn? Where’s AI going to impact and do the traditional learning mechanisms… I’ve become a doctor in like 10 things because of YouTube, but I mean how much do we learn every year? If you went to school, when you went to school like a hundred years ago and you did computer science, nothing you learned would be relevant today. No, but if you literally left school right now, when you said, I have a choice, I can go get a CS degree at university, or I can go work for Google or Splunk or one of these companies and just start right now, in four years, it wouldn’t be like this. It would be like this would probably be the difference even in, and it’s only getting worse. And so we can spend a whole time talking about that. I want to flip to one more topic while we have you here Petra, though, you’ve been a big champion of women in technology. Yes. I think during the pandemic, there was a really interesting inflection that took place. You saw a lot of focus on not just women in the type of diversity, equity, inclusion. You saw a lot of sustainability, a lot of effort. And there’s been a bit of a debate about the difference between sort of the marketecture of doing these things and really being a company that believes, focuses and lives these things. And I’d say as the economy got tougher, you saw companies that talked a lot got quiet, and then you heard about the rifts that took place in this year. And companies, a lot of them laid off, some of those hires that were supposed to be the progress hires, but we still need to make these movements. What is your whole thinking about the conflict between really executing on the potential and helping build and support women in tech and companies’ shorter term thinking about making numbers and hitting quotas?

Petra Jenner: I think we have no alternative, but to be successful with this, with diversity in general. Because of the shrinking workforce, coming back to this, we have to do this. I mean, you can say, “do we have to do it?” Yes, we have to do it. So the question is how do we get better at it? And I agree to you that I have seen really scary trends during the pandemic. You could see that many women stepped out of their roles because they were overloaded with workloads, managing the family and the business. Then now what we see is they come back, but they come back in a different way, right? So I think I would add one thing. We have diversity, equity, inclusion is much more relevant these days. I think everyone knows that’s important with the aging workforce, that we have to focus on diversity and equity, but we have to focus on inclusive workforce, including our workforce, and define a belonging culture. Because with the work we do today, we have a lot of people who are still remote and they are not able to travel all the time to meet their colleagues. So we need to create not only a resilient workforce, but also a workforce who feels the notion of belonging to each other, because that’s what the human beings are interested in. They want to belong to something broader. So as a company, it’s just a huge effort. We have to pay attention to really create this culture of belonging. I think that’s the latest I have seen. And that’s also the positioning of Splunk on the global level, which has been initiated by Sharyl Givens, our chief people officer. And I think that’s the right thing to do because many women have decided deliberately to leave the workforce, the work because it was too much of stress for them, and they want to go back to part-time jobs, but we can’t really implement this. So from that perspective, I can only say we need to have flexible work models. There is no discussion around whether we need or don’t need diversity. We need it. 
And the other thing is we need to create an inclusive and a belonging culture in order to make sure that all the people with diverse opinions and different genders and different backgrounds feel welcomed in the organization.

Daniel Newman: I think that’s a great way to wrap it up, Petra. Yeah, I want to thank you so much. There’s been a lot of fun. I mean, these are tough conversations, but they’re conversations that need to continue to be had. And of course, whether that’s AI and its impact on workforces, creating resilient workers as a company, having that balance between pushing productivity and having people in life work-life balances, these are great things. And obviously you have a big challenge and a big opportunity. And with the announcements here, it’s an exciting future for Splunk. So thanks for joining us here on the Six Five.

Petra Jenner: Thank you for having me. It was a pleasure talking to you both. Thank you.

Daniel Newman: All right, everyone hit that subscribe button. Join us for all the episodes here from .com in Las Vegas. This is Daniel Newman, Patrick Moorhead, signing out for this one. We’ll see you all soon. Bye-bye.
