Episode One: Aron Ain

[Music: Futuristic, airy tone.]

FBI Assistant Director Bryan Vorndran: Welcome to episode one of ahead of the threat. My name is Bryan Vorndran, I'm the current assistant director of the FBI's Cyber Division. And joining me is Jamil Farshchi. Jamil.

FBI Strategic Engagement Advisor Jamil Farshchi: Bryan, I'm excited to be here with you today. I will kick off our top three headlines of the day that we're going to cover. Number one I have for you is election security. There's a whole ton of reports, [The] New York Times, you know, you name it, that are talking about the threat that we're all under as we're going through the U.S. election cycle right now. I know you're in the in the thick of things. Can you give us a little bit of color on what's going on?

Vorndran: Yep. We are in that season for sure. Right? And I mean, when it comes to election targeting by adversaries, whether that's foreign malign influence, whether that's cyber attacks, the FBI also has responsibility for threats to election workers. Obviously, keeping them safe. But what I'll touch on today is the recent unsealing of the indictment against the Iranians for the compromise of the Trump campaign.

Very, very aggressive techniques by the Iranians to essentially steal information from the Trump campaign and trying to pass it right to a political opponent. And so, I mean, it just goes to continue to show everybody out there the depths that our adversaries will go to sow discord. It's just, it's just a really, really challenging time for us as a country, a time for all of us to come together and really understand what our democracy stands for.

But, from an FBI perspective, we're kind of right in the middle of it right now. And that indictment is very detailed. I'd encourage our audience to read it, to understand what our adversaries are trying to do to the underpinnings of our society.

Farshchi: Isn't this just the next? I mean, this is like an extension of last time, too. I mean, the last election cycle, it was, I don't know, remember, was it Russia and China doing similar things?

Vorndran: We seen this in the last—this is the third consecutive election cycle we've seen this. You know, certainly, there was activity by the Iranians in the last—in the 2020 time frame. But this type of activity goes back long before that. But we are seeing it at scale, right? It’s very aggressive. And it's very purposeful. And I think it's important for our audience to remember that: It is very purposeful by our adversary what's being done.

Farshchi: And one of the things that I hear we all talk about all the time, the advanced nation-state actors and the sophistication that they have and things like that. Are they employing that in these attacks, or is it, I mean, are there things I guess, you know, that we could apply that it would apply to, you know, companies like mine or other CSOs [chief security officers] and other organizations out there that are they're using some of the same mechanisms they use against us for these things? Or are they way more advanced?

Vorndran: So, I mean, I think reading the indictment is going to be helpful for the audience. But what I would say is this: We do see sophistication of attacks. Right? Because all of the nation-states care about this space and this topic. But, in the particular matter of the Iranians, what I would say there is it is tried-and-true techniques, right, of phishing and smishing that really are what catalyzed the forward capability of the Iranians.

So, you know, we would consider those basics. But the reality is they still work. And, you know, with the advent of AI [artificial intelligence] and Gen AI [generative artificial intelligence] and ML [machine learning], right? Phishing attempts have gone up 4,500% over the last year. Because it's easier for non-native speakers to craft very finely tuned and precise, phishing campaigns.

Farshchi: Yeah. Be careful what you click on. I guess. The other one, this hit the news, and this is a big one: Salt Typhoon. Salt Typhoon. It's taking the world by storm here. Yeah, yeah. Telecommunications, the wiretapping network. I mean, this this one, this one blew my mind. And it’s—feels really, really worrying. What's the what's your color on this one?

Vorndran: I mean, Salt Typhoon is blinking red right now. As we're recording this, right? It is a very, very significant concern for the United States government and for many major providers in the United States. You know, taking this back just a little bit to Volt Typhoon from about a year ago, Volt Typhoon was all about pre-positioning and IT [information technology] networks, essentially access in furtherance of attacks. By the way, Volt Typhoon industry odd names Vanguard Panda, Bronze Silhouette. They did target comms, energy, transportation, water, and wastewater. They very much use living off the land techniques, right? Which are really, really hard to detect. And, with the Chinese being behind this, it is a sophisticated adversary.

Vorndran: And those living-off-the-land techniques makes it more challenging to discover their activity within infrastructure. And, so, with Salt Typhoon a little bit different. It's cyber espionage campaigns, really targeting North America, as well as Southeast Asia. Other names for the industry or for the industry term are "Famous Sparrow" and Mandiant actually calls it "UNC2286."

You know, obviously, heavy reporting on the comms sector right now being targeted. And, you know, when we think about sector impact, right? The big three really are, right, comms, finance and energy. Because, without any one of those three, the world really doesn't go the way we expect it to go. So, super sophisticated activity by the adversary. And a real, real challenge that we're trying to navigate right at this moment.

Farshchi: Yeah, it's tough for sure. I'll be interested to see how this one plays out and what we're able to discover as you guys go through this thing. And, I got to say, one of the pet peeves of mine in this space is how many freaking names we have that we dub for each one of these threat actors.

Vorndran: Yeah, I know.

Farshchi: It is impossible to keep it all straight. All right, last one. Supply-chain security, just announced, I think it was yesterday that, what was it, ADT got popped again. This one also a third party. I mean, man, look, we whether it was SolarWinds back in the day or then Kaseya, and then just a slew of other organizations.

Since that time, it just it feels like we're not advancing, we're not improving in this space. And these third parties, the supply-chain risks just continue to mount. And I can speak for myself. It's just tough. I mean, how many—we have hundreds or thousands of vendors, and making sure that you've got orb, and then you add on things like open source and all of the components there. It is really, really tough. I mean, what are you seeing on that front? Do you feel like we're making any progress at all in terms of being able to defend against that threat?

Vorndran: Yeah. So progress is a tough one for me to comment on. It's really, really challenging because, obviously, all of these intrusions continue to remain a problem. With supply, specifically, I think it's important to bring in third-party risk into this conversation. I think sometimes that gets left out, and I think you and I both know that that is 100% part and parcel to the broader conversation. And when we look at third-party risk, I tried to talk about it in this way, right? Imagine that you are a part of an industry-leading business, and you have one or two competitors that dominate the United States economy in your space.

Well, undoubtedly, you're using some type of niche software or niche application. Or from an adversary perspective, right? They're trying to figure out what those niche software packages are, what those niche applications are. Because, if they do that effectively and they target it effectively, right, they're going to have an outsized impact in your sector or in your industry. And so, yes, it remains an absolute problem.

It's probably going to remain a problem. The best thing that I can tell people is this. Right. You know, we often talk about who our competitors are in the industry, but we also have to understand that those competitors are going to be targeted by cyber adversaries in the same way. And so sharing amongst your competitors—or perhaps those who are partners in your space—is a really, really good best practice. And really one of the main reasons the ISACs [information sharing and analysis centers] have been stood up. So, those are my thoughts on supply chain right now, Jamil.

Farshchi: Yeah. And it's, you know, my point of view is there's a few basic things to do. You know, we talk a lot about things like software, building materials to help reduce the risk on third parties. I think that helps from the visibility standpoint, but just having some basic knowledge around who are the suppliers that I have, just having a meaningful inventory of them, how do they access my environment and then what access to data of mine do they have?

Farshchi: That sort of the checklist that I use in my head around this stuff. I think this is a good segue for our for our keynote speaker here for this episode, Aron Ain: CEO, former CEO of UKG and, now, the chairman of the board. They went through a major cyber event a few years ago that had a meaningful third-party component in it as well. I'm really excited about it.

Vorndran: Yeah. I mean, I think the audience, our viewers and our listeners, are going to really enjoy hearing from Aron. Having been part of that conversation, just, obviously a tremendous human being, a tremendous leader. And, even if you don't listen to the episode from a cyber perspective, from a humanity perspective, I think that our listeners and our viewers are going to get a lot out of listening and hearing from Aron. So, at this time, we will go to Aron Ain, to help us get ahead of the threat.

***

Vorndran: Hello, I'm Bryan Vorndran from the FBI Cyber Division. Welcome back to Ahead of the Threat. As always, joining me is Jamil Farshchi, the chief technology officer from Equifax. And we're very, very pleased to welcome Aron Ain to our conversation today. And we're going to talk about what it is like to be in a leadership position as a CEO during a major cyber incident. Aron, specifically, was the CEO and chairman of the board at UKG Kronos during their recent ransomware attack. Jamil, I'll go to you for a few opening thoughts.

Farshchi: Well, first off, Aron, thank you so much for taking the time to be with us today. I remember, you know, I think it was a year ago, you and I were on stage, and you told this story about what happened to UKG as it relates to the cyber incident. And it was, to me, it was so impactful because you got to see from firsthand view of a CEO and what they went through and the impacts and the response and the culture.

And, so, just to kick off, I would love it if you could walk through that story, what you experienced, and just give the audience your point of view on what transpired and how you navigated it.

Aron Ain: Thanks, Jamil. Nothing came good out of the cyber incident with one big exception. The one big exception was I met Jamil, and Jamil joined our board and has helped us do so much better since then. So thank you, Jamil, for making that possible. I wish we could have done it in a different way, but it made a difference. Just going through quickly.

Short version: It was Saturday night, December 11, and I was coming home from dinner about 9:30 at night with my wife, and I got a text from our chief technology officer that we had a problem. And, so, I that was unusual to get that on a Saturday night. I called them, and it appeared that we had been compromised. And through—it wasn't clear who it was, what it was, but we brought all of our systems down for a small subcomponent of our customers who were on this one platform to learn later to, you know, minimize the blast zone, if you will, until we figured out what was happening.

So for those 2,000 or so customers, their system became unavailable. And we worked throughout that night and got together that Sunday and tried to figure out what happened. And it was clear that we were going through a ransomware attack. All the typical things that you experience, I had never experienced before with that, with that, the messages came up and here's what you need to do.

So, we immediately kicked into gear and did what we had prepared for to do. And that meant trying to determine what was going on. Could we get our systems back up, what our choices were, etc., etc.. It was awful because our customers needed their systems. Our systems helped our customers schedule their employees, pay their employees, keep track of when people were coming and going.

Some of the biggest companies in the world were on this system. It represented millions of employees who were potentially impacted. We didn't know at that point whether the information, the customer information was compromised. We thought we were okay because we had spent so much time with our cyber readiness. Protecting all the data, can talk about that in more specific.

I remember one of the big things that happened on that Sunday. We got together with some cyber experts who we had on retainer. Anyway, we also got together, introduced to some third-party legal groups that help organizations go through this. And I remember that the lead attorney from the outside counsel asked me how we were going to communicate to our customers what was going on. And I said, “Well, I don't know. It seems like an odd question. Tell me more.” He said, “Well, in most cases, organizations like yours, you know, won't share much until they know more.” And I said, “Well, I'm not doing that.” I said, “I want to treat our customers the way I would want to be treated in a similar situation.” Hard stop. And that meant tell them everything that we knew at that point that we could.

So, I split it into three categories with our customers. We were going to tell them what we could tell them, what we knew, if there were questions they asked us that we knew the answer for, but we weren't prepared to share with them. I would tell them we know the answer to that right now or we don't, but I'm not prepared to share that. Or, most often early on, we told them we don't know the answer to that, but we were going to based this based on open less transparency, being truthful every step of the way as we went through this process. It took us four to five weeks to bring our customers all back up.

What's interesting is we had followed all the guidance that we had received through our SOC [security operations center] audits or third parties to have. We had disaster recovery centers that were located in multiple locations that were mirroring what was happening in the production system. We had all of the customer data backed up, encrypted, stored offsite.

But the problem was that we learned that what the bad actors did, by the way, I learned all these new words like threat actors, and I said, “What's a threat actor?” And they said, "They're the guys who did it." I said, “Can you speak English to me?” You know, I can’t remember. I erased it. How we were compromised. I remember the words they used and I had kick, I have a whole translation dictionary for myself with this. What they did was they came in, they encrypted our whole services layer. They made it so that, even though we had all the data, we had nothing to restore it to, nothing to restore it to. And so that led to frustration, quite frankly, anger later on, months later, why we didn't get the advice about how we were going to back up our services, layer, our active directories and things like that.

And I took 250 myself of those 2000 customers, and we split them up and I talked to each of them like three to four times a week, some of the biggest companies in the world. And I told them what happened and I explained what we were going through and always basing it on the truth, giving them the answers in those three categories.

And most of our customers extended us incredible grace, some because they had been through this before. But, more importantly, they told us later on or during it, you're being more open, more honest, more direct with us than we've had with any vendor we've been through this before. If you just keep doing that, we'll continue to work with you on this.

And that just came back to a basic principle that Sunday I was going to treat our customers the way I wanted to be treated in a similar situation. So let me stop there and see if there's a specific question I can go on and on about it.

Vorndran: And I'm fascinated to know, to the best of your ability, what was the pressure like on you and your leadership team in those initial moments? I really, really appreciate the commentary about openness and transparency because it's been our experience, as we deal with victims, that the more transparent they are with their downstream customers, the better off they fare. And what you're sharing is exactly in line with what I'm hearing from others. But, like, what is the pressure feel like? Do you feel the organization was well-prepared? Or is the pressure so overwhelming? The media is obviously part of it. Can you just take us back to those early moments?

Ain: The pressure was excruciating. My family was worried about me. I didn't sleep for like a week, literally. I couldn't sleep. I was on bridge calls around the world every two hours. We were doing it to get updates. We were working so hard. I felt incredibly guilty what we were putting our customers through, and it didn't matter to me, at that point, why. It just mattered to me what was going on.

So, the pressure was just horrible. You know, I don't know how else to say that. My kids were worried about me, and my wife was in a different state then because, and I came back to where our corporate office was, and my daughters in their early thirties. They, like, moved in with me to like, look after me. They were married with their own kids and same because I could tell what was going on with it and were we prepared? We were prepared to go rather, rally around, but we weren't prepared enough, or else, it wouldn't have happened. But we had 1,300 people stop everything they were doing to work on this 24/7. Christmas Eve, Christmas Day, New Year's Eve. New Year's Day.

People just lean forward, and the rest of the company backed and filled what those 1,300 people do for their jobs every single day. And so, yeah, I was so proud of the team. Amazing. Remarkable. Just incredible. But prepared? No, not fully prepared, or else we wouldn't have had it happen. And, afterwards, I told our people, Bryan, I don't want to know that we back the data up anymore. I don't want to know that we have disaster recovery anymore. I want to know how fast we could recover if something like this happened again. And I want to know why we know that we could recover in one or two days instead of three or four weeks.

Farshchi: Well, first, I can attest to that comment there at the end, because he still does it to this day. It's been sort of built into the DNA of the company that it's got to, we've got to make sure that we've been able to test and everything is resilient as possible. I'd like to ask you, Aron, I mean, you're big on culture and you've built a fantastic one at UKG. And you['ve] even written a book that's largely about culture, WorkInspired.

What was the sentiment amongst the team as they were going through it? It sounds like they rallied hard, did what needed to be done. What was the sentiment amongst them as you went through this very meaningful crisis?

Ain: Thanks. The team was fantastic. Part of it was because all of us at the executive level, starting with me, they could see how we were right in the mix. I didn't tell them they had to talk to my list of 250 customers. I talked to those 250 customers. I went and took the, you know, frustration, concern, the yelling, the abuse.

And, from there, I would tell customers, "I'm really sorry." I said: "How you feel, I would feel the same way. We're working really hard to fix this." But the team was great, and I think it's because we leaned into each other and we supported each other, and people wanted to know who was at fault and why this happened.

And I said, "You know what? We'll have lots of time to figure that out. Can we just focus right now on solving the problem and getting our customers back where they need to be? I'm not interested in putting people in a penalty box right now. I'm only interested in taking care of our customers and solving the problem." So they were great. They were great. And, look, I believe and I know you know this, Jamil, we've talked about it: That trust is this magic glue that holds together organizations. Quite frankly, holds together personal and professional relationships. And, because we trust each other, they trusted me. I trusted them. It got all of us to lean in and do what we needed to do.

Farshchi: Are there, I mean, clearly, you learned about a bunch of security acronyms that you would have probably never, never been interested to pick up before.

Ain: Exfiltrated! Jamil That was the other one. Exfiltrated. What the heck does exfiltrated mean?

Vorndran: Common language in our world, Aron. Common language.

Ain: Well, I didn't know what it meant!

Farshchi: What—so, outside of outside of that, those things, are there any other really, really meaningful lessons learned that you had? And I guess an extension to that question would be there are company after company has to go is nowadays going through major incidents like this. And it, what I've struggled with is that it oftentimes takes a company to go through a situation as impactful as a cyber breach to truly take it seriously. And I'm curious, based on the lessons learned, like, what do you think would help to drive more motivation behind, whether it's investments or prioritization or bolstering your culture to get other organizations to recognize that, hey, this is this is a big deal and it is massively impactful and, so, do the needful up front to potentially avoid this fate on the on the back end otherwise?

Ain: Yeah. Fantastic question. Look, we were traditional, where we had our audit committee made up of mainly financial people—fantastic financial people—providing the oversight on our cyber readiness and they would have the CISO [chief information security officer] or the technology people come and present to them twice a year. The fact of the matter is I learned that that's a failed strategy, and we should have never been doing it that way.

And, as a result of this, I convinced our board I wanted to create a new committee of the board called the Cyber Committee. And the Cyber Committee did not fall under the auspices of the Audit Committee. It was a separate committee that reported to the board, and that included recruiting some world-class expertise to lead that Cyber Committee, because the Audit Committee—good people, but they just were stamping what our people who work for us were asking. They weren't bringing in their own expert oversight like they did with the CFO [chief financial officer].

That was a big learning for me that I now tell any CEO, any board who will listen to me: "If you don't have it set up that way, you're doing it wrong. You're doing it wrong from that point of view." So that was a big one. I also realized. in just terms of how we allowed third parties access to our applications and what we did, that that had to change and we had to, even though they were trusted partners, we didn't force them to have the same level of diligence as our own employees had.

And, in fact, we when we did the forensics later, we found out that the bad people—I don't call them threat actors—bad people, they got in through a compromised credentials from one of our partners in that way. So, I learned that we needed to provide the same vigilance with anyone who used the application or had access to it as we did with our own staff and our own employees. And it was beyond just multi-factor and those type of things. Look, I learned lessons about what EDR [endpoint direction and response] was all about and how we needed to have better coverage and how we needed to have our Security Operations Center.

By the way, why don't we call the Security Operations Center, SOC? And why do we call what the third parties do with SOC? I was getting so confused in those early days, which one was which.

Farshchi: And I never even thought about that. You're right, SOC one two.

Ain: As someone who's not an expert, trust me: I didn't know which one they were talking about and how we went and analyzed these alerts and threats that came in. We had people doing multiple jobs within the Security Operations Center, and we went and segregated that and had that done now with dedicated groups of people. I could go on and on.

But these were big, important learnings for us. You know, that platform that was compromised was a 20-year-old platform that we only had 2,000 (at the time) of our 70,000 customers still on it, but they loved it, and we didn't want to go force them to go upgrade to the new, modern version of what we had. And that application really wasn't built for a modern world. We did our best to do that. So, since then, we went in and said, "We need to get you transitioned off this because it just wasn't built in the same way." So, those are examples.

Farshchi: I just got to say, Bryan, the things that that Aron just highlighted—cybersecurity at the board level, supply-chain security or third-party security (however you want to characterize it), some of the basic hygiene, you know, patching, talking about EDR coverage, things like that—I mean, this is, I think, music to any, Aron, any security practitioner's ears. These are the things that that genuinely matter most and, oftentimes, bite organizations. To hear you speak as thoughtfully about them and called them out as lessons learned is, I think, it's a really powerful message for everybody.

Vorndran: Yeah, I'm making notes here on my in my scrap paper. Same thing, Jamil. You know, the interesting thing about what you said, Aron, to me, is this common conversation that EDR, right? And we're not too far on the heels of, you know, what happened with CrowdStrike. And one of the conversations I now know is present is should we have multiple versions of EDR throughout the organization, because if one is compromised, all your endpoints really suffer. Right? And, so, it's a single-point-of-failure conversation. But yeah, I was making a list here of your top things to include, the questions you're asking, because they're very, very helpful. I was interested to know press, media—how helpful or harmful or problematic was it during the conversation during this challenging time?

Ain: Honestly, I ignored them. I let other people deal with that. My number-one priority for 24 hours a day, no sleep, was on our customers and our people. And we hired outside experts. I said, “You go deal with that. I trust you.” They were more conservative than I was. And, so, I just was so focused on, you know, attacking the problem and taking care of our people so that some people want to talk to me. Yeah, but I just said, "I'm not going to talk to them."

Vorndran: Okay. And, then, interested to just know your thoughts to the best of your ability, right, with what you're willing to share–engagement with the U.S. government during that time, right? Who was party to that conversation? Did you wind up engaging with the government? Did you not? We did. Yeah, just some thoughts behind how you went through that process I think is going to be really helpful.

Ain: Yeah. So that that Sunday, the third party, the legal team said, "Look, here's what we need to do before we go start talking to these, you know, bad guys, threat actors. And, you know, we need to bring the FBI in." And I think they said the Treasury Department. Is that possible?

Vorndran: It's possible they could have recommended Treasury to vet whether there's a sanction entity.

Ain: That's what it was. That's what it was. And, so, that took a couple days. And they finally said, "Okay, we have an idea who it is based on the characteristics of what happened and and you can talk to them honestly." It didn't come to this, but I said, in the end, look, you know, they said, "If you talk to them and they're, you know, the wrong kind of people, you may not be able to do something."

I said, well, at some point, because you risk legal action against you personally, I said, “Well, if we don't get an answer in the next day, I'm prepared to accept the responsibility. We need to get our customers back going here. I can't deal with this." Now, it didn't come to that. I wasn't talking to them directly. Our third parties were and the third parties were fantastic. I don't know what I would have done without them, but I have nothing but praise for the authorities, how they helped us. They responded really quickly. They jumped right on it with us. Maybe I feel that way because they gave us the answers that I was looking for: what we could go do and how we would do it. But I don't think that's what they did. I think they did it honestly and taken into account. So, I was pleased that they were partnered with us and I'm glad they were there.

Vorndran: You know, on the OFAC [U.S. Department of the Treasury's Office of Foreign Assets Control] Sanctions piece, you know, just a PSA [public-service announcement] for those listening, right? This engagement with the FBI for this purpose of determining whether, you know, whether it's UKG or any other victim is dealing with the sanction entity, we're happy to fulfill that role is the bottom line, because it does give peace of mind back to the true victims. Right? So I appreciate your comments on that.

Jamil, I'm stealing a lot of time, so I don't want to take your thunder.

Farshchi: No, no, no. Aron, you've talked a lot about partners, whether it's with the government or it's with communications. Were these relationships established in advance of this event, or did you have to go through and identify and then establish those relationships in the midst of the crisis?

Ain: Good question. So we, Mandiant—we were a Mandiant customer—and, so, we had them on retainer. So, it was easy to engage them quickly. The only difference was we were working with some really wonderfully talented people. But like on that Sunday night, I said, "Well, who's the guy in charge there?" And they said who it was, Kevin. And I said, "Well, I want to talk to Kevin."

And, so, Kevin got on the phone with me that Sunday night, and I went through with him, and he made me even more like anxious at how long this was going to take and to get it back going. But he joined our calls like every day for a week, and he leaned in with us and he became a good friend for a crazy reason because of this. And I'm grateful for him partnering with us.

As far as the negotiators, I didn't know they were dedicated cyber negotiator who do this for you. How would I know something like that? You know, I learned all those things and the third-party legal team and they were security experts who were the lawyers there. So they were a big help with us bringing them in. We could not have done it without the guidance.

By the way–the people from Mandiant and the people from the law firm—they helped us talk to our customers. They represented a third party and they leaned in, and we said, I said, “No, I want you to talk to the customers. I want you to tell them what we're going through. I want you to tell them how we're working on this. I want you to share with them what happened is more of an independent group,” to go talk to us. And we went and said, "You can talk to the team from Mandiant." These big customers said, "Really, you'll let us talk to them about." I said, “Of course we will.” And they did that. So, huge help, Huge help with that. We were a team, Jamil. We were a team on this.

Farshchi: And I think, I think that's, you know, I've heard this time and again and I've experienced it myself where you can have the best team in the world within your organization, but it takes, you need more than just your own team to get through these things successfully. So, another question for you. Look, you have a storied career and you built Kronos into a multibillion dollar company. You spearheaded an acquisition and to now turn it into UKG. So you've gone, you've now got a hugely successful, very large company. But you were there early on, as well. Where I’m at with this question is: There's always a balance between the risk, and, oftentimes, it depends on the, obviously, the risk-reward or the dynamics of the business itself, and smaller mid-size organizations oftentimes don't have the resources. They don't have the time to spend to be able to pull in the third parties or to invest in security. Well, where do you see the balance there? And has it changed in your mind as your company has grown the way it has from from where it was to where it is today?

Ain: Yes, sure. Look, I don't know how you deal with it, as you described, if you're a small company, but if you're going to be in the software business—the enterprise software business, the mission-critical enterprise software business—you have to be prepared to support your customers, particularly if it's going to be you're going to run it in a public cloud. But under your data-center oversight. And, so, you have no choice. Is it easier for us to deal with this one more bigger? Of course it is, because we can invest in more resources and world-class CISOs and team members on that from that point of view.

But, if you're going to be in the business, you have to go deal with it. You have to go focused on it. And I think some of the things are obvious and they don't require as much money. I think I believe, you know, how you set up your DR systems and how you and what you specifically back up—it wouldn't have been that much more difficult for us to go back up all the services layer in the active directory. We just didn't do that because we were so focused on the unique data that we had, if that makes sense. So, but, yeah, it's harder, but you have to do it. It's part of the cost of being in business to do this if you're going to run this.

Now, look, I think the public cloud makes it easier. Almost all our systems run in the public cloud. The reason I wanted to go to the public cloud (we did it before this happened; remember, this was just the last vestiges of some of our legacy platforms) is that I wanted to ride the back of the public cloud organizations because, I said, they have tens of thousands of people working on security. When we were running on—and this was when we were running in our own private cloud—we were responsible for the infrastructure layer and the application layer. When it runs in a public cloud, we really are leaning in most of the application layer and we get the advantages of what the public cloud companies do on the infrastructure layer. So, that makes it a lot easier for us. So, I knew that before we did this, but this system wasn't on that.

And, so, now look, we still pay for an EDR provider. We use one of the public cloud companies. We get their EDR tools. I told our customers. They said, "How are you comfortable that, you know, this won't happen again?" I said, "I can't guarantee it won't happen again, but I can tell you with where we're going is, we got, like, guard dogs watching guard dogs watching guard dogs. You know, we have our own watch and their own watch and everybody's doing this. So I'm thinking, you know, bad guys are going to come through the neighborhood. They're probably going to go after somebody else's house first." Right now, I don't want to jinx myself because it's always a risk there. But we leaned in with it.

Vorndran: Aron, on the cloud piece, you’re starting to sound like an expert there, by the way.

Ain: What's that?

Vorndran: I said: "On the cloud conversation there, you're starting to sound like an industry expert a little bit."

Ain: Bubba, this is what I learned! I had no choice.

Farshchi: I also think we need to change the term, though, because we all in the industry, we call it defense in-depth, but I think it should now be "guard dogs watching guard dogs watching guard dogs." So, we're coined a new term there, as well.

Ain: I'm a simple guy. Jamil, you've met me. You know: Just keep it simple.

Farshchi: I love it. Oh sorry, Bryan, go ahead.

Vorndran: No, no, no. I've really enjoyed the conversation. My only, really, other question for you, Aron, is we've talked about these like, primary takeaways. I'm just looking at my notes, like, how long to recover? How do we know that that's our timeline? Jamil had some of the others about board construct. What are what else would you really recommend to people in your position to really think about planning for in advance?

Ain: I would tell, I presented to a group of 250 CEOs a year after this happened—no, no, within the year of when it happened—and I got up there on the stage and I had other experts with me. I had Kevin Mandia sitting next to me and Luke from Debevoise [& Plimpton LLP] sitting next to me. They were our partners.

And I told them—was right after lunch, I remember this—and I looked out and I said, “I know all of you guys are tired. You have, you know, dessert high right now. And you're probably saying, 'I've been sitting in meetings all morning.' But, I'm begging you to stop what you're doing. Put your phones down and just listen to me for 10 minutes because, if you don't, you will be me—a year from now, two years from now, three years from now.” And I told them, as the CEOs, they need to lean in on this. They need to, they don't need to go to every cyber committee. One, although I try to go to them still, but they need to go tell their organization this is really important.

Farshchi: And now you know why–

Ain: Lead by example.

Farshchi: Yeah. And now you know why I really, really wanted Aron to be here. Like, such a huge champion of cybersecurity. But I think, more than that, to me, it's doing the right thing: doing the right thing for your organization, doing the right thing for your customers, being transparent, being honest. These are all things that I found to be absolutely instrumental in successfully navigating not just cyber crises, but but any type of crisis.

And, so, I can't think of a better place to close this out. But, Aron, huge, huge thanks for joining us today, and just for your continued support and leadership in this space to really raise the bar for everybody else. Thank you.

Ain: Yeah, you're welcome. Thank you for the opportunity.

Vorndran: Thanks, Aron. And good luck to your Celtics on a two-peat, as we say. Right.

Ain: Thanks, Bryan. It's nice meeting you. And, by the way, thank you for everything you're organization does to help people like me and other organizations be more effective of what we do going forward. So I don't take it lightly what you do and how you do it and how you partner, and, so, thank you for that. Grateful.

Vorndran: Of course. That's why we all signed up to do what we do. Happy to.

Ain: Okay, good deal, guys.

***

Vorndran: That concludes our episode-one interview with Aron Ain. What a fascinating conversation with him for our listeners and our viewers. For me, the primary takeaway is the amount of time and energy and care Aron put into communicating with his customers and with how much emphasis he put on for the entirety of this organization to communicate with his customers and how that paid just tremendous dividends. Jamil, what was your primary takeaway?

Farshchi: Man, there were so many of them, Aron is such a stand-up guy. I think that was that was really enlightening. But I think the number-one thing that I took away from it was the fact that that it had such an impact on him—that this was something that was just catastrophic. and he was going to do absolutely everything possible to make things right thereafter. And all of the steps that he has taken—whether it's around the board of directors, it's the third-party risk component diving into resiliency, and many of these aspects thereafter—really, really profound.

And I think, at the end of the day, with him trying to push this narrative to make sure that everyone is aware to the best degree possible—all of his peers—that this is what can happen, "Do your best to learn from me so that you don't have to repeat the same same situation that he had to go through," I think is really, really impactful and something that we should all take away.

Vorndran: Yeah, sounds great. Well, to our viewers, to our listeners, we're looking forward to getting this process underway and to being here for you, as you know, twice a month for the next six months. And, so, today marks the end of episode one. But we're asking you to subscribe to the Apple podcast Ahead of the Threat, as well as to our YouTube channel.

And we'll look forward to the next time. Thank you.

Farshchi: Thank you.

[Music: Futuristic, airy tone.]