WHAT DOES IT TAKE TO LEAD A CYBERSECURITY PROGRAM
About this episode
In this episode, we discuss the book, “Fire Doesn’t Innovate,” written by our own Kip Boyle. This book has become the textbook used by Professor Kevin Cooney in his cybersecurity courses. In the book, Kip discusses cyber risks and how they are managed by senior decision-makers in an organization, and how cybersecurity professionals can have risk conversations with those leaders, since they are the ones in control of the budgets.
It is important to understand that we don’t do cybersecurity for the sake of doing cybersecurity. Instead, we do it to meet a business goal and protect the organization. Kip discusses his middle-ground approach to handling cyber risks, since it is impossible to protect against all risks 100%. To set up the decision-makers for success, they need to use both quantitative and qualitative approaches when handling cyber risks and select the level of protection needed based on their business needs.
What you’ll learn
- What the NIST cybersecurity framework is
- How cybersecurity decision-makers can understand the impact of a cyber-attack on their organization
- The goal of cybersecurity
Relevant websites for this episode
- Your Cyber Path (https://www.yourcyberpath.com/)
Other Relevant Episodes
- Episode 31 – All The Jobs in A Large Cybersecurity Organization
- Episode 43 – Threat Intelligence
- Episode 51 – What does it take to lead a cybersecurity program Part 2
Hi, this is Your Cyber Path. We’re the podcast that helps you get your dream cybersecurity job. I’m Kip Boyle, and I’m an experienced hiring manager of cybersecurity professionals. This episode is available as an audio-only recording in your favorite podcast app and as a video on our YouTube channel. Just go there and search for Your Cyber Path Podcast.
Now, whether you work in cybersecurity or you just plan to, you’ll be part of an organization’s cybersecurity program, or it might be called an information security program. Now, as a chief information security officer, I’ve helped to build and run many programs for different types and sizes of companies. And from those experiences, I wrote my book, Fire Doesn’t Innovate. And I recently found out, and I was really glad to hear this, that a professor who teaches both graduate and undergraduate classes in cybersecurity management has been using my book as the primary textbook for his courses.
Well, I didn’t write that, my book, to be used as a textbook, but I feel really great that it’s happening. Well, this professor, Kevin Cooney, is his name. He just asked me to be a guest lecturer, and I agreed. We recorded the session, and I want to share it with you now, so that you’ll get a better idea of what it takes to lead a cybersecurity program. If you want to be a CSO one day, or if you just want to support your boss, you need to know this stuff. All right, the session’s pretty long, so we split it into two parts. There’s the lecture itself, and then we had a separate question and answer session. We’re going to share it with you that way as well over two podcast episodes.
Okay, before we get to the training, I want you to consider getting this free guide that I made for you, and it’s called Play to Win: Getting Your Dream Cybersecurity Job. And it’s a really helpful 20-page visual guide, and it describes how taking a Capture the Flag approach is going to help you compete and win in your job hunting. If you want to check it out, go to yourcyberpath.com/pdf, and grab yourself a copy, and let me know what you think. And remember, you’re just one path away from your dream cybersecurity job.
Okay. Everybody, welcome. We got about 150 of you logged on so far. And I imagine we’re going to get… Oh, we just lost somebody. We’re [inaudible] 149. Well, the thing is, what we’re going to do is we’re going to get started, as I said, on time yesterday. A few more people will log in up to the full class load that’s here. But today, we have a special guest with us who is Mr. Kip Boyle, who is an expert in cybersecurity. And you know that because you have his book yesterday, which sells for, as I pointed out to you, ¥545, which is about five bucks on Amazon Kindle, Japan on that.
That’s good. But he’s served as chief information security officer, CISO, on that acronym there for insurance companies, credit card processors, banks, IT services providers. His background, he was on active duty in the US Air Force on the F-22 stealth fighter. He worked at Stanford Research Institute, and his clients included the US Federal Reserve, NTT DATA, Mitsubishi Electric, Boeing, Visa International, DuPont among, and NASA.
Today, he is the virtual chief information security officer for several companies and helps senior decision-makers manage unlimited cyber risks through rigorous prioritization and applied technology to increase the reliability of critical controls. And he has, finally, extensive experience leading strategic initiatives to modernize security functions, so that they deliver maximum business value.
And so, I’m welcoming Kip here. Some of you who’ve been hit listening to our chit-chat here as we’re going along, I would like to remind you of the bonus. If you get your question chosen, please submit your questions through Raj, our TA, as Kip gives his talk, if you want to do that. And then when we open up for question and answers, of course, you can add in your questions and go from there. But thank you very much for giving up part of your Sunday evening here in the US to come speak to the class. I normally would say, “Give a round of applause,” but that’s [inaudible]. You’d have just a little clap, clap of me. Everybody’s here, but welcome, Kip.
Thank you, Professor Cooney. I really appreciate the invitation to spend some time here with your class. Thank you very much. I really enjoy the opportunity to share what I know with others. I’m very interested in feedback. Not only would I encourage you to submit questions, but you will have my email address. And I would invite you to email me directly later on. If you have other questions, or perhaps your question didn’t get answered during class time, you can feel comfortable sending it to me. I would be glad to get it.
I’m going to share my screen now. And I just want to know… Ah, good. Thank you, Raj. Appreciate it. Now, I’m a practitioner and an educator. And so this means that I do work for customers, customers pay me, and then I share what I’ve learned with others. And so today, both in my book, and also today, in our time together, that’s what I’m going to be doing with you, is I’m going to be sharing what I know from my work with real customers in the real world. And then as we wrap up our time together, I’ll also tell you different things that I’m doing that you could choose to participate in if you want to continue to hear the things that I’m learning as I’m doing all of this field work.
I find that by being this way, by being a practitioner, and by being an educator, I’m simultaneously a realist and also an idealist. And that really gets in the way sometimes because there are just some lines that I don’t think people should cross, like the paying of ransom to get data back, but the realist in me says that sometimes you don’t have any other viable choice. And I think if an organization is facing utter bankruptcy versus the payment of ransom, all I can say is I just hope that I, myself, never find that I’m in that situation because it would be difficult.
But yeah, let’s move into the material here. And I tend to go pretty quick. And so, I hope that I won’t go too quickly for you. But, Raj, if I am going a little too quick, if somebody should happen to say that during the presentation, please let me know, [crosstalk] and then that way I can slow down a little bit, but there’s a lot to say.
And I’d like to start by telling you why I wrote my book. And it was because I noticed that most organizations that I was working with and reading about in the news were not managing their cyber risk very well. And I have been spending a lot of time trying to manage cyber risk in a number of different situations. And I felt like I had something to share. And so, I wanted to help. And that was really the genesis of my book, Fire Doesn’t Innovate.
Now, one of the biggest problems in the sphere of cybersecurity management is that you have to have an ongoing conversation about cyber risk and how to manage it. And you need to do that with senior decision-makers because they’re the ones that control the allocation of resources in an organization. And almost everywhere I go in my work, I find that this conversation is lacking. It’s either lacking in its ability to produce useful decisions, or it’s lacking in its ability to even establish a common vocabulary for the participants to even have a conversation. This is, by essence, a multidisciplinary conversation.
And so you’ve got people from all kinds of different backgrounds, and legal, and finance, and operations, and technical, and they need to have a common language. And so that’s one of the goals that my book strives to achieve, is to provide that common language, and then also a structure around, how do we identify our top cyber risks? And then how do we mitigate them in a business-savvy way? And so, I’ve been doing that a lot. And so, I thought I would toss my hat out there and let folks make their own judgment about whether anything I had was useful.
Now, another complication with the conversations in organizations about cybersecurity is that most senior decision-makers don’t really understand their situation. They spend almost all of their time thinking about their own operation, but they don’t spend very much time thinking about what’s going on outside of the walls of their organization. And the reality is that we’re badly outgunned right now, awfully, terribly, badly outgunned. And I think that should be obvious to anybody who is studying in this space or practicing in this space, or even just watching the news. You should be able to clearly see that the cybercriminals and the cyber soldiers are having a very easy time with us by and large.
And most people just don’t understand this. Most cyber… I’m sorry, most senior decision-makers just don’t seem to understand that they are, in fact, a target. And I find a lot of denial among them as to whether they are a target or not. And I also find that they don’t really understand the true nature of cyber as a risk item. And I’m going to talk about that in a moment, but I just want to say that not only are we badly outgunned now, but I don’t see any reason why this is going to change anytime soon. If you look at the governance structures in most countries, whether they are judicial, whether they are legislative or executive, law enforcement, and so forth, courts, they’re not really able to mount an effective response to what’s happening.
And I just don’t see… As far as I can see, in all the conversations that I’ve had, I don’t see an effective response on the horizon. And so what that means is that if we’re going to be on the internet, and we must, because I think that’s where business happens, then we’re on our own, and we cannot rely on government or other institutions to protect us. And we really have to protect ourselves. And that’s just going to be the way it is for a while. We’re going to have to figure this out, or we’re going to have to suffer the consequences of not figuring it out.
And there are some very specific things that we can point to. For example, the annual cost of cybercrime and data breaches is currently approximately $6 trillion annually. And in case you didn’t know, at $6 trillion, if you aggregated all that, it would be the third-largest economy behind the United States and China. And that is an enormous sum of money because I’ve never seen 1 trillion of anything, let alone $6 trillion. And by 2025, that’s going to go up to 10.5 trillion, is the estimate. Back in 2015, it was 3 trillion. If you can imagine what this looks like in a bar chart, it’s rising rapidly and with no end in sight, as I said.
And so you must acknowledge, and I tell this to senior decision-makers, something really serious is going on for that amount of money to be at stake. And now, of course, it’s not just about money. In 2020, the University Hospital in Düsseldorf in Germany was struck by ransomware. And as that code locked up all the computers in the hospital, there was a patient in a life-threatening situation, in an emergency that was being brought to that hospital by ambulance. That ambulance had to be diverted to another city, and that patient died en route to the alternate hospital.
Now, we don’t know for sure if that’s the first death directly connected with a cyber attack, but it certainly was the first one that was publicized, and that could be so clearly attributed to the consequences of a cyber attack. And it’s awful. And unfortunately, I have every reason to believe that this will continue. And so it’s not just about electronics, and it’s not just about ones and zeros anymore, it’s actually affecting people in a real-life and death situation.
What a lot of my customers don’t understand is that cyber has become a generalized business risk. And it’s not just a technological problem. In the past, I think you could argue successfully that it was, by and large, a technology issue exclusively, but it isn’t anymore. In fact, what I’ve noticed is that it’s on par with other major risks to organizations and their ability to be successful, whether that includes things like its ability to sell products because of its reputation potentially being damaged, or its computers being unavailable to serve customers, or its ability to fulfill the orders that it receives because whatever it is that they sell can’t be produced, because everything that everybody does these days is dependent on computers. Even fruit and vegetable farmers operating at any scale whatsoever are, in fact, computer-dependent and cannot fulfill orders without the computers.
And cyber is also equal to collecting money that an organization is owed by its customers. Now, in as much as it’s a business risk, it’s also different. It’s not a static risk. In fact, it’s a dynamic risk. And that’s one of the main points that I am making in my book. And so it needs to be managed differently. If you manage it as a risk where it is immutable, such as fire, then you’re going to be missing out, and you’re going to unnecessarily handicap yourself. And so what I tell my customers is you need to manage cyber as if it were a competitor, as if it was a competitive risk, because really, that’s what’s going on here, is we’ve got people, cybercriminals, cyber soldiers, are the ones that are creating the vast majority of the cyber risk that we’re seeing now.
And so they are, in effect, a competitor. And so, I challenge my customers to think about an organization that would set up an operation in their city or in their market space to begin to sell exactly what you sell, but to sell something that’s twice as good as what you sell, and for 30% less than what you sell it at. And that really helps get their attention. Now, this is a good approach to take, not just because you’re respecting the fact that you’re dealing with a dynamic risk, but also because it acknowledges that cyber risk isn’t all downside, that there’s actually some opportunities inside of the cyber risk that you experience, if you can recognize it, that you can actually use your good cyber risk management practices to create business value and to actually create some competitive advantage for yourself. It’s a management opportunity in as much as it is, in fact, a risk management challenge. And this is in my book as well. It’s another reason why I wrote my book, because I wanted to bring attention to this fact.
My book, if you haven’t read it yet, is divided into two parts. And the first part is designed to provide a way to talk about, to understand the nature of cyber risk, and then to be able to have a productive conversation with it, no matter what your background might be. And so in part one, I describe what the risks are in plain language, and I tell stories about real companies that have suffered real material harm because cyber risks had manifested for them. And I use germ theory as a metaphor because everybody really in the modern world understands germ theory. And so it makes a good analogy for cybersecurity.
Real germs and digital germs are both invisible, for example, until you start to feel sick. Nobody can see a biological germ without the aid of a microscope. And you can’t see a digital cootie, if you will, before it actually shows up and causes a reaction with your systems. And sometimes even your systems, while causing no tremendous ill effect to you, can be used as a launching pad in order to attack other customers. And so, just in the way that some people are not stricken by a disease, but do, in fact, carry it and transmit it to others, we see that also sometimes in the field of cybersecurity.
In my book, I talk about some of the things that you need to do to both personally, and also at an organizational level, minimize cyber risk. And some of these things only need to be done once in a while, like an annual flu shot. Some of the things that you need to do are designed to protect other people from being attacked from your systems. And this is analogous to wearing gloves during the preparation of somebody else’s food, or by wearing a mask when you’re sick and you don’t want to infect anyone else. And of course, there are some things that you need to do many times every single day, just like hand washing. And I believe that this idea of personal hygiene is a really important element in educating people to understand that there’s a cyber hygiene regimen that we all need to take up because that’s the world we live in, and I believe that that’s the world that we’re going to continue to live in into the future.
And so, just a couple of things, for example, that I believe are important for cyber hygiene would be the use of two-factor authentication wherever and in every place you can actually turn it on. And it’s becoming pervasive in a way that it hasn’t been in the past, which I think is fantastic. And when you can’t use two-factor authentication, you should be using a passphrase. You should use one that is strong and easy to remember. And we even have websites now that will help educate you on what is considered to be a passphrase versus a password, and what’s a good one.
And I have an example of a good one on here. It’s just three nonsense words that don’t mean anything, but if you can remember them, then this is very strong, 53 years for a brute force attack against something as simple as what you see on the screen now. And so this is marvelous, because now, we can tell people that they can create a single passphrase that’s memorable, but that they also really never need to change unless somehow that passphrase is exploited and becomes known. And of course, that happens from time to time. That’s part one.
And in part two of my book, what I’m trying to do is share simple practical methods for cybersecurity management. I’m trying to demonstrate that we can create an approach to the problem space that is biased towards action and still delivers real business value, because what I found in my conversations with senior decision-makers, that is a big concern of theirs. “A dollar spent on cyber risk management will get me what, Kip?” Because a lot of traditional security approaches are going to create invisible benefits, and invisible benefits are difficult for most senior decision-makers to find value in.
In part two, that’s really what I’m trying to do, is provide a structure. And that structure can help to create this ongoing executive management conversation about cyber risk, very, very important. If the risk you’re trying to manage is dynamic, which means it’s changing all the time, then you have to keep up with it. And an ongoing conversation, I think is a wonderful way to do that. In part two, you’ll find, and what I think is an approachable way to discover your top cyber risks, and then to create and implement a business-savvy mitigation plan.
And also another thing that I’m doing with my book is I’m trying to create a middle ground between what I observe are two extreme approaches for doing risk management, and that is qualitative risk management on one end of the spectrum and quantitative risk management on the other end of the spectrum. And in my experience as a practitioner, I’ve come to the conclusion that neither one of these approaches is, in fact, practical or productive. I’ve tried them both in different situations.
I don’t favor a qualitative approach because it’s just too simplistic, red, yellow, green, high, medium, low, and I just don’t find them to be very meaningful. And any meaning you try to pour into them quickly becomes diluted because you’re… It’s just too simplistic. I find that these qualitative approaches consume a lot of time, a lot of money. They’re very gameable. And really, they’re not that much better than spending a few minutes making some back-of-the-envelope calculations. A quick and dirty method, if you will, seems to produce about as much value as any structured qualitative method that I’ve been exposed to, or have actually tried.
Now, the other extreme is a quantitative approach, perhaps a statistical-based approach. And I don’t have any problem with a highly quantitative approach to cyber risk management, except that it is often impractical because the senior decision-makers are not set up for success with it. If you are part of an engineering firm, or perhaps maybe a manufacturing firm that uses a lot of statistical quality control methods, and so forth, then a quantitative risk management approach may be perfectly suitable. But other than that, I find that senior decision-makers are really uninterested. They don’t want to deal with the jargon. They don’t want to try to understand technical vulnerabilities or probability estimations. All of that requires more time, money, and energy than they either can devote or will choose to devote to the task. I haven’t had much success with a quantitative risk management approach either.
And so what I’ve done is I’ve tried to develop a middle-ground approach that blends the best parts of these two extremes. And so in my book, you’ll learn about a score key, for example, that I think is kind of ground zero for this approach that I’m advocating, where it’s attempting to use numerics, a little bit of quantitative approach, but blending it with the qualitative, the more simple approach, but not so simple that it actually doesn’t produce value. If you haven’t seen this yet, I just want to take a moment and say, this is how real security works. You experience it on a continuum, everything from no security whatsoever to different shades of not enough security, the zero through four.
Then you can also have the experience of being in a minimum security environment, which is a five, and an optimized environment, which is an eight. And of course, I’ve experienced… I assume everybody here has experienced, at one time or another, excessive security, which I put in the nine or a 10. Excessive security means I can’t get my job done because the barriers to doing my work are so great that I either can’t even gain access to the systems that I need, or the friction is so intense that I’m pouring the vast majority of my energy into just navigating the security controls.
Now, notice on here that I never talk about perfect security because there isn’t any such thing in my experience. And also another thing I want to point out to you is that optimal security, where you’re accruing all the benefits of the money being spent on security, is indistinguishable from zero security. If you think about it, that makes a lot of sense, but it gets in the way of a cybersecurity manager’s job, because a senior decision-maker, since they can’t tell the difference between fully-optimized security and zero security, it’s very difficult for them to understand that you’re actually doing your job, and you’re doing it superbly well, but they can’t tell. So, just a professional issue, that if you go forward and become practitioners in cybersecurity management, I think you’ll encounter this sooner or later.
Now, at the end of these measurements that I described how to take, you’re going to be able to visualize. And these gaps here in this radar diagram, I will tell you that as I studied this problem space, and as I tried to come up with this middle ground between purely qualitative and purely quantitative approach to risk management, I studied the types of reports that the different senior decision-makers were regularly receiving from other domains, whether it be sales, or operations management, or so forth, finance. And I studied them because I wanted to make sure that whatever I created for them would challenge them in the least way in terms of approachability and in terms of their ability to get traction, to really grasp what it is that I’m trying to talk to them about. And so gap assessments were very, very common. And radar diagrams like this were very, very common. And I have found that this is extremely useful.
Here, what you’re seeing is a radar diagram that’s based on the NIST cybersecurity framework. Yes, most of my book is going to talk about this. And I’ve even released a free cyber risk workbook that helps you to follow along with part two of my book, and actually automates many of the steps that I described in part two of my book. If you’ve read my book, hopefully, that adds a little extra understanding as to why I wrote it, why I have put in there, what I have put in there. If you haven’t read my book yet, then I hope this motivates you to actually read it. And also, I want to make clear that there’s an audio version of my book as well. If you like to listen to books, you can do that. I narrate my own book. I felt like that was really important.
All right, now, what I’d like to do is I’d like to transition, and I’d like to spend some time answering some very common questions that I get about this space, cybersecurity management. And so, I wish if we had… If we were in a highly interactive space, this is the time when I would actually be challenging you with some of these questions to actually give you an opportunity to answer these questions before I answer them for you. But unfortunately, this particular format isn’t very good for that, but I would love to hear your thoughts about it. And if they’re different than mine, in particular, I would love to hear.
What’s the goal of cybersecurity? Well, I believe that the goal is to make yourself a more difficult target, not to have perfect security, not to have even world-class security necessarily. Now, if you’re working in a government situation, or a military situation, or a national security situation, that may be the exception to the rule, but if you’re working in private industry, then you really need to think carefully about what your goal is. And I believe that the correct goal is to become a difficult target.
Now, I don’t know if any of you have ever seen this product called The Club. What you do is, you lock it to your steering wheel when you’re going to leave your car for any length of time. And it’s this highly visible security device. And I want to be clear that the idea of The Club, yes, it’s a sturdy device, and it takes effort to defeat it, it is not undefeatable. You absolutely can defeat this device, but it takes time to defeat it. And if you’re going to steal a car, you want to steal that car as quickly as you can, and to get away from the scene as quickly as possible. And so this device is good, not only for its practical value, but also for its deterrence value. A thief seeing The Club is going to continue to another car because this is just too much of a hassle.
And what I find is that cybersecurity is very similar, that the cybercriminals that are out there, they are seeking easy targets. If you make yourself a slightly more difficult target, then you’re going to substantially decrease your cyber risk without having to aim for a goal that quite frankly, I think is too high, costs too much, and for the most part, frustrates senior decision-makers a great deal. And that is not a space, as a cybersecurity manager, that you want to be in. The goal is, be a difficult target.
Now, I’ll take a little sip of tea before I continue. Think about this. This is a big question. Think about this for a moment. You would think, I certainly do, that a senior decision-maker that’s watching the news would, in fact, take cyber threats seriously. But my experience is that many of them do not, or they’re just… They have a highly skeptical demeanor, either on the threats themselves, or sometimes it’s about what to do with them. They may acknowledge that there are threats, but they’re very skeptical about what’s the best way to mitigate them, or if you even should mitigate them.
But here’s what I’ve learned by working with a lot of senior decision-makers over the years. The idea that you’re going to prevent bad things from happening in the cyber realm is not appealing. And as somebody who believes a lot in prevention, personally, I believe a lot in prevention, this is very frustrating. It took me a long time to understand, why is prevention so unappealing? Why shouldn’t they spend money and resources to decrease the chance that something bad is going to happen because they use the internet?
And what I finally realized came from my study of marketing. And I like to quote a passage from a book called My Life in Advertising. And it was written by a master marketer whose name was Claude Hopkins. In the 1930s in the United States, based on his ability to successfully understand consumer buying behavior, he actually convinced Americans to brush their teeth. In a substantial way, he actually increased daily toothbrushing from about 7% of the population to 65% of the population. And he did this by taking a toothpaste, which had been seen as a type of medicine, and he turned it around, and he marketed it as a product that would deliver beautiful smiles and would open a door to greater success in life through better relationships, either better personal relationships or better relationships on the job.
And so here’s a quote. “Folks give little thought to warding off disasters. Their main ambition is to attain more success, more happiness, more beauty, and more cheer.” That’s the quote. And if you think about it, and if you think about yourself and about how you spend your money, and where you put your time and attention, I think you’ll have to agree that this is true. Even somebody like me, who does like prevention, who does invest in prevention, I have to admit that this also describes a lot of my ambitions in life as well. The thing to take away here is that to the extent that you can do that as a cybersecurity manager, that you can position your mitigations in the form of not warding off disasters, but as a way of creating value to help senior decision-makers find more success and more happiness, and so forth.
I don’t know about beauty. I haven’t figured that out yet, but certainly, success, and happiness, and cheerfulness. If you can do that, then I think you’re going to have a lot better result. And in my book, I talk a lot about business value. And business value makes senior decision-makers happy, is what I’ve noticed. Now, why else would senior decision-makers not respect cyber threats? A lack of vision would be another reason that I’ve observed. They give a ton of attention to the happy path that they’re trying to follow. They have goals, plans. They want to grow their business. They want more profitable business. They want new customers. And they always think about, what’s the way that that’s going to happen? What are the marketing campaigns? What are the sales campaigns? How are we going to enter new markets, joint ventures?
They don’t spend as much time thinking about, what could go wrong? And on page 76 in my book, I talk specifically about this in the form of a practice called negative visualization. And it’s very difficult for executives or senior decision-makers to do this, is what I’ve noticed. They won’t do it on their own. If I lead them in an exercise, they’ll typically participate, but it’s very difficult for them to believe in these invisible threats until they strike. And so you might wonder if they wash their hands after they use the washroom, because maybe they have a hard time believing in germs as well, I don’t know. But a lot of them sure do think that they’re never going to die, and that nothing truly bad is ever going to happen to them. And so that’s, in my experience, another reason.
Another possibility is that they misunderstand the threat. And I’ve talked about this a little bit already, that the threat is quite severe, but it is also invisible and difficult to detect until something happens. But I’ve noticed that a lot of senior decision-makers tend to think about cyber in the way that they think about tax authorities. In the United States, our tax authority is called the Internal Revenue Service. It’s a big bureaucracy with a limited budget, and they tend to focus on the bigger organizations, because a dollar spent providing an audit for a bigger organization is more likely to reveal unpaid taxes. And so a lot of senior decision-makers think about cyber in this way, and they say, “Well, I’m too small, or I’m too obscure to justify any effort on behalf of cybercriminals. I’m just not that interesting.”
And I think in terms of tax authorities, that might be a reasonable way to think about tax authorities, as I certainly don’t think that this is a reasonable way to think about cybercriminals because they don’t work like that at all. Cybercriminals are not operating in the same way that a traditional bureaucracy works. They’re instead mastering and applying both technological and capitalistic approaches to finding and victimizing companies of all sizes. It is economical to attack anybody who is using the internet because of the way that they’re applying the technologies and this capitalistic approach to it.
And I encourage my customers to think about Amazon, and how Amazon has risen to challenge Walmart, and has done so primarily through their expert wielding of technologies in the market space. And so that’s really what cybercriminals are doing to us as well. And I thought I’d show you a picture of a cybercriminal wanted by the Federal Bureau of Investigation. A $10 million… No, a $3 million, sorry, reward for information leading to his arrest and capture. But it’s unlikely that he ever will be. This is Bogachev. I call him the millennial mobster because he was born in 1983, and he has stolen no less than $100 million from US banks. But because he lives in a jurisdiction that has no extradition treaty with the United States, the likelihood that he’s going to be apprehended and brought to justice is extremely low. And this is true on a broad scale. And so that’s part of the problem.
Here’s another part of the problem. I talked about capitalistic approaches. And this is a screenshot of a website, where with a modest amount of money, you can actually purchase a cyber attack. You don’t even need very many technical skills. You just need to understand that a distributed denial-of-service attack is the correct attack if you want to bring somebody’s website down, and then you can probably steal a credit card. It doesn’t even really cost you any money. And if you can use Netflix, then you can go to many different websites on the internet, and on the so-called dark web, and you can participate in this cybercriminality, and you don’t need to know really anything about it at all.
Now, there are real-world consequences for this crime, and here’s one example. You can research this yourself on the open internet, but I’ll just mention them in passing. It’s a company called Colorado Timberline. It was a $100 million manufacturing company based in the United States. And the bottom line is they went out of business in 2018 due to a very intense ransomware attack. And that has a lot of economic consequences. There were customers that went unserved, who had spent money with this company. There were employees who needed to find new jobs, and executives who were no longer leading an organization, who probably had a tremendous amount of their own personal wealth invested in this company. And it was rendered worthless because of a cyber attack.
Now, I mentioned cybercriminals, but of course, there’s also cyber soldiers. And we’re starting to see the United States government name them, and actually sanction them. This has been going on for a long time, since at least 2009, when these advanced persistent threats, APT, you’ve probably read about these, were first discovered and tracked by US law enforcement. And so here, the Chinese Ministry of State Security is actually on the internet, and is actually conducting cyber attacks. And then you even get organizations like North Korea, the Lazarus Group, who is motivated, not so much by political goals, although certainly, those are part of their agenda, but really what they want is hard currency because they have a nuclear program that they’re trying to pursue. They’re under terrific economic sanctions. And so they have to raise money in whatever way they can. And it turns out cyber attacks are a phenomenal way for them to generate hard currency.
Now, again, why do some senior decision-makers not take cyber as a credible threat? Well, it’s because they misunderstand the threat, but also because some of them think that the cure is worse than the disease. When you talk to senior decision-makers about cybersecurity, this is one of the things that they tend to think about, long, sweaty lines at the airport, trying to travel to another destination. And they think cybersecurity is going to do a similar thing to their organization at great cost. And I don’t blame them for thinking that, because quite often, this is an outcome when people are trying to manage cybersecurity, and it’s an awful outcome.
Again, what I encourage people to do is to try to tell them that this is what happens when cybersecurity goes wrong, but when it works well, what you actually have is a completely different sensation. And so, I ask senior decision-makers, “Here’s a very speedy car, maybe you have one like this. How fast would you dare to drive it if this car didn’t have brakes on it?” A wonderful cybersecurity program that is well-optimized is going to perform like brakes on a fast car. If you didn’t have brakes, you wouldn’t dare to drive this car at any speed, but because you have great brakes, you can take a lot of risk by going fast. And when you don’t want to take that risk anymore with your car, then you can just step on the brake pedal and your risk will go down. And it’ll go down quickly. And then when you release the brake pedal and step on the accelerator again, well, you can start to take risk again. And this is a wonderful analogy to talk about, what is it like when cybersecurity management is doing very, very well?
Some practical questions that you could ask is, how would you know which emails to open up if you didn’t have spam filtering? How would you know which ones were phishing attacks if you didn’t have some kind of filtering to screen those out? Another question you could ask is, how quickly, or how easily could you recover from a massive customer data breach, or a severe denial-of-service attack, or a loss of intellectual property if you didn’t have a great cybersecurity program?
And so that’s what is really great when cybersecurity management is doing its job, and is doing it very, very well, is that you’re actually providing a competitive advantage. Customers are… Sorry, companies that have good cybersecurity management programs don’t get hacked often. When they do, it’s infrequent, it’s quickly contained, and they bounce back fast. When a competitor that doesn’t do cybersecurity very well gets hacked, what happens to them is very different. They run off the road, they bleed cash, and they’re distracted for months and months.
As I come to a close with the remarks that I came to share with you today, I think it’s only natural to now wonder, “Well, with all of those barriers to communicating with senior decision-makers about the benefits, the business value of great cybersecurity, what do you do when they don’t take cyber threats seriously?” And I have some suggestions for you. You could try to understand them a little bit better, and you could possibly do that with the help of my book. What I recommend is that you… After reading my book, is that you should give a copy of the book, possibly, even the one that you read to the senior decision-maker that you want to try and have a productive conversation with, and ask them to read part one.
And after they’ve done that, then I would say that you should then go to them and say, “Do you remember in the book where the author talked about X, Y, Z?” Maybe it was phishing, or some other cyber attack. You could then say to your senior decision-maker, “You know, when I read the book, I thought that we were probably vulnerable to that kind of an attack. And I’d like to talk with you about, what could we do in order to decrease the chance that we’re going to get exploited? But could we do it in a way that doesn’t slow people down very much?”
Now, that helps you to begin what I expect would be a more productive conversation on the topic. Now, that doesn’t always happen, unfortunately. But as long as you can get some initial traction, then you can start talking about business value. And page 219 in my book talks about a business value model that you could use in order to propose mitigations, and to explain how that mitigation will both reduce risk, as well as deliver tangible business benefits.
Now, you could talk and talk and talk, and you could get to a place where nothing works, where the senior decision-maker just is not engaged with you in a productive conversation at all. What do you do then? And I’ve seen lots of people continue to try, to try, to try, to try, and unsuccessfully make any difference whatsoever. And really, if you find yourself in that situation, you’ve only got a couple of choices in my experience. One is that you just have to accept the situation as it is, that the organization is just going to suffer cyber attacks and exploitation, and your job is going to be to clean up those messes as best as you can. Another choice that you might make in that situation is to search for a different job at a different employer. But I would not spend a tremendous amount of time trying to convince a senior decision-maker that they should pay attention and should mitigate cyber risks. If you can’t get them to respond to you in the ways that I’ve suggested, I believe it’s really a waste of your time.
As I wrap up my comments, I have some suggestions for what you could do to help yourself stay up with what’s going on in the world, and how cyber risk is changing over time. I want to be clear that I work in two problem spaces as a practitioner. Of course, the first one is in cybersecurity management. And so if you want, if you find yourself in a situation where you want to work with me on a practical cybersecurity problem, I would love that, and I would invite you to reach out to me, and I would be pleased to go deeper with you on any aspect of cybersecurity management, cyber risk management.
If you’d like, I have a podcast. I’m the publisher and the co-host of the Cyber Risk Management Podcast. And I’ll make sure that you get a copy of these slides after we finish today so that you can access this URL that’s on the screen, or I would invite you to take a screenshot right now. And I’m the co-host of the Cyber Risk Management Podcast. I make each episode with Jake Bernstein, who is a cybersecurity and privacy lawyer. And so what you have is a chief information security officer talking with an attorney about modern cyber risk management, and what does it take? And you can find our podcast on Apple, or Google, or Stitcher, or any of the popular outlets. I would encourage you to try it out. If you have access to LinkedIn Learning, I have several courses there that you can go ahead and give a try.
Now, there’s another problem space that I work in, and that’s the gap between cybersecurity employers and the people who want to work for them. And so, I’ve got a separate podcast. It’s called Your Cyber Path. And in this podcast, I help job-seekers find out, what do they need to do to either get into cybersecurity or to get the next job that they desire in the career field? And if you find yourself actively looking for your next job, and you’re not having success, then you might want to try this online course that I’ve published. It’s called Hired in 21 Days. And what you’re going to do if you take this course is you’re going to learn the ins and the outs of the hiring process from an experienced hiring manager, and that’s me.
I’m going to tell you all the secrets that hiring managers use to identify candidates, to screen those candidates, and then ultimately, to choose the best candidates that they’ve found. This course is about resumes, it’s about interviews, and it’s about salary negotiations. I focus on North America and Canada primarily, but even if you’re working in another country, I still think that you’ll find some value in this course.
That’s what I came here today to share with you. I hope that this was helpful. And thank you so much for your time and your attention. And I now would like to turn it back over to Professor Cooney, or to Raj, whomever would like to take over.
Cyber Risk Opportunities