"If you can plan for the zombie apocalypse, you can probably face just about anything," said  Tim Callahan, Senior Vice President, and Global Chief Information Security Officer, Aflac during a talk in my Master's level class on cybersecurity readiness at Duke University. In this podcast, Tim describes the key elements of an effective crisis management framework and shares several best practices. Some of the highlights of a robust business resiliency and recovery posture include -- a) well thought-out and rehearsed plan that takes into consideration different scenarios; b) world-class forensics team; c) strong partnership with Legal, HR, Law Enforcement (local FBI and Secret Service), Department of Treasury, and independent agents; d) highly trained in-house teams focused on response and recovery; e) leveraging open-source and paid intelligence; f) CEO led strong commitment throughout the organization; g) honest and candid communication; h) rewards and incentive programs such as the Global Security Challenge Coin; and j) building a caring and empathetic work culture.﻿Time Stamps00:49 -- Please share with listeners some highlights of your professional journey. Share with them how this journey of yours has shaped your views of cybersecurity, and cyber risk management.05:55 -- So, Tim, during your talk in my Master's level class on cybersecurity readiness at Duke University, you made a very poignant statement, you said, "if you can plan for the zombie apocalypse, you can probably face just about anything." Please share with the listeners the key elements of an effective crisis management framework and related best practices.11:15 -- As we all know, ransomware attacks are rampant, and many organizations are underprepared to deal with such attacks. Based on your experience, what advice do you have for your peers in other organizations?17:16 -- It's not good enough to just have backups, and that they're properly secured both offline and online. It is equally important to have read-only backups. Would you like to add anything to that? 19:45 -- Given the variety of ways in which the ransomware attackers put pressure on the organization, and the unfortunate reality, that it is hard to keep up with the evolving attacks and techniques, it must be a very unnerving feeling that if your organization gets attacked, if your organization gets compromised, the battle against the ransomware attackers is hard to win, because they have the data and you have to depend on them live up to their promise that if the ransom is paid, they won't share the stolen data, or they won't do anything more with it. That's a very difficult kind of situation, isn't it?24:56 -- I'd love to hear your reaction to some of the CPD (Commitment-Preparedness-Discipline) framework success factors. For instance, how does an organization create and sustain a We-Are-In-Together culture? What are some key elements of a best practice to do that?34:20 -- I was just speaking with another group before this discussion, and they were talking about how important empathy is when it comes to cybersecurity governance. And I'm sure you will agree that it plays a huge role. Because, unless you're empathetic to people making mistakes, even though they use their good judgment, they trained sincerely, but they can make mistakes. But as long as they're owning up to it, and enabling organizations to react quickly to the consequences of their mistakes, instead of punishing them, be encouraging, and maybe celebrate their candor and honesty. It has been done by some companies. So I'll let you speak to that as well. 38:59 -- We can end on that note unless you have any final thoughts, Tim. Memorable Tim Callahan Quotes"If you plan for the zombie apocalypse, you can handle just about anything.""You can't do a good job in post-recovery if you don't do a good job in the response process, and in those stages leading up to that.""I think it's very important that you exercise with different scenarios before the event happens. And you put yourself in continuous learning and improvement mode. When we generally have our exercise, we bring in third parties, we also call on law enforcement, our intelligence partners, intelligence we paid for, and intelligence through FS-ISAC (Financial Services Information Sharing and Analysis Center). All of these things help us prepare for different attack scenarios.""I mean, when employees enjoy coming to work, or enjoy their workplace, because of empathy, because of humor, because we care, obviously, they're going to do a better job, they're going to feel a sense of ownership to that company. It's not kind of the working in the coal mine attitude, it's, I want to be there, I want to be there. And because I want to be there, I want to protect it.""I think the public and our customers would have a lot of sympathy for a company if we're doing the right thing, we've done the right thing, and we're communicating honestly, openly, and transparently. They'll realize and we've seen this in other companies, the customers realize that we're a victim too and we're doing our very best to protect them.""One thing that we do is three or four times a year, we actually host a shred day. So people can bring their personal information that gets piled up in the corner someplace and bring it to the shred they can bring their computer disks, they can bring hard drives, we sponsor that. And we use that opportunity as people bringing things to just reinforce the principles of good sound security."﻿Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: https://www.linkedin.com/in/dchatte/ Website: https://dchatte.com/Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

"If you can plan for the zombie apocalypse, you can probably face just about anything," said <a href="https://www.linkedin.com/in/tim-callahan-4b39241/" rel="noopener noreferrer nofollow" target="_blank">Tim Callahan, Senior Vice President, and Global Chief Information Security Officer, Aflac</a> during a talk in my Master's level class on cybersecurity readiness at Duke University. In this podcast, Tim describes the key elements of an effective crisis management framework and shares several best practices. Some of the highlights of a robust business resiliency and recovery posture include -- a) well thought-out and rehearsed plan that takes into consideration different scenarios; b) world-class forensics team; c) strong partnership with Legal, HR, Law Enforcement (local FBI and Secret Service), Department of Treasury, and independent agents; d) highly trained in-house teams focused on response and recovery; e) leveraging open-source and paid intelligence; f) CEO led strong commitment throughout the organization; g) honest and candid communication; h) rewards and incentive programs such as the Global Security Challenge Coin; and j) building a caring and empathetic work culture. ﻿Time Stamps00:49 -- Please share with listeners some highlights of your professional journey. Share with them how this journey of yours has shaped your views of cybersecurity, and cyber risk management.05:55 -- So, Tim, during your talk in my Master's level class on cybersecurity readiness at Duke University, you made a very poignant statement, you said, "if you can plan for the zombie apocalypse, you can probably face just about anything." Please share with the listeners the key elements of an effective crisis management framework and related best practices.11:15 -- As we all know, ransomware attacks are rampant, and many organizations are underprepared to deal with such attacks. Based on your experience, what advice do you have for your peers in other organizations?17:16 -- It's not good enough to just have backups, and that they're properly secured both offline and online. It is equally important to have read-only backups. Would you like to add anything to that? 19:45 -- Given the variety of ways in which the ransomware attackers put pressure on the organization, and the unfortunate reality, that it is hard to keep up with the evolving attacks and techniques, it must be a very unnerving feeling that if your organization gets attacked, if your organization gets compromised, the battle against the ransomware attackers is hard to win, because they have the data and you have to depend on them live up to their promise that if the ransom is paid, they won't share the stolen data, or they won't do anything more with it. That's a very difficult kind of situation, isn't it?24:56 -- I'd love to hear your reaction to some of the CPD (Commitment-Preparedness-Discipline) framework success factors. For instance, how does an organization create and sustain a We-Are-In-Together culture? What are some key elements of a best practice to do that?34:20 -- I was just speaking with another group before this discussion, and they were talking about how important empathy is when it comes to cybersecurity governance. And I'm sure you will agree that it plays a huge role. Because, unless you're empathetic to people making mistakes, even though they use their good judgment, they trained sincerely, but they can make mistakes. But as long as they're owning up to it, and enabling organizations to react quickly to the consequences of their mistakes, instead of punishing them, be encouraging, and maybe celebrate their candor and honesty. It has been done by some companies. So I'll let you speak to that as well. 38:59 -- We can end on that note unless you have any final thoughts, Tim. Memorable Tim Callahan Quotes"If you plan for the zombie apocalypse, you can handle just about anything.""You can't do a good job in post-recovery if you don't do a good job in the response process, and in those stages leading up to that.""I think it's very important that you exercise with different scenarios before the event happens. And you put yourself in continuous learning and improvement mode. When we generally have our exercise, we bring in third parties, we also call on law enforcement, our intelligence partners, intelligence we paid for, and intelligence through FS-ISAC (Financial Services Information Sharing and Analysis Center). All of these things help us prepare for different attack scenarios.""I mean, when employees enjoy coming to work, or enjoy their workplace, because of empathy, because of humor, because we care, obviously, they're going to do a better job, they're going to feel a sense of ownership to that company. It's not kind of the working in the coal mine attitude, it's, I want to be there, I want to be there. And because I want to be there, I want to protect it.""I think the public and our customers would have a lot of sympathy for a company if we're doing the right thing, we've done the right thing, and we're communicating honestly, openly, and transparently. They'll realize and we've seen this in other companies, the customers realize that we're a victim too and we're doing our very best to protect them.""One thing that we do is three or four times a year, we actually host a shred day. So people can bring their personal information that gets piled up in the corner someplace and bring it to the shred they can bring their computer disks, they can bring hard drives, we sponsor that. And we use that opportunity as people bringing things to just reinforce the principles of good sound security."﻿Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: <a href="https://www.linkedin.com/in/dchatte/" rel="noopener noreferrer nofollow" target="_blank">https://www.linkedin.com/in/dchatte/ </a>Website: <a href="https://dchatte.com/" rel="noopener noreferrer nofollow" target="_blank">https://dchatte.com/</a>Cybersecurity Readiness Book: <a href="https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338" rel="noopener noreferrer nofollow" target="_blank">https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338</a>

Global Security and Post Breach Management Best Practices

Security Operating Center (SOC) staff members are often consumed with tedious manual tasks that lead to burnout and can cost organizations millions of dollars in losses due to human error. Thomas Kinsella, Co-Founder &amp; Chief Operating Officer at Tines discusses at length the challenges faced by SOC team members and makes actionable recommendations on how to decrease burnouts, increase retention, and create a better work environment for the security analysts.Time Stamps01:26 -- So, before we get into the Voice of the SOC Analyst report details, Thomas, I'd like to give you this opportunity to provide some highlights of your professional journey.03:54 -- What led to the study. What's the purpose of the study? 06:39 -- Would you like to add anything about the methodology for the study?08:53 -- So would you say that it's mostly mid-market organizations that you all were able to tap into?09:18 -- Let's go through each one of the findings. The first one says 71% of the analysts experience some level of burnout. This could be due to the fact that 69% are understaffed, and 60% have seen increased workloads over the past year. Was this surprising to y'all?11:27 -- Referring to another finding which states that 64% say they are likely to switch jobs in the next year. So the turnover is going to be very high. What do you recommend organizations do to deal with this challenge?14:05 -- Why hasn't this automation aspect been addressed yet?19:39 -- When organizations make the decision of investing in an automation platform, what does it take to make the implementation a truly successful experience?22:19 -- What do you think about job rotation and job enrichment? Is that done well enough to make make it a little more interesting for the staff?24:52 -- So, talking about job rotation job enrichment. Yeah, I think this creates a great opportunity for an organization to get the security people outside their comfort zone, and expose them to other company operations. And also get people from the other business operations and bring them into the SOC center. Does that gel with you?34:29 -- One of the first actionable takeaways from the SOC report is --  "improving time spent on reporting." What do you mean? Because I would think that you want to reduce the time that is spent, the manual hours that is spent in delivering different types of reports. Can you clarify?36:49 -- Moving on to the second recommendation, which is: "making triage, enjoyable," how do you do that? And if you could clarify for the audience, what do you mean by triage?41:36 -- So moving on to the third recommended takeaway or actionable item, which is -- "increasing retention by measuring and minimizing burnout." Can you expand on that?47:53 -- Let's talk about the fourth actionable takeaway -- it's time for no-code automation. What does that mean?50:49 --Do you have any final words for the listeners?Memorable Thomas Kinsella Quotes"It seems to me they (SOC team members) enjoy the work, they feel respected, but that you're just spending their time shifting from screen to screen investigating alerts that are not high enough fidelity.""People (SOC team members) don't mind working hard if they feel like they're adding a ton of value and feeling like they're productive.""Purchasing a tool is often equivalent to purchasing weights, or purchasing an exercise bike, they actually just look good in the corner unless you're prepared to use them.""If you generate some challenges, and get people thinking creatively, and get people digging deeper, they remember the parts about security they really love.""Shame is the exact opposite of what we should be doing in security, we have to be encouraging people to report and knowing that people are gonna make mistakes. That's why we have defense in depth."﻿Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: https://www.linkedin.com/in/dchatte/ Website: https://dchatte.com/Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Security Operating Center (SOC) staff members are often consumed with tedious manual tasks that lead to burnout and can cost organizations millions of dollars in losses due to human error. <a href="https://www.linkedin.com/in/thomas-kinsella/" rel="noopener noreferrer nofollow" target="_blank">Thomas Kinsella, Co-Founder &amp; Chief Operating Officer at Tines</a> discusses at length the challenges faced by SOC team members and makes actionable recommendations on how to decrease burnouts, increase retention, and create a better work environment for the security analysts. Time Stamps01:26 -- So, before we get into the Voice of the SOC Analyst report details, Thomas, I'd like to give you this opportunity to provide some highlights of your professional journey.03:54 -- What led to the study. What's the purpose of the study? 06:39 -- Would you like to add anything about the methodology for the study?08:53 -- So would you say that it's mostly mid-market organizations that you all were able to tap into?09:18 -- Let's go through each one of the findings. The first one says 71% of the analysts experience some level of burnout. This could be due to the fact that 69% are understaffed, and 60% have seen increased workloads over the past year. Was this surprising to y'all?11:27 -- Referring to another finding which states that 64% say they are likely to switch jobs in the next year. So the turnover is going to be very high. What do you recommend organizations do to deal with this challenge?14:05 -- Why hasn't this automation aspect been addressed yet?19:39 -- When organizations make the decision of investing in an automation platform, what does it take to make the implementation a truly successful experience?22:19 -- What do you think about job rotation and job enrichment? Is that done well enough to make make it a little more interesting for the staff?24:52 -- So, talking about job rotation job enrichment. Yeah, I think this creates a great opportunity for an organization to get the security people outside their comfort zone, and expose them to other company operations. And also get people from the other business operations and bring them into the SOC center. Does that gel with you?34:29 -- One of the first actionable takeaways from the SOC report is -- "improving time spent on reporting." What do you mean? Because I would think that you want to reduce the time that is spent, the manual hours that is spent in delivering different types of reports. Can you clarify?36:49 -- Moving on to the second recommendation, which is: "making triage, enjoyable," how do you do that? And if you could clarify for the audience, what do you mean by triage?41:36 -- So moving on to the third recommended takeaway or actionable item, which is -- "increasing retention by measuring and minimizing burnout." Can you expand on that?47:53 -- Let's talk about the fourth actionable takeaway -- it's time for no-code automation. What does that mean?50:49 --Do you have any final words for the listeners? Memorable Thomas Kinsella Quotes"It seems to me they (SOC team members) enjoy the work, they feel respected, but that you're just spending their time shifting from screen to screen investigating alerts that are not high enough fidelity.""People (SOC team members) don't mind working hard if they feel like they're adding a ton of value and feeling like they're productive.""Purchasing a tool is often equivalent to purchasing weights, or purchasing an exercise bike, they actually just look good in the corner unless you're prepared to use them.""If you generate some challenges, and get people thinking creatively, and get people digging deeper, they remember the parts about security they really love.""Shame is the exact opposite of what we should be doing in security, we have to be encouraging people to report and knowing that people are gonna make mistakes. That's why we have defense in depth."﻿Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: <a href="https://www.linkedin.com/in/dchatte/" rel="noopener noreferrer nofollow" target="_blank">https://www.linkedin.com/in/dchatte/ </a>Website: <a href="https://dchatte.com/" rel="noopener noreferrer nofollow" target="_blank">https://dchatte.com/</a>Cybersecurity Readiness Book: <a href="https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338" rel="noopener noreferrer nofollow" target="_blank">https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338</a>

How to Tackle Burnout in Cybersecurity

In a recent news release, Reuters reported that "United States has offered a $15 million reward for information on Conti ransomware group. The FBI estimates that more than 1,000 victims of the Conti group have paid a total in excess of $150 million in ransomware payments."  Victoria Kivilevich, Director of Threat Research at KELA Group, describes the cybercrime ecosystem and provides guidance on how to gain and leverage actionable intelligence from dark and deep web resources.Time Stamps00:41 -- Let's begin by providing listeners an overview of the Dark Web. So Victoria, what is the Dark Web?04:09 -- What are some good practices for organizations to leverage intelligence from Dark Web type resources to proactively prevent potential attacks? What are your thoughts? What are your recommendations?07:02 --  Let's say, I am representing the security team of my organization. Obviously, I would not want my organization to be a top target. But I would like to know if it is. Shed some light on what makes for a top target? 11:13 -- From an organization's standpoint, how is the relationship between the Initial Access Brokers and say the ransomware attackers significant? 13:27 -- What is the profile of an ideal ransomware target? Is it different from the top targets of Initial Access Brokers?17:29 --  What advice do you have for organizations from the standpoint of avoiding becoming double victims?22:54 -- Now, let me present you with a scenario. An attacker approaches an organization and says that they have the organization's data. Obviously, they're asking for money. How should the organization evaluate the genuineness of the threat?26:53 -- It almost seems that an organization needs to have a team that solely focuses on monitoring the cybercrime ecosystem. What are your thoughts and advice?30:42 -- What are your final thoughts?Memorable Victoria Kivilevich Quotes"I believe one of the important steps is to evaluate the genuineness of the information that you see on the Dark Web and other cybercrime sources, connect the dots, and also have in place an established process of passing on the intelligence to people who make decisions.""An ideal ransomware victim is based in the US, has more than $60 million in revenue, and most likely is not from education, government, or the nonprofit sector, because it's just not valuable for the ransomware attackers.""From the moment the access credentials are listed for sale, it takes on average one month to attack the company, try and have negotiations, and then publish the company name on the ransomware blog if the negotiations fail.""So unluckily for us, the cybercrime ecosystem will unlikely disappear. But luckily for us, we can have almost the same visibility into the attack surfaces as potential attackers."﻿Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: https://www.linkedin.com/in/dchatte/ Website: https://dchatte.com/Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

In a recent news release, Reuters reported that "United States has offered a $15 million reward for information on Conti ransomware group. The FBI estimates that more than 1,000 victims of the Conti group have paid a total in excess of $150 million in ransomware payments." <a href="https://www.linkedin.com/in/victoria-kivilevich-348786b5/" rel="noopener noreferrer nofollow" target="_blank"> Victoria Kivilevich, Director of Threat Research at KELA Group</a>, describes the cybercrime ecosystem and provides guidance on how to gain and leverage actionable intelligence from dark and deep web resources. Time Stamps00:41 -- Let's begin by providing listeners an overview of the Dark Web. So Victoria, what is the Dark Web?04:09 -- What are some good practices for organizations to leverage intelligence from Dark Web type resources to proactively prevent potential attacks? What are your thoughts? What are your recommendations?07:02 -- Let's say, I am representing the security team of my organization. Obviously, I would not want my organization to be a top target. But I would like to know if it is. Shed some light on what makes for a top target? 11:13 -- From an organization's standpoint, how is the relationship between the Initial Access Brokers and say the ransomware attackers significant? 13:27 -- What is the profile of an ideal ransomware target? Is it different from the top targets of Initial Access Brokers?17:29 -- What advice do you have for organizations from the standpoint of avoiding becoming double victims?22:54 -- Now, let me present you with a scenario. An attacker approaches an organization and says that they have the organization's data. Obviously, they're asking for money. How should the organization evaluate the genuineness of the threat?26:53 -- It almost seems that an organization needs to have a team that solely focuses on monitoring the cybercrime ecosystem. What are your thoughts and advice?30:42 -- What are your final thoughts? Memorable Victoria Kivilevich Quotes"I believe one of the important steps is to evaluate the genuineness of the information that you see on the Dark Web and other cybercrime sources, connect the dots, and also have in place an established process of passing on the intelligence to people who make decisions.""An ideal ransomware victim is based in the US, has more than $60 million in revenue, and most likely is not from education, government, or the nonprofit sector, because it's just not valuable for the ransomware attackers.""From the moment the access credentials are listed for sale, it takes on average one month to attack the company, try and have negotiations, and then publish the company name on the ransomware blog if the negotiations fail.""So unluckily for us, the cybercrime ecosystem will unlikely disappear. But luckily for us, we can have almost the same visibility into the attack surfaces as potential attackers." ﻿Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: <a href="https://www.linkedin.com/in/dchatte/" rel="noopener noreferrer nofollow" target="_blank">https://www.linkedin.com/in/dchatte/ </a>Website: <a href="https://dchatte.com/" rel="noopener noreferrer nofollow" target="_blank">https://dchatte.com/</a>Cybersecurity Readiness Book: <a href="https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338" rel="noopener noreferrer nofollow" target="_blank">https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338</a>

Actionable Threat Intelligence and the Dark Web

How do you make security a first-class citizen of the software development process? According to an industry report, “many information security engineers don’t understand software development—and most software developers don’t understand security. Developers and their managers are focused on delivering features and meeting time-to-market expectations, rather than on making sure that software is secure.” Harshil Parikh, CEO and Co-Founder Tromzo, shares best practices for reducing the disconnect between software development and information security engineers. One such practice is the establishing and automation of security guardrails for application development. Time Stamps00:41 -- Talk a little bit about your background, and then we can proceed with the discussion.02:15 -- According to an industry report, "many information security engineers don't understand software development, and most software developers don't understand security. Developers and their managers are focused on delivering features, and meeting time-to-market expectations, rather than on making sure that the software is secure." What are your thoughts and reactions?04:10 -- Security personnel are incentivized to ensure the product is highly secure. Developers are incentivized to make sure the product has all the functionalities and gets to market on time. So, the incentive systems are often not aligned. That's one of the reasons why there exists a disconnect. What do you feel? 06:36 -- What practices, what structures, are in place to achieve the dual goal of quality software that is also very secure? 08:18 -- Why is it that these teams (software development and information security teams) must be separate? Why can't they be fused and work as one team towards the delivery of a particular product? 12:49 -- Share with the listeners some best practices for reducing the disconnect. What would be certain things that folks could do in their organization within their sphere and scope of influence?17:14 -- What are some best practices for building and scaling a modern application security program?24:55 -- How do you empower AppSec teams so they can focus their time on more high-level strategic work?27:43 -- I'd like to give you the opportunity to put it all together and wrap it up for us. So, what are your final thoughts?Memorable Harshal Parikh Quotes"The unfortunate reality of our current world is that most engineering leadership does not measure developers or does not incentivize developers on building high-quality code that is also secure, to a reasonable extent."" I doubt if most companies are in the business of building the most secure software ever. That's just not the reality of the world. So, how do you find that balance of being agile, being fast, but also being able to incorporate security to a reasonable extent that works for the business.""Our world is nowhere close to being automated by bots because it is complex.""If development is continuous, deployment is continuous, then security should also be continuous."Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: https://www.linkedin.com/in/dchatte/ Website: https://dchatte.com/Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

How do you make security a first-class citizen of the software development process? According to an industry report, “many information security engineers don’t understand software development—and most software developers don’t understand security. Developers and their managers are focused on delivering features and meeting time-to-market expectations, rather than on making sure that software is secure.” <a href="https://www.linkedin.com/in/harshil/" rel="noopener noreferrer nofollow" target="_blank">Harshil Parikh, CEO and Co-Founder Tromzo</a>, shares best practices for reducing the disconnect between software development and information security engineers. One such practice is the establishing and automation of security guardrails for application development. Time Stamps00:41 -- Talk a little bit about your background, and then we can proceed with the discussion.02:15 -- According to an industry report, "many information security engineers don't understand software development, and most software developers don't understand security. Developers and their managers are focused on delivering features, and meeting time-to-market expectations, rather than on making sure that the software is secure." What are your thoughts and reactions?04:10 -- Security personnel are incentivized to ensure the product is highly secure. Developers are incentivized to make sure the product has all the functionalities and gets to market on time. So, the incentive systems are often not aligned. That's one of the reasons why there exists a disconnect. What do you feel? 06:36 -- What practices, what structures, are in place to achieve the dual goal of quality software that is also very secure? 08:18 -- Why is it that these teams (software development and information security teams) must be separate? Why can't they be fused and work as one team towards the delivery of a particular product? 12:49 -- Share with the listeners some best practices for reducing the disconnect. What would be certain things that folks could do in their organization within their sphere and scope of influence?17:14 -- What are some best practices for building and scaling a modern application security program?24:55 -- How do you empower AppSec teams so they can focus their time on more high-level strategic work?27:43 -- I'd like to give you the opportunity to put it all together and wrap it up for us. So, what are your final thoughts?Memorable Harshal Parikh Quotes"The unfortunate reality of our current world is that most engineering leadership does not measure developers or does not incentivize developers on building high-quality code that is also secure, to a reasonable extent."" I doubt if most companies are in the business of building the most secure software ever. That's just not the reality of the world. So, how do you find that balance of being agile, being fast, but also being able to incorporate security to a reasonable extent that works for the business.""Our world is nowhere close to being automated by bots because it is complex.""If development is continuous, deployment is continuous, then security should also be continuous." Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: <a href="https://www.linkedin.com/in/dchatte/" rel="noopener noreferrer nofollow" target="_blank">https://www.linkedin.com/in/dchatte/ </a>Website: <a href="https://dchatte.com/" rel="noopener noreferrer nofollow" target="_blank">https://dchatte.com/</a>Cybersecurity Readiness Book: <a href="https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338" rel="noopener noreferrer nofollow" target="_blank">https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338</a>

Reducing the Disconnect Between Security and Development Teams

In a wide-ranging discussion, Vishal Salvi, CISO &amp; Head of Cyber Practice at Infosys, sheds light on a range of topics from CISO empowerment to creating and sustaining a high-performance information security culture. He highlights the importance of "delivering on your agenda" for CISOs to gain trust and credibility. Vishal also recommends making the CISO role independent of the CIO, uniformly enforcing security policies across the organizational hierarchy, and operating at a high state of readiness.Time Stamps00:41 -- Please share some highlights of your professional journey.02:00 -- Does your job keep you up at night? What worries you?04:09 -- What makes you so good at what you do, what do you bring to the table by way of strengths?07:54 -- If you had a say on how CISOs should be empowered by the organization, who should the CISO be reporting to?  What would be the ideal organizational structure?10:50 -- You will probably agree that to gain that kind of access or that level of reporting that you're talking about, the CISO has to earn the trust and credibility and be respected. What are your thoughts?15:14 -- What would be a few metrics that you recommend CISOs track or you track that gives you a sense of whether you're on the right trajectory, or you need to do something different? What would those important metrics be?17:36 -- Enhancing cyber transparency to customers and investors through formalized reporting, such as SEC reporting, could bring about a sea change in a variety of things, probably the most important of which is the top management commitment. What are your thoughts?20:16 -- Given your extensive experience working across different organizations in the public and private sector, share some best practices of top management commitment?24:01 -- I'd like your thoughts on what a high-performing information security culture is, how do you get there, and how do you sustain it?29:15 -- If you approach security learning from the standpoint of say, one question a day that gets emailed to every person who has to respond, it's like these word games that people play every day. They have to come up with a solution, but one a day. So instead of trying to impart a one-stop-shop training at one go and then do it again six months later, if you infuse cybersecurity training into the organizational work practices whereby,  just like I said, one question a day, and you approach it that way, what are your thoughts? Do you think that might help enhance awareness and sustain the level of knowledge? What are your thoughts?31:23 -- I've often wondered, why that sensitivity to make training more substantive, is not there? Why is it that organizations are so compliance-driven that they don't recognize that compliance is often not enough, and they need to go beyond that, to have a substantive effect? 34:28 -- Why do individuals and organizations often drop the ball when it comes to cyber intelligence?41:24 -- What advice and recommendations do you have for professionals who are either entering the field or who are considering cybersecurity as a career?Memorable Vishal Salvi Quotes"Cybersecurity roles actually test all your leadership capabilities fully.""Every single CISO in the Indian banking industry is independent of the CIO.""It is always preferred that you make the CISO independent of CIO and elevate the CISO to a level where you are able to drive the mandate of cybersecurity. So the more elevated and more empowered the CISO, the more committed is your mission to cyber.""The most important thing for gaining credibility and earning respect is to deliver on your agenda.""When you start defining policies for your organization, you need to be able to implement them consistently across the organization. You shouldn't have a separate set of policies for your senior leaders, and a separate set of policies for your juniors.""Most of the courses that we see and organizations are not actually focused on learning, but they're more focused on going through the motions and achieving compliance.""Our endeavor should always be to make our staff battle-ready in peacetime."Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: https://www.linkedin.com/in/dchatte/ Website: https://dchatte.com/Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

In a wide-ranging discussion, <a href="https://www.linkedin.com/in/vishalsalvi/" rel="noopener noreferrer nofollow" target="_blank">Vishal Salvi, CISO &amp; Head of Cyber Practice at Infosys</a>, sheds light on a range of topics from CISO empowerment to creating and sustaining a high-performance information security culture. He highlights the importance of "delivering on your agenda" for CISOs to gain trust and credibility. Vishal also recommends making the CISO role independent of the CIO, uniformly enforcing security policies across the organizational hierarchy, and operating at a high state of readiness.Time Stamps00:41 -- Please share some highlights of your professional journey.02:00 -- Does your job keep you up at night? What worries you?04:09 -- What makes you so good at what you do, what do you bring to the table by way of strengths?07:54 -- If you had a say on how CISOs should be empowered by the organization, who should the CISO be reporting to? What would be the ideal organizational structure?10:50 -- You will probably agree that to gain that kind of access or that level of reporting that you're talking about, the CISO has to earn the trust and credibility and be respected. What are your thoughts?15:14 -- What would be a few metrics that you recommend CISOs track or you track that gives you a sense of whether you're on the right trajectory, or you need to do something different? What would those important metrics be?17:36 -- Enhancing cyber transparency to customers and investors through formalized reporting, such as SEC reporting, could bring about a sea change in a variety of things, probably the most important of which is the top management commitment. What are your thoughts?20:16 -- Given your extensive experience working across different organizations in the public and private sector, share some best practices of top management commitment?24:01 -- I'd like your thoughts on what a high-performing information security culture is, how do you get there, and how do you sustain it?29:15 -- If you approach security learning from the standpoint of say, one question a day that gets emailed to every person who has to respond, it's like these word games that people play every day. They have to come up with a solution, but one a day. So instead of trying to impart a one-stop-shop training at one go and then do it again six months later, if you infuse cybersecurity training into the organizational work practices whereby, just like I said, one question a day, and you approach it that way, what are your thoughts? Do you think that might help enhance awareness and sustain the level of knowledge? What are your thoughts?31:23 -- I've often wondered, why that sensitivity to make training more substantive, is not there? Why is it that organizations are so compliance-driven that they don't recognize that compliance is often not enough, and they need to go beyond that, to have a substantive effect? 34:28 -- Why do individuals and organizations often drop the ball when it comes to cyber intelligence?41:24 -- What advice and recommendations do you have for professionals who are either entering the field or who are considering cybersecurity as a career? Memorable Vishal Salvi Quotes"Cybersecurity roles actually test all your leadership capabilities fully.""Every single CISO in the Indian banking industry is independent of the CIO.""It is always preferred that you make the CISO independent of CIO and elevate the CISO to a level where you are able to drive the mandate of cybersecurity. So the more elevated and more empowered the CISO, the more committed is your mission to cyber.""The most important thing for gaining credibility and earning respect is to deliver on your agenda.""When you start defining policies for your organization, you need to be able to implement them consistently across the organization. You shouldn't have a separate set of policies for your senior leaders, and a separate set of policies for your juniors.""Most of the courses that we see and organizations are not actually focused on learning, but they're more focused on going through the motions and achieving compliance.""Our endeavor should always be to make our staff battle-ready in peacetime." Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: <a href="https://www.linkedin.com/in/dchatte/" rel="noopener noreferrer nofollow" target="_blank">https://www.linkedin.com/in/dchatte/ </a>Website: <a href="https://dchatte.com/" rel="noopener noreferrer nofollow" target="_blank">https://dchatte.com/</a>Cybersecurity Readiness Book: <a href="https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338" rel="noopener noreferrer nofollow" target="_blank">https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338</a>

Perspectives of a Global Chief Information Security Officer

Using compelling stories and metaphors, Ted Harrington, author of Hackable: How To Do Application Security Right, and Executive Partner at Independent Security Evaluators, explains the process of hacking and the importance of being able to think like a hacker. He encourages leaders to get excited about information security investments and look for ways of gaining a competitive edge from those investments.Time Stamps01:59 -- So let's talk about hacking. For the benefit of the listeners, provide an overview of hacking like hacking 101, what is it? What are the many consequences?04:30 -- Shed some light on why hackers might be interested in breaching the systems of certain types of organizations over others. And related to that, are any organization types more vulnerable than others?08:18 -- We hear the phrase 'thinking like a hacker' a lot. The ability to think like a hacker is considered a best practice in cybersecurity governance. I'd like to probe a little deeper into it. Can you shed some light on that?11:32 -- What are your thoughts and perspectives on the other group, the folks who are not very security savvy and generally get compromised. You would not recommend or expect them to think like a hacker. What advice do you have for them?15:55 -- Maybe we need the media to help popularize thinking like a hacker, so literally everyone on the street has some sense of what these guys are up to, how they are thinking, how they try to attack. Not to suggest that this exposure would make everyone an expert. But at least it whets the appetite, it gives them a basic understanding. And that would help mobilize organization-wide support. Thoughts, reactions?22:09 -- Let's talk about security assessments. It's reasonable to assume that most organizations are engaging in security assessments. But the more nuanced question is, are they engaging in the right kinds of security assessments, with methodologies that best align with their desired outcomes? What are your thoughts?32:40 -- What are you seeing out there in terms of top management commitment to information security?37:37 -- What is so difficult or challenging about patch management, vulnerability management?42:10 -- What lessons do organizations refuse to learn? Memorable Ted Harrington Quotes"The term hacker is neutral. It's neither good nor bad. "A hacker is someone who is a problem solver. They're creative. They're someone who looks at the way a system works and says, you know, can it behave differently than what it was intended to do?""To defend against an attacker, we need to think like an attacker.""Most people think about security as avoiding a bad thing. Let's not get hacked. That is a good way to think about security, but it's incomplete. We need to think about not just how do we avoid a bad thing, but also how do we get a good thing? Not just how we do not get hacked, but how can we gain an advantage?" Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: https://www.linkedin.com/in/dchatte/ Website: https://dchatte.com/Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Using compelling stories and metaphors, <a href="https://www.linkedin.com/in/securityted/" rel="noopener noreferrer nofollow" target="_blank">Ted Harrington, author of Hackable: How To Do Application Security Right, and Executive Partner at Independent Security Evaluators</a>, explains the process of hacking and the importance of being able to think like a hacker. He encourages leaders to get excited about information security investments and look for ways of gaining a competitive edge from those investments. Time Stamps01:59 -- So let's talk about hacking. For the benefit of the listeners, provide an overview of hacking like hacking 101, what is it? What are the many consequences?04:30 -- Shed some light on why hackers might be interested in breaching the systems of certain types of organizations over others. And related to that, are any organization types more vulnerable than others?08:18 -- We hear the phrase 'thinking like a hacker' a lot. The ability to think like a hacker is considered a best practice in cybersecurity governance. I'd like to probe a little deeper into it. Can you shed some light on that?11:32 -- What are your thoughts and perspectives on the other group, the folks who are not very security savvy and generally get compromised. You would not recommend or expect them to think like a hacker. What advice do you have for them?15:55 -- Maybe we need the media to help popularize thinking like a hacker, so literally everyone on the street has some sense of what these guys are up to, how they are thinking, how they try to attack. Not to suggest that this exposure would make everyone an expert. But at least it whets the appetite, it gives them a basic understanding. And that would help mobilize organization-wide support. Thoughts, reactions?22:09 -- Let's talk about security assessments. It's reasonable to assume that most organizations are engaging in security assessments. But the more nuanced question is, are they engaging in the right kinds of security assessments, with methodologies that best align with their desired outcomes? What are your thoughts?32:40 -- What are you seeing out there in terms of top management commitment to information security?37:37 -- What is so difficult or challenging about patch management, vulnerability management?42:10 -- What lessons do organizations refuse to learn? Memorable Ted Harrington Quotes"The term hacker is neutral. It's neither good nor bad. "A hacker is someone who is a problem solver. They're creative. They're someone who looks at the way a system works and says, you know, can it behave differently than what it was intended to do?""To defend against an attacker, we need to think like an attacker.""Most people think about security as avoiding a bad thing. Let's not get hacked. That is a good way to think about security, but it's incomplete. We need to think about not just how do we avoid a bad thing, but also how do we get a good thing? Not just how we do not get hacked, but how can we gain an advantage?" Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: <a href="https://www.linkedin.com/in/dchatte/" rel="noopener noreferrer nofollow" target="_blank">https://www.linkedin.com/in/dchatte/ </a>Website: <a href="https://dchatte.com/" rel="noopener noreferrer nofollow" target="_blank">https://dchatte.com/</a>Cybersecurity Readiness Book: <a href="https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338" rel="noopener noreferrer nofollow" target="_blank">https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338</a>

Thinking Like A Hacker

"The story of the RMS Titanic has served as a grim reminder that regulatory compliance does not guarantee safety or security. The ship was carrying 2,224 passengers and crew when it sank one April night in 1912, killing over 1,500 people. The designers of Titanic had followed the British Board of Trade by equipping it with 20 lifeboats, and even threw in four more than the regulations required." (securicon.com) Dixon Wright, Vice President, Vice President, Compliance Management and Automation Platform, Coalfire, speaks to the importance of moving beyond the check-the-box approach and engaging in substantive information security compliance efforts. He recommends the judicious adoption and use of appropriate compliance management and automation platforms.Time Stamps01:55Yeah, let's talk about your passion. What gets you passionate about information security compliance?03:15For the benefit of the listeners, please provide an overview of information security compliance and the current state of affairs.06:16Trying to stay on top of all these different compliance requirements can be an extremely challenging proposition. What do you think?09:15How do we ensure that check-the-box behavior is not encouraged?12:46I feel this discussion on compliance needs to be coupled with the discussion on governance mechanisms, and measures, which ensure that the tools that are being leveraged effectively and essentially, people are doing the right thing. Your thoughts, your reactions?16:33What does it take to create a robust cyber secure cybersecurity compliance program? In other words, if you could highlight some of the key elements of a robust compliance program?22:24So going back to automation and compliance, I know your organization has developed a platform to provide those services. When an organization is considering investing in such tools and capabilities, what guidance or recommendations do you have for them?31:25What else do you think listeners could benefit from learning about compliance management from an information security standpoint? Or anything else that you think is pertinent to this discussion that we haven't talked about yet? 37:05Let's conclude with a few final words that you may have for our listeners.Memorable Dixon Wright Quotes"We hire really expensive, technical people. And 60 to 70% of their job is being a technical writer.""All these different kinds of industries and sectors have created their own types of standards, and now all these organizations have to comply with them.""There's a challenge of getting compliant, and then there's an even greater challenge of actually maintaining it.""I think, in many cases, compliance is just sales. You're just doing it so that you can sell to other companies, it's not actually used as a mechanism to secure things internally." "We need better assurance that what is being automated is legitimate."Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: https://www.linkedin.com/in/dchatte/ Website: https://dchatte.com/Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

"The story of the RMS Titanic has served as a grim reminder that regulatory compliance does not guarantee safety or security. The ship was carrying 2,224 passengers and crew when it sank one April night in 1912, killing over 1,500 people. The designers of Titanic had followed the British Board of Trade by equipping it with 20 lifeboats, and even threw in four more than the regulations required." (<a href="http://securicon.com" rel="nofollow" target="_blank">securicon.com</a>) <a href="https://www.linkedin.com/in/dixon-wright-aab68321/" rel="noopener noreferrer nofollow" target="_blank">Dixon Wright, Vice President, Vice President, Compliance Management and Automation Platform, Coalfire</a>, speaks to the importance of moving beyond the check-the-box approach and engaging in substantive information security compliance efforts. He recommends the judicious adoption and use of appropriate compliance management and automation platforms. Time Stamps01:55Yeah, let's talk about your passion. What gets you passionate about information security compliance?03:15For the benefit of the listeners, please provide an overview of information security compliance and the current state of affairs.06:16Trying to stay on top of all these different compliance requirements can be an extremely challenging proposition. What do you think?09:15How do we ensure that check-the-box behavior is not encouraged?12:46I feel this discussion on compliance needs to be coupled with the discussion on governance mechanisms, and measures, which ensure that the tools that are being leveraged effectively and essentially, people are doing the right thing. Your thoughts, your reactions?16:33What does it take to create a robust cyber secure cybersecurity compliance program? In other words, if you could highlight some of the key elements of a robust compliance program?22:24So going back to automation and compliance, I know your organization has developed a platform to provide those services. When an organization is considering investing in such tools and capabilities, what guidance or recommendations do you have for them?31:25What else do you think listeners could benefit from learning about compliance management from an information security standpoint? Or anything else that you think is pertinent to this discussion that we haven't talked about yet? 37:05Let's conclude with a few final words that you may have for our listeners. Memorable Dixon Wright Quotes"We hire really expensive, technical people. And 60 to 70% of their job is being a technical writer.""All these different kinds of industries and sectors have created their own types of standards, and now all these organizations have to comply with them.""There's a challenge of getting compliant, and then there's an even greater challenge of actually maintaining it.""I think, in many cases, compliance is just sales. You're just doing it so that you can sell to other companies, it's not actually used as a mechanism to secure things internally." "We need better assurance that what is being automated is legitimate." Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: <a href="https://www.linkedin.com/in/dchatte/" rel="noopener noreferrer nofollow" target="_blank">https://www.linkedin.com/in/dchatte/ </a>Website: <a href="https://dchatte.com/" rel="noopener noreferrer nofollow" target="_blank">https://dchatte.com/</a>Cybersecurity Readiness Book: <a href="https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338" rel="noopener noreferrer nofollow" target="_blank">https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338</a>

Is Cybersecurity Regulatory Compliance Good Enough?

"Security experts are split on cyber insurance and its place in business, with just as many arguing that it is a useless add-on as an essential business enabler." A KPMG study indicated that these policies were not overly trusted by business leaders. In this podcast episode, Erica Davis, Global Co-Head of Cyber, Guy Carpenter &amp; Co, discusses at length the different types of coverages, how underwriters evaluate and assess cyber risks, the current state of the market, re-insurance mechanisms, and more. She also offers valuable guidance on how to plan and approach cyber insurance-related decisions. Time Stamps01:56So let's begin by talking about you your professional journey, your current role at Guy Carpenter. 04:52So, you know, I had reached out to a couple of my CISO connections, I told them that I was going to be talking to you and if they have any questions of interest. So one of them sent this to me, he said, Why should we get cyber insurance now? It seems that in the last 12 to 18 months, the industry has moved away from insuring verticals, companies, or has made the cost of coverage so high, that it raises the question of why not just self-insure? How would you react to that statement or question?09:26As somebody who carries personal insurance of different types, one of the things that I worry about is when the time comes when I submit a claim, will the claim be honored? Will I have a good experience? What do you have to say from the standpoint of a cyber risk insurer?12:17Many of the listeners are possibly thinking about cyber insurance, but they're not sure where to start. What should be the next steps? What are some resources that they might find valuable? Any suggestions for them, recommendations?13:47What are some key elements of a good cyber insurance policy?16:33Is it fair to assume that an organization that has a very strong or robust cyber defense in place is likely to get a better deal compared to another organization? 18:36I'll be curious to know that based on your experience of assessing culture resiliency, what are the things that you look for, as an insurance company?21:14I'm sure it is safe to assume that even after an organization gets coverage, it will be continually assessed, to make sure they remain eligible for the coverage?23:48I heard this from a practitioner that if we buy a lot of cyber insurance, that often gives the impression that we are not good at cyber. And it poorly reflects on the CISO and the CISO function. Is this a common sentiment or just an outlier?26:05Let's talk a little bit about self-insurance mechanisms.30:17Is there any merit to this inference of mine: having cyber insurance gets organizational attention which in turn motivates efforts towards greater cyber resiliency?34:08Does the insurance company take into consideration how actively engaged is top management? Is that a factor in the evaluation of an organization's cyber risk and subsequently, and whether to provide coverage or not?Memorable Erica Gates Quotes"In the US, there are actually more buyers of cyber insurance than there are outside of the US. So a greater percentage of businesses buy. And the reason for that is largely driven by a regulatory environment.""Cyber risk is different. Assessing its value is a challenge. The quantification of what happens if a cyber event occurs is difficult to put a number on for many organizations. And it gets even more complex when we think about measuring cyber risk beyond the four walls of the organization.""Quite frankly, as an industry, I don't think we've done a really great job at defining cyber risk and helping businesses fully grasp what a cyber product offers. But we are getting better at it.""If you're somebody who's feeling more exposed to ransomware, it's really important to look at those forensics, business interruption, and extortion payment coverages offered under the first party. So I would say it's really important to understand what coverages are most applicable given your class a business.""It is important to mention that cyber underwriting extends beyond pure evaluation at the level of security controls. And it includes things like culture resiliency, and stakeholder connectivity, and is your HR team, talking with your legal team and talking with your product dev team in and practicing and promoting good cyber standards.""I think the best advice that I can give to businesses who are evaluating whether a cyber insurance product is the next step for them is really to work with a specialist broker who understands the risk.""Given the hard market conditions, meaning that insurers are increasing prices, it's actually increasingly difficult to get cyber insurance protection without those key controls in place."Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: https://www.linkedin.com/in/dchatte/ Website: https://dchatte.com/Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

"Security experts are split on cyber insurance and its place in business, with just as many arguing that it is a useless add-on as an essential business enabler." A KPMG study indicated that these policies were not overly trusted by business leaders. In this podcast episode, <a href="https://www.linkedin.com/in/erica-davis-1287964a/" rel="noopener noreferrer nofollow" target="_blank">Erica Davis, Global Co-Head of Cyber, Guy Carpenter &amp; Co</a>, discusses at length the different types of coverages, how underwriters evaluate and assess cyber risks, the current state of the market, re-insurance mechanisms, and more. She also offers valuable guidance on how to plan and approach cyber insurance-related decisions. Time Stamps01:56So let's begin by talking about you your professional journey, your current role at Guy Carpenter. 04:52So, you know, I had reached out to a couple of my CISO connections, I told them that I was going to be talking to you and if they have any questions of interest. So one of them sent this to me, he said, Why should we get cyber insurance now? It seems that in the last 12 to 18 months, the industry has moved away from insuring verticals, companies, or has made the cost of coverage so high, that it raises the question of why not just self-insure? How would you react to that statement or question?09:26As somebody who carries personal insurance of different types, one of the things that I worry about is when the time comes when I submit a claim, will the claim be honored? Will I have a good experience? What do you have to say from the standpoint of a cyber risk insurer?12:17Many of the listeners are possibly thinking about cyber insurance, but they're not sure where to start. What should be the next steps? What are some resources that they might find valuable? Any suggestions for them, recommendations?13:47What are some key elements of a good cyber insurance policy?16:33Is it fair to assume that an organization that has a very strong or robust cyber defense in place is likely to get a better deal compared to another organization? 18:36I'll be curious to know that based on your experience of assessing culture resiliency, what are the things that you look for, as an insurance company?21:14I'm sure it is safe to assume that even after an organization gets coverage, it will be continually assessed, to make sure they remain eligible for the coverage?23:48I heard this from a practitioner that if we buy a lot of cyber insurance, that often gives the impression that we are not good at cyber. And it poorly reflects on the CISO and the CISO function. Is this a common sentiment or just an outlier?26:05Let's talk a little bit about self-insurance mechanisms.30:17Is there any merit to this inference of mine: having cyber insurance gets organizational attention which in turn motivates efforts towards greater cyber resiliency?34:08Does the insurance company take into consideration how actively engaged is top management? Is that a factor in the evaluation of an organization's cyber risk and subsequently, and whether to provide coverage or not? Memorable Erica Gates Quotes"In the US, there are actually more buyers of cyber insurance than there are outside of the US. So a greater percentage of businesses buy. And the reason for that is largely driven by a regulatory environment.""Cyber risk is different. Assessing its value is a challenge. The quantification of what happens if a cyber event occurs is difficult to put a number on for many organizations. And it gets even more complex when we think about measuring cyber risk beyond the four walls of the organization.""Quite frankly, as an industry, I don't think we've done a really great job at defining cyber risk and helping businesses fully grasp what a cyber product offers. But we are getting better at it.""If you're somebody who's feeling more exposed to ransomware, it's really important to look at those forensics, business interruption, and extortion payment coverages offered under the first party. So I would say it's really important to understand what coverages are most applicable given your class a business.""It is important to mention that cyber underwriting extends beyond pure evaluation at the level of security controls. And it includes things like culture resiliency, and stakeholder connectivity, and is your HR team, talking with your legal team and talking with your product dev team in and practicing and promoting good cyber standards.""I think the best advice that I can give to businesses who are evaluating whether a cyber insurance product is the next step for them is really to work with a specialist broker who understands the risk.""Given the hard market conditions, meaning that insurers are increasing prices, it's actually increasingly difficult to get cyber insurance protection without those key controls in place." Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: <a href="https://www.linkedin.com/in/dchatte/" rel="noopener noreferrer nofollow" target="_blank">https://www.linkedin.com/in/dchatte/ </a>Website: <a href="https://dchatte.com/" rel="noopener noreferrer nofollow" target="_blank">https://dchatte.com/</a>Cybersecurity Readiness Book: <a href="https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338" rel="noopener noreferrer nofollow" target="_blank">https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338</a>

Is Cyber Insurance Necessary?

The phenomenon of cyber trauma is very real and individuals and organizations are often not adequately prepared to deal with it. Patrick Wheeler, a Luxembourg-based cybersecurity practitioner and Director of the Cyber Wayfinder program, shares his experience in dealing with cyber trauma incidents. He also talks about the Cyber Wayfinder program that is designed to help people with diverse life experiences and skillsets pivot to cybersecurity careers. Patrick passionately argues for removing the artificial barriers to attract a diverse cybersecurity talent pool. To quote him, "why is it that everyone says you have to be a STEM graduate to work in cybersecurity, some of my best colleagues and peers do not have a STEM degree. One of the best cryptographers I know has a degree in international business."Time Stamps01:34Please introduce Cyber Trauma to the listeners.11:20What are some resources to get the appropriate training to deal with cyber trauma? Do you have any suggestions for the listeners?18:50Patrick, speak to the importance of developing appropriate soft skills as part of cybersecurity training. 35:17Please wrap it up for us.Memorable Patrick Wheeler QuotesAnd when our corporation suffers a critical cyber incident, that actually does have a psychological impact, not just on the cybersecurity practitioners, but actually on the staff themselves.We tend to quickly brush under the rug this type of cybersecurity traumatic incident, we focus on it as an IT problem, even though we all argue that cybersecurity is a  business problem.And one of the things that I've worked very hard on is to surround the cyber team with a fair amount of soft skills.Why is it that everyone says you have to be a STEM graduate to work in cybersecurity, some of my best colleagues and peers do not have a STEM degree. One of the best cryptographers I know has a degree in international business.It's often easier for me to train one of my business people on how to do cybersecurity than it is to train a cybersecurity professional on how my business works.Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: https://www.linkedin.com/in/dchatte/ Website: https://dchatte.com/Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

The phenomenon of cyber trauma is very real and individuals and organizations are often not adequately prepared to deal with it. <a href="https://www.linkedin.com/in/kpatrickwheeler/" rel="noopener noreferrer nofollow" target="_blank">Patrick Wheeler</a>, a Luxembourg-based cybersecurity practitioner and Director of the <a href="https://www.cyberwayfinder.com/" rel="noopener noreferrer nofollow" target="_blank">Cyber Wayfinde</a>r program, shares his experience in dealing with cyber trauma incidents. He also talks about the Cyber Wayfinder program that is designed to help people with diverse life experiences and skillsets pivot to cybersecurity careers. Patrick passionately argues for removing the artificial barriers to attract a diverse cybersecurity talent pool. To quote him, "why is it that everyone says you have to be a STEM graduate to work in cybersecurity, some of my best colleagues and peers do not have a STEM degree. One of the best cryptographers I know has a degree in international business."Time Stamps01:34Please introduce Cyber Trauma to the listeners.11:20What are some resources to get the appropriate training to deal with cyber trauma? Do you have any suggestions for the listeners?18:50Patrick, speak to the importance of developing appropriate soft skills as part of cybersecurity training. 35:17Please wrap it up for us. Memorable Patrick Wheeler QuotesAnd when our corporation suffers a critical cyber incident, that actually does have a psychological impact, not just on the cybersecurity practitioners, but actually on the staff themselves.We tend to quickly brush under the rug this type of cybersecurity traumatic incident, we focus on it as an IT problem, even though we all argue that cybersecurity is a business problem.And one of the things that I've worked very hard on is to surround the cyber team with a fair amount of soft skills.Why is it that everyone says you have to be a STEM graduate to work in cybersecurity, some of my best colleagues and peers do not have a STEM degree. One of the best cryptographers I know has a degree in international business.It's often easier for me to train one of my business people on how to do cybersecurity than it is to train a cybersecurity professional on how my business works. Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: <a href="https://www.linkedin.com/in/dchatte/" rel="noopener noreferrer nofollow" target="_blank">https://www.linkedin.com/in/dchatte/ </a>Website: <a href="https://dchatte.com/" rel="noopener noreferrer nofollow" target="_blank">https://dchatte.com/</a>Cybersecurity Readiness Book: <a href="https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338" rel="noopener noreferrer nofollow" target="_blank">https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338</a>

Dealing with Cyber Trauma

Art Ehuan, Vice President, Palo Alto Networks, and Former FBI Special Agent, discusses at length the unfortunate evolution and escalation of ransomware attacks. He explains how the threat actors have upped their game and are now engaging in double, triple, and quadruple extortions. While lamenting that "organizations continue to make the same mistakes," Art also acknowledges the challenges of vulnerability management. He offers some interesting insights into ransomware negotiations and provides excellent advice and recommendations on how to proactively thwart such attacks.Time Stamps03:00Before we started the recording, you made a statement that "companies keep making the same mistakes." Tell us more about it.07:03For the benefit of our listeners, if you would explain what a ransomware attack is and what the threat landscape is like? Who are the threat actors? 10:57What is the level of preparedness?15:20Have you seen any best practices out there or any exemplars where irrespective of the directive, irrespective of board oversight, there is a conscious commitment to create and sustain a high-performance information security culture? Have you seen evidence of that?22:01I have seen a difference between having frameworks and truly following the framework in a very disciplined and committed manner. And there being some oversight to ensure that the compliance is thorough, the compliance is meticulous. What have you seen?25:28Please provide some insights into ransomware negotiations.31:32What is the best defense against ransomware attacks? And you've already shared with us that, patch management is important, but that can be challenging. What else? What else should companies be doing to reduce the possibility of such attacks?35:06Have you come across an instance where a company was a victim of a ransomware attack and they're like, "doesn't matter, thank you very much, we are all backed up and good to go?"38:54I've also heard that if you (organization) pay, you are on that list. And they (threat actors) know that if you are attacked again, you will pay again. Is that true? 39:35We are aware of the Colonial Pipeline attack, and how the FBI was able to recover some of the ransom money. Given your experience with the FBI, why is it so hard to get hold of these criminals, and put them away?41:05If crypto could be regulated, that might help mitigate some of these types of attacks? Do you have any thoughts on that?44:17What are your thoughts on senior leadership treating cybersecurity as a strategic priority, as a distinctive competency, and making every effort to protect against all possible vulnerabilities?48:03There might come a time, hopefully, sooner than later, when the CISO reports directly to the Board? This would allow the CISO function to operate as independently as possible. Your thoughts? 53:44I would like you to wrap it up for us with some final words. Memorable Art Euhan QuotesThe importance of hygiene around patch management -- making sure that you've got a vulnerability management program, and that you implement it so that as vulnerabilities are identified on systems, you're patching them in a timely fashion.You could potentially have a nation-state masking their activity as a ransomware attack when they're actually burrowing into your infrastructure.You're (CEO) trying to make a determination, do I put more money into cyber, or do I put more money into customer satisfaction? You know, that's sometimes a hard decision because you've got limited dollars, and trying to make that decision is sometimes difficult? If you're the CEO, you want to do the right thing, make sure the company is protected. But you also want to make sure that your customers are happy and you're doing everything possible to provide those products or services. So, sometimes that's a very difficult balancing act.If you're just checking a box, you're not meeting the spirit of the framework, you're not actually doing what you really need to be doing to ensure the security of the organization.There is this view out there, that if we pay and get the key, the next day, we're up and back in operation. I want to dispel that myth that you get the key and you're back in operation the next day. It typically is going to take several days, even when you get the key.One of the first things that these threat actors do when they get into the environment is go looking for the backups because those are going to be some of the first systems they hit you with ransomware attacks. They're going after the backups.It is very difficult for an organization to say to their C-level or their board, hey, I absolutely 100% guarantee we will never suffer a breach. But you can do things to minimize impact. Or, even better, make it hard for that group or that attacker. Make it so hard that they're just going to move on to another company. If you pay, the threat actor group will follow through with what they've promised to you. Right now, the deterrence factor, unfortunately, is very low. Because it's very difficult to have these individuals (threat actors) arrested.Ransomware is more than just a CISO problem. It's a corporate problem. You need the executives, you need the Board, you need the executives, you need the management, and you need the employees to all to be in unison, in how do we protect our company? I'm a huge fan of anything that will get the CISO as close to the CEO, or the Board as possible so they can have that influence.Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: https://www.linkedin.com/in/dchatte/ Website: https://dchatte.com/Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

<a href="https://www.linkedin.com/in/art-ehuan-9826aa1/" rel="noopener noreferrer nofollow" target="_blank">Art Ehuan, Vice President, Palo Alto Networks, and Former FBI Special Agent</a>, discusses at length the unfortunate evolution and escalation of ransomware attacks. He explains how the threat actors have upped their game and are now engaging in double, triple, and quadruple extortions. While lamenting that "organizations continue to make the same mistakes," Art also acknowledges the challenges of vulnerability management. He offers some interesting insights into ransomware negotiations and provides excellent advice and recommendations on how to proactively thwart such attacks. Time Stamps03:00Before we started the recording, you made a statement that "companies keep making the same mistakes." Tell us more about it.07:03For the benefit of our listeners, if you would explain what a ransomware attack is and what the threat landscape is like? Who are the threat actors? 10:57What is the level of preparedness?15:20Have you seen any best practices out there or any exemplars where irrespective of the directive, irrespective of board oversight, there is a conscious commitment to create and sustain a high-performance information security culture? Have you seen evidence of that?22:01I have seen a difference between having frameworks and truly following the framework in a very disciplined and committed manner. And there being some oversight to ensure that the compliance is thorough, the compliance is meticulous. What have you seen?25:28Please provide some insights into ransomware negotiations.31:32What is the best defense against ransomware attacks? And you've already shared with us that, patch management is important, but that can be challenging. What else? What else should companies be doing to reduce the possibility of such attacks?35:06Have you come across an instance where a company was a victim of a ransomware attack and they're like, "doesn't matter, thank you very much, we are all backed up and good to go?"38:54I've also heard that if you (organization) pay, you are on that list. And they (threat actors) know that if you are attacked again, you will pay again. Is that true? 39:35We are aware of the Colonial Pipeline attack, and how the FBI was able to recover some of the ransom money. Given your experience with the FBI, why is it so hard to get hold of these criminals, and put them away?41:05If crypto could be regulated, that might help mitigate some of these types of attacks? Do you have any thoughts on that?44:17What are your thoughts on senior leadership treating cybersecurity as a strategic priority, as a distinctive competency, and making every effort to protect against all possible vulnerabilities?48:03There might come a time, hopefully, sooner than later, when the CISO reports directly to the Board? This would allow the CISO function to operate as independently as possible. Your thoughts? 53:44I would like you to wrap it up for us with some final words. Memorable Art Euhan QuotesThe importance of hygiene around patch management -- making sure that you've got a vulnerability management program, and that you implement it so that as vulnerabilities are identified on systems, you're patching them in a timely fashion.You could potentially have a nation-state masking their activity as a ransomware attack when they're actually burrowing into your infrastructure.You're (CEO) trying to make a determination, do I put more money into cyber, or do I put more money into customer satisfaction? You know, that's sometimes a hard decision because you've got limited dollars, and trying to make that decision is sometimes difficult? If you're the CEO, you want to do the right thing, make sure the company is protected. But you also want to make sure that your customers are happy and you're doing everything possible to provide those products or services. So, sometimes that's a very difficult balancing act.If you're just checking a box, you're not meeting the spirit of the framework, you're not actually doing what you really need to be doing to ensure the security of the organization.There is this view out there, that if we pay and get the key, the next day, we're up and back in operation. I want to dispel that myth that you get the key and you're back in operation the next day. It typically is going to take several days, even when you get the key.One of the first things that these threat actors do when they get into the environment is go looking for the backups because those are going to be some of the first systems they hit you with ransomware attacks. They're going after the backups.It is very difficult for an organization to say to their C-level or their board, hey, I absolutely 100% guarantee we will never suffer a breach. But you can do things to minimize impact. Or, even better, make it hard for that group or that attacker. Make it so hard that they're just going to move on to another company. If you pay, the threat actor group will follow through with what they've promised to you. Right now, the deterrence factor, unfortunately, is very low. Because it's very difficult to have these individuals (threat actors) arrested.Ransomware is more than just a CISO problem. It's a corporate problem. You need the executives, you need the Board, you need the executives, you need the management, and you need the employees to all to be in unison, in how do we protect our company? I'm a huge fan of anything that will get the CISO as close to the CEO, or the Board as possible so they can have that influence. Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: <a href="https://www.linkedin.com/in/dchatte/" rel="noopener noreferrer nofollow" target="_blank">https://www.linkedin.com/in/dchatte/ </a>Website: <a href="https://dchatte.com/" rel="noopener noreferrer nofollow" target="_blank">https://dchatte.com/</a>Cybersecurity Readiness Book: <a href="https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338" rel="noopener noreferrer nofollow" target="_blank">https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338</a>

A Deep Dive into Ransomware Attacks and Negotiations

The Cybersecurity Readiness Podcast Series serves to have a reflective, thought-provoking and jargon free discussion on how to enhance the state of cybersecurity at an individual, organizational and national level.  Host Dr. Dave Chatterjee converses with subject matter experts, business and technology leaders, trainers and educators and members of user communities. He has been studying cybersecurity for over a decade. He has delivered talks, conducted webinars, consulted with companies and served on a cybersecurity SWAT team with CISO's. He is an Associate Professor of Management Information Systems at the University of Georgia and Visiting Professor at Duke University.Connect with Dr. Chatterjee on these platforms: LinkedIn: https://www.linkedin.com/in/dchatte/ Website: https://dchatte.com/

Cybersecurity communication should be simple, immersive, attractive, continuous, and multi-channel, says Marcin Ganclerz, a subject matter expert. He passionately argues for creating a 'culture of enablement and not fear' so employees can play a vital role in enhancing cybersecurity communication effectiveness. Marcin also shares several examples and best practices in support of his recommendations.Time Stamps00:42Martin, how about sharing with listeners a bit about your professional and cybersecurity journey?03:10How about we start with some challenges and hurdles that are associated with effective cybersecurity communication.07:18What would you consider are the key elements or attributes of effective cyber communication?13:43So let's talk about some best practices or guiding principles that you see out there.22:56You said the education about cybersecurity should be permanent. Tell us a little more about that.38:29So I'd like to ask you to start wrapping this up by sharing some key messages, some final thoughts, whatever you'd like to share with the listenersMemorable Marcin Ganclerz Quotes"The technical experts suffer from the curse of knowledge.""We should show employees, show users, why cybersecurity is so important for them. And I think the best way to do it is to show them that it applies to their personal life.""Cybersecurity communication should be simple, immersive, attractive, permanent, and multi-channel.""When we treat people as a strong link, they act as a strong link.""Concentrate on building a culture of enablement, rather than a culture of fear.""People love to feel valued. They want to be an important part of the cybersecurity system.""If you have the right culture, people will feel responsible for cybersecurity, they will feel like a vital part of the cybersecurity system and they can be your really valuable asset. But remember, you have to educate them, train them and reward them, not blame them.""Employees can be valuable assets for the organization, but we have to educate them, train them, and reward them.""So if you want to build a great culture in your organization, you have to reward your employees, show them that they are important."Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: https://www.linkedin.com/in/dchatte/ Website: https://dchatte.com/Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Cybersecurity communication should be simple, immersive, attractive, continuous, and multi-channel, says <a href="https://www.linkedin.com/in/marcin-ganclerz-39519815b/" rel="noopener noreferrer nofollow" target="_blank">Marcin Ganclerz</a>, a subject matter expert. He passionately argues for creating a 'culture of enablement and not fear' so employees can play a vital role in enhancing cybersecurity communication effectiveness. Marcin also shares several examples and best practices in support of his recommendations.Time Stamps00:42Martin, how about sharing with listeners a bit about your professional and cybersecurity journey?03:10How about we start with some challenges and hurdles that are associated with effective cybersecurity communication.07:18What would you consider are the key elements or attributes of effective cyber communication?13:43So let's talk about some best practices or guiding principles that you see out there.22:56You said the education about cybersecurity should be permanent. Tell us a little more about that.38:29So I'd like to ask you to start wrapping this up by sharing some key messages, some final thoughts, whatever you'd like to share with the listeners Memorable Marcin Ganclerz Quotes"The technical experts suffer from the curse of knowledge.""We should show employees, show users, why cybersecurity is so important for them. And I think the best way to do it is to show them that it applies to their personal life.""Cybersecurity communication should be simple, immersive, attractive, permanent, and multi-channel.""When we treat people as a strong link, they act as a strong link.""Concentrate on building a culture of enablement, rather than a culture of fear.""People love to feel valued. They want to be an important part of the cybersecurity system.""If you have the right culture, people will feel responsible for cybersecurity, they will feel like a vital part of the cybersecurity system and they can be your really valuable asset. But remember, you have to educate them, train them and reward them, not blame them.""Employees can be valuable assets for the organization, but we have to educate them, train them, and reward them.""So if you want to build a great culture in your organization, you have to reward your employees, show them that they are important." Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: <a href="https://www.linkedin.com/in/dchatte/" rel="noopener noreferrer nofollow" target="_blank">https://www.linkedin.com/in/dchatte/ </a>Website: <a href="https://dchatte.com/" rel="noopener noreferrer nofollow" target="_blank">https://dchatte.com/</a>Cybersecurity Readiness Book: <a href="https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338" rel="noopener noreferrer nofollow" target="_blank">https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338</a>

Making Cybersecurity Communication Effective

In episode 18, Alan Mihalic, President IoT Security Institute, speaks to the challenges and success factors associated with securing Internet-of-Things (IoT) devices in smart supply chains. He draws upon the IoT Security Framework to share some guiding principles and practices to help supply chain participants specify, procure, install, integrate, operate, and maintain IoT securely for smart cities and critical infrastructure.  Time Stamps00:42 -- Please share with the listeners a bit about your cybersecurity journey?02:17 -- How would you define or describe the challenges of a smart supply chain?06:56 -- In fact, you mentioned during our prior discussion about the security-by-design approach, and that really appeals to me, I'd love for you to expand on that for our listeners.14:22 -- What are your thoughts and recommendations on vendor selection and vendor management in the context of IoT devices?29:20 --  Can you speak about the IoT Security Institute, its offerings, and its benefits?40:57 -- I'd like to give you the opportunity to close it out with some key messages for our listeners.Memorable Alan Mihalic Quotes06:17So to protect a smart grid or water supply or things of that nature, the government can't just do it, the government relies on the community and corporations to ensure they do their part. Now, that ostensibly may seem a very logical thing and it certainly is, but from a practical deployment and accountability perspective, it is a seismic shift in the way we look at security. 13:27The underpinning success story of any smart technology implementation is to trust more. We can stand up a server if it gets knocked out, we can stand up a power plant if it gets knocked down, but when the trust of the community is knocked over, then that's a very hard thing to get back. 14:06It's very hard to ask someone to provide all the privacy information, all of the access to things that can be aggregated and circulated when that's abused. 17:20IoT device has to fit be fit for purpose, it needs to be able to maintain baseline security that is in accordance with the data that it's collecting, aggregating, filtering, analyzing, etc. It cannot simply be a dumb device, for want of a better word, that has no inherent security controls.17:47You could spend an awful lot of money on security controls, but be undermined and done in by a $10 IoT device.Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: https://www.linkedin.com/in/dchatte/ Website: https://dchatte.com/Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

In episode 18, <a href="https://www.linkedin.com/in/alanmihalic/" rel="noopener noreferrer nofollow" target="_blank">Alan Mihalic, President IoT Security Institute</a>, speaks to the challenges and success factors associated with securing Internet-of-Things (IoT) devices in smart supply chains. He draws upon the IoT Security Framework to share some guiding principles and practices to help supply chain participants specify, procure, install, integrate, operate, and maintain IoT securely for smart cities and critical infrastructure. Time Stamps00:42 -- Please share with the listeners a bit about your cybersecurity journey?02:17 -- How would you define or describe the challenges of a smart supply chain?06:56 -- In fact, you mentioned during our prior discussion about the security-by-design approach, and that really appeals to me, I'd love for you to expand on that for our listeners.14:22 -- What are your thoughts and recommendations on vendor selection and vendor management in the context of IoT devices?29:20 -- Can you speak about the IoT Security Institute, its offerings, and its benefits?40:57 -- I'd like to give you the opportunity to close it out with some key messages for our listeners. Memorable Alan Mihalic Quotes06:17So to protect a smart grid or water supply or things of that nature, the government can't just do it, the government relies on the community and corporations to ensure they do their part. Now, that ostensibly may seem a very logical thing and it certainly is, but from a practical deployment and accountability perspective, it is a seismic shift in the way we look at security. 13:27The underpinning success story of any smart technology implementation is to trust more. We can stand up a server if it gets knocked out, we can stand up a power plant if it gets knocked down, but when the trust of the community is knocked over, then that's a very hard thing to get back. 14:06It's very hard to ask someone to provide all the privacy information, all of the access to things that can be aggregated and circulated when that's abused. 17:20IoT device has to fit be fit for purpose, it needs to be able to maintain baseline security that is in accordance with the data that it's collecting, aggregating, filtering, analyzing, etc. It cannot simply be a dumb device, for want of a better word, that has no inherent security controls.17:47You could spend an awful lot of money on security controls, but be undermined and done in by a $10 IoT device. Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: <a href="https://www.linkedin.com/in/dchatte/" rel="noopener noreferrer nofollow" target="_blank">https://www.linkedin.com/in/dchatte/ </a>Website: <a href="https://dchatte.com/" rel="noopener noreferrer nofollow" target="_blank">https://dchatte.com/</a>Cybersecurity Readiness Book: <a href="https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338" rel="noopener noreferrer nofollow" target="_blank">https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338</a>

Securing the Smart Supply Chain

When justifying cybersecurity investments, Andy Bates, Chief Development and Strategic Partnership Officer, Global Cyber Alliance, recommends making the business case from the standpoint of reducing the carbon footprint. He feels people will make a stronger emotional connection with the carbon reduction argument and thereby be more willing to fund and participate in cybersecurity initiatives. Changing up the cyber conversation and making it more relatable was one of the key takeaways from this discussion. Andy also talked about the vision and offerings of the non-profit organization Global Cyber Alliance.Time Stamps00:42 -- How about, we get started on a reflective note where you share with us what got you into cybersecurity? What's your story?03:12 -- You talked about reducing the carbon footprint, looking at cybersecurity investments from the standpoint of reducing carbon footprint. Can you expand on that?08:27 -- So if I understand you correctly when organizations are trying to justify investments in cybersecurity, reduction of carbon generation should be another dimension of their business case, correct?11:26 -- This might be a good opportunity for you to share with the listeners, what the organization Global Cyber Alliance does, and how other organizations can benefit from their offerings?16:55 -- In one of our earlier conversations, you talked about turning cyber into a profit center, or a strategic part of the business where we are approaching cybersecurity investments from the standpoint of reducing carbon footprint. Can you expand on that?26:48 -- You made a telling statement that nobody wants to fund cyber, but they want to fund a lot of other things. What recommendations, what guidance would you like to offer listeners who are pitching for money for cyber investments or organizations who are trying to get funding for cyber investments? 33:19 -- How do you incorporate carbon reduction as an important criterion for selecting and sponsoring organizational initiatives?38:33 -- Final thoughts?Memorable Andy Bates Quotes"I think our lives in cyber would be easier if there was an emotional connection with the problem as there is with murder, robbery, etc.""People get angry about carbon, but they don't get angry about cyber.""If I draw a Venn diagram of people who are interested in cyber, and then a bigger Venn Diagram of people who are interested in computers, and then a much bigger circle of people interested in carbon and the planet, by virtue of human survival, we're all nominally interested in carbon and the planet.""People will fund education, people will fund carbon, people fund veterans, people don't fund cyber.""It's much better to find things people are interested in, and carbon is a thing that almost everybody is becoming interested in or needs to become interested in."Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: https://www.linkedin.com/in/dchatte/ Website: https://dchatte.com/Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

When justifying cybersecurity investments, <a href="https://www.linkedin.com/in/andy-bates-3107b41/" rel="noopener noreferrer nofollow" target="_blank">Andy Bates, Chief Development and Strategic Partnership Officer, Global Cyber Alliance</a>, recommends making the business case from the standpoint of reducing the carbon footprint. He feels people will make a stronger emotional connection with the carbon reduction argument and thereby be more willing to fund and participate in cybersecurity initiatives. Changing up the cyber conversation and making it more relatable was one of the key takeaways from this discussion. Andy also talked about the vision and offerings of the non-profit organization <a href="https://www.globalcyberalliance.org/" rel="noopener noreferrer nofollow" target="_blank">Global Cyber Alliance</a>. Time Stamps00:42 -- How about, we get started on a reflective note where you share with us what got you into cybersecurity? What's your story?03:12 -- You talked about reducing the carbon footprint, looking at cybersecurity investments from the standpoint of reducing carbon footprint. Can you expand on that?08:27 -- So if I understand you correctly when organizations are trying to justify investments in cybersecurity, reduction of carbon generation should be another dimension of their business case, correct?11:26 -- This might be a good opportunity for you to share with the listeners, what the organization Global Cyber Alliance does, and how other organizations can benefit from their offerings?16:55 -- In one of our earlier conversations, you talked about turning cyber into a profit center, or a strategic part of the business where we are approaching cybersecurity investments from the standpoint of reducing carbon footprint. Can you expand on that?26:48 -- You made a telling statement that nobody wants to fund cyber, but they want to fund a lot of other things. What recommendations, what guidance would you like to offer listeners who are pitching for money for cyber investments or organizations who are trying to get funding for cyber investments? 33:19 -- How do you incorporate carbon reduction as an important criterion for selecting and sponsoring organizational initiatives?38:33 -- Final thoughts? Memorable Andy Bates Quotes"I think our lives in cyber would be easier if there was an emotional connection with the problem as there is with murder, robbery, etc.""People get angry about carbon, but they don't get angry about cyber.""If I draw a Venn diagram of people who are interested in cyber, and then a bigger Venn Diagram of people who are interested in computers, and then a much bigger circle of people interested in carbon and the planet, by virtue of human survival, we're all nominally interested in carbon and the planet.""People will fund education, people will fund carbon, people fund veterans, people don't fund cyber.""It's much better to find things people are interested in, and carbon is a thing that almost everybody is becoming interested in or needs to become interested in." Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: <a href="https://www.linkedin.com/in/dchatte/" rel="noopener noreferrer nofollow" target="_blank">https://www.linkedin.com/in/dchatte/ </a>Website: <a href="https://dchatte.com/" rel="noopener noreferrer nofollow" target="_blank">https://dchatte.com/</a>Cybersecurity Readiness Book: <a href="https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338" rel="noopener noreferrer nofollow" target="_blank">https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338</a>

Reducing the Carbon Footprint

Nadia El Fertasi, Human Readiness and Resilience Expert and former NATO senior executive, highlights the importance of leveraging emotional intelligence to create and sustain a healthy information security culture. During a very thought-provoking discussion, Nadja made some poignant statements and recommendations such as a) build a culture of empowerment and not fear, b) use empathy to counter social engineering attacks, c) make cyber hygiene practices non-technical and reduce human firewalls, and d) practice reason over fear.Time Stamps00:49 -- I'd like to begin by asking you to reflect on your experience at NATO.09:25 -- How do you get organizational members at all levels, more committed to achieving a high level of cybersecurity performance?19:38 -- There is growing recognition that security is an important organizational capability, a very important organizational competency? How do you get that realization shaping the organization's culture? 41:01 -- During our podcast planning discussion, you shared some very powerful quotes, such as a) practice reason over fear, and b) use empathy to counter social engineering attacks. Can you speak to them?49:59 -- This discussion we've had speaks to human-related controls. The ability to effectively implement such controls requires a very different skill set. Can you speak to that, as we wrap up this conversation?Memorable Nadja El Fertasi Quotes"If you want to change mindsets and implement cyber hygiene, language is important."Build a culture of empowerment, not fear.""So how can you speak in a way that security is seen as an enabler and not as a barrier.""Practice reason over fear.""Use empathy to counter social engineering attacks."Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: https://www.linkedin.com/in/dchatte/ Website: https://dchatte.com/Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

<a href="https://www.linkedin.com/in/nadja-elfertasi/" rel="noopener noreferrer nofollow" target="_blank">Nadia El Fertasi, Human Readiness and Resilience Expert and former NATO senior executive,</a> highlights the importance of leveraging emotional intelligence to create and sustain a healthy information security culture. During a very thought-provoking discussion, Nadja made some poignant statements and recommendations such as a) build a culture of empowerment and not fear, b) use empathy to counter social engineering attacks, c) make cyber hygiene practices non-technical and reduce human firewalls, and d) practice reason over fear. Time Stamps00:49 -- I'd like to begin by asking you to reflect on your experience at NATO.09:25 -- How do you get organizational members at all levels, more committed to achieving a high level of cybersecurity performance?19:38 -- There is growing recognition that security is an important organizational capability, a very important organizational competency? How do you get that realization shaping the organization's culture? 41:01 -- During our podcast planning discussion, you shared some very powerful quotes, such as a) practice reason over fear, and b) use empathy to counter social engineering attacks. Can you speak to them?49:59 -- This discussion we've had speaks to human-related controls. The ability to effectively implement such controls requires a very different skill set. Can you speak to that, as we wrap up this conversation? Memorable Nadja El Fertasi Quotes"If you want to change mindsets and implement cyber hygiene, language is important."Build a culture of empowerment, not fear.""So how can you speak in a way that security is seen as an enabler and not as a barrier.""Practice reason over fear.""Use empathy to counter social engineering attacks." Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: <a href="https://www.linkedin.com/in/dchatte/" rel="noopener noreferrer nofollow" target="_blank">https://www.linkedin.com/in/dchatte/ </a>Website: <a href="https://dchatte.com/" rel="noopener noreferrer nofollow" target="_blank">https://dchatte.com/</a>Cybersecurity Readiness Book: <a href="https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338" rel="noopener noreferrer nofollow" target="_blank">https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338</a>

Role of Emotional Intelligence in Creating a Healthy Information Security Culture

Renowned authority in human-technology interactions and Presidential appointee Prof. Missy Cummings of Duke University, spoke to the importance of understanding human motivation and behavior to proactively predict and detect deception. In a very candid and engaging conversation, Prof. Cummings expressed her concern about cybersecurity as a field not receiving the necessary scientific recognition and support. "Cybersecurity is not like changing the oil of your car, it is its own science," she said while discussing the various aspects of cybersecurity knowledge creation and dissemination. She also talks about her class on the Human Element in Cybersecurity and how she draws from various scientific knowledge bases (such as cognitive science, systems theory, game theory, and queuing theory) to provide a rich learning experience.Time Stamps00:46How does your research on human safety in automation and robotics inform cybersecurity research?04:28How do human factors such as behavioral traits and motivations influence cybersecurity training effectiveness?08:46How do you go about analyzing and measuring unintentional human errors and malicious behavior?13:29As educators, what's your opinion on how widespread cybersecurity education should be? Who all should we be reaching out to as educators, as trainers? 17:19So I worry more about the organizations which are resource-constrained and to what extent they are making those fearless calls of finding the right balance between pursuing their organizational goals and mission without compromising on having a certain level of cybersecurity readiness. Any reactions thoughts to that?22:21Cybersecurity is a strategic competency. It's a competency that organizations need to develop, and master over a period of time, if they want to thrive in the years to come. Thoughts reactions?36:41I wonder if we need regulations like Sarbanes-Oxley (SOX) Act to get people to comply, organizations to comply with cybersecurity. What do you think?41:56What are you trying to instill in students who take your class?43:11Besides regulation, what would it take for top management to recognize cybersecurity to be a key issue? 46:08Any final thoughts?Memorable Missy Cummings Quotes"You want to keep your friends close, but your enemies closer.""If we can figure out how to get in the minds of the people who are doing the deceiving, the hacking, that is another way to mitigate cybersecurity attacks.""If you can actually develop a good model of a human's engagement in their everyday work practices, you can actually figure out when is the right time to deceive them.""Cybersecurity is a living process, it's not just a check in the box.""We're just missing a core recognition at universities that cybersecurity is not like changing the oil of your car, it is its own science.""A lot of companies are not going to get at least good enough cybersecurity practices unless you force their hand.""I think the number one change that needs to happen, is for government, industry, and academia to recognize that like COVID, cybersecurity is here to stay. And the longer you keep ignoring it, the worse it's going to get.""Systems-level thinking and cybersecurity, to me, they're one and the same."Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: https://www.linkedin.com/in/dchatte/ Website: https://dchatte.com/Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Renowned authority in human-technology interactions and Presidential appointee <a href="https://www.linkedin.com/in/missy-cummings-7681588b/" rel="noopener noreferrer nofollow" target="_blank">Prof. Missy Cummings</a> of Duke University, spoke to the importance of understanding human motivation and behavior to proactively predict and detect deception. In a very candid and engaging conversation, Prof. Cummings expressed her concern about cybersecurity as a field not receiving the necessary scientific recognition and support. "Cybersecurity is not like changing the oil of your car, it is its own science," she said while discussing the various aspects of cybersecurity knowledge creation and dissemination. She also talks about her class on the Human Element in Cybersecurity and how she draws from various scientific knowledge bases (such as cognitive science, systems theory, game theory, and queuing theory) to provide a rich learning experience.Time Stamps00:46How does your research on human safety in automation and robotics inform cybersecurity research?04:28How do human factors such as behavioral traits and motivations influence cybersecurity training effectiveness?08:46How do you go about analyzing and measuring unintentional human errors and malicious behavior?13:29As educators, what's your opinion on how widespread cybersecurity education should be? Who all should we be reaching out to as educators, as trainers? 17:19So I worry more about the organizations which are resource-constrained and to what extent they are making those fearless calls of finding the right balance between pursuing their organizational goals and mission without compromising on having a certain level of cybersecurity readiness. Any reactions thoughts to that?22:21Cybersecurity is a strategic competency. It's a competency that organizations need to develop, and master over a period of time, if they want to thrive in the years to come. Thoughts reactions?36:41I wonder if we need regulations like Sarbanes-Oxley (SOX) Act to get people to comply, organizations to comply with cybersecurity. What do you think?41:56What are you trying to instill in students who take your class?43:11Besides regulation, what would it take for top management to recognize cybersecurity to be a key issue? 46:08Any final thoughts? Memorable Missy Cummings Quotes"You want to keep your friends close, but your enemies closer.""If we can figure out how to get in the minds of the people who are doing the deceiving, the hacking, that is another way to mitigate cybersecurity attacks.""If you can actually develop a good model of a human's engagement in their everyday work practices, you can actually figure out when is the right time to deceive them.""Cybersecurity is a living process, it's not just a check in the box.""We're just missing a core recognition at universities that cybersecurity is not like changing the oil of your car, it is its own science.""A lot of companies are not going to get at least good enough cybersecurity practices unless you force their hand.""I think the number one change that needs to happen, is for government, industry, and academia to recognize that like COVID, cybersecurity is here to stay. And the longer you keep ignoring it, the worse it's going to get.""Systems-level thinking and cybersecurity, to me, they're one and the same." Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: <a href="https://www.linkedin.com/in/dchatte/" rel="noopener noreferrer nofollow" target="_blank">https://www.linkedin.com/in/dchatte/ </a>Website: <a href="https://dchatte.com/" rel="noopener noreferrer nofollow" target="_blank">https://dchatte.com/</a>Cybersecurity Readiness Book: <a href="https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338" rel="noopener noreferrer nofollow" target="_blank">https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338</a>

Significance of the Human Element in Cybersecurity

Robert Austin, Professor, Ivey Business School, discusses the value of cyber-attack simulation by drawing upon the learning tool (IT Management Simulation: Cyber Attack!, Harvard Business School Publishing) that he has developed. Using powerful metaphors such as "it's better to have a smaller portion of an expanding pie than to have an expanding portion of a shrinking pie," Rob highlights the need for an unselfish and collaborative approach (among competitors) to dealing with cyber threats. He also emphasizes the importance of top management engagement, judicious technology spending to reduce operational dependencies and threats, and leveraging the power of the human resource.Time Stamps00:45I'd like you to talk to our listeners about the cyber attack simulation that you have authored. And this engaging simulation is available from the Harvard Business Publishing website.05:15As I reflect on this simulation tool that you have available for executives and students, it does offer an opportunity to assess organizational readiness from a cybersecurity standpoint. What else does it accomplish based on your experience of using it out there?08:02How would you compare this particular simulation exercise with the tabletop exercises that organizations are known to conduct?10:25I wanted to mention to my listeners that Professor Austin was one of the authors of a case called iPremier, and to the best of my knowledge, it's one of the few graphically written cases where essentially you're seeing a whole bunch of cartoons that describe the scenario, and then walk you through the next steps as you use the case. And you can use that case for simulation as well. Rob, if I remember correctly, that case was authored as early as 2002, or 2003. Give the listeners a bit of a background of the iPremier case.13:41As you look at the big picture, as you reflect on how things are evolving over a period of time, what has changed, what are your concerns? What is your assessment of where things are going? What can we do better? 21:34What are you seeing in terms of best practices of actively engaging top management in cybersecurity planning, execution, monitoring? Anything that stands out?38:38What structures or mechanisms should be in place so that business leaders, technology leaders, security leaders, work together, they're incentivized to work together as opposed to taking the approach, it's your problem, not mine?Memorable Rob Austin Quotes"It's one thing to plan, it's another thing to be able to actually walk the talk. And that's one of the things the simulation shows us.""You learn something from a simulation, but you learn even more from discussing the experience that you had in the simulation.""It's unlikely you're going to be able to execute everything exactly according to plan.""We're working very hard to add nodes to the network, but often every node is a potential attack point, as well.""The dilemma of IT security is that if you do everything that you're supposed to do, and as a result, your company does well, and does not suffer IT security events, the result is, nothing happens. And, it's hard to get credit for nothing happens.""We used to be able to assume that we could just pursue our own interests, and everything would be fine. But now we discover that our interests interact with other people's interests. And I think that's true in business ecosystems as well. But it is definitely true in cybersecurity. If you've got really great cyber defenses, but one of your business partners has really bad cyber defenses, that's an entry point into your company as well. That's a risk factor for your company.""It's better to have a smaller portion of an expanding pie than to have an expanding portion of a shrinking pie."Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: https://www.linkedin.com/in/dchatte/ Website: https://dchatte.com/Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

<a href="https://www.linkedin.com/in/robertdaustin/" rel="noopener noreferrer nofollow" target="_blank">Robert Austin, Professor, Ivey Business School</a>, discusses the value of cyber-attack simulation by drawing upon the learning tool (IT Management Simulation: Cyber Attack!, Harvard Business School Publishing) that he has developed. Using powerful metaphors such as "it's better to have a smaller portion of an expanding pie than to have an expanding portion of a shrinking pie," Rob highlights the need for an unselfish and collaborative approach (among competitors) to dealing with cyber threats. He also emphasizes the importance of top management engagement, judicious technology spending to reduce operational dependencies and threats, and leveraging the power of the human resource. Time Stamps00:45I'd like you to talk to our listeners about the cyber attack simulation that you have authored. And this engaging simulation is available from the Harvard Business Publishing website.05:15As I reflect on this simulation tool that you have available for executives and students, it does offer an opportunity to assess organizational readiness from a cybersecurity standpoint. What else does it accomplish based on your experience of using it out there?08:02How would you compare this particular simulation exercise with the tabletop exercises that organizations are known to conduct?10:25I wanted to mention to my listeners that Professor Austin was one of the authors of a case called iPremier, and to the best of my knowledge, it's one of the few graphically written cases where essentially you're seeing a whole bunch of cartoons that describe the scenario, and then walk you through the next steps as you use the case. And you can use that case for simulation as well. Rob, if I remember correctly, that case was authored as early as 2002, or 2003. Give the listeners a bit of a background of the iPremier case.13:41As you look at the big picture, as you reflect on how things are evolving over a period of time, what has changed, what are your concerns? What is your assessment of where things are going? What can we do better? 21:34What are you seeing in terms of best practices of actively engaging top management in cybersecurity planning, execution, monitoring? Anything that stands out?38:38What structures or mechanisms should be in place so that business leaders, technology leaders, security leaders, work together, they're incentivized to work together as opposed to taking the approach, it's your problem, not mine? Memorable Rob Austin Quotes"It's one thing to plan, it's another thing to be able to actually walk the talk. And that's one of the things the simulation shows us.""You learn something from a simulation, but you learn even more from discussing the experience that you had in the simulation.""It's unlikely you're going to be able to execute everything exactly according to plan.""We're working very hard to add nodes to the network, but often every node is a potential attack point, as well.""The dilemma of IT security is that if you do everything that you're supposed to do, and as a result, your company does well, and does not suffer IT security events, the result is, nothing happens. And, it's hard to get credit for nothing happens.""We used to be able to assume that we could just pursue our own interests, and everything would be fine. But now we discover that our interests interact with other people's interests. And I think that's true in business ecosystems as well. But it is definitely true in cybersecurity. If you've got really great cyber defenses, but one of your business partners has really bad cyber defenses, that's an entry point into your company as well. That's a risk factor for your company.""It's better to have a smaller portion of an expanding pie than to have an expanding portion of a shrinking pie." Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: <a href="https://www.linkedin.com/in/dchatte/" rel="noopener noreferrer nofollow" target="_blank">https://www.linkedin.com/in/dchatte/ </a>Website: <a href="https://dchatte.com/" rel="noopener noreferrer nofollow" target="_blank">https://dchatte.com/</a>Cybersecurity Readiness Book: <a href="https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338" rel="noopener noreferrer nofollow" target="_blank">https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338</a>

Enhancing Organizational Readiness by Simulating Cyber Attacks

"Cybersecurity is patient safety and patient safety is cybersecurity," is how Stoddard Manikin, Chief Information Security Officer, Children's Healthcare of Atlanta, described the significance of cybersecurity readiness in the healthcare sector. Speaking with exceptional clarity and eloquence, Stoddard traced the evolution of the cybersecurity threat landscape and governance approaches, before discussing in detail what it takes to succeed as a modern CISO.Time Stamps01:35How would you describe the evolution of the cybersecurity phenomenon and what has stayed with you by way of lessons learned?05:17Talking about specialization, getting the right people for the right kinds of roles in cybersecurity is very critical. And there are challenges there. But at the same time, you also need the non-cyber security professionals, the members of the organization to do their part. Don't you agree? 06:55What are your recommendations when it comes to cybersecurity awareness and training?10:41What are some metrics or KPIs that are being tracked or should be tracked?13:37What does it take to make a CISO, and when I say CISO, I mean the CISO function as a whole, effective?17:35From a practical standpoint, how feasible is it to involve legal or to work with legal closely?19:59How and to what extent does your function partner with Legal when formulating and reviewing cybersecurity strategies?22:25How do you stay on top of industry regulations and compliance requirements?24:18What is the state of cybersecurity readiness in the US healthcare industry?28:40Is it common practice to regularly test the disaster recovery capabilities of an organization?30:46What are your thoughts on the practicality of conducting real-time security audits?33:19According to media reports, many of the breaches that have happened, large breaches, major breaches, the story goes that the organization was made aware, or a particular individual was made aware, who did nothing about it. Based on your experience in the field, how or why does that happen? 36:03How feasible is it to have structures and mechanisms to ensure joint ownership and accountability both within the organization, as well as when you're partnering up with vendors? 40:23Any final thoughts for the audience?Memorable Stoddard Manikin Quotes"Cybersecurity is everyone's responsibility within an organization. We're past the days where you have a few people in a room providing all the security to the organization, and it's just up to them to take care of it. It's now a central team coordinating cybersecurity for an organization but directing a lot of different players.""And when it comes down to it, people are the easiest way to breach an organization's security defenses. So it's incumbent on every organization to train all of their users that have access to IT resources, and equip them with the knowledge and awareness they need, so that they can be prepared, should someone target them with some kind of attack or attempted attack.""I find that providing them specialized training, giving them a forum to ask questions, testing them on it, perhaps even monthly with a simulation exercise is how you get the best behavioral response. The other part of that training is it can't just be one way where you're giving them the info; the next step is to test them on it. And then the step after that is to measure them on it.""First and foremost, the most fundamental thing you've got to know as the CISO is the business of the organization that you're in. Because if you don't understand how the business operates, what it does, how it earns money, how it spends money, where it really makes its profit that funds other areas that have losses, then it's very hard for you to understand how to prioritize what security controls need to be put in place, and also how restrictive you can be without cutting off the lifeblood of the organization.""So a patient can recover from a data breach, but they might not be able to fully recover from lack of care. So that's where I really want to emphasize that cybersecurity is patient safety. And we all have to take it seriously, regardless of where we are in that healthcare ecosystem."Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: https://www.linkedin.com/in/dchatte/ Website: https://dchatte.com/Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

"Cybersecurity is patient safety and patient safety is cybersecurity," is how <a href="https://www.linkedin.com/in/smanikin/" rel="noopener noreferrer nofollow" target="_blank">Stoddard Manikin, Chief Information Security Officer, Children's Healthcare of Atlanta</a>, described the significance of cybersecurity readiness in the healthcare sector. Speaking with exceptional clarity and eloquence, Stoddard traced the evolution of the cybersecurity threat landscape and governance approaches, before discussing in detail what it takes to succeed as a modern CISO.Time Stamps01:35How would you describe the evolution of the cybersecurity phenomenon and what has stayed with you by way of lessons learned?05:17Talking about specialization, getting the right people for the right kinds of roles in cybersecurity is very critical. And there are challenges there. But at the same time, you also need the non-cyber security professionals, the members of the organization to do their part. Don't you agree? 06:55What are your recommendations when it comes to cybersecurity awareness and training?10:41What are some metrics or KPIs that are being tracked or should be tracked?13:37What does it take to make a CISO, and when I say CISO, I mean the CISO function as a whole, effective?17:35From a practical standpoint, how feasible is it to involve legal or to work with legal closely?19:59How and to what extent does your function partner with Legal when formulating and reviewing cybersecurity strategies?22:25How do you stay on top of industry regulations and compliance requirements?24:18What is the state of cybersecurity readiness in the US healthcare industry?28:40Is it common practice to regularly test the disaster recovery capabilities of an organization?30:46What are your thoughts on the practicality of conducting real-time security audits?33:19According to media reports, many of the breaches that have happened, large breaches, major breaches, the story goes that the organization was made aware, or a particular individual was made aware, who did nothing about it. Based on your experience in the field, how or why does that happen? 36:03How feasible is it to have structures and mechanisms to ensure joint ownership and accountability both within the organization, as well as when you're partnering up with vendors? 40:23Any final thoughts for the audience? Memorable Stoddard Manikin Quotes"Cybersecurity is everyone's responsibility within an organization. We're past the days where you have a few people in a room providing all the security to the organization, and it's just up to them to take care of it. It's now a central team coordinating cybersecurity for an organization but directing a lot of different players.""And when it comes down to it, people are the easiest way to breach an organization's security defenses. So it's incumbent on every organization to train all of their users that have access to IT resources, and equip them with the knowledge and awareness they need, so that they can be prepared, should someone target them with some kind of attack or attempted attack.""I find that providing them specialized training, giving them a forum to ask questions, testing them on it, perhaps even monthly with a simulation exercise is how you get the best behavioral response. The other part of that training is it can't just be one way where you're giving them the info; the next step is to test them on it. And then the step after that is to measure them on it.""First and foremost, the most fundamental thing you've got to know as the CISO is the business of the organization that you're in. Because if you don't understand how the business operates, what it does, how it earns money, how it spends money, where it really makes its profit that funds other areas that have losses, then it's very hard for you to understand how to prioritize what security controls need to be put in place, and also how restrictive you can be without cutting off the lifeblood of the organization.""So a patient can recover from a data breach, but they might not be able to fully recover from lack of care. So that's where I really want to emphasize that cybersecurity is patient safety. And we all have to take it seriously, regardless of where we are in that healthcare ecosystem." Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: <a href="https://www.linkedin.com/in/dchatte/" rel="noopener noreferrer nofollow" target="_blank">https://www.linkedin.com/in/dchatte/ </a>Website: <a href="https://dchatte.com/" rel="noopener noreferrer nofollow" target="_blank">https://dchatte.com/</a>Cybersecurity Readiness Book: <a href="https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338" rel="noopener noreferrer nofollow" target="_blank">https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338</a>

Cybersecurity is Patient Safety

The incredibly articulate Anne Leslie, Threat Management Consultant, IBM Security, shares some powerful messages and recommendations on threat management. One such message is to nurture a Whole-of-Enterprise approach where "leaders believe that the people who work for them are not just as important as the systems and the data, they're more important." Anne also emphasizes the importance of "looking within and knowing what it is that we have, why people might want that, and how they might go about getting it."Time Stamps00:42 -- So, let's begin by talking about the major information security threats out there and you being in Europe, we'd love to get that perspective.05:49 -- Anything that you see out there by way of best practices, in terms of staying on top of the latest attack vectors and methods.10:43 -- I'd love to hear your perspective on a human-centered cyber defense strategy.19:20 -- I read in the media reports that organizations are often slow, and for lack of a better word, negligent in promptly and effectively responding to cyber intelligence. This is definitely a weakness that no organization can afford. What are your thoughts?29:38 -- I'd love to get your thoughts on joint ownership and accountability, or shared ownership and accountability?38:44 -- Any final thoughts?Memorable Anne Leslie Quotes06:29"So one of the things that I notice in our industry, across businesses, is that we have a tendency to look outwards before we look inwards. And in practical terms, what that means is, we're not very clear collectively about what it is in our organizations and our businesses that adversaries might want."06:29"Let's start with looking within and knowing what it is that we have, why people might want that, and how they might go about getting it. If we already have answers to those questions, we're on a good footing."13:34"I believe that people come to work every day with an often unarticulated aspiration to be useful. And it just seems to me that we're totally missing out on capitalizing on people's best intentions and their creativity and their motivation - when we label them weak when we label them as a vulnerability against which we need to defend."13:34"People want to contribute, people want to be helpful, they want to be united in something that's a little bit bigger than themselves. And security practitioners, in particular, maybe not all of them, but the majority that I've interacted with, are driven by a desire to protect, they're driven by a cause. To them, security is more than a job, it's a cause they want to defend." 18:09"It's not just about buying more technology, It's about doing more with what we have, where we are. And making the most of the capability that we can get from our people is a key factor in that."23:41"I loved what you just said about the impact of security being positively correlated with the health of the culture in the organization. Yes, a million times, yes! Because when you have a healthy organization - which is built up consistently, with consistent behaviors, consistent attitudes, consistent interventions on the part of leadership - what it instills, in people at every level of the organization, is a sense of accountability, a sense of responsibility, a sense of pride. And most importantly, it instills a desire to protect, because people have an emotional connection to their organization and an emotional connection to the leadership, even if they've never spoken to them."----------------------------------------------Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: https://www.linkedin.com/in/dchatte/ Website: https://dchatte.com/Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

The incredibly articulate <a href="https://my.captivate.fm/Anne%20Leslie,%20Senior%20Management%20Consultant,%20IBM%20Security" rel="noopener noreferrer nofollow" target="_blank">Anne Leslie, Threat Management Consultant, IBM Security</a>, shares some powerful messages and recommendations on threat management. One such message is to nurture a Whole-of-Enterprise approach where "leaders believe that the people who work for them are not just as important as the systems and the data, they're more important." Anne also emphasizes the importance of "looking within and knowing what it is that we have, why people might want that, and how they might go about getting it."Time Stamps00:42 -- So, let's begin by talking about the major information security threats out there and you being in Europe, we'd love to get that perspective.05:49 -- Anything that you see out there by way of best practices, in terms of staying on top of the latest attack vectors and methods.10:43 -- I'd love to hear your perspective on a human-centered cyber defense strategy.19:20 -- I read in the media reports that organizations are often slow, and for lack of a better word, negligent in promptly and effectively responding to cyber intelligence. This is definitely a weakness that no organization can afford. What are your thoughts?29:38 -- I'd love to get your thoughts on joint ownership and accountability, or shared ownership and accountability?38:44 -- Any final thoughts?Memorable Anne Leslie Quotes06:29"So one of the things that I notice in our industry, across businesses, is that we have a tendency to look outwards before we look inwards. And in practical terms, what that means is, we're not very clear collectively about what it is in our organizations and our businesses that adversaries might want."06:29"Let's start with looking within and knowing what it is that we have, why people might want that, and how they might go about getting it. If we already have answers to those questions, we're on a good footing."13:34"I believe that people come to work every day with an often unarticulated aspiration to be useful. And it just seems to me that we're totally missing out on capitalizing on people's best intentions and their creativity and their motivation - when we label them weak when we label them as a vulnerability against which we need to defend."13:34"People want to contribute, people want to be helpful, they want to be united in something that's a little bit bigger than themselves. And security practitioners, in particular, maybe not all of them, but the majority that I've interacted with, are driven by a desire to protect, they're driven by a cause. To them, security is more than a job, it's a cause they want to defend." 18:09"It's not just about buying more technology, It's about doing more with what we have, where we are. And making the most of the capability that we can get from our people is a key factor in that."23:41"I loved what you just said about the impact of security being positively correlated with the health of the culture in the organization. Yes, a million times, yes! Because when you have a healthy organization - which is built up consistently, with consistent behaviors, consistent attitudes, consistent interventions on the part of leadership - what it instills, in people at every level of the organization, is a sense of accountability, a sense of responsibility, a sense of pride. And most importantly, it instills a desire to protect, because people have an emotional connection to their organization and an emotional connection to the leadership, even if they've never spoken to them."----------------------------------------------Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: <a href="https://www.linkedin.com/in/dchatte/" rel="noopener noreferrer nofollow" target="_blank">https://www.linkedin.com/in/dchatte/ </a>Website: <a href="https://dchatte.com/" rel="noopener noreferrer nofollow" target="_blank">https://dchatte.com/</a>Cybersecurity Readiness Book: <a href="https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338" rel="noopener noreferrer nofollow" target="_blank">https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338</a>

Ignorance is not bliss: A Whole-of-Enterprise Approach to Threat Management

Fly the Plane is how Dr. Timothy Chester, Vice President of Information Technology, The University of Georgia, characterizes his philosophy and approach to cybersecurity readiness. Dr. Chester spoke at length about a proactive approach to information security management anchored on strategic planning, senior leadership commitment, strong teamwork, sophisticated intelligence monitoring, and robust training and testing practices. His candor and reflection made for a most interesting conversation.Time Stamps02:07 -- What is your take on cybersecurity preparedness? How do you approach readiness?04:49 -- What are some cybersecurity blind spots? And how do you cope with them?09:36 -- How do you ensure that your team has the latest experience and expertise in keeping up with these different evolving attack vectors?12:51 -- What kind of help and support can you expect from the other business units, as well as the individual stakeholders, whether it's faculty members, whether it's students, what could or should they be doing to help secure the environment?16:02  -- Anything that you'd like to add for people who are listening in, and who feel a little frustrated or let down that they don't see that level of active commitment from top management?20:11 -- Now, there is a lot of research out there that speaks to the importance of customized training, that speaks to the importance of role-based training, training that shouldn't be one shot, because people often don't remember the first time what they were trained in. And then another aspect that often doesn't get addressed is how do you measure training effectiveness? 22:40 -- How do you customize cybersecurity communication and make it more effective? 25:46 -- From a faculty member's standpoint, what are some cybersecurity do's and don'ts?27:08 -- Are you happy with the cybersecurity training exercises and rehearsals that are in place? Or can we do better?30:46 -- Does the organization have a good structure and mechanism in place to process cyber intelligence?34:53 -- Organizations seem to be struggling when it comes to identifying and using suitable cybersecurity performance measures. What's your take on that?36:57 -- What would be some good rewards and incentive systems to achieve the desired cybersecurity behavior?40:37 -- What are your thoughts about CISO (Chief Information Security Officer) empowerment?46:47 -- Any final thoughts?Memorable Tim Chester Quotes/Statements"When we say fly the plane what we simply mean is through strong teamwork and strategic planning and foresight we try to think through constantly the types of scenarios that we could be facing; and we try to plan for the little bitty factors that probably aren't a high probability of occurring but could be high-impact if they do occur.""Our human desire to basically live through rote repetition and structure that's comfortable and unchanging leads us to be creatures of habit. Creatures of habit who are following the habits and rote behaviors typically find themselves in circumstances sometimes where the plane starts flying them and the way in which they react to that plane, become wilder and wilder swings that could lead to a disaster."-------------------------------------------------------------------------------------Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: https://www.linkedin.com/in/dchatte/ Website: https://dchatte.com/﻿Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Fly the Plane is how <a href="https://www.linkedin.com/in/timothychester/" rel="noopener noreferrer nofollow" target="_blank">Dr. Timothy Chester, Vice President of Information Technology, The University of Georgia</a>, characterizes his philosophy and approach to cybersecurity readiness. Dr. Chester spoke at length about a proactive approach to information security management anchored on strategic planning, senior leadership commitment, strong teamwork, sophisticated intelligence monitoring, and robust training and testing practices. His candor and reflection made for a most interesting conversation.Time Stamps02:07 -- What is your take on cybersecurity preparedness? How do you approach readiness?04:49 -- What are some cybersecurity blind spots? And how do you cope with them?09:36 -- How do you ensure that your team has the latest experience and expertise in keeping up with these different evolving attack vectors?12:51 -- What kind of help and support can you expect from the other business units, as well as the individual stakeholders, whether it's faculty members, whether it's students, what could or should they be doing to help secure the environment?16:02 -- Anything that you'd like to add for people who are listening in, and who feel a little frustrated or let down that they don't see that level of active commitment from top management?20:11 -- Now, there is a lot of research out there that speaks to the importance of customized training, that speaks to the importance of role-based training, training that shouldn't be one shot, because people often don't remember the first time what they were trained in. And then another aspect that often doesn't get addressed is how do you measure training effectiveness? 22:40 -- How do you customize cybersecurity communication and make it more effective? 25:46 -- From a faculty member's standpoint, what are some cybersecurity do's and don'ts?27:08 -- Are you happy with the cybersecurity training exercises and rehearsals that are in place? Or can we do better?30:46 -- Does the organization have a good structure and mechanism in place to process cyber intelligence?34:53 -- Organizations seem to be struggling when it comes to identifying and using suitable cybersecurity performance measures. What's your take on that?36:57 -- What would be some good rewards and incentive systems to achieve the desired cybersecurity behavior?40:37 -- What are your thoughts about CISO (Chief Information Security Officer) empowerment?46:47 -- Any final thoughts?Memorable Tim Chester Quotes/Statements"When we say fly the plane what we simply mean is through strong teamwork and strategic planning and foresight we try to think through constantly the types of scenarios that we could be facing; and we try to plan for the little bitty factors that probably aren't a high probability of occurring but could be high-impact if they do occur.""Our human desire to basically live through rote repetition and structure that's comfortable and unchanging leads us to be creatures of habit. Creatures of habit who are following the habits and rote behaviors typically find themselves in circumstances sometimes where the plane starts flying them and the way in which they react to that plane, become wilder and wilder swings that could lead to a disaster."-------------------------------------------------------------------------------------Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: <a href="https://www.linkedin.com/in/dchatte/" rel="noopener noreferrer nofollow" target="_blank">https://www.linkedin.com/in/dchatte/ </a>Website: <a href="https://dchatte.com/" rel="noopener noreferrer nofollow" target="_blank">https://dchatte.com/</a>﻿Cybersecurity Readiness Book: <a href="https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338" rel="noopener noreferrer nofollow" target="_blank">https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338</a>

Fly the Plane: A CIO's Approach to Cybersecurity Readiness

Driven by a mission and passion to fight online crime, Ori Eisen, Founder and CEO of Trusona, explains the fundamentals of passwordless authentication and why it is a superior and simpler way of securing access. He also dispels several myths and addresses potential adoption hurdles, ranging from incompatibility with legacy applications to transition costs, regulatory compliance, privacy concerns, and more. Ori offers some valuable tips and recommendations to protect individuals from becoming victims of hacking. Finally, he shares some hilarious jokes at the end.Time Stamps02:40 -- If you could give us a little bit of a primer on what is passwordless authentication.05:10 -- So can you help dispel some of the myths around passwordless authentication?09:10 -- What would be some factors that could influence an organizational decision of adopting a particular method? 11:32 -- So how are users being authenticated? And what about that information that is being used to authenticate individuals? How is that secure? And if that falls in the hands of the wrong, folks, isn't that concerning?14:44  -- So when I was doing my research on this topic, and I was trying to learn about the pros and cons of passwordless authentication, something that came up was incompatibility with legacy applications. Could you speak to that?16:12 -- Okay, now, you mentioned FIDO. What is FIDO?17:32 -- So it seems like we don't have to choose between convenience or security, we can have the best of both worlds, right?19:07 -- Now the solution sounds great. And we need to move in that direction. What about the cost aspect of it? I've read that the cost implications can be significant. Is there any truth to that?21:04 -- What about the regulation aspect of it, I was reading somewhere that -- regulations require clear information on data storage, considering the sensitive nature of passwordless data when it isn't stored appropriately, there could be a lot of issues, would you? How would you react to this statement?23:46 -- What about privacy concerns? You think users, you know, how would you alleviate privacy concerns amongst users? 25:29 -- What is the relationship between passwordless authentication, multi-factor authentication, and mobile multi-factor authentication?28:17 -- Multi-factor authentication becomes much stronger and effective if you were to go passwordless. Correct?29:09 -- Well, let's talk about the bad guys. And let's talk about your motivation, what got you doing, what you're doing, and all the great things you've been doing and trying to reduce or fight online crime.30:59 -- What tips or recommendations would you have to anyone from protecting themselves from different types of attacks? 34:15 -- So, Ori, what are your thoughts about a strong password and how best to store passwords?37:24 -- Ori, share with us that VC joke that I heard in one of your other podcasts the other day. I think our listeners would love to hear that joke.39:27 -- What's the other joke?40:13 -- Any final words to wrap up this session?Memorable Ori Eisen Quotes/Statements"Maybe passwords are not the most secure thing. And our parents are not security experts we should trust with creating long and complicated ends, passwords. So the whole idea of getting passwordless is to remove this factor, which as you probably know, contributes to 81% of all the data we see lost out there and just do away with it. Because the technology to do it is already in our pockets.""The first thing to know is that passwordless authentication does not use static passwords that users pick. So that's the first thing to know. So obviously, you can ask, Well, what does it use? It uses the very same architecture and technology we already have used for e-commerce in the form of HTTPS certificates, and public and private keys.""Putting your passwords into a password vault does not eliminate them. And if you were to inspect with Wireshark or Ethereal, the connectivity between you and the server, you'll see that the password vault only saves you from remembering it, but it's still on the wire. So if you have malware or anything like a Man-In-The-Middle, you are still revealing your credentials.""It's not about money anymore. The delta between going passwordless or not, on many of the systems is just your sheer will. That's it.""So I'm a proponent of not changing the taboo, not changing the security behavior, because then you have something to overcome. Let's make it easy, ubiquitous, and democratize it.""I hope today if I say fax me your resume, you'll think that's crazy. I hope that using a password will be just as crazy a few years from now."Trusona LinksLink to free WordPress plugin: https://wordpress.org/plugins/trusona/Try a passwordless login: https://www.trusona.com/workforce/tryBall To All: https://www.balltoall.org/; Or on social media @balltoallThorn: https://www.thorn.org/----------------------------------------------------Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: https://www.linkedin.com/in/dchatte/ Website: https://dchatte.com/Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Driven by a mission and passion to fight online crime, <a href="https://www.trusona.com/about/ori-eisen" rel="noopener noreferrer nofollow" target="_blank">Ori Eisen, Founder and CEO of Trusona</a>, explains the fundamentals of passwordless authentication and why it is a superior and simpler way of securing access. He also dispels several myths and addresses potential adoption hurdles, ranging from incompatibility with legacy applications to transition costs, regulatory compliance, privacy concerns, and more. Ori offers some valuable tips and recommendations to protect individuals from becoming victims of hacking. Finally, he shares some hilarious jokes at the end. Time Stamps02:40 -- If you could give us a little bit of a primer on what is passwordless authentication.05:10 -- So can you help dispel some of the myths around passwordless authentication?09:10 -- What would be some factors that could influence an organizational decision of adopting a particular method? 11:32 -- So how are users being authenticated? And what about that information that is being used to authenticate individuals? How is that secure? And if that falls in the hands of the wrong, folks, isn't that concerning?14:44 -- So when I was doing my research on this topic, and I was trying to learn about the pros and cons of passwordless authentication, something that came up was incompatibility with legacy applications. Could you speak to that?16:12 -- Okay, now, you mentioned FIDO. What is FIDO?17:32 -- So it seems like we don't have to choose between convenience or security, we can have the best of both worlds, right?19:07 -- Now the solution sounds great. And we need to move in that direction. What about the cost aspect of it? I've read that the cost implications can be significant. Is there any truth to that?21:04 -- What about the regulation aspect of it, I was reading somewhere that -- regulations require clear information on data storage, considering the sensitive nature of passwordless data when it isn't stored appropriately, there could be a lot of issues, would you? How would you react to this statement?23:46 -- What about privacy concerns? You think users, you know, how would you alleviate privacy concerns amongst users? 25:29 -- What is the relationship between passwordless authentication, multi-factor authentication, and mobile multi-factor authentication?28:17 -- Multi-factor authentication becomes much stronger and effective if you were to go passwordless. Correct?29:09 -- Well, let's talk about the bad guys. And let's talk about your motivation, what got you doing, what you're doing, and all the great things you've been doing and trying to reduce or fight online crime.30:59 -- What tips or recommendations would you have to anyone from protecting themselves from different types of attacks? 34:15 -- So, Ori, what are your thoughts about a strong password and how best to store passwords?37:24 -- Ori, share with us that VC joke that I heard in one of your other podcasts the other day. I think our listeners would love to hear that joke.39:27 -- What's the other joke?40:13 -- Any final words to wrap up this session?Memorable Ori Eisen Quotes/Statements"Maybe passwords are not the most secure thing. And our parents are not security experts we should trust with creating long and complicated ends, passwords. So the whole idea of getting passwordless is to remove this factor, which as you probably know, contributes to 81% of all the data we see lost out there and just do away with it. Because the technology to do it is already in our pockets.""The first thing to know is that passwordless authentication does not use static passwords that users pick. So that's the first thing to know. So obviously, you can ask, Well, what does it use? It uses the very same architecture and technology we already have used for e-commerce in the form of HTTPS certificates, and public and private keys.""Putting your passwords into a password vault does not eliminate them. And if you were to inspect with Wireshark or Ethereal, the connectivity between you and the server, you'll see that the password vault only saves you from remembering it, but it's still on the wire. So if you have malware or anything like a Man-In-The-Middle, you are still revealing your credentials.""It's not about money anymore. The delta between going passwordless or not, on many of the systems is just your sheer will. That's it.""So I'm a proponent of not changing the taboo, not changing the security behavior, because then you have something to overcome. Let's make it easy, ubiquitous, and democratize it.""I hope today if I say fax me your resume, you'll think that's crazy. I hope that using a password will be just as crazy a few years from now."Trusona LinksLink to free WordPress plugin: <a href="https://wordpress.org/plugins/trusona/" rel="noopener noreferrer nofollow" target="_blank">https://wordpress.org/plugins/trusona/</a>Try a passwordless login: <a href="https://www.trusona.com/workforce/try" rel="noopener noreferrer nofollow" target="_blank">https://www.trusona.com/workforce/try</a>Ball To All: <a href="https://www.balltoall.org/" rel="noopener noreferrer nofollow" target="_blank">https://www.balltoall.org/</a>; Or on social media @balltoallThorn: <a href="https://www.thorn.org/" rel="noopener noreferrer nofollow" target="_blank">https://www.thorn.org/</a>----------------------------------------------------Connect with Host Dr. Dave Chatterjee and Subscribe to the PodcastPlease subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms: LinkedIn: <a href="https://www.linkedin.com/in/dchatte/ " rel="noopener noreferrer nofollow" target="_blank">https://www.linkedin.com/in/dchatte/ </a>Website: <a href="https://dchatte.com/" rel="noopener noreferrer nofollow" target="_blank">https://dchatte.com/</a>Cybersecurity Readiness Book: <a href="https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338" rel="noopener noreferrer nofollow" target="_blank">https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338</a>

Passwordless Authentication: Myths and Realities

The Cybersecurity Readiness Podcast Series serves to have a reflective, thought-provoking and jargon free discussion on how to enhance the state of cybersecurity at an individual, organizational and national level. Host Dr. Dave Chatterjee converses with subject matter experts, business and technology leaders, trainers and educators and members of user communities. He has been studying cybersecurity for over a decade. He has delivered talks, conducted webinars, consulted with companies and served on a cybersecurity SWAT team with CISO's. He is an Associate Professor of Management Information Systems at the University of Georgia and Visiting Professor at Duke University. Connect with Dr. Chatterjee on these platforms: LinkedIn: <a href="https://www.linkedin.com/in/dchatte/" rel="nofollow" target="_blank">https://www.linkedin.com/in/dchatte/</a> Website: <a href="https://dchatte.com/" rel="nofollow" target="_blank">https://dchatte.com/</a>

The Cybersecurity Readiness Podcast Series

The best philosophy podcast episodes. Asking questions about how to live a better life, what it means to be and do good, to the idea of God. This topic includes episodes that bring about important questions that everyone should be asking themselves. Add episodes you're interested into your queue below!

Best Episodes on Practical Philosophy & How To Live

The best podcast episodes on Startups. For anyone working in a startup, or anyone interested in the incredible stories behind how people built companies like Instagram, and Facebook. Offering both practical advice and insights, as well as the stories for how many of the biggest startups got to where they are today. Add episodes you're interested into your queue below!