The phenomenon of cyber trauma is very real and individuals and organizations are often not adequately prepared to deal with it. Patrick Wheeler, a Luxembourg-based cybersecurity practitioner and Director of the Cyber Wayfinder program, shares his experience in dealing with cyber trauma incidents. He also talks about the Cyber Wayfinder program that is designed to help people with diverse life experiences and skillsets pivot to cybersecurity careers. Patrick passionately argues for removing the artificial barriers to attract a diverse cybersecurity talent pool. To quote him, "why is it that everyone says you have to be a STEM graduate to work in cybersecurity, some of my best colleagues and peers do not have a STEM degree. One of the best cryptographers I know has a degree in international business."
To access and download the entire podcast summary with discussion highlights --
https://www.dchatte.com/episode-21-dealing-with-cyber-trauma/
Welcome to the Cybersecurity Readiness Podcast Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of Cybersecurity Readiness: A Holistic and High-Performance Approach. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars, consulted with companies, and served on a cybersecurity SWAT team with Chief Information Security Officers. Dr. Chatterjee is an Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia, and Visiting Professor at Duke University's Pratt School of Engineering.
Hello, everyone, I'm delighted to welcome you to this episode of the Cybersecurity Readiness Podcast Series. Today, I'll be talking with Patrick Wheeler, who's joining us from Luxembourg. Patrick wears many hats in the field of cybersecurity. He's a cybersecurity innovator, educator, mentor, practitioner, and architect. A few of his professional highlights include executive leader of transformative security initiatives, building next-gen cyber solutions, driving professional development of cyber executives, and rethinking traditional cybersecurity approaches. So it's truly an honor and a pleasure to welcome Patrick to the show. Patrick, welcome.
Thank you, Dave. It's a pleasure to be here.
So when we were having our planning meeting, Patrick, I was intrigued to learn about the cyber trauma phenomenon. Over the last several years that I've been working in this area, nobody quite highlighted that challenge, that issue, quite like you did. So I'd like to start with that topic, and then we can move on to others. So please introduce cyber trauma to the listeners, and let's take it from there.
Okay, well, with pleasure. The concept of cyber trauma is one that I'm still struggling with, as to how to best apply it. And there are people who are critical about using it in this context. But I think when we look at analogies, it's a very powerful and useful analogy. And it came to me in part because a few years ago, I started looking at why it was that so many of my large customers were paying ransomware ransoms to recover their data, when all of the cybersecurity practitioners were screaming up and down, don't pay, don't pay, don't pay. And I had the opportunity to work with some of my corporate communications people. And I was giving a presentation in Copenhagen. And I wanted to talk about the situation that had occurred with Maersk. And we all know the Maersk situation, one of the early Russian cyber attacks against Ukraine that had gotten out of control and had seized up one of the world's largest shipping companies' computers. And initially, my people were very hesitant to allow me to talk about it, because they said, Well, Maersk is one of our customers. You can't talk about that, you know. And I said no. Please listen, you have to understand what I'm going to say about Maersk. And they did allow me to get up there and speak in front of a bunch of financial professionals, not cybersecurity professionals. This is at a financial conference. And I said, Maersk did everything right. When this unexpected event happened to them, they didn't hide, they didn't obfuscate, they didn't lie about what was going on. They also didn't overshare. They said basically to the industry: Listen, something really bad has happened. We're working like heck to try to recover from it. Please be patient with us while we go through this very traumatic time. They didn't use the word trauma at that time.

But after this event, a lady came up to me, and she had a very interesting conversation with me. And the thing that she said that really struck and stayed with me, as she said: Patrick, it meant so much to me to hear from you, a respected person in the industry, my bank effectively, that we didn't do anything wrong, because I cannot even describe to you the feeling of helplessness as I sat at my desk and stared at the computer screen, and there was absolutely nothing I could do. And the reason this stuck with me quite so much, just as I was empathizing with her and putting myself in her shoes: this is a person who was in charge of the financial Treasury Department of Maersk at that time. She has since moved on. But she had responsibilities, tremendous responsibilities, to ships at sea, to vendors, to partners. She knew that if she couldn't make her payments, that salaries wouldn't get paid, the ships couldn't get offloaded, that critical business functions weren't going to happen. And that was a very emotionally fraught incident for her. And it was also quite interesting when you read later on some of the best analyses that came out of the Maersk incident, how well Maersk handled this. But then also the fact that we don't talk about it so much. And everyone is terribly afraid to talk about these types of events. And as I was listening to her, I was also quite struck with the similarities to people talking to me about traumatic events in their lives that have happened in other contexts.

There was another discussion that I had with some people that was perhaps a little bit more lighthearted, that also made me think about these. And it had to do with taking executives through cyber exercises, cyber range scenarios. So like the X-Force truck that was running through Europe a couple of years ago. And they would talk about taking a bunch of business executives through a critically destructive cybersecurity incident, a modeled one in this case, and basically them leaving the trailer being completely white, shaking, and, you know, completely destroyed emotionally. And I was really looking at this, saying, what is it that we're doing that is causing people to have such an aversion to what we're doing? And to use terminology that sounds like this, around trauma?

So I started talking to some people around this, and I asked them, you know, what is it around this idea that is so powerful, and it was actually a friend of mine who works out of Finland who gave me one of the best analogies that I can think of. And we were talking about EMDR, which is Eye Movement Desensitization and Reprocessing therapy, that's often used with military persons who have gone through quite significant amounts of physical trauma. And what she was describing was, you know, when a car almost runs you over, the traumatic event isn't necessarily the car running you over, it's the sense of, I'm not in control of the situation. Bad things have happened to me because I'm unworthy. And the sense that we should be in control, and especially in critically destructive cyber incidents, we have an expectation that we're supposed to be in control. That's a lot of what we... I mean, a lot of our language in cybersecurity is all about control. And I kept exploring this analogy, and I was looking at our sense of corporate identity, and the fact that we have so much group adhesion that we actually have people who are specialized in our human resources departments to make us connected to our corporations. And when our corporation suffers a critical cyber incident, that actually does have a psychological impact, not just on the cybersecurity practitioners, but actually on the staff themselves.

And this is something that, as I looked into it, I think there's been a not enough but a fair body of work done around the trauma that cyber incident responders go through. And if you look this up, you see this is indeed part of the reason why we end up having a lot of people leaving our incident response teams. And I will personally attest to this. I used to sit right next to one of the most amazing incident response managers I've ever had the pleasure to work with. And sometimes he would come out of the incident room just bone white and sweating. And then he would do this day after day, and you could see the type of psychological toll this was taking on him. And this is something we also need to do a better job of. But what I was really struck by is, you know, what is the impact of cybersecurity incidents that we keep hidden from our employees, even though we know they've happened. And this was also one of the things when you look at trauma, where we talk about, we don't want to silence it to death. When you have personal trauma, everything that's pushed into a closet just grows and tends to repeat itself. In a corporate cyber incident, we rush to recover from it, and then we tend to try very hard to forget about it. And indeed, we don't like to talk about it all that much, especially in certain sectors, sectors where I predominantly work, in heavy infrastructure and financial services. We definitely don't want to talk about it because we're incredibly embarrassed by these types of things.

I was doing some work with some hostage negotiators. These are people who work with the United Nations. They do critical incident handling for police forces nationwide. They do some very interesting work in critical incidents too. And they provided me the manual on countering kidnapping and extortion from the United Nations Office of Counter-Terrorism. And they talked about how, when you have people coming out of a critical incident like this, you want to be able to offer them specialized psychological support, for hostages, for the family that have gone through these types of critical incidents. But they had a critical mention in here, which is, often people don't want this type of support initially. Initially, we refuse the label of traumatized or victim. We very quickly want to revert ourselves to the norm, we want to get back to our regular lives. And this also, I think, is something that we do in cybersecurity as well. And so we tend to overload and quickly brush under the rug this type of cybersecurity traumatic incident. We focus on it as an IT problem, even though we all argue in cybersecurity, it's a business problem. But then we actually don't talk to our business partners about what happened and how we can do better about it. So this is one of the things that I've really been working on, trying to figure out how can we break this down?
This is such an important topic. And I'm surprised that, like you said, it's not talked about enough. I haven't heard anything about dealing with or providing people with training to deal with cyber trauma. What are some resources that listeners could leverage to get the right kind of training? Do you have any suggestions for the listeners?
Well, there's not a lot out there right now, particularly around cyber trauma, or digital trauma. One of the things that we do see is, there's some very good work that is happening in intimate partner digital violence. Now, this is another form of cyber trauma, if you will, less of a corporate form and more of a personal form. But there are actually some really good PDFs if you look up intimate partner violence, digital; you'll find some really interesting discussions around this. The best materials I've found so far are actually out of the trauma industry. And this is a psychological industry. So this is something like The Body Keeps the Score by Bessel van der Kolk, which is quite an interesting book around trauma. I personally find EMDR something that speaks to me a great deal, because it talks about how we can practically deal with some of these things. And what we have to do then is we have to transpose these into the corporate context.

And the thing I would say is that when we're looking at cyber culture, there's a huge amount of blame gaming that goes on, or victim blaming that happens. The first thing we tell people is don't click on that link. One of the analogies I like to use is that one of the worst cyber attacks I ever went through started with someone clicking on an opening link. And she did everything perfect that day. Because the link that she opened was one that she was supposed to receive every single day from that business partner. She opened the link, it didn't behave properly. The first thing she did is she called her business partner at a fellow bank across town and said, Hey, that file you sent me today didn't work. And he said, Oh, don't open that file. I've been compromised. My security people are here. I hope you're okay. Now, I loved the psychological dissonance in what he just said in that. First off, she's calling to say that the file didn't behave properly. And he says, don't open it. Well, of course, she tried to open it if it didn't behave properly. And then he says, you know, I'm under attack, or I've been compromised. I hope you're okay.

So I just found that that's such a compelling discussion about how the human brain reacts under crisis. We're humans. And when this happens, this is just normal. So the person did her third perfect thing that day: she picked up the phone, and she called me. And I was in charge of the cybersecurity for that team. And that turned our dwell time, the amount of time the attacker existed on our network, down from the months or weeks that it might have been to about five minutes. And so the fact that she a) opened the link, b) called the partner and c) called me, was actually quite perfect. And so many of our business processes depend on our employees doing things that we tell them not to do. And then we try to blame them. And indeed, our head of operations wanted to blame this lady for opening that file. Because indeed, he had received the message through all of the standard awareness trainings: tell people not to click on the links. And so he wanted to immediately kick off a phishing campaign, get human resources all over anyone who clicked on the phishing campaign, and if there was a person who clicked on it three times, my God, they were going to be fired. And I looked at this as a complete horror of a way in which we could damage our cyber culture such that someone would not call me.

And so when we look at how we can transpose this discussion, first off, we need to change our narrative around how we work with our employees, and we need to engage them so very much more. And we need to have our narrative not be about don't click on the link, but about being responsive. And when people do respond appropriately, we need to reward them. One of the things that I was most proud of in this incident is I actually gave this lady a very public award for having done those three perfect things that day, and having cut my dwell time down. This took the rumor mill, which said, hey, this person clicked on a link, and changed that narrative entirely to say, hey, this person called Security immediately after doing her job, when something went wrong, she saw it fast. And so this is one of the first things we need to do.

The other one is that actually, after an incident occurs, we do need to deal with this thing internally, we do need to communicate. And this needs to be an honest communication. We all know the kind of BS communication, the announcement that comes out on Friday, the fact that, you know, we underplay it. One of the things that I really appreciated a few years back was the story about the RSA hack. This was written in Wired in mid-2021, the full story of the RSA hack can finally be told. This was when China broke into RSA, which handles a lot of the two-factor authentication. And 10 years later, as they're quoting people, the language that the people were still using was the language of trauma. This is an extinction event, RSA is over. I made sure that all members of the team, I don't care who they were, what reputation, they were investigated, because you had to be sure that it wasn't an internal attack. And the way RSA handled the attack, in dribs and drabs, dissembling to their customers, and I was one of their customers. And I received the message from RSA saying, Oh, we're certain that the seeds have not been compromised. And we're all sitting on the other end of this telephone line going, BS. We all know this type of corporate BS when we hear it; we knew it when we heard it. It was a fig leaf at the very best. But the people inside who were forced to lie to their customers, that was a traumatic event to them. They were put in a compromising situation. And you could see in this Wired article, 10 years later, they were still struggling with it.

So number one, in dealing with an incident, we need to not place our employees in impossible situations. We need to communicate like Maersk communicated about their incident. But also, I don't want to say that Maersk couldn't have done better. I mean, we can all do better. The thing that I think is really critical for us is that post-incident communication, and to have that be authentic and genuine. Not just from the executives; we expect to hear from the executives, but actually bring in external people. And do this not just directly after the incident, but bring people in a little while afterwards, after things have settled down a little bit, and we can talk about it and have some discussions and some sharing sessions around these. This is something, again, I'm not seeing happening. But this...
Yeah, if I can chime in here, you've been sharing some very interesting and useful perspectives. One of the things that's coming through in your narrative is the importance of honest communication. There are a lot of best practices out there, or recommendations, about customized communication, targeted communication. But I think we need to emphasize the importance of honest communication. And also the need to create an environment, a friendly environment, where people can speak up and just admit and say, Hey, I did click on the link, but I'm at least informing you right away, so you can take necessary action. That's better than just going silent, recognizing that I made a mistake, and now if I fess up to it, there are consequences. So I really like this approach, and this syncs well with the mindset out there. You know, I've been speaking to many companies about their cybersecurity training approaches. And the good news is, the mindset is not about firing people. It's all about nurturing, encouraging, to ensure the desired behavior. So that's a very healthy sign. But going back once again to dealing with cyber trauma, and you mentioned the post-mortem exercises, what should you be doing after the event? It begs the other question that when we engage in cybersecurity training, though the word training these days is associated with very technical, traditional, controls-based training, the emphasis on soft skills, dealing with, like you gave an example about this boss, the belligerent boss, and the employee who had clicked on the link was scared of the boss. And that led her to behave a certain way. She wasn't trained to deal with the situation appropriately. So Patrick, speak to the importance of developing appropriate soft skills as part of cybersecurity training.
Well, this is something that we've been working on a lot. And there are a couple of different ways to approach this. And one of the things that I've worked very hard on is to surround the cyber team with a fair amount of soft skills as well, but also to engage our business partners, so that they're closer to our cyber activities. One of the things that I found most impactful was to spin up a cyber master class. And this was a really interesting exercise where I would take my executives for two days in Paris, we would go into a locked room, and basically spend two days doing a deep dive on cybersecurity. Not in the type of attack room scenario. But really, you know, what does it mean for corporate entities? What are the incidents like? How are we supposed to deal with them? The goal here was to give our executives the ability to calmly control a cybersecurity discussion, whether it's during an incident or not during an incident. So this is one example of training that I found really, really impactful. And indeed, I do like the switch that a lot of our people have been doing, away from awareness, and away from training, and into awareness and engagement. And this master class was one of my first examples in really trying to engage at quite a deeper level. The other thing, of course, is to bring your cybersecurity practitioners in as trainers for this engagement as well. So you're building a better rapport between your people.

One of the other things that I've been working a lot on recently is how to attract and retain new types of skills. So there's a huge lack of diversity. We have a shortage of skills, and a lack of new entrants into cybersecurity. I work in some of the more traditional industries, and we suffer from recruitment problems. So we're not as hip and trendy and sexy as some of the fintechs or some of the other types of companies. And so we are challenged trying to find new people. And this was one of the things that started the other profile of mine, if you will, which is the Cyber Wayfinder program. And this is a program that is designed to take practitioners in other industries, whether they're in law, whether they are in IT administration, whether they're in governance, and basically pivot them into full-time careers in cybersecurity. And this effort came through initially in an effort, I was asked to present cybersecurity as a career to a group of young professionals who were working on gender and tech in Luxembourg. And I gave what I now characterize as one of the worst presentations of my professional career, and I've been asked to do a lot of presentations. So this is a really standout failure on my part. After the presentation, I got a lot of feedback saying, thank you, sir, for taking time from your very important job to tell us about these very important topics. And then everyone ran away to talk to the person who had presented on WordPress that night. And so I really looked at this and said, what is it that we're doing in cybersecurity that is actually making us look unattractive to new entrants? And this is one of the things that the Cyber Wayfinder program is designed to do, which is to give people foundational knowledge to get them into cybersecurity careers. And the one thing I really, really love about this is it's exactly this. We're bringing in people with different life experiences. So they're not just people like me; I consider myself someone who came through the wires. I was a sysadmin, I was an engineer, I was kind of a traditional cybersecurity profile, shall we say? And I absolutely love working with the people who are non-STEM graduates. And this was one of the first discussions that I had around this. I said, why is it that everyone says you have to be a STEM graduate to work in cybersecurity? Some of my best colleagues and peers do not have a STEM degree. One of the best cryptographers I know, practical cryptography, has a degree in international business. You know, so why did we create this artificial barrier to entry for new people, when it didn't exist for us before?

So this is also one of the areas where I've been really, really happy to see the level of engagement that can happen when you bring atypical profiles into cybersecurity. And then these people also can often be champions of the business and understand the business better. And one of the primary sponsors of this effort was the chief security officer of SWIFT, which is the large banking network. And his comment that we quote regularly, and I've never found a better one, is that, you know, it's often easier for me to train one of my business people how to do cybersecurity than it is to train a cybersecurity professional how my business works. And I looked at his challenges. And this is actually very true, because they're a very important organization. And they hire people from the cybersecurity industry, but they're a very complex organization. And what they do is quite unique. And then often the cybersecurity professional gains that experience and then leaves the organization. The people that he sponsored through our program have actually stayed with the organization much, much longer than other people. And also, I argue, it has had a great impact because they understood the business first, before they layered on the cybersecurity discussion.
I'd like to add something to that. That's so true. Business first: awareness of the business is as important as awareness of the cybersecurity skills. I'd like to share a few things with the listeners. One of my guests, who is a CISO in a major educational institution, when I asked him, what's the success factor, he said, I have to keep reminding myself that my organization is not about cybersecurity. It's about research, teaching, service. And I have to make sure that they can continue with their mission, with their activities, in as secure a manner as possible. The second thing I want to say, Patrick, and I'm going to be sharing this podcast with my students. Fortunately, in the program that I teach at Duke University, we attract people from different disciplines. And they would love to hear what you just said, that you don't have to be from a very traditional technical program to thrive in this field, you can come from different backgrounds. Like I have somebody in the program; one of her majors is in philosophy. I think there is another person who has a background in communications. The third student I can think of has a background in law. And talking about communications, another of my guests recently, who was a former journalist and now is a cybersecurity communications analyst at a major corporation, he made a very interesting statement. He said, Dave, you know, these cybersecurity specialists, these technical people, often the technical knowledge is a real curse to them. They have a hard time relating to what, or to how, the non-technical people perceive or understand them. So for them to be able to communicate in a manner and fashion that is intelligible across the organization can be quite the challenge. So bringing in somebody who has expertise in communication, and then teaching that person, you know, the relevant cybersecurity subject areas, issues, and of course, the overall business context: that might be a better way of preparing a person for a certain type of cybersecurity job that doesn't involve being in the trenches and thwarting attacks, which is very important. Don't get me wrong. I just want to emphasize that. But then there are different roles, which require different skill sets. So the thinking out there often is that cybersecurity belongs in the technology domain, belongs to the technical people; that's not quite true. We have to approach cybersecurity from a holistic perspective, we have to broaden the skill sets that they bring in to deal with this challenge. So what you're saying is just so good to hear. So please continue. I had to jump in to share a few things.
Yeah, no, thank you for that. And indeed, that's
what we see in our program. And I love one of the discussions as
I was having this discussion inside the financial sector in
and one of my partners in Paris was a CISO over there. He said
to me, yeah, Patrick, that's, that's really great. I mean, for
example, I have a I have a PhD in opera. And I said, Oh, that's
wonderful. I'm going to share that with our students. So I
went up to his LinkedIn profile. And I called him back and I
said, Mark, your LinkedIn profile doesn't show that you
have a PhD in opera, he said, Yeah, I was embarrassed by that.
So I didn't put it in my professional profile. I'll fix
that for you. And I love this discussion, because he actually
went and fixed it. And I was able to share that with our
students. And if you look at the discipline that would take to
get a PhD in opera, the amount of work that goes into this type
of stuff, the amount of work that goes into pass the bar
exam, if you become a lawyer, and all of these types of
things. That very much is an academic preparation. But I also
love the success of people who don't have these academic
preparations. Oh, one of our students whom I'm terribly proud
of, she came out of the German educational system, where she
was sidelined very early in her life, and basically sent to
trade school and said, you'll never amount to anything. One of
our other success stories was a young lady of African descent in
Belgium, who there's a problem in our educational system, where
we like to sideline people like the US, and she was told to be a
hairdresser. And she absolutely refused and continue to her
educational track. But at the end, was looking at possibly
working in a museum because that was about the only role that she
could actually find in the workforce. She now does identity
and access management for one of my major financial partners. And
time and time again, we see this type of success, irrespective of
early academic achievement. And we see this for people who who
don't do well, early in academia, they can actually
change their lives significantly. And I especially
love working with people much later in their careers. But I
also really liked what you had to say about cybersecurity
practitioners alienating the business or not communicating
well. And I have an analogy here, where I like to say that we are
very much "thingist": it's about the thing, it's about the
cyber thing. And it's all about being right, and we have to do the
right thing. And as technologists, we're very good at
doing things. And absolutely, we desperately need our
technologists: when you're trying to make sure
everything is patched, when you're trying to make sure
your network is running properly, when you're trying to
deal with an incident, we need these technical resources to do
things for us. But also, when we look at our longer-term
cybersecurity objectives, we need project managers and
program managers who understand cybersecurity, but also
understand how to get things done, hopefully on time, on
budget, and in scope. It used to be that you get two out of three;
I think these days it's one out of three. But, you know, if
we're getting one of those three, then it's also not
too bad in some cyber teams. We also need architects or threat
hunters, you know, people who understand the external
perspective, because a lot of times, when we look inside, we're
just patching. We're doing the rote activities that we're told
by the control framework to do. But we also need to have that
external threat perspective. So we need to get the right things
done. And then the other component we need to add into
that is business perspective. We need to get the right things
done for my business. And this is one of the things I've been
trying hard to keep expressing again and again to cybersecurity
practitioners. And I put it under the rubric of politics.
And people don't like office politics; they don't like to be
told they have to become a better politician. But the argument I
make is that doing technical things, getting things done,
getting the right things done, actually doesn't matter if I
alienate my business at the same time. And I've seen this time
and time again with what we call strong CISOs. And I've talked to
some people who come out of the military, and I try to
caution them on what I call the colonel syndrome, which is: you
come in, you have an objective, you know what you have to do,
and you do a damn fine job of it. And then you totally
alienate your business and they fire you. And then you're
replacing a CFO every three years to three months. And a lot
of the
metric, I have to add something there. It
brings back a memory of when I was in corporate: a senior
executive gave me a great piece of advice. And you know how life
is, you hear things, and I'm becoming more and more convinced
that you hear things or you're told things for a reason,
because ultimately it comes back to you. And here we have an
opportunity to validate what was shared with me a long time ago.
The gentleman said, "Dave, when you join an organization, don't
give them the impression that here I come, I'm going to change
everything up, I know what's good, you all need to follow my
approach. That's going to be the worst thing that you can do,
because before you know it, you'll be kicked out or you'll
be sidelined, and you'll have no effect." And this is so
consistent with what you just shared about a CISO taking on
the role: making sure they connect well with the other C-level
executives, connecting well across functions, so they can
truly become an enabler, a strategic enabler, as opposed to
becoming known as a person who is always going to put up a
hurdle or will always say why a certain initiative cannot be
done because of these kinds of risks. So to develop that
persona, that friendly persona, of somebody who
informs, who educates, who tries to find pathways so the business
can do what they need to do without digging a huge hole.
That's the kind of savvy that comes with experience.
But that also requires training in the softer skill sets,
whether it's interpersonal skills, whether it's
communication skills, whether it's the ability to deal with
cyber trauma-like scenarios. So there are so many skills that
are at play here. And I'm so glad you touched upon these
many, many skills, because people who are
listening to this podcast and are wondering whether
cybersecurity is really a field for them, given their
background, given their experience: I'm sure you will
agree with me that, absolutely, if you have the passion, if you
have the interest, if you have the curiosity, there is no
reason why you shouldn't jump in and explore where you would be a
great fit. But anyhow, Patrick, we are running out of time. So
I'd like to give you the opportunity to wrap it up for us
here.
Okay, so exactly what you said: do jump
in and do explore this. The end. The other thing is, you don't
have to be perfect from day zero. And this is the
advice I give to newcomers, but also to professionals. When
we're looking at dealing with the executives, I
say, let them see you sweat. Let them see you working. Let them
see your passion for what you're doing. Even if they disagree
with you, even if they shut you down, communicate honestly with
them that you're passionate about what you're doing, that
you're passionate about learning, you're passionate
about protecting the organization. And I've seen this
work time and time again, where we really care to see our
colleagues care about what they're doing. And if you can
get this passion for yourself, please join cybersecurity,
because we need people who are passionate about it. If you're
losing your passion, try to find it again, because we need people
not to leave. We've got far too many people leaving. And then
this thing about continually training ourselves
and working with and empathizing with our partners is just so
important. And this is something I had to work on myself; this
empathy didn't come naturally. And so we can indeed train
ourselves to be more empathetic. I'm a fan of the design thinking
methodology. I'm a fan of looking really deeply at the
people and trying to put myself in their shoes to understand why
they're making the decisions they are, so I can be a better
influencer in this context. So please, Dave, keep up the good
work, bring new resources in, we desperately need them. And thank
you for this opportunity.
Thank you, Patrick. That was great. I look
forward to having such conversations with you in the
near future. Thank you.
Okay, until soon.
A special thanks to Patrick Wheeler for
his time and insights. If you like what you heard, please
leave the podcast a rating and share it with your network. Also
subscribe to the show, so you don't miss any new episodes.
Thank you for listening, and I'll see you in the next
episode.
The information contained in this podcast is for
general guidance only. The discussants assume no
responsibility or liability for any errors or omissions in the
content of this podcast. The information contained in this
podcast is provided on an as-is basis with no guarantee of
completeness, accuracy, usefulness, or timeliness. The
opinions and recommendations expressed in this podcast are
those of the discussants and not of any organization