Welcome to the Cybersecurity Readiness Podcast Site
Dec. 8, 2021

Enhancing Organizational Readiness by Simulating Cyber Attacks

Robert Austin, Professor, Ivey Business School, discusses the value of cyber-attack simulation by drawing upon the learning tool (IT Management Simulation: Cyber Attack!, Harvard Business School Publishing) that he has developed. Using powerful metaphors such as "it's better to have a smaller portion of an expanding pie than to have an expanding portion of a shrinking pie," Rob highlights the need for an unselfish and collaborative approach (among competitors) to dealing with cyber threats. He also emphasizes the importance of top management engagement, judicious technology spending to reduce operational dependencies and threats, and leveraging the power of the human resource.

To access and download the entire podcast summary with discussion highlights:

https://www.dchatte.com/episode-14-enhancing-organizational-readiness-by-simulating-cyber-attacks/


Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Transcript

Introducer:

Welcome to the Cybersecurity Readiness Podcast series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of Cybersecurity Readiness: A Holistic and High-Performance Approach by SAGE Publishing. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars, consulted with companies, and served on a cybersecurity SWAT team with Chief Information Security Officers. Dr. Chatterjee is an Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia and Visiting Professor at Duke University's Pratt School of Engineering.

Dr. Dave Chatterjee:

Hello, everyone, I'm delighted to welcome you to this episode of the Cybersecurity Readiness Podcast series, where I will be talking with Professor Robert Austin of Ivey Business School, located in London, Ontario, Canada. Professor Austin is a highly distinguished educator with extensive experience and accomplishments in academia and industry. He has worked at major multinational corporations in the automotive and technology sector. He has also been the dean of a business school, and the CEO of an Executive Education Foundation. Rob is also an experienced C-level consultant to multinational companies. He has been a faculty chair, member in executive education programs at Harvard Business School, Harvard Medical School, Ivey Business School and elsewhere. He's also the author of several books, and more than 100 articles and cases. Rob, welcome. Thank you for making time to share your expertise with my listeners. To get the ball rolling, I'd like you to talk to our listeners about the cyber attack simulation that you have authored. And for the benefit of the listeners, this simulation is accessible from the Harvard Business Publishing website.

Rob Austin:

Sure, it's, it's great to be here, thank you for inviting me. So this simulation, it, it basically engages participants in a real time cyber attack. So it's, you experience it as a flow of events that unfold in real time, you were asked to make decisions that are as much as we could make them modeled on the kinds of decisions that you would face in a situation like this. You have to during the attack, you have to coordinate with team members, with the people who you work for, as well as with, you know, partners, partners at hosting facilities and various other people who not all of whom are people that you necessarily want involved in the problem solving. Sometimes people inject themselves into situations like this in ways that are not entirely helpful. Also, another feature of the simulation is that not everything unfolds as you expect it to. And you have to process that.

The scenario in this simulation is that they're experiencing a DDoS attack, distributed denial of service attack, but they begin to suspect that there might also be an intrusion that has occurred. And of course, a DDoS attack doesn't necessarily imply an intrusion. But some things start to look suspicious as they start to investigate what's going on with the DDoS attack. The DDoS attack seems to have defeated some of their defenses, and they can't figure out why that would be the case, right away. Another feature of the simulation is that the information that you have is not sufficient to fully understand what's happening. But you're still being called on to make decisions, which I think is another realistic feature. That's kind of the first part of the simulation, the second part in so that goes on, you know, with a timer with a clock counting down.

The second part of the simulation, though, it has to do with, I think, an important problem in the aftermath of a cyber attack. And that's what do I say about what has happened? And what's very difficult about those situations frequently, as you know, Dave, is that often you're called on to say something about it before you have a fully confident assessment of what has actually happened. And so, so that that can be very difficult. One of the reasons I like simulations like this, is it's possible when you sit down to plan to imagine that you have a plan and you know what you would do, but it can be quite difficult to actually execute your plan. So it's one thing to plan, it's another thing to be able to actually walk the talk, if you like. And that's one of the things I think the simulation shows us.

Dr. Dave Chatterjee:

Yeah, you know, I've had the pleasure of reviewing the simulation, I plan to use it in my upcoming class. I find it fascinating the way you have it set up. And I feel it'll it will definitely achieve some of the learning objectives that you spelt out such as discovering human biases that lead to ineffective behavior while responding to a crisis in real time, recognising the importance of crisis preparedness, learning to ascertain and manage priorities during a crisis, practice collaboration and decision making, to structure effective diagnosis and response and more. So a kind of backing up a little bit as I reflect on this simulation tool that you have available for executives, for students, it does offer an opportunity to assess organizational readiness from a cybersecurity standpoint. What else does it accomplish based on your experience of using it out there?

Rob Austin:

Yeah, so I think one of the things that happens in the aftermath of the experience of the simulation itself is it often provokes a very useful discussion. We, one of my, one of the principles that I like to put forth when, when we talk about simulations is that, you know, it, you learn something from a simulation, but you learn even more from discussing the experience that you had in the simulation. So the debrief after the simulation is, is, you know, probably the most important part. And what you discover, I mentioned this kind of before, right, that what you discover when you go through a simulation, is it, it's harder to do things that you assume that you would do than you expected. And, you know, one of the things about events unfolding in real time is that, you know, you have that the information comes to you in the wrong order, and incomplete. And so you have to do sense making, despite this, the situation not being very ideal for that. And these are some of the things that you realize after the experience, and that you can talk about it, it leads you to realize that there may be holes in your preparedness plan, there may be things that you've assumed you could do that you can't actually pull off in the heat of the crisis. And so I'd say that's, that's one of the big things is the quality of the conversation that you have about your preparedness plans, after a simulation, I think is really quite high that it causes you to realize some things that can cause you to make material improvements in your plans.

Dr. Dave Chatterjee:

Okay. And how would you compare this particular simulation exercise with, you know, the tabletop exercises that organizations are known to conduct?

Rob Austin:

Yeah, I think those can be really good too, right? In, in fact, that, to be perfectly honest, the genesis of this online simulation was a tabletop simulation, right? It's it's sort of a, it's an automated version of something that we used to run in, in a lot of different situations in a lot less animated fashion. But, but I do think there's something to it, one of the things that's that people say, as a striking feeling, after having gone through the simulation is, is that clock just keeps ticking. And things come at you in an order, and at a time, when you know, that you you basically don't have any control over the clock, and in how the things are unfolding in time. And while that can be part of a tabletop simulation, I think it's it's especially impressive, I think, when you're when you're experiencing in in the in the online setting, but you know, I'm a fan of those too, I'm a fan of the, the tabletop settings, and they're also kind of they have flexibility advantages, right? You can, you can quickly redesign them, you can add things to them, and so forth.

So I kind of like the idea of using tools like this one, this automated simulation tool, in conjunction with other other kinds of activities like planning, like less automated simulations, like case discussions, right. So one of the things that we have sometimes done, is it we'll have a case discussion about a company being attacked, and the situation parallels fairly closely the situation in the simulation, and people decide what they think they would do. And then the in the next session, we have them run the simulation and they discover, you know, kind of how unfolding real events make shambles of their plans, in some cases, so that's a very useful thing to, to realize is that it's unlikely you're going to be able to execute everything exactly according to plan.

Dr. Dave Chatterjee:

Absolutely, you can plan as much as you want. But when it comes to execution, it can be a very different experience. And I think such simulation exercises can be very helpful for management. Talking about case studies, case discussions, I wanted to mention to my listeners that Professor Austin was one of the authors of a case called iPremier, and to the best of my knowledge, it's one of the few graphically written cases where essentially you're seeing a whole bunch of cartoons that describe the scenario, and then walk you through the next steps as you use the case. And you can use that case for simulation as well. Rob, if I remember correctly, that case was authored as early as 2002, or 2003? What was the, give the listeners a little bit of a background of the iPremier case?

Rob Austin:

Yeah, you're right about that, that it's actually by now quite an old case. And we usually think that old cases get out of date. But one of the things, I think you and I've talked about this before, one of the things that's remarkable about that case is the issues are still with us. And so we've actually updated it a bit over the years to to take into account things like you know, now people are better at defending against denial-of-service attacks, things like that. But but the truth is this case, I think, was 2001, actually, when we wrote the first version of it, and the world really was different then. A guy named Chris Darby and I wrote the very first Harvard Business Review article about cybersecurity. It was called the myth of IT security. And that was published in 2003. And, you know, part of the lead up to that was writing this iPremier case, and believe it or not, I mean, it's hard to imagine this now, but we had to work hard to convince them that cybersecurity was something that CEOs should think about. Right? In, in the in those in that timeframe, late 90s, early 2000, it probably took us two or three years to convince them that this is something that should be, you know, on the table when the senior team discusses the important issues for the firm.

But yet, it is also the case you're describing in 2009, we turned it into what we call a graphic novel version. That worked with a Professor, Jeremy Short, who has done a lot of interesting research around whether that might be a good mode to get information across to people in. And, you know, we there's a little bit of resistance to that idea, too. Because I remember somebody saying to me, tell me again, why we need a comic book with the Harvard Business School logo at the top of it. But but in the end, we prevailed, it was the first graphic novel business school case at Harvard. Since then, there have been more because there there are people who who quite like to use those.

Dr. Dave Chatterjee:

And I happen to be one of them. I found that approach to writing cases to be extremely interesting, dramatic, and it gets students' attention. Moving along, Rob, you have such a lot of experience in the technology space, of course in the cybersecurity space; as you look at the big picture, as you reflect on how things are evolving over a period of time, you mentioned about your writing the first article in 2001, the Harvard Business Review, what has changed? What are your concerns? What are your what is your assessment of where things are going, what can we do better?

Rob Austin:

Yeah, I'm probably you know, I there are other people who I would go to for the authoritative version on where things are going. For years in my Executive Program at Harvard that was targeted at Chief Information Officers, I used to go to a guy named Dan Geer and he I would still recommend going out on the web and finding out what he's talking about lately. Dan was trained as a trained as a healthcare statistician, an epidemiologist, basically. And he has always approached cybersecurity from a similar sort of a standpoint. And so he's always come up with interesting conclusions. But of course, you know, he was one of the very first people who said that we're losing, right, that the the threats, the threats are getting more sophisticated, much faster than we can advance the defenses. And I guess that, I mean, yeah, I guess I'd ask you too, Dave, but, you know, that seems to be true still, that the nation states are involved in the threats now. There's a lot of very sophisticated attacks, we're working on some cases now, about companies that, you know, have had very dire problems with ransomware attacks. And so, you know, and people are still not still not prepared.

Despite hearing these stories about companies that blink out of existence, I mean, one of the cases we're working on right now, one of the serious options on the table was just declare bankruptcy for this company and start another one. Because they couldn't, you know, they couldn't fix it. Now, they did eventually fix it. But it was for a funny reason. They'd worked with a vendor who didn't thought their network was too slow. And the vendor took a whole copy of an instance of their systems to a different environment to work on improvements and enhancements to the system. And it turned out to be very lucky that he had a recent version of the system because everything was messed up, the backups were messed up. And if this guy hadn't taken, basically took the the company systems off site and wasn't quite a thumb drive, but it was like that. Right. And they were they've never been more relieved than discover that somebody else had taken their systems off site, their software.

Dr. Dave Chatterjee:

Yeah, it's it's hard to believe that organizations can be so underprepared. And again, it's not fair to generalize. But as you mentioned, the reality of it is the attack surfaces are expanding, thanks to increasing digitization. And that's not going to stop. The hackers are getting increasingly sophisticated. It's a pretty mature industry now. So that's not going to stop. So organizations don't have a choice but to put on their best game and be as prepared as they can be, and planning is important. But you know, testing the planning is equally important. And that's where every possible help, including using simulations should be leveraged to enhance their extent of readiness.

Rob Austin:

Now, I agree the the other thing I would point out there is the human side is super important, right? That. I mean, you talked about the, the attack surfaces growing and, you know, one of the things I also teach my students these days is, you know, we talk about platform economics and the power of network effects. And a lot of business models now are powered by network effects, you know, the idea that we want to add as many people as possible or as many nodes as possible to a network, because the value of the network is increasing faster than the rate at which we're increasing the size of the network. And yeah, this is the power of companies like Google and Facebook and all these platforms. But one of the things that this also implies is that, you know, we're working very hard to add nodes to the network, but often every node is a potential attack point, as well. So we have these business models that are driving us, you know, I guess what I'd say is the, the increasing attack surface is being driven by business models. And I don't know where that ends, you know.

Dr. Dave Chatterjee:

Yeah, you know, it's like, we are trying to get better. We are engaging in as we call it, the the digital transformation of businesses. And while we engage in that we create more problems for ourselves. The other day, I was talking in the classroom about highly integrated systems and I was sharing with students how important it is for information to flow seamlessly from one point to the other without any disruption. And I was sharing with them the history of, you know, siloed organizations, siloed systems, and why and how that happens. And then I told them, I said, you know what, as I think about it, maybe there are some benefits of systems not being well integrated, systems being disconnected, maybe there are some advantages from a cybersecurity standpoint.

Rob Austin:

I think that's true. I mean, you, you've probably used this material too, but the Charles Perrow's book on normal accidents is interesting here, because he points out that one of the, you know, one of the characteristics of systems that experience what he calls normal accidents, these, these situations where low probabilities line up to disastrous effect; one of the characteristics of systems that have this is what he calls tight coupling. And another another way of saying tight coupling, I think is exactly what you were just talking about, right? How integrated information flow is across the system. So, you know, it's another situation where we're actually doing our very best to create what, you know, in one context is a really good thing, right, integration of information flow. But, you know, taken from another perspective, like an information security perspective, that's tight coupling, and we probably are going to see more normal accidents as a result. And that's, that's actually not even normal accidents are accidents, right. There's not even even any bad guys in those stories. So you add bad guys, and it all starts to get even more complicated. But I like to think it's not hopeless. But but it does look pretty formidable.

Dr. Dave Chatterjee:

It is formidable, it's keeping everyone on their toes. And organizations can no longer afford to consider cybersecurity as something that can be outsourced. I'm, I'm a huge proponent of considering cybersecurity as an as an integral part of business objectives. In fact, cybersecurity is a strategic competency that's going to determine the long term success of organizations. So the mindset has to really change. There was a time when I was impressing upon executives about investing in very robust technology infrastructure, and I was using the word strategic investments. And I was told that, Dave, if you're not investing in things that's going to generate sales, we don't really call them strategic. And I said, I said, I agree. But I think we have to change that mindset a little bit. Because if your business doesn't exist, you wouldn't have anything to sell. So you have to first understand what keeps your engine running. And you have to secure that before you can do anything else. So cybersecurity is one of those things, a core component of business operations today that can cannot be ignored. And that needs to be get front and center attention of top management. And that brings up a question that I'd like to put out there and get your perspective. What are you seeing in terms of best practices of actively engaging top management in cybersecurity planning, execution, monitoring? Anything that stands out?

Rob Austin:

Yeah, I don't know if I know, of, I don't know if I have sort of a methodology for best practice for dealing with execs, I know examples of senior execs that do a good job. And, you know, they take an interest and, you know, probably more impressive or memorable, are the situations that you see where that's not happening, right, where people go to their corners, basically. We worked with a company one time where the CEO invited us in to assess their IT capability. And I think when what we discovered after we'd been there for a while, is that what he was really kind of looking for, was a reason to get rid of his current IT leadership, right. He, he didn't like them. He they made his head hurt. He wanted them to just take care of things. And so when he was also he was kind of a, it was a business leader. He's a big, big guy physically, he was kind of belligerent. And what we discovered was the biggest dysfunction in the organization, is it when he got belligerent and started you know, sort of throwing his weight around or yelling or it wasn't always actual yelling, but the IT management, the CIO, he dove for cover, right, understandably, I think. And so, ultimately, what we ended up recommending is that that this company hire an IT leader, a senior digital leader who would not dive for cover, who would, who would go head to head with, with the executive. But to be perfectly honest, that didn't work very well, either.

And so I think, you know, I think the ultimate difficulties in a situation like that have to do with the senior leadership, like the non the business leadership. The companies that do well at this are the ones where the senior executives take this seriously, and where they're willing to engage on it. A lot of times, I see executives who, I mean, you don't have to become a digital expert, right, as a CEO, but you do have to engage with it, I think, and you have to ask questions, and you have to not just want it to go away. And you know, there are boards that can help with this. One of my frequent colleagues, you know, are co-authors Dick Nolan, he and Warren McFarlan wrote I think was an HBR (Harvard Business Review) or Sloan Management Review article on how boards can help with this, how boards can be involved. But that's, you know, that's pretty hit or miss, I think, from company to company, how well that works. So

Dr. Dave Chatterjee:

Yes, that's kind of even what I have been noticing, based on my work, based on my field work that there are organizations where the leadership is extremely committed. In fact, the first podcast that I did in this series, I had the president of a major insurance provider, who made a very strong statement of how committed their organization is and how every C-level executive in that organization, you know, takes advantage of cybersecurity training opportunities to up their skills, up their level of awareness, and to your point, we're not talking, we're not talking about creating a cybersecurity expert of everybody in the organization. And that connects to the human factor that you mentioned a little while ago. And the way I look at it is organizations with resources will have a cyber team. And they are definitely part of the solution. But for a solution to be truly effective, we the organization has to engage every member. And that extends even to their partners. So in other words, cybersecurity readiness needs to become everybody's business. And that's the way it needs to be pitched, not as something that is technical and that remains in the domain of the highly specialized operators. And I absolutely believe in them, they are of great value. But they have to be complemented by folks who are doing regular work, and who have to do their part in ensuring that they are taking every step so that the vulnerability is reduced at there, and are at their level.

 

 


Rob Austin:

Yeah, no, I agree. And you know, the thing you said earlier about the company that told you, if it doesn't contribute to sales, it can't be strategic. You know, I think one of the things that I find helpful along these lines is, there is a framework that Warren McFarlan, professor at Harvard Business School, he many years ago, 19, early 1970s, I think, created something that people now call the McFarlan grid, right. It's a two-by-two, we love two-by-twos in our business schools, right. Yeah. And then on the one axis is sort of the strategic importance of IT. And that has to do with things like is does it generate additional sales, right, does it generate differences from our competitors, that they have a hard time matching? So that's on one axis. The other axis though, is operational dependence on IT. And that has to do with you know, if my IT systems fail, how soon do I have a problem? Is it a day? Is it a minute? Is it a melt microsecond?

And when I when I, when I tried to get across to you know, I teach a lot of general managers I'm sure you do too, MBA students and executives and so forth, who, you know, they're trying to understand or I'm trying to help them understand how IT actually functions as a value creation activity within their organization. And what I do with the McFarlan grid is I say, look, these are the two reasons to spend money or to invest money in digital technology, the two axes to the McFarlan grid, one of them is, you know what you think it would be, it's to create sales, to generate sales, to generate competitive advantage over your rivals. That's the that's the one axis. But the other one that gets less press and gets less attention is the operational dependence. And you invest on that axis to insure yourself against that operational dependence because as much value as we get on the one axis out of IT, it also you know, causes companies to become operationally dependent on IT; this is one of the points McFarlan made way back then, companies don't tend to become strategically reliant on IT without also becoming operationally reliant on them.

And so, so, you know, on the one hand, the two reasons, as I said to my MBA students, there's two reasons to spend money on IT. One is to achieve some kind of strategic advantage, some business advantage that we can all relate to. But the other is to avoid some sort of operational threat, to insure against it, to remediate it, or to reduce its severity, when it happens. And those are equally legitimate reasons to spend money on technology. The second one, it has the problem you described, though, right? I mean, the way another way, I used to say it, in my CIO Executive Program at Harvard is, you know, the dilemma of IT security is that if you do everything that you're supposed to do, and as a result, your company does well, and is not, you know, does not suffer IT security events, the result is, nothing happens, right? And it's hard to get credit for nothing happens.

 

 


Dr. Dave Chatterjee:

You know, I think we think very alike, because that's one of the things I emphasize, or I highlight in my talks, I approach it a little differently. But the same thing, I say, you know, the job of a CISO can be considered a thankless job in many ways. Because you don't hear much about the effectiveness of the CISO function, as long as things are going well. But when things go in the wrong direction, then some of the first heads to roll come from that unit. And I don't think that's a fair, or that's a substantive, substantive approach, it's more of a symbolic approach to react, we are reacting, we are reacting promptly, we mean business. But there could be much more to the reason why the organization was compromised, and it could go beyond individuals, it could be somewhere down deep down in the processes and other areas. So it's really important to take a holistic approach.

You talked about spending in technology, similarly spending in cyber, and you might you will agree that it's not just about spending a certain amount of money or spent spending in comparison to the industry average, it's about how and where you're spending, what's the thinking behind it. And that's, that's precisely why cybersecurity strategy formulation, cybersecurity strategic investments require senior-level involvement, cross-functional involvement, it's not something that you should let you should outsource, let a group of people deal with it. And like you said earlier, that you just don't want to think about it. It's something that comes in the way of your organizational goals, and you'd rather have somebody else you just have to accept the reality and face it. I think that's probably the best approach under the circumstances. Sorry. Yeah, sorry. No, I

 

 


Rob Austin:

just agree. Yeah.

 

 


Dr. Dave Chatterjee:

Yeah, it's, it's, it's, it's, it's a it's one of those ongoing challenges, ongoing battles, that's gonna continuously keep organizations for lack of a better word, distracted, but that's where they have to find a balance where they keep the war or the fight against cybersecurity going while they continue their, their operations as effectively as possible. You were saying something, I didn't mean to interrupt.

 

 


Rob Austin:

No, no. I just, I, when you were talking about how there are there are differences, right, between companies. It's not a matter of how much you spend as a percentage of your sales or profits or whatever. One of the things that reminds me is Erik Brynjolfsson at MIT who, whose work, I'm sure, you know, he's done a lot of work showing that IT does actually create value that adds productivity and other forms of value to the company. And there's a graph that he did a study where they, they kind of normalized for the size of the company, how much companies were spending on IT, and then they plotted it against productivity increases, and you do get an upward-sloping line. But the data of course, if you plot the data as a scatter graph, on the against the two axes, it's of course, not a perfect line, it's more like a football, right? It's like an upwardly sloping football.

And one of the things that has always been important in the way to seemed important to me, is if you draw a straight line vertically through that football, there are some people who are well above the average line, and some people who are well below the average line, in terms of the value they're extracting, but they're both spending the same amount of money, you know, normalized for size of company. So, so, you know, for any amount of money you spend, there's you might spend, there are some companies that are putting it together into an in a very effective way. And there are other companies that are underperforming, given the amount that they're spending. So it kind of goes to the point of what you were just saying, it matters how, right, doesn't matter how much you're spending, if you're not also thinking about how you're spending it.

 

 


Dr. Dave Chatterjee:

You know, recently I was speaking with a legal expert. And she made a very telling point, she said, Dave, when cybersecurity breaches go to a court of law, and the judge or the jury are evaluating whether an organization had done their due diligence, had made the necessary investments, they take into consideration the organization size, and the expectations are very reasonable. So there is no expectation that a company that is, say, half the size of GE or has half the resources of GE should have the same level of investments in cybersecurity as GE. I'm just using a hypothetical example here. And that's kind of the way to approach it as a very realistic, very practical approach as to who we are, what's our context? What can we afford? And, most importantly, how well are we doing these things? Whether it's training, whether it's simulation, whether it's enhancing awareness, you know, there is a method to all of this, you mentioned a couple of frameworks, there are lots of guidance out there. One thing is to have the guidance, the other thing is to follow them well, assess the effectiveness of the implementation, make adjustments, and it's a continuous process. And that's where I think the difference lies with companies who are more likely to be resilient and recover a lot faster than others. So that's kind of the way I see it.

 

 


Rob Austin:

Yeah. Well, and as you said, before receipt, we see things a lot the same way.

 

 


Dr. Dave Chatterjee:

So moving along, Rob, from the stand up, do you have any thoughts on shared ownership and responsibility, you, you mentioned about this vendor helping out a company that almost went underground, and was able to get their operations started up again, because they had a copy of their instance of their technology instance. In that spirit, and especially in a highly networked economy, you talked about network effects, platform economics, you'll agree that in today's day and age, it's not Company A competing against Company B, it's the network of Company A versus the network of Company B. So in that kind of a highly networked, distributed kind of an environment, what structures or mechanisms could be in place so that business leaders, technology leaders, security leaders, work together, they're incentivized to work together as opposed to taking the approach that it is your problem, not mine?

 

 


Rob Austin:

Yeah, I, I don't again, I don't really think I have the silver bullet for this. But I do think one of the things that can help with this is what I might call an ecosystem mindset. And, you know, I'm encouraged a bit, because people are talking a lot more about ecosystems, it seems to me these days business ecosystems, and, you know, the idea that our ability to do well with business models and with a lot of other things are interdependent, right. One of the one of the things that reminds me of is Marco Iansiti, who is a professor at Harvard Business School, wrote a book, I couldn't, I can't tell you, off the top of my head, the name or the year. But it was about it was about this before everybody was talking about ecosystems. And it was comparing a lot of business systems to biological systems. And one of the points that I remember coming out, or, you know, leaping out at me about that, is that we don't see biological ecosystems flourish, when one party within the ecosystem, you know, succeeds at the expense of the others, right, that the, if a, if a powerful member of an ecosystem succeeds in gaining most of the advantage that's available in the ecosystem, then the ecosystem becomes unhealthy.

Instead, so this attitude that, you know, to do well, ourselves, we must all do well, is, I think, a general principle that is worth thinking about in our, you know, kind of increasingly interconnected world, that seems to be one of the themes of recent events. And I'm talking now about things like the pandemic, is that we're all more connected than we thought we were. And so there are these, you know, these social collective social good problems where, you know, we used to be able to assume that we could just pursue our own interests, and everything would be fine. But now we discover that our interests interact with other people's interests. And I think that's true in business ecosystems as well. But it is it is definitely true in cybersecurity, right. I mean, I think you'll, you'll have probably a lot of experience with this. But if you've got really great cyber defenses, but one of your business partners has really bad cyber defenses, that's an entry point into your company as well, right, that's a that's a risk factor for your company.

 

 


Dr. Dave Chatterjee:

Well, that's spot on, I mean, I think this pandemic has shown us clearly how connected we are, whether we like it or don't like it globally. Cybersecurity is also showing us the same reality, and to your point, we can still compete. But we need to leverage each other's competencies to deal with problems of this magnitude, that could consume us all, for lack of a better word. You know, it reminds me of an initiative that Cisco runs, and I'm sure many other companies do as well. If I remember correctly, it's called the CHILL initiative, HyperInnovation Living Lab, Cisco's HyperInnovation Living Lab. And the whole idea is to bring together some of the best minds from competing companies to a location for a week, let's say, and have them brainstorm ideas about pressing issues. But the important thing is, at the end of the week, at the end of the retreat, they have to come up with something that is, you know, that is converted to a product that is marketable. So in other words, come up with a solution, which is supported by that by that team of representatives from different companies. So it's like creating a collaborative solution to deal with a larger problem than what they could handle by themselves. And I think that kind of a collaborative partnership mindset has to prevail, if we want to succeed against these kinds of problems, which is kind of you know, which is engulfing everybody, every possible network, every possible node. So that's, that's, that's so spot on.

 

 


Rob Austin:

Yeah, no, I agree. You know, the way I like to think about it sometimes and the way I, I put it to people sometimes is it's better to, going forward, as you move into the future, it's better to have a smaller portion of an expanding pie than to have an expanding portion of a shrinking pie. And I think if we don't watch out, if we continue to behave in many of the ways that have worked well for us in the past, you know, these very independent ways, then we're in the future going to find ourselves, yeah, we're gonna have a bigger, bigger portion of that pie, but the pie is going to be shrinking. And so as you know, I think we need to adopt different mindsets.

I worked in the auto industry for a long time. And one of the things the auto industry's not so good at in my view is, and I discovered this in one of my jobs there, I had a job there where I had to interact a lot with our suppliers. And I discovered, we weren't very popular with them. Because we were much bigger. And we were, you know, we were pounding the pounding the crap out of them, right. I mean, anytime they figured out a new way to get some more margin, we took the biggest part of it from them. And so I think that kind of that kind of, you know, behavior is not going to be healthy for ecosystems. And I mean, we're getting a bit far afield of cybersecurity here, but, but I think the principles are the same.

 

 


Dr. Dave Chatterjee:

Absolutely, the principles are very much the same. The, you know, as you may have seen in my book on cybersecurity readiness, the commitment, preparedness and discipline framework that I came up with, that identifies 17 cybersecurity success factors, when I look at these factors, at a very high level, we are talking about people, process and technology issues. When you take a deeper dive, then you get more specific about what these factors entail, and how you address them. But at a higher level, it's still, for lack of a better word, a game of finding the right set, the right balance between the people element, the process element and the technology element, and how we find the balance, and how we sustain it, that's what's gonna make the difference. It is one thing to come up with a solution and implement it, it is another thing to be able to sustain it.

And that's why I am big on creating and sustaining a high-performance information security culture, because unless you create that kind of an environment, you kind of etch it in the DNA of the organization, you're unlikely to sustain the good work that got started, because of say, X, Y, and Z, who may have moved on, the good work has to go on. So how are you going to embed that fabric of the blueprint of robust cybersecurity practices? How do you do that, and that's where you have to work on the cultural aspects. And these are tough challenges. So they often get ignored. And we try to get away by focusing on, you know, specific controls, and making sure those controls are in place, especially the technical ones. And I'm all for controls, but do recognize that controls are also on the people side of things, on the governance side of things. So the human factor plays a huge role.

Just a little while ago, I was talking with a human factors expert from NATO. She advises NATO on how to manage the human involvement in cybersecurity strategies. And she made a very interesting point, she says, Dave, just imagine somebody holding a key position in cybersecurity, but has gets intimidated. And so it's like the example you shared about this belligerent CEO. So the cybersecurity guy had to deal with a boss who was kind of overly dominating. And as a result, even when they were receiving good intelligence that should have been passed on to the right channels, they were scared of the repercussions and went silent on some of these alerts, that could hurt the company. As an, I'm not going to take the name of some of these companies, but that's precisely what has happened with some of the major breaches. I'm not saying it has happened because of the human personality trait, but it is because someone dropped the ball even after receiving the intelligence. So, so yeah, that's kind of, any, yeah, please.

 

 


Rob Austin:

Let me just say that, again, we're agreeing, but, you know, one of my jobs somewhat early in my career was I was in an automaker. And I was managing a group of really talented software developers that were responsible for a lot of the systems that were inside the assembly plant. So these are the production-critical systems. And, you know, this is back to your point about controls, right. So that, yeah, we had controls in place, but you know, and we'd have people come around from time to time at regular intervals, who were certifying that the controls were in place. But you know, the guys who, who worked for me at the time, they that we would sit around at lunch, sometimes and chuckle, right. So like, if every single one of them with their knowledge of the production-critical systems used to talk about if we put together a list of the 20 top ways to take down an assembly plant, none of those would be would be, you know, would be addressed by any of the controls that the auditors were basically spending a lot of time thinking about, which is not to say those aren't important, too.

But I guess, I guess what I'm saying, and I think I'm agreeing with something you said a few minutes ago, which is the people side is super important. And this isn't just the people side is important because there's weaknesses there, you need the very resourceful people like the ones that I'm talking about, who knew everything about the, you know, the code and the software that was running this company's assembly plants. And you needed those guys, because just doing a formal analysis of controls and what controls were in place, left huge gaping holes without the deep knowledge of these talented individuals who were, you know, really close to the systems, what they could do and where they might get in trouble. So yeah, I couldn't agree more that it's not just, it's not just a technical problem, right.

 

 


Dr. Dave Chatterjee:

Well, Rob, I think we can end on that note. Once again, thank you very much for your time. It's truly a pleasure to have you come on board and share your wisdom with me and my listeners. It's been a pleasure.

 

 


Rob Austin:

Yeah, I've enjoyed it a lot, too. So thank you for inviting me. Best, best to you and going forward.

 

 


Dr. Dave Chatterjee:

Thank you very much,

 

 


Rob Austin:

and your listeners. Yeah.

 

 


Dr. Dave Chatterjee:

A special thanks to Professor Robert Austin for his time and insights. If you liked what you heard, please leave the podcast a rating and share it with your network. Also subscribe to the show, so you don't miss any new episodes. Thank you for listening, and I'll see you in the next episode.

 

 


Introducer:

The information contained in this podcast is for general guidance only. The discussants assume no responsibility or liability for any errors or omissions in the content of this podcast. The information contained in this podcast is provided on an as-is basis with no guarantee of completeness, accuracy, usefulness, or timeliness. The opinions and recommendations expressed in this podcast are those of the discussants and not of any organization.