Welcome to the Cybersecurity Readiness Podcast Site
Dec. 8, 2021

Enhancing Organizational Readiness by Simulating Cyber Attacks

Robert Austin, Professor, Ivey Business School, discusses the value of cyber-attack simulation by drawing upon the learning tool (IT Management Simulation: Cyber Attack!, Harvard Business School Publishing) that he has developed. Using powerful metaphors such as "it's better to have a smaller portion of an expanding pie than to have an expanding portion of a shrinking pie," Rob highlights the need for an unselfish and collaborative approach (among competitors) to dealing with cyber threats. He also emphasizes the importance of top management engagement, judicious technology spending to reduce operational dependencies and threats, and leveraging the power of the human resource.

Apple Podcasts podcast player icon Spotify podcast player icon RSS Feed podcast player icon Amazon Music podcast player icon Audible podcast player icon
Apple Podcasts podcast player icon Spotify podcast player icon RSS Feed podcast player icon Amazon Music podcast player icon Audible podcast player icon

Robert Austin, Professor, Ivey Business School, discusses the value of cyber-attack simulation by drawing upon the learning tool (IT Management Simulation: Cyber Attack!, Harvard Business School Publishing) that he has developed. Using powerful metaphors such as "it's better to have a smaller portion of an expanding pie than to have an expanding portion of a shrinking pie," Rob highlights the need for an unselfish and collaborative approach (among competitors) to dealing with cyber threats. He also emphasizes the importance of top management engagement, judicious technology spending to reduce operational dependencies and threats, and leveraging the power of the human resource.

 

Time Stamps

00:45

I'd like you to talk to our listeners about the cyber attack simulation that you have authored. And this engaging simulation is available from the Harvard Business Publishing website.

05:15

As I reflect on this simulation tool that you have available for executives and students, it does offer an opportunity to assess organizational readiness from a cybersecurity standpoint. What else does it accomplish based on your experience of using it out there?

08:02

How would you compare this particular simulation exercise with the tabletop exercises that organizations are known to conduct?

10:25

I wanted to mention to my listeners that Professor Austin was one of the authors of a case called iPremier, and to the best of my knowledge, it's one of the few graphically written cases where essentially you're seeing a whole bunch of cartoons that describe the scenario, and then walk you through the next steps as you use the case. And you can use that case for simulation as well. Rob, if I remember correctly, that case was authored as early as 2002, or 2003. Give the listeners a bit of a background of the iPremier case.

13:41

As you look at the big picture, as you reflect on how things are evolving over a period of time, what has changed, what are your concerns? What is your assessment of where things are going? What can we do better?

21:34

What are you seeing in terms of best practices of actively engaging top management in cybersecurity planning, execution, monitoring? Anything that stands out?

38:38

What structures or mechanisms should be in place so that business leaders, technology leaders, security leaders, work together, they're incentivized to work together as opposed to taking the approach, it's your problem, not mine?

 

Memorable Rob Austin Quotes

"It's one thing to plan, it's another thing to be able to actually walk the talk. And that's one of the things the simulation shows us."

"You learn something from a simulation, but you learn even more from discussing the experience that you had in the simulation."

"It's unlikely you're going to be able to execute everything exactly according to plan."

"We're working very hard to add nodes to the network, but often every node is a potential attack point, as well."

"The dilemma of IT security is that if you do everything that you're supposed to do, and as a result, your company does well, and does not suffer IT security events, the result is, nothing happens. And, it's hard to get credit for nothing happens."

"We used to be able to assume that we could just pursue our own interests, and everything would be fine. But now we discover that our interests interact with other people's interests. And I think that's true in business ecosystems as well. But it is definitely true in cybersecurity. If you've got really great cyber defenses, but one of your business partners has really bad cyber defenses, that's an entry point into your company as well. That's a risk factor for your company."

"It's better to have a smaller portion of an expanding pie than to have an expanding portion of a shrinking pie."

 

Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338