Welcome to the Cybersecurity Readiness Podcast Site
Feb. 1, 2023

From Law Enforcement Officer to Chief Information Security Officer

In this episode, Brian Penders, Chief Information Security Officer, at the University of North Carolina Chapel Hill Medical School, shares his exciting but challenging journey from working as an engineering lab technician in the US nuclear submarine to being a law enforcement officer with the Vermont State Police and then gravitating to his current role of Chief Information Security Officer at a major academic institution. He sheds light on the principles driving the high-reliability organizational culture in the US Nuclear Navy Propulsion Program and how those experiences influenced and shaped his growth as a cybersecurity leader.

To access and download the entire podcast summary with discussion highlights --

https://www.dchatte.com/episode-44-from-law-enforcement-officer-to-chief-information-security-officer/

In this episode, Brian Penders, Chief Information Security Officer, at the University of North Carolina Chapel Hill Medical School, shares his exciting but challenging journey from working as an engineering lab technician in the US nuclear submarine to being a law enforcement officer with the Vermont State Police and then gravitating to his current role of Chief Information Security Officer at a major academic institution. He sheds light on the principles driving the high-reliability organizational culture in the US Nuclear Navy Propulsion Program and how those experiences influenced and shaped his growth as a cybersecurity leader.

To access and download the entire podcast summary with discussion highlights --

https://www.dchatte.com/episode-44-from-law-enforcement-officer-to-chief-information-security-officer/

 

Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712

Latest Publication: https://www.imd.org/ibyimd/magazine/preventing-security-breaches-must-start-at-the-top/

Transcript

Introducer:

Welcome to the Cybersecurity Readiness Podcast

 

 


Introducer:

Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of

 

 


Introducer:

the book Cybersecurity Readiness: A Holistic and

 

 


Introducer:

High-Performance Approach, a SAGE publication. He has been

 

 


Introducer:

studying cybersecurity for over a decade, authored and edited

 

 


Introducer:

scholarly papers, delivered talks, conducted webinars and

 

 


Introducer:

workshops, consulted with companies, and served on a

 

 


Introducer:

cybersecurity SWAT team with Chief Information Security

 

 


Introducer:

officers. Dr. Chatterjee is Associate Professor of

 

 


Introducer:

Management Information Systems at the Terry College of

 

 


Introducer:

Business, the University of Georgia. As a Duke University

 

 


Introducer:

Visiting Scholar, Dr. Chatterjee has taught in the Master of

 

 


Introducer:

Engineering in Cybersecurity program at the Pratt School of

 

 


Introducer:

Engineering.

 

 


Dr. Dave Chatterjee:

Hello, everyone, I'm delighted to

 

 


Dr. Dave Chatterjee:

welcome you to this episode of the Cybersecurity Readiness

 

 


Dr. Dave Chatterjee:

Podcast series. Today, I have as my guest, Brian Penders, Chief

 

 


Dr. Dave Chatterjee:

Information Security Officer of the School of Medicine at the

 

 


Dr. Dave Chatterjee:

University of North Carolina, Chapel Hill. I had the pleasure

 

 


Dr. Dave Chatterjee:

of meeting Brian at a cybersecurity conference hosted

 

 


Dr. Dave Chatterjee:

by UNC's World View program. And I really enjoyed his

 

 


Dr. Dave Chatterjee:

presentation. So I felt that all of you would enjoy hearing what

 

 


Dr. Dave Chatterjee:

Brian has to share by way of his experiences and perspectives in

 

 


Dr. Dave Chatterjee:

cybersecurity. While I was learning about Brian, the

 

 


Dr. Dave Chatterjee:

professional, I was super intrigued by his background, he

 

 


Dr. Dave Chatterjee:

has a very interesting journey that began in law enforcement.

 

 


Dr. Dave Chatterjee:

In fact, it began in the US Nuclear Navy. And today, he is a

 

 


Dr. Dave Chatterjee:

senior information security governance officer, a leader.

 

 


Dr. Dave Chatterjee:

It's a fascinating story, a story that he needs to share

 

 


Dr. Dave Chatterjee:

himself, not me on his behalf. But bottom line, it's a great

 

 


Dr. Dave Chatterjee:

honor and a privilege to have Brian on the show today. Brian,

 

 


Dr. Dave Chatterjee:

welcome!

 

 


Brian Penders:

Thank you, Dave. It's great to be here. I really

 

 


Brian Penders:

appreciate the invite. And yes, it was. It was great meeting you

 

 


Brian Penders:

at the conference and having lunch and getting to know each

 

 


Brian Penders:

other.

 

 


Dr. Dave Chatterjee:

It really was. So Brian, as I just

 

 


Dr. Dave Chatterjee:

mentioned in my intro, you have a very interesting professional

 

 


Dr. Dave Chatterjee:

background, you worked as a lab technician in the US Navy

 

 


Dr. Dave Chatterjee:

Nuclear Submarine for six years, then you were a law enforcement

 

 


Dr. Dave Chatterjee:

officer for 15 years before transitioning to incident

 

 


Dr. Dave Chatterjee:

response and digital forensics. And now you are the chief

 

 


Dr. Dave Chatterjee:

information security officer at UNC School of Medicine. Wow,

 

 


Dr. Dave Chatterjee:

what a journey! Take us behind the scenes and share with us

 

 


Dr. Dave Chatterjee:

some highlights. What were the drivers? What were the

 

 


Dr. Dave Chatterjee:

motivators? What can listeners take away from your experience?

 

 


Brian Penders:

Yes, happy to do so. I know, you know many people

 

 


Brian Penders:

in the cybersecurity field as I do, I've been amazed at the

 

 


Brian Penders:

different backgrounds of these professionals, particularly

 

 


Brian Penders:

security leaders, I'm not sure if it's true in other fields,

 

 


Brian Penders:

but vast differences, no two are the same. And I love reading

 

 


Brian Penders:

about about background of these folks. And mine was like many

 

 


Brian Penders:

people in this field, I didn't think about getting into

 

 


Brian Penders:

cybersecurity way back. It was something where I wanted to I

 

 


Brian Penders:

when I was in college, I took liberal arts and humanities

 

 


Brian Penders:

courses. And I was interested in science, but I more read about

 

 


Brian Penders:

science on my own. I you know, didn't really do well in science

 

 


Brian Penders:

courses in universities, because it seemed a bit more a bit

 

 


Brian Penders:

abstract to me. And so after college, my father and my few

 

 


Brian Penders:

uncles were veterans, so that influence may. And so I went

 

 


Brian Penders:

into this program, I did some research, and I wanted to do

 

 


Brian Penders:

some traveling and really get into something that was

 

 


Brian Penders:

challenging academically and to serve served my country. And so

 

 


Brian Penders:

I looked into this program and went into the six year tour for

 

 


Brian Penders:

this naval nuclear propulsion. The first two years is in

 

 


Brian Penders:

schools, engineering schools, very challenging curriculums and

 

 


Brian Penders:

then went to my duty station, which was a fast attack

 

 


Brian Penders:

submarine out of Pearl Harbor. Hawaii. Wow. Very difficult

 

 


Brian Penders:

duty. Yeah, a gorgeous place to live no doubt but very difficult

 

 


Brian Penders:

duty, was at sea quite a bit. And the work life balance was

 

 


Brian Penders:

tough. That's why I can't really recommend this path, I should

 

 


Brian Penders:

say because some of these positions were very tough on on

 

 


Brian Penders:

the home life, as you can understand. So after the

 

 


Brian Penders:

military, I had an interest in law enforcement and you know,

 

 


Brian Penders:

people were scratching their heads. Why didn't you use this

 

 


Brian Penders:

training? Why didn't you get into civilian nuclear power. And

 

 


Brian Penders:

you know, I didn't really have an interest. And for me, and we

 

 


Brian Penders:

will talk about this a bit more later, for me, it was about the

 

 


Brian Penders:

Navy taught me how to learn. And that was more valuable to me at

 

 


Brian Penders:

the time than anything I learned about nuclear engineering. And

 

 


Brian Penders:

so that's really threaded through a lot of this journey.

 

 


Brian Penders:

And so I went and applied for and got a position with the

 

 


Brian Penders:

Vermont State Police after that, and like, like most like every

 

 


Brian Penders:

other person, you do patrol work for several years. And then I

 

 


Brian Penders:

did some executive protection with the governor's security

 

 


Brian Penders:

unit. And then I started to get the itch for technology and

 

 


Brian Penders:

something a little more intense and some training. And at first,

 

 


Brian Penders:

I looked at a polygraph examiner position, because that had

 

 


Brian Penders:

significant training, and was pretty complex and difficult job

 

 


Brian Penders:

that didn't work out. And then a Computer Crimes Unit position

 

 


Brian Penders:

opened up a very small unit. And keep in mind, this is in 2007,

 

 


Brian Penders:

which is when the iPhone came out. So this is when everybody

 

 


Brian Penders:

had computers at home. Everybody's got cell phones with

 

 


Brian Penders:

them. And as you can imagine, every crime just about had a had

 

 


Brian Penders:

a digital component to it. Huge demand for for expertise in this

 

 


Brian Penders:

area. So I was fortunate. And you and I talked about this

 

 


Brian Penders:

school last time we spoke to be able to go to this amazing

 

 


Brian Penders:

facility down in Hoover, Alabama, that's called the

 

 


Brian Penders:

National Computer forensics Institute, NCFI. It's literally

 

 


Brian Penders:

for state and local law enforcement to learn digital

 

 


Brian Penders:

forensics and prosecutors. It's run by the Department of

 

 


Brian Penders:

Homeland Security. The first course I was there for a total

 

 


Brian Penders:

of 11 weeks. The first course is five weeks where you learn from

 

 


Brian Penders:

the ground up about how computers work, how networks

 

 


Brian Penders:

operate, and then you get into forensic software and doing

 

 


Brian Penders:

forensic exams and writing reports. And then the great

 

 


Brian Penders:

thing about it is you go back to your department, with the

 

 


Brian Penders:

equipment and the software to get going from day one. And so

 

 


Brian Penders:

anyway, those first few years were were I can't say enough

 

 


Brian Penders:

about how steep learning curve was. And my biggest takeaway

 

 


Brian Penders:

from this position that I brought to North Carolina was

 

 


Brian Penders:

there's nothing more terrifying preparing for a trial where the

 

 


Brian Penders:

stakes are high. These are many of our victims were children,

 

 


Brian Penders:

heinous crimes, you need to get this right. And so it was a lot

 

 


Brian Penders:

of, you know, checking and double checking in reaching out

 

 


Brian Penders:

to anybody I could. To make sure I got this right, I needed to be

 

 


Brian Penders:

able to present data to an older jury, because I think keeping my

 

 


Brian Penders:

Vermont as an older state juries are older, a lot of them were

 

 


Brian Penders:

not familiar with technology, and then also be technical

 

 


Brian Penders:

enough so that the defense examiner, the defense attorney,

 

 


Brian Penders:

who also has a defense forensic examiner, you can survive that

 

 


Brian Penders:

cross examination. So it was really a way to not only learn

 

 


Brian Penders:

the material, but how do I document it? How do I present

 

 


Brian Penders:

this to different audiences. That was a really great takeaway

 

 


Brian Penders:

from me, when I moved on from Vermont to down here in North

 

 


Brian Penders:

Carolina, we had, we had wanted to move south for a couple of

 

 


Brian Penders:

years. And I wanted to stay in the field. But I didn't put the

 

 


Brian Penders:

work cases were pretty heavy and stressful. And so my wife had

 

 


Brian Penders:

always worked in higher education. So I had an interest

 

 


Brian Penders:

in trying to work at a university and this worked out

 

 


Brian Penders:

at Chapel Hill, like you said, I came down into a digital

 

 


Brian Penders:

forensics incident response team lead role, and I really found a

 

 


Brian Penders:

home here and it, there's, you know, I was, you know, one

 

 


Brian Penders:

flight of stairs away from experts in storage, and servers

 

 


Brian Penders:

and emails, Splunk pretty much everything. And incident

 

 


Brian Penders:

response is a really great way to learn and environment and

 

 


Brian Penders:

build partnerships across an organization. And then after

 

 


Brian Penders:

five years there, this position opened up in School of Medicine,

 

 


Brian Penders:

where I could do security more across across the board. And

 

 


Brian Penders:

it's been great. I've been here almost four years. So that's

 

 


Brian Penders:

kind of the journey in a nutshell.

 

 


Dr. Dave Chatterjee:

Fascinating. Thank you for your service. I

 

 


Dr. Dave Chatterjee:

have many former students who have been in the nuclear navy

 

 


Dr. Dave Chatterjee:

vessels, and I've heard a lot of stories. So hats off to you

 

 


Dr. Dave Chatterjee:

guys. I believe the training, the expectations are quite

 

 


Dr. Dave Chatterjee:

steep. And it really gets everything out of you. So So

 

 


Dr. Dave Chatterjee:

yes, you know, we all have our journeys. They're almost meant

 

 


Dr. Dave Chatterjee:

to be and we learn. So this is fabulous that I'm able to talk

 

 


Dr. Dave Chatterjee:

to you. The US Nuclear Navy Propulsion Program, which

 

 


Dr. Dave Chatterjee:

Admiral Hyman Rickover launched, he's considered the founding

 

 


Dr. Dave Chatterjee:

father. There was an article written about the culture that

 

 


Dr. Dave Chatterjee:

he established, which enabled the program to avoid

 

 


Dr. Dave Chatterjee:

catastrophic losses for a long period of time. And this culture

 

 


Dr. Dave Chatterjee:

that Admiral Rickover established is characterized by

 

 


Dr. Dave Chatterjee:

five or six principles. such as integrity, depth of knowledge,

 

 


Dr. Dave Chatterjee:

procedural compliance, forceful backup, questioning attitude,

 

 


Dr. Dave Chatterjee:

and formality in communications. So when I was reading this

 

 


Dr. Dave Chatterjee:

article about the culture that he had established, and I was

 

 


Dr. Dave Chatterjee:

learning about these principles, it dawned on me that why don't

 

 


Dr. Dave Chatterjee:

we apply those principles in the private sector in the context of

 

 


Dr. Dave Chatterjee:

cybersecurity governance, and try to execute them as best as

 

 


Dr. Dave Chatterjee:

we can, as they did, or as they do in the nuclear Navy world.

 

 


Dr. Dave Chatterjee:

And we in the private sector will do a lot better. So that

 

 


Dr. Dave Chatterjee:

was almost the start of my journey into cybersecurity

 

 


Dr. Dave Chatterjee:

research. And in fact that that framework helped me develop my

 

 


Dr. Dave Chatterjee:

cybersecurity, holistic governance framework, which is

 

 


Dr. Dave Chatterjee:

in my book. So I'm so glad that you are here, Brian, to talk to

 

 


Dr. Dave Chatterjee:

us about your variety of experiences. But let me first

 

 


Dr. Dave Chatterjee:

focus on that high-reliability, organizational culture that was

 

 


Dr. Dave Chatterjee:

established in the US nuclear Navy, and you have lived in that

 

 


Dr. Dave Chatterjee:

culture. Share a bit about what it is like and what could be

 

 


Dr. Dave Chatterjee:

some takeaways that are relatable or applicable in the

 

 


Dr. Dave Chatterjee:

world of cybersecurity governance?

 

 


Brian Penders:

Yes, I'll be honest, I had not really thought

 

 


Brian Penders:

about tying these principles to my current role until we spoke

 

 


Brian Penders:

about this. And you're right, these. First of all, it's

 

 


Brian Penders:

probably the least talked about success story. As you know,

 

 


Brian Penders:

this, the Nuclear Propulsion Program that was that began with

 

 


Brian Penders:

Admiral Rickover. And we're talking about this is now 40

 

 


Brian Penders:

years after he retired, and this program is still going strong,

 

 


Brian Penders:

as you said, accident free. It's really incredible. But you're

 

 


Brian Penders:

right, these principles could probably apply to many

 

 


Brian Penders:

industries, but they certainly can for this field. And I would

 

 


Brian Penders:

like to touch on a couple things that were a part of Admiral

 

 


Brian Penders:

Rickover principles and, and that I saw in my experience

 

 


Brian Penders:

there that I've that have stayed with me. One of them is depth of

 

 


Brian Penders:

knowledge. That is one thing that I mentioned, the Navy

 

 


Brian Penders:

taught me how to learn the way that Admiral Rickover thought

 

 


Brian Penders:

through individuals gaining technical knowledge was really

 

 


Brian Penders:

amazing it was it was based on if you could not draw and

 

 


Brian Penders:

explain something to a group of experts sufficiently, then you

 

 


Brian Penders:

are not going to move forward. And this is everything from the

 

 


Brian Penders:

micro to the macro, this is this could be drawn explain a

 

 


Brian Penders:

particular valve and up to a system, and then how systems

 

 


Brian Penders:

work together or an evolution like an engine room startup,

 

 


Brian Penders:

talk us through that. And that stays the same not just in the

 

 


Brian Penders:

two years of school. But when you get to your duty station,

 

 


Brian Penders:

you really are just beginning your training, it doesn't end

 

 


Brian Penders:

fact, I think I thought through all of the oral boards that I

 

 


Brian Penders:

went through before I was fully qualified as a essentially a

 

 


Brian Penders:

junior person in the engineering department and it was around 10.

 

 


Brian Penders:

Those are formal ones. That is something that I think he

 

 


Brian Penders:

doesn't want, he wanted you to move away from memorization to

 

 


Brian Penders:

understand, once you understand there was no need to memorize.

 

 


Brian Penders:

But that was a big one. And the other was his focus generally

 

 


Brian Penders:

just on people, I think he was the first military person to

 

 


Brian Penders:

this is post-WW II. So he's trying to move away from the

 

 


Brian Penders:

brawny warrior type to the thoughtful engineer type. I

 

 


Brian Penders:

don't think anyone had done that before. And how rank actually

 

 


Brian Penders:

took a backseat to knowledge. Many people may not know this,

 

 


Brian Penders:

when you stand a watch on a submarine, you may outrank

 

 


Brian Penders:

administratively people on that watch, and it seemed to work.

 

 


Brian Penders:

When you got off watch you were back in your administrative

 

 


Brian Penders:

rank. You didn't have as many privileges as that person but on

 

 


Brian Penders:

watch if, if you proved your superior knowledge and qualify

 

 


Brian Penders:

that watch station, you were over them operationally. So that

 

 


Brian Penders:

was that's fascinating. And then, lastly, another thing he

 

 


Brian Penders:

talked about was a preoccupation with failure, thinking about

 

 


Brian Penders:

failure, and this is where in cybersecurity, you get to this

 

 


Brian Penders:

idea of assume breach, and really zero-Trust is based on

 

 


Brian Penders:

having a failure already. So and then, you know, he stressed

 

 


Brian Penders:

people before the idea of people, process, and technology,

 

 


Brian Penders:

which we know today is very important in that order. And he

 

 


Brian Penders:

really stressed that early on.

 

 


Dr. Dave Chatterjee:

Sure, sure. I'd like to share something that

 

 


Dr. Dave Chatterjee:

was shared by one of my former students, and he said Dr.

 

 


Dr. Dave Chatterjee:

Chatterjee in the nuclear Navy vessel when we were given a

 

 


Dr. Dave Chatterjee:

command to do something we were required to repeat the command

 

 


Dr. Dave Chatterjee:

verbatim, before we executed. And he said, it kind of felt

 

 


Dr. Dave Chatterjee:

really awkward. We felt like we are really dumb people, as if we

 

 


Dr. Dave Chatterjee:

don't follow, but you realized how much importance and emphasis

 

 


Dr. Dave Chatterjee:

was given to communication accuracy, communication

 

 


Dr. Dave Chatterjee:

integrity, and that stayed with me as well. When you talk about

 

 


Dr. Dave Chatterjee:

cybersecurity governance, and you know it better than anybody

 

 


Dr. Dave Chatterjee:

else, because you do it for a living, a lot of it is

 

 


Dr. Dave Chatterjee:

communication, but effective communication. And one of the

 

 


Dr. Dave Chatterjee:

hallmarks of effective communication is when if you are

 

 


Dr. Dave Chatterjee:

communicating something, there has to be a mechanism whereby

 

 


Dr. Dave Chatterjee:

you know, that your communication is being received

 

 


Dr. Dave Chatterjee:

appropriately. And how do you do that? So that was one way of

 

 


Dr. Dave Chatterjee:

doing it is just tell me what I told you. And now that you've

 

 


Dr. Dave Chatterjee:

told me what I've told you, and I believe you get it, now go

 

 


Dr. Dave Chatterjee:

ahead and execute it. I think that's fabulous.

 

 


Brian Penders:

I agree. 100%, it takes out of the equation, one

 

 


Brian Penders:

error that could be costly, for sure. Yeah,

 

 


Dr. Dave Chatterjee:

exactly. Let's switch gears a little bit,

 

 


Dr. Dave Chatterjee:

you are managing the security environment in a medical school

 

 


Dr. Dave Chatterjee:

at a large institution, a very reputed medical school. That's

 

 


Dr. Dave Chatterjee:

quite the responsibility. I've had CISOs on my podcast, who've

 

 


Dr. Dave Chatterjee:

talked about the various challenges that academic

 

 


Dr. Dave Chatterjee:

institutions face, and they have shared solutions, best

 

 


Dr. Dave Chatterjee:

practices. There are many units within an academic institution,

 

 


Dr. Dave Chatterjee:

and you focus on a particular unit, the medical school, are

 

 


Dr. Dave Chatterjee:

there any unique challenges that medical school faces compared to

 

 


Dr. Dave Chatterjee:

the other units? And if so, how do you go about dealing with

 

 


Dr. Dave Chatterjee:

them?

 

 


Brian Penders:

Yes, there are. And there's a couple I'd like to

 

 


Brian Penders:

talk about. One is really true for all Health Affairs schools.

 

 


Brian Penders:

And it's something that a lot of people don't think about. And it

 

 


Brian Penders:

has to do with something simple that there are high earners in

 

 


Brian Penders:

Health Affairs. And what this means is, we're targeted for a

 

 


Brian Penders:

lot of these, what I'll call money grab type scams and

 

 


Brian Penders:

attacks. So specifically, years ago, there was a phishing

 

 


Brian Penders:

campaign around stealing W2s for tax fraud purposes, and a large

 

 


Brian Penders:

percentage of those accounts were from the School of

 

 


Brian Penders:

Medicine. Other attacks involving social engineering to

 

 


Brian Penders:

get into retirement accounts, we get, I think, we get a large

 

 


Brian Penders:

portion of the tech support scams, which really try to get a

 

 


Brian Penders:

credit card number, get a credit card number from a

 

 


Brian Penders:

doctor, it's different from others, and also just

 

 


Brian Penders:

credentials, or medical email credentials are more valuable,

 

 


Brian Penders:

frankly, on the dark web to sell. So that's something that

 

 


Brian Penders:

we talk to right from when students get here all the way

 

 


Brian Penders:

through is be careful, you may be caught up in this. And

 

 


Brian Penders:

honestly, those are really have really been the root cause for

 

 


Brian Penders:

our incidents that involve regulated data PHI, because

 

 


Brian Penders:

there really isn't an interest in the PHI. But because these

 

 


Brian Penders:

attacks happen, there may be an email, an exposure of email that

 

 


Brian Penders:

contains regulated data. So it's a real headache. It's very risky

 

 


Brian Penders:

for us. So we try to talk to our users, our faculty, staff and

 

 


Brian Penders:

students about that. The second big category is really around

 

 


Brian Penders:

governance risk. There's, if you can imagine the Venn diagram,

 

 


Brian Penders:

the School of Medicine is one of the HIPAA covered components of

 

 


Brian Penders:

the university. But we are also tied to UNC Health, our partners

 

 


Brian Penders:

there, and that's by statute, the Dean of the School of

 

 


Brian Penders:

Medicine is also the CEO of UNC Health. We are separate legal

 

 


Brian Penders:

organizations, but we share our clinical faculty. You're a

 

 


Brian Penders:

faculty members. Well, Dr. Chatterjee. So you know, as a

 

 


Brian Penders:

faculty member, you want to be available to people, you want

 

 


Brian Penders:

your work to be known. You want people to be able to get in

 

 


Brian Penders:

touch with you. And it's particularly easy in that

 

 


Brian Penders:

regard, because we're a public university. And when you add the

 

 


Brian Penders:

fact that these are also our clinicians who are working with

 

 


Brian Penders:

regulated data, they're doing research that involves health

 

 


Brian Penders:

information. It's very challenging when you get that

 

 


Brian Penders:

mix together. It takes a lot of communication with our faculty

 

 


Brian Penders:

to understand the differences and to be able to work with our

 

 


Brian Penders:

partners and UNC Health to make sure that there aren't any gaps

 

 


Brian Penders:

there that could expose data. So those are the two two big

 

 


Brian Penders:

differences here in School of Medicine.

 

 


Dr. Dave Chatterjee:

Yeah, thanks for sharing. I'll take

 

 


Dr. Dave Chatterjee:

this opportunity to share with the listeners some common

 

 


Dr. Dave Chatterjee:

cybersecurity challenges that plague educational institutions.

 

 


Dr. Dave Chatterjee:

I talked about these in my talk at UNC where I met Brian. One of

 

 


Dr. Dave Chatterjee:

the challenges is dealing with legacy systems, numerous remote

 

 


Dr. Dave Chatterjee:

endpoint devices is another challenge, securing students

 

 


Dr. Dave Chatterjee:

student body lack of incident response plans, no budget line

 

 


Dr. Dave Chatterjee:

item for cybersecurity. yhat's more true for the community

 

 


Dr. Dave Chatterjee:

colleges difficulty keeping up with emerging threats. And

 

 


Dr. Dave Chatterjee:

finally, the ability to hire and retain staff because

 

 


Dr. Dave Chatterjee:

cybersecurity jobs can be exciting, but they can also

 

 


Dr. Dave Chatterjee:

cause burnouts. So there can be a high turnover. You emphasize

 

 


Dr. Dave Chatterjee:

incident response plans, and research finds that in general,

 

 


Dr. Dave Chatterjee:

organizations don't do a very good job of rehearsing their

 

 


Dr. Dave Chatterjee:

incident response plan, sometimes they don't even have a

 

 


Dr. Dave Chatterjee:

good plan in place. I'm not going to ask you to speak

 

 


Dr. Dave Chatterjee:

specifically to your organization. But generically,

 

 


Dr. Dave Chatterjee:

Brian, as a practitioner, what's feasible and what's ideal? Yeah,

 

 


Brian Penders:

it's a good question. And you're right,

 

 


Brian Penders:

these things can slip away as everyone gets busy. But but

 

 


Brian Penders:

they're very important. I think the trick is to not think you

 

 


Brian Penders:

have to go to the nth degree with this, you know, ideally, we

 

 


Brian Penders:

would have something that involve the entire university,

 

 


Brian Penders:

UNC Health School of Medicine, and we would get all get

 

 


Brian Penders:

together, you don't have to go right there, you could just do

 

 


Brian Penders:

something as simple as when you actually have an incident, you

 

 


Brian Penders:

can actually use that as an example of checking it against

 

 


Brian Penders:

your plans. And when we work with third parties, that's their

 

 


Brian Penders:

recommendation to you know, take advantage when things come in to

 

 


Brian Penders:

run through your plan. And then honestly, working with third

 

 


Brian Penders:

parties to help with tabletops. And reviewing Incident Response

 

 


Brian Penders:

Plans, I think is is a great way to go that, you know, they can

 

 


Brian Penders:

provide some great expertise, they can sort of sit from the

 

 


Brian Penders:

outside and tell you what how you're doing and the direction

 

 


Brian Penders:

you need to go.

 

 


Dr. Dave Chatterjee:

Okay, good to know ransomware attacks are a

 

 


Dr. Dave Chatterjee:

threat to all organizations, academic institutions are no

 

 


Dr. Dave Chatterjee:

exception. In fact, they are being hit very heavily. So is it

 

 


Dr. Dave Chatterjee:

fair to assume that institutions engage in rehearsing how to

 

 


Dr. Dave Chatterjee:

recover from a ransomware attack?

 

 


Brian Penders:

Yes, I think it's done under the umbrella of

 

 


Brian Penders:

disaster recovery generally, which isn't really specific to

 

 


Brian Penders:

ransomware, you usually your infrastructure teams are in

 

 


Brian Penders:

charge of developing your business continuity and disaster

 

 


Brian Penders:

recovery plans. And they periodically do test restores of

 

 


Brian Penders:

systems that would help with ransomware incident or after it.

 

 


Dr. Dave Chatterjee:

Okay, that's good to know as well. So

 

 


Dr. Dave Chatterjee:

as a faculty member, we get communication from the

 

 


Dr. Dave Chatterjee:

Technology Office, the Security Office, from time to time, I

 

 


Dr. Dave Chatterjee:

don't recollect any communication or guidance, where

 

 


Dr. Dave Chatterjee:

they are proactively preparing us from a ransomware attack that

 

 


Dr. Dave Chatterjee:

could freeze our systems, compromise our data. So what I'm

 

 


Dr. Dave Chatterjee:

trying to understand is this rehearsal of proactively or

 

 


Dr. Dave Chatterjee:

reactively, responding to ransomware attacks, is this

 

 


Dr. Dave Chatterjee:

rehearsal taking place at a certain level, and not at all

 

 


Dr. Dave Chatterjee:

levels. What would be, I'm just trying to get a better sense,

 

 


Dr. Dave Chatterjee:

from your perspective,

 

 


Brian Penders:

right? It wouldn't be something that would

 

 


Brian Penders:

rise to the user level, it could certainly be an attack and

 

 


Brian Penders:

certainly start there. But it'd be more about when a ransomware

 

 


Brian Penders:

actors are looking at a large organization, they're not as

 

 


Brian Penders:

focused on doing a whole lot with individual users

 

 


Brian Penders:

workstations, they're going to use that as possibly an entry

 

 


Brian Penders:

point. But it would be taking some time using different

 

 


Brian Penders:

malware to move across an organization to get to something

 

 


Brian Penders:

that they want could be domain controllers, or could be bigger

 

 


Brian Penders:

servers and storage arrays, something that can really hamper

 

 


Brian Penders:

the organization such that a payment would be feasible, it

 

 


Brian Penders:

wouldn't be something that a user would really get involved

 

 


Brian Penders:

with in terms of testing those programs.

 

 


Dr. Dave Chatterjee:

So moving on to cybersecurity governance,

 

 


Dr. Dave Chatterjee:

best practices, there are several out there, would you

 

 


Dr. Dave Chatterjee:

like to highlight a few that you are really big on?

 

 


Brian Penders:

Yes, I mean, considering I mentioned, we've,

 

 


Brian Penders:

we've had some incidents with phishing and social engineering,

 

 


Brian Penders:

our best practices, the last couple of years have focused in

 

 


Brian Penders:

those areas in what I'll call a good better best type scenario,

 

 


Brian Penders:

where in terms of, let's say passwords, we talked to our

 

 


Brian Penders:

users about strong and unique passwords. Now, some of their

 

 


Brian Penders:

university accounts are automatically done, but their

 

 


Brian Penders:

own accounts. And we focus on things like think about your

 

 


Brian Penders:

primary personal email account, and how important that is. You

 

 


Brian Penders:

need a strong and unique password. And you need multi

 

 


Brian Penders:

factor authentication, because that could be the key to all of

 

 


Brian Penders:

your other accounts, least the ones that don't have multi

 

 


Brian Penders:

factor authentication. And beyond that, we say now look at

 

 


Brian Penders:

your finance, banking, retirement, and then look at

 

 


Brian Penders:

your social media. And then if you can, make sure you do that

 

 


Brian Penders:

for all them, use passphrases and a lot of those general

 

 


Brian Penders:

password guidance but lay lately because of the nuances of the

 

 


Brian Penders:

attacks, especially in terms of multifactor workarounds, our

 

 


Brian Penders:

exact playbooks of guidance don't really work with our

 

 


Brian Penders:

users. So we've been talking to them about this idea of having

 

 


Brian Penders:

situational awareness in terms of are you already logged in,

 

 


Brian Penders:

you are going to you may get an email, you should look to see if

 

 


Brian Penders:

is an external from an external source. And if there is a link

 

 


Brian Penders:

there, and if there is you should have, you should be very

 

 


Brian Penders:

careful about that link. And if you do, click the link, and

 

 


Brian Penders:

you're asked to log in, why would you need to login. And so

 

 


Brian Penders:

we use two different MFA solutions here, but the one we

 

 


Brian Penders:

use for Microsoft, they should not have to log in as you know,

 

 


Brian Penders:

when you log in, you get a session token, it should last a

 

 


Brian Penders:

while. So you should really think through why you're being

 

 


Brian Penders:

asked to put your credentials in here. Because some of the ones

 

 


Brian Penders:

we've seen have been this attack where there's a credential turn

 

 


Brian Penders:

around where attackers take the credentials in real time log in,

 

 


Brian Penders:

and that will generate a push. So the advice to our users to

 

 


Brian Penders:

only accept push notifications that they expect, doesn't work,

 

 


Brian Penders:

because they did expect one. So that's when we have had to back

 

 


Brian Penders:

up and talk to them about situational awareness. So those

 

 


Brian Penders:

are some of the big ones around passwords and MFA, and the other

 

 


Brian Penders:

one is updating software, I'll say if I had 30 seconds with a

 

 


Brian Penders:

group, I would tell them to keep their software updated. And what

 

 


Brian Penders:

we're talking to our users about is they don't really know a lot

 

 


Brian Penders:

about the software release cycles and how the software is

 

 


Brian Penders:

likely a combination of security updates and new features. Our

 

 


Brian Penders:

users get lulled into thinking that it's only new features. And

 

 


Brian Penders:

they, you know, hit remind me tomorrow, and they don't quite

 

 


Brian Penders:

understand that the updates are security patches for the

 

 


Brian Penders:

previous update. And so again, it's a good better best, we

 

 


Brian Penders:

don't expect everyone to stop what they're doing. People are

 

 


Brian Penders:

busy, but we say as soon as possible. But if you can, within

 

 


Brian Penders:

a couple of weeks, get that new software installed, you're going

 

 


Brian Penders:

to have the security updates that you need. So those are just

 

 


Brian Penders:

a few of the big ones we've been talking about.

 

 


Dr. Dave Chatterjee:

Absolutely makes sense. I'd like to react

 

 


Dr. Dave Chatterjee:

to a couple of things. When you mentioned multifactor

 

 


Dr. Dave Chatterjee:

authentication. Recently, I did an episode on multifactor

 

 


Dr. Dave Chatterjee:

authentication fatigue, and that the guest was talking about how

 

 


Dr. Dave Chatterjee:

developers detest having to authenticate time and again,

 

 


Dr. Dave Chatterjee:

when they're working on 50 different applications that

 

 


Dr. Dave Chatterjee:

they're having to go back and forth. And then there are human

 

 


Dr. Dave Chatterjee:

beings who are also at times unwilling to have it have to

 

 


Dr. Dave Chatterjee:

authenticate every time they are having to log into a system. I

 

 


Dr. Dave Chatterjee:

will I will admit that initially, I belonged to that

 

 


Dr. Dave Chatterjee:

camp. But I've changed since because I now recognize how

 

 


Dr. Dave Chatterjee:

important that security feature is. I also wonder about these

 

 


Dr. Dave Chatterjee:

passwords, you know, we're tired of remembering passwords, tired,

 

 


Dr. Dave Chatterjee:

tired of trying to save passwords, password protection

 

 


Dr. Dave Chatterjee:

managers don't work, they get hacked. We hear about them all

 

 


Dr. Dave Chatterjee:

the time. So there's a huge push towards passwordless

 

 


Dr. Dave Chatterjee:

authentication, I guess curious, what are your thoughts? What's

 

 


Dr. Dave Chatterjee:

the reality around password less authentication?

 

 


Brian Penders:

when I think about the big defenses that have

 

 


Brian Penders:

come out around identity, certainly MFA years ago was one

 

 


Brian Penders:

and I think we're on the cusp of another with web auth. And and

 

 


Brian Penders:

using biometrics on your system to prevent this idea of a shared

 

 


Brian Penders:

secret, right, we need to get out of the business of the

 

 


Brian Penders:

shared secret. And so UNC is moving to offering passwordless

 

 


Brian Penders:

authentication this year, we have a strategy to roll it out.

 

 


Brian Penders:

And I think it's going to be well received. And we'll see how

 

 


Brian Penders:

it goes. But this is going to be attackers will pivot it'll be

 

 


Brian Penders:

they may go back to malware, or they may, you know, use malware

 

 


Brian Penders:

to grab session tokens. And so there might be a new thing. But

 

 


Brian Penders:

this I think is a big new defense to credential theft.

 

 


Dr. Dave Chatterjee:

Excellent. Wonderful. So Brian, we are kind

 

 


Dr. Dave Chatterjee:

of coming towards the end of our episode here. I wish we could

 

 


Dr. Dave Chatterjee:

continue the conversation, but we will have to wrap it up. So

 

 


Dr. Dave Chatterjee:

I'd like to give you the opportunity to share some final

 

 


Dr. Dave Chatterjee:

thoughts with the listeners.

 

 


Brian Penders:

Yeah, I just wanted to spend a few minutes

 

 


Brian Penders:

talking a little bit about building teams. You and I

 

 


Brian Penders:

discussed this a bit. Last time we talked some of the things

 

 


Brian Penders:

that we look for in terms of when we're looking at someone

 

 


Brian Penders:

from IT, who's interested in coming to cyber security. We

 

 


Brian Penders:

look at Service Desk experience system and server administrators

 

 


Brian Penders:

and developers. But it's also important we have found in

 

 


Brian Penders:

addition to traditional diversity, diversity of

 

 


Brian Penders:

background, we have found that our folks from liberal arts and

 

 


Brian Penders:

humanities hat can be extremely valuable to supplement and

 

 


Brian Penders:

sometimes lead our cybersecurity teams. I'm generalizing but

 

 


Brian Penders:

they're good problem solvers. They're able to see the big

 

 


Brian Penders:

picture and they're excellent communicators, all amazing

 

 


Brian Penders:

skills. And if they have a propensity and an interest in

 

 


Brian Penders:

being technical, that just makes it all the better. And then the

 

 


Brian Penders:

other thing is for any folks who are trying to, to get into

 

 


Brian Penders:

cybersecurity, it can be really hard. It's easy for us to say,

 

 


Brian Penders:

well, you know, just take an entry level IT job and move from

 

 


Brian Penders:

there. But that's not feasible for some people. And so the only

 

 


Brian Penders:

advice I have is to bug your IT teams wherever you are. And if

 

 


Brian Penders:

you're in IT, bug, your security team, I'm, I'm surprised more

 

 


Brian Penders:

people don't come and talk to us just knock on our door and say,

 

 


Brian Penders:

can you tell us what you do? Show me, show me some of the

 

 


Brian Penders:

things that you all do. So I know a lot of my colleagues

 

 


Brian Penders:

would welcome would welcome that. So just a few tips for

 

 


Brian Penders:

anyone looking to get into cyber

 

 


Dr. Dave Chatterjee:

fantastic. In fact, I'd like to reiterate

 

 


Dr. Dave Chatterjee:

what you just said that even if you coming from a non technical

 

 


Dr. Dave Chatterjee:

background, and there is no reason to shy away from a field

 

 


Dr. Dave Chatterjee:

like cybersecurity because the field could benefit from people

 

 


Dr. Dave Chatterjee:

bringing in different perspectives, different

 

 


Dr. Dave Chatterjee:

expertise. And there are numerous instances of people

 

 


Dr. Dave Chatterjee:

with liberal arts degrees. I had a subject matter expert on

 

 


Dr. Dave Chatterjee:

another episode, she has a PhD in philosophy, phenomenology was

 

 


Dr. Dave Chatterjee:

was the focus of her dissertation. She's a real

 

 


Dr. Dave Chatterjee:

techie, she assessed cybersecurity technologies for

 

 


Dr. Dave Chatterjee:

the government. So there's nothing that you can't learn,

 

 


Dr. Dave Chatterjee:

even if you didn't have the traditional technical training

 

 


Dr. Dave Chatterjee:

or technical foundation, it's all a matter of interest and

 

 


Dr. Dave Chatterjee:

willing to be curious and being willing to adapt. So I think

 

 


Dr. Dave Chatterjee:

there are several other skill sets that come into play,

 

 


Dr. Dave Chatterjee:

Brian's own journey, where he himself mentioned coming from a

 

 


Dr. Dave Chatterjee:

liberal arts background and how he literally stumbled into these

 

 


Dr. Dave Chatterjee:

roles, and then he grew with them. I'm sure he'll be the

 

 


Dr. Dave Chatterjee:

first person to agree that he didn't envision himself doing

 

 


Dr. Dave Chatterjee:

what he is doing today, when he got out of college with a

 

 


Dr. Dave Chatterjee:

liberal arts degree. So do keep that in mind. For those of you

 

 


Dr. Dave Chatterjee:

who are aspiring to pursue a career in cybersecurity and

 

 


Dr. Dave Chatterjee:

you're sitting on the sidelines, wondering if that would be a

 

 


Dr. Dave Chatterjee:

good career move or not, I think it'll be a great career move.

 

 


Dr. Dave Chatterjee:

More importantly, there is also the opportunity to secure the

 

 


Dr. Dave Chatterjee:

enterprise secure the nation, there is the other aspect to

 

 


Dr. Dave Chatterjee:

this job. That makes it very noble. I want to take this

 

 


Dr. Dave Chatterjee:

opportunity to thank all the cybersecurity professionals out

 

 


Dr. Dave Chatterjee:

there who do this job and they often are never recognized. They

 

 


Dr. Dave Chatterjee:

do it behind the scenes. The purpose of podcasts like mine,

 

 


Dr. Dave Chatterjee:

is to try to bring them out of their cubicles and share with

 

 


Dr. Dave Chatterjee:

the world the realities behind cybersecurity governance, and

 

 


Dr. Dave Chatterjee:

all the great things they do. So, Brian, thank you again for

 

 


Dr. Dave Chatterjee:

your time. It has been a real pleasure.

 

 


Brian Penders:

Thank you very much. I enjoyed the

 

 


Brian Penders:

conversation.

 

 


Dr. Dave Chatterjee:

A special thanks to Brian Penders for his

 

 


Dr. Dave Chatterjee:

time and insights. If you liked what you heard, please leave the

 

 


Dr. Dave Chatterjee:

podcast a rating and share it with your network. Also

 

 


Dr. Dave Chatterjee:

subscribe to the show, so you don't miss any new episodes.

 

 


Dr. Dave Chatterjee:

Thank you for listening, and I'll see you in the next

 

 


Dr. Dave Chatterjee:

episode.

 

 


Introducer:

The information contained in this podcast is for

 

 


Introducer:

general guidance only. The discussants assume no

 

 


Introducer:

responsibility or liability for any errors or omissions in the

 

 


Introducer:

content of this podcast. The information contained in this

 

 


Introducer:

podcast is provided on an as-is basis with no guarantee of

 

 


Introducer:

completeness, accuracy, usefulness, or timeliness. The

 

 


Introducer:

opinions and recommendations expressed in this podcast are

 

 


Introducer:

those of the discussants and not of any organization.