When justifying cybersecurity investments, Andy Bates, Chief Development and Strategic Partnership Officer, Global Cyber Alliance, recommends making the business case from the standpoint of reducing the carbon footprint. He feels people will make a stronger emotional connection with the carbon reduction argument and thereby be more willing to fund and participate in cybersecurity initiatives. Changing up the cyber conversation and making it more relatable was one of the key takeaways from this discussion. Andy also talked about the vision and offerings of the non-profit organization Global Cyber Alliance.
To access and download the entire podcast summary with discussion highlights --
https://www.dchatte.com/episode-17-reducing-the-carbon-footprint/
Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.
Connect with Dr. Chatterjee on these platforms:
LinkedIn: https://www.linkedin.com/in/dchatte/
Website: https://dchatte.com/
Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338
Welcome to the Cybersecurity Readiness Podcast
Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of
Cybersecurity Readiness: A Holistic and High-Performance
Approach. He has been studying cybersecurity for over a decade,
authored and edited scholarly papers, delivered talks,
conducted webinars, consulted with companies, and served on a
cybersecurity SWAT team with Chief Information Security
Officers. Dr. Chatterjee is an Associate Professor of
Management Information Systems at the Terry College of
Business, the University of Georgia, and Visiting Professor
at Duke University's Pratt School of Engineering.
Hello, everyone, I'm delighted to
welcome you to this episode of the Cybersecurity Readiness
Podcast Series. Today, I'll be talking with Andy Bates, Chief
Development and Strategic Partnership Officer at Global
Cyber Alliance. Andy, welcome. It's great to have you as a
guest on the Cybersecurity Readiness Podcast Series. Thanks
for making time to share your thoughts and perspectives with
the listeners. How about we get started on a reflective note
where you share with us what got you into cybersecurity? What's
your story?
Brilliant! Well, first of all, thanks for for the
opportunity. And thanks for having me here. So it's it's
great to be with you. And thanks, everyone for listening
in. And yeah, great question. I guess I've been in telecoms all
my life. So I kind of started my career as an engineer and, and
business development. So found myself building secure networks.
And I guess before the term cybersecurity was invented, I'd
probably realized I was on the receiving end of cyber attacks.
So So on the one hand, I think I'm kind of feeling the pain or
felt the pain that I want the audience not to be feeling. And
so that's one of the reasons why I kind of left the commercial
sector and came to GCA as a as a global, not-for-profit, I
guess, to fight back. And then the then the other thing is, I'm
a great one for asking the really annoying questions like,
like, I guess the average 10 year old would do. So having
built secure networks, and been kind of part of building the
internet. And, you know, the internet's as old as I am, it
was born in 1969, I'm afraid to say and, you know, the first
email, I think, was transmitted in 1972. So it's come a long
way, the internet, we've all come a long way. And I kind of
look at things in the internet and think, surely, we can make
this safer. And as you and the listeners probably know, you
know, the Internet was originally designed for
universities and academic institutes to communicate
together. And it's a wholly different thing now. So yeah, I
look at it at the Internet as a networking engineer and go, we
could, we could make this a lot safer. And just to kind of close
out, you know, you turn on the water at home, and you can drink
water from the tap in most countries. But the internet is
kind of dangerous, you have to buy a firewall, you have to be
on your game, you have to train people. So ultimately, I'd love
the internet to be just as safe as, as the water system for want
of a better word. And, and I think we can get there maybe not
in my lifetime in my career. But yeah, that that's, that's what
gets me out of bed in the morning, I think.
Fabulous. Yeah, we know, we all want to be
able to operate in a safer environment. As you know, it's
great to be digitized. We appreciate the convenience of
electronic capabilities. But now we're also having to deal with
the consequences of the good things that we have created. You
know, the last time we were chatting, you brought up a very
interesting perspective on cyber that I don't often hear. You
talked about reducing the carbon footprint, why not look at
cybersecurity investments from the standpoint of reducing
carbon footprint? Can you expand on that?
Yeah, totally. And I mean, this is not new thinking
maybe. But when I've spoken to people about it, people go,
actually that's that's a new angle. And, and I think the
first thing to say is, you know, we in GCA (Global Cyber
Alliance) and I were talking about this before the recent COP
conference (held in Glasgow), he said there's a there's a
potential for saying that we've jumped on the bandwagon and the
zeitgeist here because everybody's talking about
carbon. But I guess first of all, you know, people watch TV,
dramas, and detective programs about fighting what are called
physical crime. But nobody gets excited about cybercrime. Nobody
gets excited about online fraud, as you say, we kind of get used
to living with it. For years, in fact, when I was at school, I
remember people talking about climate crisis, and maybe that
was kind of a quiet event. And now that's become acknowledged
and real and visceral and people get angry about carbon, but they
don't get angry about cyber. So I think that's the first thing
to say that I think all of our lives in cyber would be easier
if there was an emotional connection with the problem as
there is with murder, robbery, etc. So, so yeah, we were
looking for different angles to try and make cyber more
interesting and more able to talk to, I want to be able to
have a conversation with my mother about what I do at work.
I'm convinced my mom thinks I'm a spy or run an IT department or
those kind of things so so if we can put cyber into the modern
parlance, which, you know, you talk about in your book, I think
that's, that's an important factor. So, with that back to
the kind of carbon discussion, cybercrime and fraud on the
planet, it's hard to get accurate figures. But generally,
it's accepted that the cost of cybercrime and fraud online
crime is around a trillion dollars a year. So imagine if
there was a country out there whose GDP was a trillion
dollars, that's more than the Kingdom of Saudi Arabia. In
fact, it's approximately the same as the GDP of Canada. So it
is reasonable to say, if there was a bad nation, a rogue nation
on the planet, generating subtle stealing so much money, it must
have a carbon impact. Now, the natural conversation there goes
that well, cybercriminals are using computers, they use
clouds, all of that contributes carbon. And I think that's,
that's true. But if I take a country with a GDP of a trillion
dollars, its carbon output is somewhere between 50 and 100
million tons of carbon. Now, there isn't a rogue nation
that's occupied entirely by criminals. This is, they're
obviously spread across the nations that exist today. So
think of the good economy, the good economy has to generate
another trillion dollars to make up for that trillion that has
been stolen by the criminals. We can't say that can be carbon
zero, doing that replacement, economic activity has to
generate carbon, and arguably, there's a number of 50 million
tons there. GCA, ourselves, people, good people investing
$25 million to keep GCA up so that we can go find cybercrime,
we think we've saved a little bit of research around a billion
dollars of online crime in the past five years, you rolled that
back using the same kind of formulas, we think that would be
around 100,000 tonnes of carbon. So that's, that's going to be a
good conversation. So that's, that was really the starting
discussion. So you know, some very vague maths there, but I
think the point is, as you say, opens up a different
conversation, rather than just hey, you should change your
passwords, you should buy a firewall, you should train your
staff, which I think a lot of people have been saying for some
time. Not a lot of people have been listening. But But yeah,
that's the starting point.
You know, that's probably a very good way
of looking at the impact of cyber, it goes beyond what we
generally quantify in terms of financial losses, losses to
individuals, and they are all very valid, and we got to
address those. But in the bigger scheme of things, how
cybersecurity attacks are hurting the environment, whether
it's attacks on the infrastructure, and then you,
you gave it a different spin we talked about, we are generating
good carbon to deal with the bad carbon. Yeah.
So let me just to give you a bit of a COVID
analogy. So without naming the names of any vaccine
organizations, clearly generating a billion COVID
vaccines is a good thing. But clearly, that generates carbon.
So there's a use of carbon that I think we'd all be happy with.
So the inverse is clearly if we're allowing people to steal a
trillion dollars, those people a) generate carbon in the
process, but I think more importantly, it's, it's that
theft that we created something in if you like, the good
economy, we've got to create another one to to catch up. And
that's really the the net contribution of carbon.
So if I understand you correctly, when
organizations are trying to justify investments in
cybersecurity, and there are methods and measures, this
should be another dimension to their business case, correct.
That total, go ahead.
So yeah, totally. Um, so yeah, the risk of drawing
an X, Y and Zed axis, I think we can all understand reasonably
how to monetize costs of cyber cyber defense, monetizing the
cost of the consequences are harder. There's obviously
emotional, and if you like human consequences, I think we heard
of several people who committed suicide because of constant
phishing emails and attacks. Clearly those those folks
weren't in a great mental state to start with. But yeah, if we
roll the carbon conversation in as well, it gives another
dimension to that business case. So to give you an example of a
bank I was speaking to recently, obviously, being safe is part of
a bank's business. And again, as you say, in your book, making
cyber part of the cost to do business is important. So
they've grasped that and, and banks, I think get cyber, you
know, they used to have safes to put money in gold in now they
have the equivalent of online safes to keep themselves safe.
But if you asked what the bank's strategy was, number two in there
is carbon reduction. So this particular IT team and said they
wanted to reduce their attack surface, loads of firewalls,
loads of pin holes into the environment, APIs, those kind
of things. And being a bank, they had their own servers and
their own processes. During that, they were struggling to
find the case to remove that infrastructure, that legacy
infrastructure and move forward to arguably a more safe
position. When they, we had this conversation and it was just a
two sentence chat from a webinar not dissimilar to this one I was
doing and they said, Wait, if we add up all the carbon that all
those servers are producing, and our bank's number two thing in
its strategy is carbon reduction, suddenly, we've got a
different angle to drive that business case. And frankly, you
know, that what's I think cool, charismatic carbon. So the more
interesting ways of reducing carbon, the carbon trading is at
50 pounds a ton for that more interesting version of carbon.
50 pounds isn't a lot, but and a ton of carbon is similar. But as
I say, if the GCA we if we believe we would have saved
100,000 tons of carbon 50 pounds a ton, that's 5 million. That's
actually the cost to keep GCA running on a per annum basis. So
you know, everything counts in large amounts. I think that was
a, that was one of the rare test cases that I've worked on so far
that allowed an organization to say, this business case now
makes more sense if I put the conversation of carbon in there.
And it was less about the money, it was more about the fact that
the strategy that the CEO of that bank stands on stage with
his shareholders and says, this year, we're going to do these
three things. And thing number two was reduce our carbon
output. And that's that drives shareholder value that drives
customer commitment, and all of that can ultimately be
monetized.
Absolutely, that's a great way of also
showcasing that the organization is environmentally conscious,
environmentally responsible. And that's always a great thing.
Now, along those lines, Andy, as you know that it is the small
and the medium sized enterprises, who are always
struggling for resources, and maybe this carbon reduction
impact argument that might help their case, but still they could
do with help. And I know that you are involved with the Global
Cyber Alliance. So I thought this might be a good opportunity
for you to share with the listeners, what the organization
does, and how, you know how other organizations can benefit
from their offerings?
Yeah, absolutely. So, first of all, one of the
fundamental principles of GCA is that we democratize
cybersecurity. And by that we mean that our belief is that
everybody whether an individual or business has the rights and
the access to good cyber defense. In other words, it's
not just something that's the the reserve of big businesses,
rich people, clever people, and a bit like, without overly
quoting the current global pandemic, once everybody has
access to good health care, then the whole planet is a lot safer.
So it's, it's that kind of position. So GCA has two things.
We have our Capacity and Resilience Program. Today that's
very much focused on producing toolkits. So we produce free
toolkits which are available for businesses, soon to be for
individuals, for journalists, and for election officials. So
that helps people to protect freedom of speech, protect
democracy, but also stay safe online. So, you know, the debate
around a free thing, what value does it have? We nominally think
the value of the toolkit is around $3,000 3000 pounds per
small business, clearly, depending on on how much of
those things they use. So yeah, there's there's a free resource.
So I think, you know, part of today's conversation is about
business case, part is about carbon. So I feel for the small
business, you know, the local pub and chip shop in my in my
village, can't maybe afford high-end cyber defense, they
certainly can't afford to employ a CISO (Chief Information
Security Officer). So some free solutions is a good way of
starting that conversation and moving that chapter forward. As
you'd say the other part of GCA we have a thing called the IT
program, internet integrity, they really develop solutions,
which as I said in my kind of personal introduction and
check-in help the internet itself to be safer. So we have a
large IoT honeypot, we have a platform called Domain Trust.
And we we co-created with IBM and PCH a platform called Quad9.
So guess to come back to the carbon discussion, Quad9 is a
protective DNS platform. So point your DNS to 9.9.9.9. and
you will be safer, you will have another layer of defense. When
we did some testing in our pilot user base, which was a million
users. Today, Quad9 protects around 250 million users. But we
found out that your virus scanner, the load went down by
80%. So that's great, because clearly the thing is working,
it's stopping inbound attacks happening. But again, just let's
think of on a on a business angle. If I say to anybody in
the street, would you like your computer to run faster? The
answer is of course going to be yes. So if you get an 80% less
viruses and spam and all kinds of nonsense coming from the
Internet into your computer, it's doing less, that's good
because your computer runs faster. But maybe it uses less
electricity yet to run some numbers around that. But again,
I think that's a good way of of making cyber a different
conversation and a different business case. You know, let's
face it, cyber is a big, geeky, the word cyber probably wasn't
known as an industry, as I said about 10 years ago. Whereas
people do want their emails to be delivered better. People
don't want things to go into junk folders, people do want
their computers to run faster, people do want to pay a cheaper
electricity bill. And if cyber can help them to get to all of
those points, then it becomes more interesting and more
engaging.
I absolutely couldn't agree with
you more. In fact, the more I hear what you say about reducing
the carbon footprint, I feel that that's the kind of pitch
that's gonna go very well with the non-technical folks, with
the business folks, the leadership, because everyone
wants to do their share for the overall environment. We are I
would like to believe on an optimistic note that we are
becoming environmentally more conscious.
You've got it. And I think one of the things you say
in your book, one of your key points is that cyber is a team
sport. I'm not sure you quite say like that. But cyber
involves everybody. Carbon, by definition involves everybody,
we all breathe it out, breathe the atmosphere, we all live on
the same planet. So unless you move to the moon, there's no way
out to the carbon conversation. But the problem with cyber is,
it's kind of the job of the CISO. Like, he's got, he's got
cyber, I'll carry on doing the business, I'm the Sales VP, I am
the operations VP, cyber is in the corner over there. And you
know, we find this as the as the Global Cyber Alliance, we get
introduced to CISOs. Whereas actually, if the banks we work
with probably the CMO is the person we most like to talk to,
because we want to give free stuff to their customers, which
makes them safer, which is a great marketing conversation. So
yeah, I think you've hit on it beautifully that you cannot
check out the cop conversation. People do mentally check out the
the cyber conversation, because it is not cool, it's not
interesting, a bit techie, it's not their specialism. So So
again, I think you're right, this is this is a way of joining
the two things into the same sentence.
And, you know, along those lines, and I
think you mentioned you kind of mentioned that in one of our
earlier conversations, you said, you know, can we turn cyber into
a profit center, or a strategic part of the business where we
are, we're approaching cybersecurity investments from
the standpoint of reducing carbon footprint, and that is
considered to be a good strategic objective that aligns
with the other goals and missions of the organization.
Can you expand on that?
Yeah, totally. I mean, I'm, most people who are
in the world of sales that can have trusted advisor sales
conversation is the best place to be. So not everybody can do
this. Not every company can do this. But asking your customer
what their big concerns are about you as an organization or
generally is a very powerful question. So walking up to your
biggest customer with your sales guy and your sales VP, but
bringing the CISO going, hey, I brought my CISO along, we want
to have an open discussion about cyber. Everybody in the world of
cyber, like you and me is always talking about supply chain.
Somehow supply chain is always thought of people who supply
you. Whereas I want to call it a supply circle. Everybody
supplies everybody with something, nobody is at the top
of the supply food chain. Nobody is at the bottom, the smallest
company buys electricity, buys gas buys insurance, the biggest
bank etc, buys things from those people. But the biggest company
sells things to to someone else to small people. So everybody's
a supplier, everybody's therefore a buyer. And we always
say the problem is in the supply chain. So I'll go and get my
procurement department to go beat up on the supply chain to
make them more cybersafe. If you make that the salesperson's job
to go into your customers, that's a powerful thing. Because
you're opening up a different conversation. Somebody who walks
up and says, Hello, I've got some products in this place.
That's that's a very basic sales conversation. People would
rather talk about how do I solve your problems, Mr. Mrs.
Customer? And cyber is a problem. Yeah. So if your
CISO's got an angle on helping to solve your customers' problems,
it's a powerful conversation. And guess what their procurement
person is probably about to beat up on you because they've gone
to Cyber Conference where we've all said the supply chain is
where the problem is. So I think, just like the carbon
thing, it opens up a different conversation, opening up
different conversations, drive sales conversations, I'll maybe
don't want to make cyber competitive advantage. But let's
think of telco for a second. You know, my my kind of home stable.
And I'll ask you this question. If you don't mind, Dave, and I
appreciate you asking questions. But would you pay 10 or 20% more
for your home internet provider, if they assured you that it was
90% safer? Absolutely. I would. Kind of no brainer question,
isn't it so straight away. So what's called in the telecom
sector, ARPU, average revenue per user per month. If you knew
you were going to get less scams or just just get less phishing.
I mean, I think isn't 30% of all emails scam phishing stuff. So
you just buying a rubbish product, you know, if I bought
one of the popular fizzy drink brands and one in three cans of
the fizzy drink that I won't mention has gone off or is
faulty or leaks, I'd be super annoyed. But with the internet,
I'm kind of it's just how it is, it's back to my point about
about the water analogy. So telco's an easy way to look at
that you could probably charge more for massive firewall in the
internet, that just means you're safer. I can hear lawyers on the
call getting angst about this, or what about liability? What
about blah, blah, blah. But again, my my opener, and it
comes back to the carbon conversation is very much the
internet, it's all about the problem is yours. It's never the
industry's, it's an, you know, your book beautifully touches on
some of the points which people should do, my passionate belief
is that they should do those things. But it shouldn't be the
only line of defense somebody should be be helping these
folks. So I think that's that for telco is one example of how
cyber can become a sales differentiator. But let's think
of other things, you know, if I don't know if if the Wi-Fi in
your local restaurant guarantees that you're going to be safer
versus the coffee shop across the road and everything else
neutral, you're going to make an informed decision to go to the
safer environment. So I think there are a whole load of
conversations there where cyber can become more mainstream in
the business. And again, you know, you said this, this in the
book that cyber needs to be everybody's thing. And I think
these kinds of conversations are a way of making it everybody's
thing, rather than saying everybody should do cyber, it
means everybody shouldn't click on this link, everybody should
update their software. And that's good advice. But the kind
of sales conversations allows people to embrace it a lot more.
You know, it's, it's so true, what you
just said. Often, it's how you pitch things. You know, like
somebody said that, you know, don't approach the cybersecurity
conversation, or the cybersecurity communication,
from the standpoint of getting people fearful about it,
approach it in a very positive way. You know, tell them what
they could do and keep it simple have, you know, conversation
should not be complicated. You know, I'm a huge believer that
despite the complexity of anything, there has to be a
simple, easy way of getting the key messages across, you don't
need to, don't need to get the the recipient of the message, to
understand the intricate details. You know, give it to
them at a level that they can relate to give it to them in a
manner that really strikes a chord with them. That that
requires some deliberate thinking, you know, I have
mentioned in the book that we can't afford this check-the-box
approach, yes, here are these requirements, we are meeting
them we are, we've hired this particular vendor who's giving
us this training, we are following through with these
kinds of communications, they're all good guidelines, but you
have to personalize it, you have to customize it, you have to
recognize the company culture, and you know, this approach,
the, you know, reducing the carbon footprint approach, this
could be a way of changing the information security culture,
making it a more integral part of the overall organizational
culture, that's when I think organizations are likely to see
greater benefits over a sustained period of time, as
opposed to making it an information security function
thing, as opposed to making it their problem, I'm in the
business to grow revenue, it is somebody else's problem, to deal
with security, that kind of myopic approach, a siloed
approach doesn't help anybody and you put it beautifully. You
know, we come from carbon, if I may. Yeah. And, and carbon
connects us and you know, the, the pandemic is emphasizing that
and that as much as we would like to do our own thing and
like to operate independently and be profit centers and
showcase how how much better we are than the others; at a much
deeper and a much higher level, you know, everybody's future is
connected in a very deep way. And we have to recognize that
and show the responsibility. So we help us by helping others. So
that's the that's the approach, that's the mindset that needs to
go into the cybersecurity conversation to prevent it from
becoming a technical conversation, which results in
people tuning off. You know what, it's not my thing.
Exactly. I mean, a couple of things to pick up from
what you said and I think I'm probably quoting Ian Levy from
from NTSC but when you teach your kids to cross the road, you
teach them to look left look right, look left again or the
other way around. If you're in the USA, you don't teach them
how the internal combustion engine works or kinetic
collision theory. But often the way people teach languages and
the people teach sciences, you got to go with that. So exactly
as you said, the the information that's relevant to people is so
important. And again, at the risk of quoting, I think it's
Dale Carnegie, who said, If you want somebody to be interested
in you, it'll probably take two years, there's nothing better
people really love people talking about them. So if you
want somebody to be interested in you, you got to talk to them
about what they're interested in, then it will take them two
months to have, you know, the conversation, a deeper
conversation, I guess so. So the point that that really is, if I
draw a Venn diagram of people who are interested in cyber, and
then a bigger Venn Diagram of people who are interested in
computers, and then a much bigger circle of people
interested in carbon and the planet, by virtue of human
survival, we're all nominally interested in carbon on the
planet. So if that's just if we're just using carbon as a
different way of introducing cyber into what other people are
interested in, then it means more people will be interested
in us, i.e., the cyber geeks, and therefore they do something
about it. And there's loads of other subjects that people would
would be interested in. I mean, one of my, the main part of my
job is finding the funding to ngca. People will fund
education, people will fund carbon people, fund veterans,
people don't fund cyber, because that's the job of police surely,
and that's why I pay my tax. So why the heck are you asking me
for money. So again, back to the Dale Carnegie quote, if you're
interested in other people they become interested in you trying
to force them to become interested in you is arguably
takes 10 times the amount of time and effort. And in cyber,
we just don't have that amount of time and effort just to throw
around. So it's much better to find things people are
interested in and, and carbon is a thing that almost everybody is
becoming interested in or needs to become interested in.
You know, this reminds me of a
conversation I had with a senior executive and I started my my
career in corporate. I was a management trainee in this major
British multinational, and as part of our training program, we
had to meet with the company director. So when I walked into
his office, he of course, asked me how I was doing how I was
liking the environment, and then he gave me some advice. And
something that stayed with me was when he said, "Dave I am not
asking you to be committed to the organization to be loyal to
the organization, I'm asking you to be loyal to yourself to be
loyal to your family, and believe me, if you do that, you
will be loyal to the organization." I never quite
understood that then. But when you use the Dale Carnegie
example, you kind of made the same point that make it about
the person make it about their contribution to the world, you
know, their legacy, what is my legacy, my legacy is more than
the job that I do, my legacy is how I contribute to make the
world a better a safer place. And this carbon reduction carbon
emission angle, is a great way of getting there. And so I
think, you know, your approach to this subject on cyber is, is
a welcome approach. And I'd like to probe further about
justifying cyber investments. You mentioned, you made a, you
know, telling statement that nobody wants to fund cyber, but
they want to fund a lot of other things. What recommendations,
what guidance would you like to give to listeners who are maybe
who are, you know, pitching for money for cyber investments or
organizations who are trying to get funding for cyber
investments? What guidance would you give them? What
recommendations do you have for them?
I mean, great question. And to me, that falls
into two questions. So I think there's the CISO in the
corporate who wants to get more investment for the corporate.
And then there's people like me in the not-for-profit world who
are looking to foundations, grant funders, etc. So I guess
the first part is probably most relevant to your audience, your
listeners. I mean, I think anybody who's making a pitch for
money, stakeholder management is super important. And I've had
lots of conversations. And we've done talks on how the CISO is
engaged with the Board. So again, I think getting a Board
level sponsor who's not the IT director who's not maybe the CFO
is a good way forward. We've touched on it already. But when
I was, it feels like a million years ago now when my job was a
chief engineer, and I ran a design team, going out with the
sales VP to talk to customers was powerful for them and
powerful for us. We knew what the customers wanted to do. The
sales VP loved bringing out somebody from a design
department to go in and just be interested in them. So I think
just to reiterate the point we made earlier that the CISO
becoming friends with the sales VP, and the sales VP as the one
who drives the engine of growth of most commercial businesses,
gets you an insider stakeholder there. Just meeting with the
Board and hoping that they're going to give you an infinite
amount of money is crazy. And as you said, anything that's put in
common sense language for anybody so that all of the Board
can understand the conversation has to be the way forward,
having big, geeky technical conversations about things is
super difficult. And let's face it, you don't know if a cyber
attack is going to happen, you don't know how much is going to
be stolen, you don't know the consequences. You also don't
know the carbon consequences of rebuilding something. But I
would say that putting carbon in a business case, and also
putting the human consequences in a business case. So the below
the line things, the bit that the CFO probably won't look at,
I think those are powerful ways of grabbing people's attention.
Most Boards are going to review hundreds of business cases and
loads of ideas, many of which they may seem crazy along rocks
the CISO so so you're you the CISO one of those many people in
that conversation. So anything you can do to make your business
case relevant to everybody on the Board, show that how you're
driving business on the Board, make it simple, but also make it
stand out. And if carbon and the emotional effects of cyber one
of the ways of making people just stop on page three and go,
wait, I'm gonna read this again, this is this has grabbed my
attention, then that would be my recommendation. And as
I say with that with the bank, we mentioned who we shall not
name, one of their key corporate strategies is carbon. Every
company's declared what their one, two and three corporate
strategy things are. I'm doubting cyber's in there, unless
they're for cyber organization, in which case, it's probably
let's do more cyber. Yeah. So finding out what those
strategies are, mapping your business case to align with
those things just makes complete common sense.
Not-for-profit world, yeah, if I was talking to a high net worth
individual or talking to foundation, they love education,
they love making sure that diversity is respected and
improved across all forms of diversity, whether gender, race,
creed, neurodiversity, all super important. People care about
those things. So again, with one of our funders, he wasn't so
interested in cyber, but he was interested in democracy
interested in freedom of speech. So we built a toolkit with him
with his funding and support for journalists. Because if a
journalist gets hacked, and they've got, let's say, 10
million followers, that's a lot of people who are going to be
influenced in a big way. So again, that goes back to, again,
the Dale Carnegie quote, this particular funder was interested
in these things, I could have spent two years trying to get
him interested in cyber, much better for us to be interested
in democracy and interested in freedom of speech, and then see
how cyber fits into that. It'll be like we said, at the start of
this call, you know, I'd love to make the internet as safe as the
water industry as safe as the electricity industry, maybe. But
that's, that's going to take quite a while. That's, that's my
passion. But why would anybody be interested in the safety of
water or the safety of electricity, it's kind of just
there. So cyber is a utility, it's a kind of telco, it's an
internet service. So it's not fun, it's not exciting. So
you're much better to engage in what they're already excited
about. And those things need the utilities of electricity, water,
gas, cyber, we're just one of those things, and we therefore
got to make it make it relevant.
True, so true. When I hear you talk about
justifying cybersecurity investments, at a more
fundamental level, I'm reminded of some work I did with a
company many years ago, the company was in the energy
sector, they had this business case process in place, where you
had to justify a strategic investment over a certain dollar
amount, by linking it to at least one of their four value
propositions. If you could not make a compelling argument on
how the proposed initiatives directly or indirectly impacted
those value propositions, the chances of getting funding
significantly diminished. As I reflect on our discussion, I
believe carbon reduction should become one of the value
propositions for every company. When reducing the carbon
footprint becomes one of the key selection criteria, the process
automatically ensures that every initiative and organization
pursues has a direct or indirect impact on reducing the carbon
footprint. Yeah,
no, totally agree. And I think you've got it in
one, but to expand on it some more. So there's going to be two
types of companies on that the type of company where one of its
three big strategies is to reduce carbon. So it's a no
brainer, as you say, if a business case doesn't have that
in there, why would anybody look at the business case it falls at
the first gate, therefore If you're a CISO, or you're
pitching for some IT project that involves cyber or your
cyber sales organization, you're dumb not to include that in
there. If your company that you work for or you're selling to,
doesn't have cyber in its top three priorities, kind of a
surprise, but actually back to the point, to make one of
100 business cases jump off the page and jump out and grab
somebody by the throat and go, Yeah, I've got this emotional
connection with this thing. Why not put carbon in even if it's
not monetizable, so it doesn't add up to the dollars, cents,
pounds and pence in the balance sheet that's in your
business proposal, if it's in the words that go and by the
way, a net benefit of this is dot, dot dot. I mean, in the UK,
since, since the new year, I've seen two adverts on primetime TV
for kind of pensions, investment things and they say, put your
money with us. And these are some of the things we are doing.
And it's got brilliant pictures of people blowing up coal fired
power stations, building solar panel things, etc. So people are
starting to build this whole thing into their sales messaging
to say, bring your money to me because I'm caring for the
planet. So people are desperate to get these messages in
there. And the point of reality, you know, if I were talking to
CFOs, on the planet is the whole carbon trading industry, the
whole carbon offset industry is running out of road, you know,
there's only a finite number of trees you can plant and the more
trees you plant, okay, solve the carbon problem today, but it
probably moves the problem to our children and our
grandchildren. Big data center providers now are looking at
putting data providers under the ocean as a way of going carbon
neutral carbon negative for that, for that cooling. So
people are doing really big innovative thinking in terms of
really big investments, I mean, putting a data center for one of
the four big cloud providers under the ocean is a non trivial
conversation, they can have quite hostile environment. So
going back to one of my openers, cybercrime is a trillion dollar
thing. If I go to the, if it were a country, it would be in
the G20, if not in the G7. G20, G7 world leaders talk about
these big things. Trillion dollar is an eye-watering amount
of money. In fact, of the top tech companies on the planet,
they've only recently burst through the trillion dollar
valuation thing. They don't have the revenues of a trillion
dollars. So anything that big, economically in terms of you
know, global macro economic scale, must have must be a big
conversation. So if people like the big data providers are
having really big billion dollar conversations to reduce carbon,
then surely the cyber angle, the cyber carbon angle must be a
conversation that today we're missing. In other words, people
need new ideas in this space, and therefore we're prepared to
pay for those ideas or give people their intellectual
capital give people their time. Because, yeah, you know, I get
back to the point that, although I'm in the cyber industry, we're
both in the cyber industry, it's not that engaging, it can be a
bit boring, saying change your passwords, buy a firewall,
everybody should be engaged, we should all train our staff. Some
of those things have been repeated quite a bit. Therefore,
cyber needs a new conversation. But also, the carbon reduction
conversation needs new ideas, because people are desperate.
And we've proved with a recent COP conference that
people aren't doing enough to solve the carbon problem. So
therefore, a trillion dollar industry for want of a better
word, there must be some solution in there. And I don't
have all the answers. We just at the start of this journey. I'm
just at the start of this journey. We kicked about with
some students, which we worked with from NCSC in the UK over
the summer, we just ran some numbers, and we thought, hey,
there's something in here.
That absolutely I think there's a lot
in there. And we need to change the conversation or reconfigure
the conversation, talking about reconfiguring the conversation,
it brings back memories, and I've been a business school
professor for over two decades. And I've seen how the business
media, they are great at changing the labels to draw
attention to certain phenomenon. For instance, you probably have
heard this business process reengineering was a huge
buzzword for a long period of time. That has evolved to now
what we call business process management, I teach I happen to
teach a class in that area, then e-business, e-commerce, even
that area has gone through evolution from the standpoint of
labeling, from the standpoint of scoping the field, what it
entails what it doesn't. So it helps to refresh the discussion.
You know, come at it with a new pair of eyes or with a different
kind of a mindset. And so I think I really like this
approach of looking at cybersecurity investments
looking at the importance of securing the organization from
the standpoint of reducing carbon footprint, it gives it a
bigger appeal, it makes it environmentally more conscious.
So that conversation takes on a different tone and a hue, if I
may. Well, as, unfortunately, all good things have to come to
an end, this episode is also coming to an end. But I'd like
to give you an opportunity to wrap this up with some final
thoughts with some summaries, whatever you want.
I mean, so again, thanks. Thanks for the time.
Brilliant conversation. So really to say is, it's early
days. So this is a thought we've kind of had in 2021 2022. So
hopefully, we can report back in and you can follow the GCA and
see how things are going. I think, for me, you've hit on a
good point there. I think the word cyber is probably 10 years
old. So as you say, relabeling some things or rebooting, I
think various films that were out 20 years ago have just been
remade. So I'm not suggesting we call it cyber 2.0. But yes,
when the thing has existed for 10 years, we need to up the
excitement, we need to up the engagement. And I think one of
the things you've talked about is key message for the regular
folks, and I don't think we have enough of those. So I think if
there was one key message for the regular folks is that
everybody is part of somebody's supply chain, and cyber matters
to everybody. And if we acknowledge that we're not
everybody's not just a buyer or something, they're also a seller
or something. And we can put cyber into the sales
conversation, they get cyber more mainstream in the business,
which we all acknowledge it needs to be. And the closing
point of that is, yeah, as we said, there's, there's no escape
room for carbon. Unless we all go to the moon, or one of the
famous billionaires manages to build a rocket and completely
leave the planet, leaving a whole lot of carbon behind us,
he does it. And we're kind of stuck on this planet. And we all
love it. So we're all in this together. And the more we can
use that conversation, to realize that we're actually all
in it together with cyber and cyber is stealing a trillion
from our planet's economy every year. Tying those two together
to get as emotionally connected with both of those problems has
to be a good thing. So hopefully, that's been useful.
But again, we'll keep the conversation going elsewhere and
hopefully report back in and see how we can drive that forward.
Well, thank you very much, Andy, for your
time. This was truly a great conversation.
Thank you. Thanks again.
A special thanks to Andy Bates for his
time and insights. If you liked what you heard, please leave the
podcast a rating and share it with your network. Also
subscribe to the show so you don't miss any new episodes.
Thank you for listening, and I'll see you in the next
episode.
The information contained in this podcast is for
general guidance only. The discussants assume no
responsibility or liability for any errors or omissions in the
content of this podcast. The information contained in this
podcast is provided on an as-is basis with no guarantee of
completeness, accuracy, usefulness, or timeliness. The
opinions and recommendations expressed in this podcast are
those of the discussants and not of any organization.