Artwork for podcast The Cybersecurity Readiness Podcast
Ignorance is not bliss: A Whole-of-Enterprise Approach to Threat Management
Episode 1210th November 2021 • The Cybersecurity Readiness Podcast • Dr. Dave Chatterjee
00:00:00 00:49:06

Share Episode

Shownotes

The incredibly articulate Anne Leslie, Threat Management Consultant, IBM Security, shares some powerful messages and recommendations on threat management. One such message is to nurture a Whole-of-Enterprise approach where "leaders believe that the people who work for them are not just as important as the systems and the data, they're more important." Anne also emphasizes the importance of "looking within and knowing what it is that we have, why people might want that, and how they might go about getting it."

Time Stamps

00:42 -- So, let's begin by talking about the major information security threats out there and you being in Europe, we'd love to get that perspective.

05:49 -- Anything that you see out there by way of best practices, in terms of staying on top of the latest attack vectors and methods.

10:43 -- I'd love to hear your perspective on a human-centered cyber defense strategy.

19:20 -- I read in the media reports that organizations are often slow, and for lack of a better word, negligent in promptly and effectively responding to cyber intelligence. This is definitely a weakness that no organization can afford. What are your thoughts?

29:38 -- I'd love to get your thoughts on joint ownership and accountability, or shared ownership and accountability?

38:44 -- Any final thoughts?

Memorable Anne Leslie Quotes

06:29

"So one of the things that I notice in our industry, across businesses, is that we have a tendency to look outwards before we look inwards. And in practical terms, what that means is, we're not very clear collectively about what it is in our organizations and our businesses that adversaries might want."

06:29

"Let's start with looking within and knowing what it is that we have, why people might want that, and how they might go about getting it. If we already have answers to those questions, we're on a good footing."

13:34

"I believe that people come to work every day with an often unarticulated aspiration to be useful. And it just seems to me that we're totally missing out on capitalizing on people's best intentions and their creativity and their motivation - when we label them weak when we label them as a vulnerability against which we need to defend."

13:34

"People want to contribute, people want to be helpful, they want to be united in something that's a little bit bigger than themselves. And security practitioners, in particular, maybe not all of them, but the majority that I've interacted with, are driven by a desire to protect, they're driven by a cause. To them, security is more than a job, it's a cause they want to defend."

18:09

"It's not just about buying more technology, It's about doing more with what we have, where we are. And making the most of the capability that we can get from our people is a key factor in that."

23:41

"I loved what you just said about the impact of security being positively correlated with the health of the culture in the organization. Yes, a million times, yes! Because when you have a healthy organization - which is built up consistently, with consistent behaviors, consistent attitudes, consistent interventions on the part of leadership - what it instills, in people at every level of the organization, is a sense of accountability, a sense of responsibility, a sense of pride. And most importantly, it instills a desire to protect, because people have an emotional connection to their organization and an emotional connection to the leadership, even if they've never spoken to them."

----------------------------------------------

Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Transcripts

Introducer:

Welcome to the Cybersecurity Readiness Podcast

Introducer:

series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of

Cybersecurity Readiness:

A Holistic and High-Performance

Cybersecurity Readiness:

Approach by SAGE publishing. He has been studying cybersecurity

Cybersecurity Readiness:

for over a decade, authored and edited scholarly papers,

Cybersecurity Readiness:

delivered talks, conducted webinars, consulted with

Cybersecurity Readiness:

companies, and served on a cybersecurity SWAT team with

Cybersecurity Readiness:

chief information security officers. Dr. Chatterjee is an

Cybersecurity Readiness:

Associate Professor of Management Information Systems

Cybersecurity Readiness:

at the Terry College of Business, the University of

Cybersecurity Readiness:

Georgia, and Visiting Professor at Duke University's Pratt

Cybersecurity Readiness:

School of Engineering.

Dr. Dave Chatterjee:

Hello, folks, I'm delighted to welcome

Dr. Dave Chatterjee:

you to this episode of the Cybersecurity Readiness Podcast

Dr. Dave Chatterjee:

Series. Today, I will be talking with Anne Leslie of IBM, about

Dr. Dave Chatterjee:

threat management and security, intelligence and operations best

Dr. Dave Chatterjee:

practices. It's going to be a very exciting conversation, Anne

Dr. Dave Chatterjee:

is a terrific speaker. I've heard her many times. And I know

Dr. Dave Chatterjee:

you'll enjoy listening to what she has to offer. A little bit

Dr. Dave Chatterjee:

about Anne. She is a Senior Managing Consultant for Threat

Dr. Dave Chatterjee:

Management in the IBM Security Center of Competency. Within the

Dr. Dave Chatterjee:

center of competency, Anne leads the application of Garage and

Dr. Dave Chatterjee:

Design Thinking to some of the most wicked problems facing

Dr. Dave Chatterjee:

security practitioners. And she is a fervent champion of human

Dr. Dave Chatterjee:

centered approaches to improving security outcomes. Prior to

Dr. Dave Chatterjee:

joining IBM, Anne's career spanned the intersection of

Dr. Dave Chatterjee:

financial services, European regulatory policy, blockchain

Dr. Dave Chatterjee:

and IT in leadership roles in both sales and advisory.

Dr. Dave Chatterjee:

Bilingual in French and English, she holds an executive MBA from

Dr. Dave Chatterjee:

the HEC Business School in Paris, and also has several

Dr. Dave Chatterjee:

technology and cybersecurity certifications. Anne was born

Dr. Dave Chatterjee:

and raised in the Republic of Ireland, and currently resides

Dr. Dave Chatterjee:

in Paris, France, which has been her home now for over 20 years.

Dr. Dave Chatterjee:

Anne welcome! thanks for making time to share your expertise

Dr. Dave Chatterjee:

with our listeners here. So, let's begin by talking about the

Dr. Dave Chatterjee:

major information security threats out there and you being

Dr. Dave Chatterjee:

in Europe, we'd love to get that perspective.

Anne Leslie:

Thanks, Dave, I'm absolutely delighted to be with

Anne Leslie:

you. And I really appreciate the invitation. So the threats that

Anne Leslie:

are, you know, prevalent. It's very easy in cybersecurity, to

Anne Leslie:

feel constantly overwhelmed. There are threats everywhere,

Anne Leslie:

affecting every industry. And they just you know that the

Anne Leslie:

headlines just seem to give us this impression that it's an

Anne Leslie:

unfightable wave, you know, that almost sort of resistance is

Anne Leslie:

futile that there are threats coming at us from every

Anne Leslie:

direction. And it's just all terrible. Now, that's not a

Anne Leslie:

helpful state of affairs. And I'm not here to tell you that

Anne Leslie:

there aren't threats. I'm not here to tell you that, you know,

Anne Leslie:

we're not facing things that are serious, we are. But we're not

Anne Leslie:

all facing the same threats. And that's one of the things that I

Anne Leslie:

think is really important to emphasize is that all of the

Anne Leslie:

headlines that are coming out and the bulletins and the

Anne Leslie:

warnings, they don't apply to everybody. And it's knowing how

Anne Leslie:

to sift through that mass of information, and to not get

Anne Leslie:

lulled by fear into inertia, that that's that's really where

Anne Leslie:

the secret sauce is in all of this. It's knowing how to

Anne Leslie:

distill out of all of that, what is the intelligence that matters

Anne Leslie:

to me, my team, my organization, what are the threats that

Anne Leslie:

matter? And, one of the things that I've noticed in my time in

Anne Leslie:

security is that the people who have real expertise in this the

Anne Leslie:

people who have real mastery, and I'm not putting myself in

Anne Leslie:

that category, right? I'm looking at sort of, you know,

Anne Leslie:

Katie Nickels, for example, who's now at Red Canary and used

Anne Leslie:

to be at MITRE, now an instructor at SANS. I'd look to

Anne Leslie:

her often right, as a teacher in this space, and I've noticed

Anne Leslie:

that the people in in cybersecurity who do have

Anne Leslie:

mastery of their domain, they have no problem simplifying it.

Anne Leslie:

They have no problem asking simple questions as a way of

Anne Leslie:

getting started. And having that ability to ask simple but

Anne Leslie:

targeted questions, it seems to come with confidence. I think

Anne Leslie:

that's one of the things that we really need to help each other

Anne Leslie:

do better in security is as practitioners, we need to help

Anne Leslie:

each other, build the confidence to ask better questions, simpler

Anne Leslie:

questions, more targeted questions as a way of starting,

Anne Leslie:

and then getting incrementally better at identifying and then

Anne Leslie:

defending against the threats that matter.

Dr. Dave Chatterjee:

Excellent. Yes, that's precisely the way to

Dr. Dave Chatterjee:

go about staying up on things. Talking about staying abreast of

Dr. Dave Chatterjee:

the latest attack vectors and methods, like you said, every

Dr. Dave Chatterjee:

organization needs to be able to filter through all the messaging

Dr. Dave Chatterjee:

out there, all the information out there, all the intelligence

Dr. Dave Chatterjee:

out there, and taking what is most relevant to their context

Dr. Dave Chatterjee:

to their organizational needs. You know, anything that you see

Dr. Dave Chatterjee:

out there by way of best practices, in terms of staying

Dr. Dave Chatterjee:

on top of the latest attack vectors and methods?

Anne Leslie:

So a personal life hack that I use, as a way of

Anne Leslie:

filtering through, just there's too much information out there

Anne Leslie:

right now on every single topic. And as a way for me, to manage

Anne Leslie:

that information, what I have a tendency to do is go back to

Anne Leslie:

timeless pieces of writing. And what I mean by that, I go back

Anne Leslie:

to writings of stoic philosophers, I go back to the

Anne Leslie:

Art of War by Sun Tzu. And the reason I do that is because

Anne Leslie:

there is wisdom in there, that is applicable everywhere, in our

Anne Leslie:

personal lives, and in our professional lives, and two

Anne Leslie:

particular aspects of those writings stick with me. So from

Anne Leslie:

the art of war, I would look for example, at the wisdom about

Anne Leslie:

knowing yourself and knowing your enemy. And from the stoic

Anne Leslie:

philosophers, this idea that we can't choose our circumstances,

Anne Leslie:

but we always have a choice in response. So one of the things,

Anne Leslie:

again, that I noticed in our industry, across businesses, is

Anne Leslie:

that we have a tendency to look outwards before we look inwards.

Anne Leslie:

And in practical terms, what that means is, we're not very

Anne Leslie:

clear collectively about what it is in our organizations and our

Anne Leslie:

businesses that adversaries might want. What do we have

Anne Leslie:

that's valuable? Have we catalogued it? Have we

Anne Leslie:

inventoried it? Do we know precisely what it is that

Anne Leslie:

adversaries might want to steal from us? Do we know precisely

Anne Leslie:

what are the systems, information assets, the

Anne Leslie:

infrastructure that if it was attacked, or if it was subject

Anne Leslie:

to some kind of harm, what parts of our business would cripple us

Anne Leslie:

if they were attacked? And it's a simple question, getting the

Anne Leslie:

answer isn't always easy. But it does blew my mind a little bit

Anne Leslie:

that we are so bad in some ways as having an answer to it. And

Anne Leslie:

not knowing is not a crime, right? I'm not trying to

Anne Leslie:

castigate anybody here for not knowing but skirting around it

Anne Leslie:

is negligence. You know, not asking that question is

Anne Leslie:

negligence. So I always encourage, when I get the

Anne Leslie:

opportunity, starts by looking within, start by talking to the

Anne Leslie:

people, if you've got experienced people who've been

Anne Leslie:

in your organization, system administrators, for example, go

Anne Leslie:

talk to them. They're going to know, for example, what your

Anne Leslie:

network looks like, they'll probably have a pretty good idea

Anne Leslie:

of where you're vulnerable. Start there. Start by collecting

Anne Leslie:

the intelligence that the people in your organization already

Anne Leslie:

have about you. And once you've exhausted what you can get from

Anne Leslie:

within your organization, then start looking out. But it's a

Anne Leslie:

question of knowing what to look for. And you know, when we talk

Anne Leslie:

about intelligence, there's the the framework of the

Anne Leslie:

intelligence cycle, the first and the last stages of that are

Anne Leslie:

the ones where I sort of see the most most problems. So we'd be

Anne Leslie:

talking about to the planning and direction. You know, what,

Anne Leslie:

what intelligence are we trying to gather for what purpose. And

Anne Leslie:

that requires making choices. And as humans, we're not great

Anne Leslie:

at making choices because choices imply risk, that always

Anne Leslie:

the risk that we might get it wrong. But starting with looking

Anne Leslie:

within and knowing what it is that we have, why people might

Anne Leslie:

want that, and how they might go about getting it. If we already

Anne Leslie:

have answers to those questions, we're on a good footing.

Dr. Dave Chatterjee:

I love it, I'd like to re emphasize what

Dr. Dave Chatterjee:

you just said. The two things that came to mind, first is,

Dr. Dave Chatterjee:

ignorance is not bliss, when it comes to cybersecurity

Dr. Dave Chatterjee:

management. I like the way you framed it, you have to look

Dr. Dave Chatterjee:

inside first, you have to know what your vulnerabilities are as

Dr. Dave Chatterjee:

an organization. And who's you? I guess it starts all at the

Dr. Dave Chatterjee:

top, the senior management, the top management. Now, are we

Dr. Dave Chatterjee:

expecting top management to know everything about security?

Dr. Dave Chatterjee:

Absolutely not. But are we expecting them to be on top of

Dr. Dave Chatterjee:

it to make every effort, like you said that it's not

Dr. Dave Chatterjee:

acceptable to not know or make no effort to know. I think

Dr. Dave Chatterjee:

that's probably the more appropriate word that and again,

Dr. Dave Chatterjee:

negligence is a very powerful word, we'll talk about that as

Dr. Dave Chatterjee:

we go along in this conversation. But at the onset,

Dr. Dave Chatterjee:

as a senior executive, I would make every effort to know as

Dr. Dave Chatterjee:

much as I can about the security threats that plague my

Dr. Dave Chatterjee:

organization, or that could potentially affect my

Dr. Dave Chatterjee:

organization, and how best I could organize to defend against

Dr. Dave Chatterjee:

those threats. I would make every effort, so later on, if

Dr. Dave Chatterjee:

something were to go wrong, and there's no guarantee that an

Dr. Dave Chatterjee:

organization won't be hacked, so that is a possibility. If that

Dr. Dave Chatterjee:

were to happen, I have a much stronger case, I can at least

Dr. Dave Chatterjee:

emphatically state that I did everything I possibly could.

Dr. Dave Chatterjee:

There are no dearth of resources, there are no dearth

Dr. Dave Chatterjee:

of expertise out there. You have to make the effort to plug into

Dr. Dave Chatterjee:

those resources, plug into those expertise. You're not, you know,

Dr. Dave Chatterjee:

likely to have everyone that you would like, who are experts in

Dr. Dave Chatterjee:

the field, but there are many who are really good. And there

Dr. Dave Chatterjee:

is a lot of advice that is out there that you could benefit

Dr. Dave Chatterjee:

from. So ultimately, it comes down to the will, the desire to

Dr. Dave Chatterjee:

want to be on top of things. Fantastic. The next thing I want

Dr. Dave Chatterjee:

to talk about, I loved reading this in your bio, you state that

Dr. Dave Chatterjee:

you are a fervent champion of human centered approaches to

Dr. Dave Chatterjee:

improving security outcomes. And you know, human element is such

Dr. Dave Chatterjee:

an important element. You can't overemphasize the significance

Dr. Dave Chatterjee:

of the human factor. I'd love to hear your perspective on a

Dr. Dave Chatterjee:

human-centered cyber defense strategy.

Anne Leslie:

Thank you so much for asking that question. So I,

Anne Leslie:

I noticed when I first started working in security, that

Anne Leslie:

frequently, we'd hear about how the human element was the

Anne Leslie:

weakest element, how people are the achilles heel of the best

Anne Leslie:

laid plans in security, how people make mistakes, how people

Anne Leslie:

click on links, how people are what makes our organizations

Anne Leslie:

vulnerable. Now, that grinds my gears on so many levels, because

Anne Leslie:

I do believe that organizations depend on people, no! We live in

Anne Leslie:

a world where organizations are fueled by human endeavor. And I

Anne Leslie:

believe that people come to work every day with sometimes an

Anne Leslie:

unarticulated aspiration but to be useful. And it just seems to

Anne Leslie:

me that we're totally missing out on capitalizing on people's

Anne Leslie:

best intentions and their creativity and their motivation,

Anne Leslie:

when we label them weak when we label them as a vulnerability

Anne Leslie:

against which we need to defend. So there are a few layers on

Anne Leslie:

this. The first is that I am always positively blown away

Anne Leslie:

when I get the chance to go and speak to security practitioners

Anne Leslie:

in different organizations, and even not just security

Anne Leslie:

practitioners, just people in general. People want to

Anne Leslie:

contribute, people want to be helpful, they want to be united

Anne Leslie:

in something that's a little bit bigger than themselves. And

Anne Leslie:

security people in particular, maybe not all of them, but the

Anne Leslie:

majority that I've interacted with, are driven by a desire to

Anne Leslie:

protect, they're driven by a cause security is more than a

Anne Leslie:

job, it's a cause they want to defend. And when I talk about

Anne Leslie:

utilizing human centered methods, it's going and actually

Anne Leslie:

interacting with these people and saying to them, how could we

Anne Leslie:

go about making your day go better? How could we go about

Anne Leslie:

allowing you to have more impact? What might we be able to

Anne Leslie:

do to take obstacles out of your way? And those are simple

Anne Leslie:

questions, but they don't get asked very often. And one of the

Anne Leslie:

the experiences that I had earlier this year was talking to

Anne Leslie:

a Level II SOC (security and operations center) analyst. And

Anne Leslie:

I was interviewing him asking him, you know about process and

Anne Leslie:

you know, how his day is structured. And we're talking

Anne Leslie:

about systems he uses. And he was very suspicious initially in

Anne Leslie:

the interview, a bit cagey and I, you know, I really had to

Anne Leslie:

work hard to try and build up a bit of a rapport, put him at

Anne Leslie:

ease. And eventually I just said it to myself, you seem to be,

Anne Leslie:

you know, very wary of me. I'm not trying to catch you out. He

Anne Leslie:

looked at me and said, well, okay, it's just nobody's ever

Anne Leslie:

asked me before. Nobody's ever really seem to care. You know,

Anne Leslie:

as I used to be a level one analyst and I got promoted to

Anne Leslie:

level two. But, you know, we're kind of looked as though we're

Anne Leslie:

grunts. We're kind of looked at as though, well, we can't

Anne Leslie:

replace you yet with bots. But if we could, we would. And it

Anne Leslie:

made me sad. It made me sad that there is so much potential

Anne Leslie:

there. There are so many great people being thwarted for the

Anne Leslie:

impact that they would be able to have for their organizations'

Anne Leslie:

because we don't try to help them enough to actually do the

Anne Leslie:

jobs, but deep down, they really want to do, they want to defend,

Anne Leslie:

they want to protect, they want to feel that they're doing

Anne Leslie:

something positive and constructive. And yet, too

Anne Leslie:

often, they feel that it's futile, that the work they're

Anne Leslie:

doing is a) unnoticed, b) unremarkable, and c) just

Anne Leslie:

thankless.

Anne Leslie:

And it shouldn't be that way. What we're up against

Anne Leslie:

individually in organizations and collectively is too

Anne Leslie:

important for us to miss out on leveraging all of that human

Anne Leslie:

potential. So where I get the opportunity, I try to do

Anne Leslie:

discovery around what's really going on for these

Anne Leslie:

practitioners. And I do my utmost to then communicate it to

Anne Leslie:

the leaders in those organizations, to translate it

Anne Leslie:

into business terms, risk impact, and say, if we did this,

Anne Leslie:

it will allow you from an executive perspective, to have

Anne Leslie:

these, this impact and these outcomes which matter to you

Anne Leslie:

from an executive perspective. But it's not just about buying

Anne Leslie:

more technology. It's about doing more with what we have,

Anne Leslie:

where we are. And instrumentalizing capability

Anne Leslie:

that we can get from our people is a key key factor in that.

Dr. Dave Chatterjee:

Wonderful, very well articulated, in fact,

Dr. Dave Chatterjee:

several thoughts come to mind, as I hear your take on

Dr. Dave Chatterjee:

involving, engaging humans; as you've heard me mentioned

Dr. Dave Chatterjee:

several times and in my talks, I'm a huge fan of theme or

Dr. Dave Chatterjee:

statement that cybersecurity or cybersecurity readiness is

Dr. Dave Chatterjee:

everyone's business. This is not just a domain for technology

Dr. Dave Chatterjee:

experts. This is not just a domain for information security

Dr. Dave Chatterjee:

experts. Everyone needs to get involved. And I couldn't agree

Dr. Dave Chatterjee:

with you more when you said that people come to work with great

Dr. Dave Chatterjee:

intentions, they want to do great things. The exact same

Dr. Dave Chatterjee:

view was articulated in my first podcast, with the president of

Dr. Dave Chatterjee:

an insurance company, he said exactly the same thing. We must

Dr. Dave Chatterjee:

trust in the people in our organization, they can do great

Dr. Dave Chatterjee:

things, we are not asking them to all become cybersecurity

Dr. Dave Chatterjee:

experts, we should not frighten them away by making them think

Dr. Dave Chatterjee:

that they have to learn all these technical details. But we

Dr. Dave Chatterjee:

can definitely equip them with the necessary knowledge that

Dr. Dave Chatterjee:

could help us deal with one of the key threats in cyber

Dr. Dave Chatterjee:

security, which is hacking, and as you know, 99% of the hacks

Dr. Dave Chatterjee:

are focused on the vulnerable humans. Along those lines,

Dr. Dave Chatterjee:

there's one more thing I'd like to share with our listeners, I

Dr. Dave Chatterjee:

talked about it in my book. And that relates to how do you

Dr. Dave Chatterjee:

create a cohesive culture, a human-centered

Dr. Dave Chatterjee:

We-Are-In-It-Together culture? Whenever we use the word

Dr. Dave Chatterjee:

culture, you know, it's kind of abstract. People like to stay

Dr. Dave Chatterjee:

away from it, because it's easier said than done. But as

Dr. Dave Chatterjee:

you know, there's a lot of research, backed by great

Dr. Dave Chatterjee:

evidence, case studies, that the more high-performing the

Dr. Dave Chatterjee:

culture, the more effective the firm performance. So what how do

Dr. Dave Chatterjee:

you create this high-performance information security culture, I

Dr. Dave Chatterjee:

won't get into all the details of it. But one thing I'm going

Dr. Dave Chatterjee:

to mention, and that is striving to build emotional capital, over

Dr. Dave Chatterjee:

a period of time, where employees feel valued, and

Dr. Dave Chatterjee:

develop a sense of belonging, they take pride in their work.

Dr. Dave Chatterjee:

They're having fun. And last, but not the least, they perceive

Dr. Dave Chatterjee:

leadership to be genuine and authentic. We've touched upon

Dr. Dave Chatterjee:

this earlier, we will touch upon it again. At the end of the day,

Dr. Dave Chatterjee:

I'm convinced that it really boils down to how committed, how

Dr. Dave Chatterjee:

involved, how engaged, top management is, because then

Dr. Dave Chatterjee:

that's the spirit that spreads throughout the organization that

Dr. Dave Chatterjee:

infuses people to do great things. And the result is

Dr. Dave Chatterjee:

generally great. Fabulous, you really got me going here Anne.

Dr. Dave Chatterjee:

I'm not the guest, but I'm going to switch it back to you

Dr. Dave Chatterjee:

shortly. So let's talk about what you do at IBM, in the area

Dr. Dave Chatterjee:

of security, intelligence and operations. By way of a prompt,

Dr. Dave Chatterjee:

and again, feel free to deviate from it. One of the things that,

Dr. Dave Chatterjee:

once again, strikes me as extremely important is, I read

Dr. Dave Chatterjee:

in the media reports that organizations are often slow,

Dr. Dave Chatterjee:

and for lack of a better word, negligent in promptly and

Dr. Dave Chatterjee:

effectively responding to cyber intelligence. This is definitely

Dr. Dave Chatterjee:

a weakness that no organization can afford. What are your

Dr. Dave Chatterjee:

thoughts?

Anne Leslie:

So there are a few aspects to that. The first one

Anne Leslie:

is that we have, and I mean that in the broader sense that we as

Anne Leslie:

a society, we love to, we love to blame. We love victim

Anne Leslie:

blaming. Yeah. And yes, there's always they're always

Anne Leslie:

contributing factors. We need to look at root causes, we need to

Anne Leslie:

find out what happened. But the tendency that we have to try and

Anne Leslie:

pin blame frequently on an individual in my view is

Anne Leslie:

unhelpful and we do it way too often. There are some been some

Anne Leslie:

very, very high profile breaches where responsibility was

Anne Leslie:

assigned to the chief information security officer.

Anne Leslie:

Generally that person gets dismissed in disgrace. Okay. Is

Anne Leslie:

it an appropriate response? That's probably a conversation

Anne Leslie:

for another time, but the thing that really bothers me about

Anne Leslie:

that approach is that, were any real changes made to the

Anne Leslie:

fundamental systemic problems that exists in those

Anne Leslie:

organizations. Was there any organizational cultural change?

Anne Leslie:

Were there any leadership changes? Did we really exercise

Anne Leslie:

due diligence in being disciplined? And looking at why,

Anne Leslie:

from a systemic perspective, that breach happened? And I

Anne Leslie:

would hazard a guess, and say, No. That's the problem. That's

Anne Leslie:

where leadership is absolutely essential. Because it doesn't

Anne Leslie:

matter how great we have, how great the people we have lower

Anne Leslie:

down the organization, if the culture is one of blame, if the

Anne Leslie:

culture is one of making individuals responsible for

Anne Leslie:

organizational failure, then security will never be able to

Anne Leslie:

deliver. So I loved what you just said about the the impact

Anne Leslie:

of security being positively correlated with the health of

Anne Leslie:

the culture in the organization. Yes, a million times, yes.

Anne Leslie:

Because when you have a healthy organization, which is built up

Anne Leslie:

consistently, with consistent behaviors, consistent attitudes,

Anne Leslie:

consistent interventions on the part of leadership, what it

Anne Leslie:

instills, in people at every level of the organization, is a

Anne Leslie:

sense of accountability, a sense of responsibility, a sense of

Anne Leslie:

pride, and most importantly, a desire to protect, because they

Anne Leslie:

have an emotional connection to their organization, an emotional

Anne Leslie:

connection to the leadership, even if they've never spoken to

Anne Leslie:

them. There's an emotional connection, which says, I feel

Anne Leslie:

responsible for the person to the left of me, the person to

Anne Leslie:

the right of me, I feel responsible for the things that

Anne Leslie:

we work on, the data, the systems, I'm going to make an

Anne Leslie:

effort that if I see something that's a bit odd, a bit of

Anne Leslie:

scans, I could just walk on by. But if I care, if I feel that

Anne Leslie:

emotional connection, I won't walk on by, I'll find a way of

Anne Leslie:

alerting somebody who can do something about it. And people

Anne Leslie:

who are disengaged from the organization, don't care. They

Anne Leslie:

don't have that emotional connection. So they won't make

Anne Leslie:

the effort. And in the worst cases, that's where you get your

Anne Leslie:

insider threats is where people are so, so resentful, so bitter,

Anne Leslie:

so disenchanted. That they want to hurt the organization that

Anne Leslie:

they work for. So security, yes, we have systems, we have

Anne Leslie:

technology, we have processes, we have security operation

Anne Leslie:

centers, we have all of the component parts of security as a

Anne Leslie:

domain, but for security to really infuse the fabric of an

Anne Leslie:

organization.

Anne Leslie:

It will never have the impact it needs to have unless the

Anne Leslie:

organization as a whole is already functioning well as a

Anne Leslie:

collective body, with leaders who care leaders who connect

Anne Leslie:

leaders who believe that the people who work for them are not

Anne Leslie:

just as important as the systems and the data, they're more

Anne Leslie:

important. And we try them to enable them. We try to protect

Anne Leslie:

those people. And there is a real difference in in the the

Anne Leslie:

outcomes that you will see in companies where the leadership

Anne Leslie:

embodies this belief that people matter. That's an organization

Anne Leslie:

where you can do amazing things with security, because it will

Anne Leslie:

be a whole of enterprise initiative. And like you say, We

Anne Leslie:

don't need everybody in the organization to know all the

Anne Leslie:

specifics of what happens on the back -end of security. We have

Anne Leslie:

experts to do that. But we need to have a whole of enterprise

Anne Leslie:

approach so that people care.

Dr. Dave Chatterjee:

Love it, love it. The whole of enterprise

Dr. Dave Chatterjee:

approach. That makes so much sense. In fact, I'd like to

Dr. Dave Chatterjee:

again, highlight a few things that you talked about. I

Dr. Dave Chatterjee:

believe, you emphasized the importance of getting away from

Dr. Dave Chatterjee:

the scapegoating culture. We don't need that. I think as you

Dr. Dave Chatterjee:

said, brilliantly, when a problem happens, when there's a

Dr. Dave Chatterjee:

major breach, the easy part is to point to an individual, blame

Dr. Dave Chatterjee:

that person person, fire him or her. And often the organization

Dr. Dave Chatterjee:

comes across as very responsive, acting promptly and often the

Dr. Dave Chatterjee:

organization is rewarded by the financial markets. But even I am

Dr. Dave Chatterjee:

of the opinion as you that that may not be the right approach,

Dr. Dave Chatterjee:

the organization has to look deeper. Root cause analysis is

Dr. Dave Chatterjee:

an approach or method that is widely touted whatever the name

Dr. Dave Chatterjee:

whatever the acronym bottom line is, you've got to look deeper

Dr. Dave Chatterjee:

into your systems and processes to see what went wrong. As

Dr. Dave Chatterjee:

compared to just blaming one person, by replacing that person

Dr. Dave Chatterjee:

really would you have solved the problem that caused the breach,

Dr. Dave Chatterjee:

let's say; that may not be the case, there might be a need for

Dr. Dave Chatterjee:

bringing about more systemic changes in structure, in

Dr. Dave Chatterjee:

processes, in training. So it has to be an organization- wide

Dr. Dave Chatterjee:

effort. So we've got to be much more substantive in our

Dr. Dave Chatterjee:

approach, and not being very superficial. So that's kind of,

Dr. Dave Chatterjee:

it is important to remind folks, that, at the end of the day, we

Dr. Dave Chatterjee:

want an organization, like you said, where everyone comes

Dr. Dave Chatterjee:

together as a team, and wants to do their best to protect. In

Dr. Dave Chatterjee:

return, there is an expectation that while I do my best to

Dr. Dave Chatterjee:

protect the organization from getting breached, the

Dr. Dave Chatterjee:

organization also has a responsibility to give me the

Dr. Dave Chatterjee:

benefit of the doubt and protect me. And I know that we might be

Dr. Dave Chatterjee:

entering a territory that has its pros and cons. So not trying

Dr. Dave Chatterjee:

to suggest that there is this one right approach, but at least

Dr. Dave Chatterjee:

trying to alert the leadership that you've got to look at it

Dr. Dave Chatterjee:

more holistically. Along those lines, and the next thing I

Dr. Dave Chatterjee:

wanted to discuss with you and you touched upon it, which is

Dr. Dave Chatterjee:

about joint ownership and accountability, or shared

Dr. Dave Chatterjee:

ownership and accountability. Easier said than done. But if

Dr. Dave Chatterjee:

there are structures and mechanisms through which this

Dr. Dave Chatterjee:

can be accomplished, that's another way of bringing the

Dr. Dave Chatterjee:

business people, the operations people, together with the

Dr. Dave Chatterjee:

security people. And I also include the vendors, the service

Dr. Dave Chatterjee:

providers, because organizations are often leveraging their

Dr. Dave Chatterjee:

services, it's very important to create a true partnership, where

Dr. Dave Chatterjee:

everyone has a stake in the game, as opposed to, here are my

Dr. Dave Chatterjee:

services you've paid for it. So you have access to these

Dr. Dave Chatterjee:

servers. Here is how you set the security for the servers. Now,

Dr. Dave Chatterjee:

now that I have trained you, I've given you some tutorial,

Dr. Dave Chatterjee:

it's your problem, nnd not mine. Instead of taking that approach,

Dr. Dave Chatterjee:

being there and saying, yes, we will support you as you manage.

Dr. Dave Chatterjee:

That is how I look at it. I'd love to get your perspective,

Dr. Dave Chatterjee:

your thoughts?

Anne Leslie:

Great question. One of the real obstacles to

Anne Leslie:

security delivering outcomes that are positive for the

Anne Leslie:

business, visible to the business, is that security in a

Anne Leslie:

lot of organizations is still very much siloed. The security

Anne Leslie:

team does security. And you'll have the ops team and the

Anne Leslie:

infrastructure team doing their thing, separately. And, it gets

Anne Leslie:

even more complicated, if for example, in the mix, you have a

Anne Leslie:

managed security provider from an external organization and an

Anne Leslie:

external infrastructure provider. And one of the things

Anne Leslie:

that I've seen again and again and again is massive, massive

Anne Leslie:

frustration in security teams saying we know where the

Anne Leslie:

vulnerabilities are. We keep flagging them. Can't do anything

Anne Leslie:

about them. Because we don't have access to the

Anne Leslie:

infrastructure. We don't have access to those assets. So what

Anne Leslie:

frequently happens is that they alert and it kind of, for want

Anne Leslie:

of a better expression, gets thrown over the fence to the

Anne Leslie:

infrastructure team. But the thing is, is that the security

Anne Leslie:

team is measured on a certain set of metrics and KPIs, the

Anne Leslie:

infrastructure team is managed on something completely

Anne Leslie:

different. And if the infrastructure team took

Anne Leslie:

instruction already, that's one of the things they don't want to

Anne Leslie:

take instruction from the security team, who are you to

Anne Leslie:

tell me how I should be doing my work. So you have that problem,

Anne Leslie:

there's an interpersonal issue there. And they frequently

Anne Leslie:

fight, they hate each other. But the the impact in terms of

Anne Leslie:

security is that the infrastructure team gets

Anne Leslie:

measured on uptime, and they have their own set of

Anne Leslie:

performance metrics and implementing the best advice

Anne Leslie:

coming from the security team would actually adversely affect

Anne Leslie:

their performance metrics.

Anne Leslie:

So what happens is that you end up having a false view from an

Anne Leslie:

executive level, because both teams are probably doing vanity

Anne Leslie:

reporting, because they don't want to look bad, you know,

Anne Leslie:

their metrics, and their dashboards are probably green.

Anne Leslie:

And yet, the enterprise is probably pretty vulnerable.

Anne Leslie:

Because alerts are coming in, there are known vulnerabilities,

Anne Leslie:

but they're not being fixed, because there's no incentive to

Anne Leslie:

actually go fix them because it will actually adversely affect

Anne Leslie:

the metrics against which people are measured and incentivized.

Anne Leslie:

So again, leadership problem, we're not measuring the right

Anne Leslie:

things. And we're not incentivizing the right types of

Anne Leslie:

behaviors, to get the teams who have dependencies on each other,

Anne Leslie:

to deliver an outcome that matters for the business. We're

Anne Leslie:

not enabling them to do that we're actually setting them up

Anne Leslie:

for conflict and failure, because they have antagonistic

Anne Leslie:

incentives, they have antagonistic performance

Anne Leslie:

metrics. So what would need to happen and again, you know, sort

Anne Leslie:

of human centered approaches, but it's like design thinking is

Anne Leslie:

bringing those people together, allow them to actually build a

Anne Leslie:

relationship, get them talking, allow them to express what it

Anne Leslie:

is, that frustrates them about the people on the other side of

Anne Leslie:

the fence, and then explain much you probably don't even need to

Anne Leslie:

explain to them right, people aren't stupid. They know,

Anne Leslie:

intuitively what needs to be done. But it's let's find a way

Anne Leslie:

again, you know, your analogy of we're all in it together a team

Anne Leslie:

sport. Nobody comes to work. I really don't believe this, that

Anne Leslie:

people come to work wanting to fight, right. And yet we do in

Anne Leslie:

companies, we spend a lot of time with turf wars and

Anne Leslie:

politics; wouldn't it be great if we could actually focus on

Anne Leslie:

something that was much more positive, much more

Anne Leslie:

constructive. So trying to get the security teams with the

Anne Leslie:

infrastructure teams and with leadership, so that the

Anne Leslie:

leadership actually realizes how badly aligned incentives cause

Anne Leslie:

people's days to be full of hostility and aggression,

Anne Leslie:

friction, and bad outcomes. How might we go about actually

Anne Leslie:

instilling something much more productive, where there are

Anne Leslie:

aligned incentives towards a shared objective, which is one

Anne Leslie:

of risk reduction and better defense?

Dr. Dave Chatterjee:

Well, wow! Totally agree, in fact, what a

Dr. Dave Chatterjee:

great segue way to the next topic, and probably the final

Dr. Dave Chatterjee:

topic of our discussion, we can go on and on. But in the

Dr. Dave Chatterjee:

interest of time, we'll probably have to draw a line somewhere.

Dr. Dave Chatterjee:

But I wanted to touch upon performance measures before we

Dr. Dave Chatterjee:

ended this episode. And you already talked about it, and

Dr. Dave Chatterjee:

you're such a great articulator of these very important trends

Dr. Dave Chatterjee:

principles. I'd like to say a few things about performance

Dr. Dave Chatterjee:

measures, what I have found in my research and work with

Dr. Dave Chatterjee:

organizations, unfortunately, often what gets measured is what

Dr. Dave Chatterjee:

is convenient to measure measure, not what needs to be

Dr. Dave Chatterjee:

measured. And I have seen that problem with e-business

Dr. Dave Chatterjee:

initiatives. And I wouldn't be surprised if that problem

Dr. Dave Chatterjee:

transcends and also exists in the cybersecurity governance

Dr. Dave Chatterjee:

space. Once again, referring to my book in the appendix, I share

Dr. Dave Chatterjee:

some examples of cybersecurity KPIs and I come at it

Dr. Dave Chatterjee:

holistically, because as you know, when you are assessing or

Dr. Dave Chatterjee:

evaluating performance, it cannot be unit dimensional, it

Dr. Dave Chatterjee:

has to be multi dimensional. So from the standpoint of cyber,

Dr. Dave Chatterjee:

you have to look at the business value impact, you have to look

Dr. Dave Chatterjee:

at the productivity impact. You also have to assess extent of

Dr. Dave Chatterjee:

preparedness, nature of incidents frequency of

Dr. Dave Chatterjee:

occurrence, compliance. So there are various aspects that needs

Dr. Dave Chatterjee:

to be monitored, and you need good measures to monitor. And

Dr. Dave Chatterjee:

you put it so well when you said your call to align these

Dr. Dave Chatterjee:

incentives. Because if I'm doing these things, if I'm attending

Dr. Dave Chatterjee:

Cybersecurity Awareness classes, and if I'm being able to apply

Dr. Dave Chatterjee:

some of the training in practice, who's watching, who's

Dr. Dave Chatterjee:

recognizing, so at the end of the year, or whenever the

Dr. Dave Chatterjee:

performance review happens, are my efforts in becoming a better

Dr. Dave Chatterjee:

cybersecurity citizen are my efforts being recognized. And at

Dr. Dave Chatterjee:

the end of the day, like you said, when people come to the

Dr. Dave Chatterjee:

organization, they all want to do great things. But it is also

Dr. Dave Chatterjee:

human nature, to want to be recognized to want to be

Dr. Dave Chatterjee:

appreciated, and there's nothing wrong with that. And often, I'll

Dr. Dave Chatterjee:

hear somebody say, well, they get paid. And I don't think

Dr. Dave Chatterjee:

that's good enough, we all get paid to do what we do. But

Dr. Dave Chatterjee:

there's something to be said for the other forms of recognition.

Dr. Dave Chatterjee:

And that comes through some of these measures, and you're

Dr. Dave Chatterjee:

tapping into the findings. And then accordingly, making

Dr. Dave Chatterjee:

adjustments where you need to praise the person, please do so

Dr. Dave Chatterjee:

praise a function, please do so. There, you need to change

Dr. Dave Chatterjee:

tactics, you somebody needs more counseling, more help make those

Dr. Dave Chatterjee:

efforts. And along those lines, there's something else that I

Dr. Dave Chatterjee:

have often preached shared with whoever wishes to listen. And

Dr. Dave Chatterjee:

that is, we have our annual reports, where the key aspects

Dr. Dave Chatterjee:

of performance are highlighted for the shareholders. And I feel

Dr. Dave Chatterjee:

that there should be a line in there are a couple of lines in

Dr. Dave Chatterjee:

there, where the cyber performance should be talked

Dr. Dave Chatterjee:

about. Especially when there are no breaches to report, it has

Dr. Dave Chatterjee:

been an uneventful year, doesn't mean you go silent. let's

Dr. Dave Chatterjee:

recognize the people who are behind the scenes, doing the

Dr. Dave Chatterjee:

good good work. And for all, you know, that's the reason why

Dr. Dave Chatterjee:

there has been no incidents. So as organizational leaders, we

Dr. Dave Chatterjee:

have to be very mindful of these things. And once again, take a

Dr. Dave Chatterjee:

very holistic approach to readiness to preparedness,

Dr. Dave Chatterjee:

because that's how we are going to bring the best out of of

Dr. Dave Chatterjee:

people. So and as we are coming to the end of this discussion,

Dr. Dave Chatterjee:

share with the audience any final words, any final thoughts,

Dr. Dave Chatterjee:

reflections?

Anne Leslie:

Absolutely. So I'd love to just to jump on what you

Anne Leslie:

just said, which is reflecting as well, in the context of

Anne Leslie:

Mental Health Awareness Day, right? So mental health is an

Anne Leslie:

issue in cyber, and it's linked to the stress. And there's also

Anne Leslie:

an aspect of the futility, there can be a sometimes feeling that

Anne Leslie:

resistance is futile, that what we're doing is futile. We only

Anne Leslie:

ever get noticed when things go wrong. We never get acknowledged

Anne Leslie:

for all of the things we're doing to reverse the breaches to

Anne Leslie:

avert the terrible headlines. So I love what you just said, it's

Anne Leslie:

super important to acknowledge what didn't go wrong. If things

Anne Leslie:

have been quiet, fantastic, well done. And I think it's really

Anne Leslie:

important to bring the cyber security teams the information

Anne Leslie:

security teams, into things like reporting on customer

Anne Leslie:

satisfaction. So for example, you know, I've been doing some

Anne Leslie:

work in the banking industry, we'd be looking at Net Promoter

Anne Leslie:

scores, okay, that's an imperfect measure, but for the

Anne Leslie:

volume that it does where customers are satisfied? Well,

Anne Leslie:

it's because they feel secure doing their banking. It's

Anne Leslie:

because they've been able to access their bank accounts, it's

Anne Leslie:

because they trust that the balance that they're seeing in

Anne Leslie:

their mobile app is actually the money that they have. Security

Anne Leslie:

is instrumental in that. So when a business is reporting the fact

Anne Leslie:

that customers are happy, we need to also acknowledge that

Anne Leslie:

security paid played a role in that, where business continuity

Anne Leslie:

hasn't been impacted, adversely impacted adversely. Again, same

Anne Leslie:

thing. So anytime we're reporting on things that are

Anne Leslie:

going well, let's emphasize them, let's accentuate them. And

Anne Leslie:

let's acknowledge all of the contributors to that, including

Anne Leslie:

security, we tend to only talk about security when things have

Anne Leslie:

gone wrong. But no, you know, this whole of enterprise

Anne Leslie:

approach that I mentioned earlier, customer satisfaction

Anne Leslie:

in a digital enterprise, which is increasingly every enterprise

Anne Leslie:

these days, security is a key player in that. So where things

Anne Leslie:

are going wrong, let's fix them. Let's be curious about them.

Anne Leslie:

Let's be disciplined and intellectually honest, when

Anne Leslie:

we're looking for root causes, and how we can better address

Anne Leslie:

them. But let's not just focus on the negative, let's celebrate

Anne Leslie:

small wins. And it's super important for operational teams

Anne Leslie:

who often feel overwhelmed, unloved, and thanked. Let's find

Anne Leslie:

metrics for executive level reporting. It's important for

Anne Leslie:

securing it's important for investment. But let's also have

Anne Leslie:

metrics that allow the people who are turning up every day to

Anne Leslie:

do security, to provide defense, let's find some way of taking

Anne Leslie:

the futility out of their day to day, let's take away some of the

Anne Leslie:

frustration. Let's find a way of celebrating the things that are

Anne Leslie:

going well, the things that we've managed to achieve.

Anne Leslie:

Because it's really important from a mental health

Anne Leslie:

perspective, from a motivational perspective, from an engagement

Anne Leslie:

perspective, people are the core of security. So let's celebrate

Anne Leslie:

them. Let's celebrate us. And let's find a way of

Anne Leslie:

communicating the value that we bring individually and

Anne Leslie:

collectively at our level, and then amplify it and defuse it

Anne Leslie:

and give it to our leadership in a way that helps them secure the

Anne Leslie:

business. But let's not underestimate how important

Anne Leslie:

small wins are, we can find something to celebrate every

Anne Leslie:

day.

Dr. Dave Chatterjee:

Well, thank you. And thank you very much for

Dr. Dave Chatterjee:

your time, your insights or perspectives. It is much

Dr. Dave Chatterjee:

appreciated, and I hope you will come back again to share your

Dr. Dave Chatterjee:

thoughts and perspective. Thanks again.

Anne Leslie:

Thank you so much Dave.

Dr. Dave Chatterjee:

A special thanks to Anne Leslie, for her

Dr. Dave Chatterjee:

time and insights. If you liked what you heard, please leave the

Dr. Dave Chatterjee:

podcast a rating and share it with your network. Also

Dr. Dave Chatterjee:

subscribe to the show, so you don't miss any new episodes.

Dr. Dave Chatterjee:

Thank you for listening, and I'll see you in the next

Dr. Dave Chatterjee:

episode.

Introducer:

The information contained in this podcast is for

Introducer:

general guidance only. The discussants assume no

Introducer:

responsibility or liability for any errors or omissions in the

Introducer:

content of this podcast. The information contained in this

Introducer:

podcast is provided on an AS IS BASIS with no guarantee of

Introducer:

completeness, accuracy, usefulness, or timeliness. The

Introducer:

opinions and recommendations expressed in this podcast are

Introducer:

those of the discussants and not of any organization.