"If you can plan for the zombie apocalypse, you can probably face just about anything," said Tim Callahan, Senior Vice President, and Global Chief Information Security Officer, Aflac during a talk in my Master's level class on cybersecurity readiness at Duke University. In this podcast, Tim describes the key elements of an effective crisis management framework and shares several best practices. Some of the highlights of a robust business resiliency and recovery posture include -- a) well thought-out and rehearsed plan that takes into consideration different scenarios; b) world-class forensics team; c) strong partnership with Legal, HR, Law Enforcement (local FBI and Secret Service), Department of Treasury, and independent agents; d) highly trained in-house teams focused on response and recovery; e) leveraging open-source and paid intelligence; f) CEO led strong commitment throughout the organization; g) honest and candid communication; h) rewards and incentive programs such as the Global Security Challenge Coin; and j) building a caring and empathetic work culture.

Time Stamps

00:49 -- Please share with listeners some highlights of your professional journey. Share with them how this journey of yours has shaped your views of cybersecurity, and cyber risk management.

05:55 -- So, Tim, during your talk in my Master's level class on cybersecurity readiness at Duke University, you made a very poignant statement, you said, "if you can plan for the zombie apocalypse, you can probably face just about anything." Please share with the listeners the key elements of an effective crisis management framework and related best practices.

11:15 -- As we all know, ransomware attacks are rampant, and many organizations are underprepared to deal with such attacks. Based on your experience, what advice do you have for your peers in other organizations?

17:16 -- It's not good enough to just have backups, and that they're properly secured both offline and online. It is equally important to have read-only backups. Would you like to add anything to that?

19:45 -- Given the variety of ways in which the ransomware attackers put pressure on the organization, and the unfortunate reality, that it is hard to keep up with the evolving attacks and techniques, it must be a very unnerving feeling that if your organization gets attacked, if your organization gets compromised, the battle against the ransomware attackers is hard to win, because they have the data and you have to depend on them live up to their promise that if the ransom is paid, they won't share the stolen data, or they won't do anything more with it. That's a very difficult kind of situation, isn't it?

24:56 -- I'd love to hear your reaction to some of the CPD (Commitment-Preparedness-Discipline) framework success factors. For instance, how does an organization create and sustain a We-Are-In-Together culture? What are some key elements of a best practice to do that?

34:20 -- I was just speaking with another group before this discussion, and they were talking about how important empathy is when it comes to cybersecurity governance. And I'm sure you will agree that it plays a huge role. Because, unless you're empathetic to people making mistakes, even though they use their good judgment, they trained sincerely, but they can make mistakes. But as long as they're owning up to it, and enabling organizations to react quickly to the consequences of their mistakes, instead of punishing them, be encouraging, and maybe celebrate their candor and honesty. It has been done by some companies. So I'll let you speak to that as well.

38:59 -- We can end on that note unless you have any final thoughts, Tim.

Memorable Tim Callahan Quotes

"If you plan for the zombie apocalypse, you can handle just about anything."

"You can't do a good job in post-recovery if you don't do a good job in the response process, and in those stages leading up to that."

"I think it's very important that you exercise with different scenarios before the event happens. And you put yourself in continuous learning and improvement mode. When we generally have our exercise, we bring in third parties, we also call on law enforcement, our intelligence partners, intelligence we paid for, and intelligence through FS-ISAC (Financial Services Information Sharing and Analysis Center). All of these things help us prepare for different attack scenarios."

"I mean, when employees enjoy coming to work, or enjoy their workplace, because of empathy, because of humor, because we care, obviously, they're going to do a better job, they're going to feel a sense of ownership to that company. It's not kind of the working in the coal mine attitude, it's, I want to be there, I want to be there. And because I want to be there, I want to protect it."

"I think the public and our customers would have a lot of sympathy for a company if we're doing the right thing, we've done the right thing, and we're communicating honestly, openly, and transparently. They'll realize and we've seen this in other companies, the customers realize that we're a victim too and we're doing our very best to protect them."

"One thing that we do is three or four times a year, we actually host a shred day. So people can bring their personal information that gets piled up in the corner someplace and bring it to the shred they can bring their computer disks, they can bring hard drives, we sponsor that. And we use that opportunity as people bringing things to just reinforce the principles of good sound security."



Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Welcome to the Cybersecurity Readiness Podcast

Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of

the book Cybersecurity Readiness: A Holistic and

High-Performance Approach, a SAGE publication. He has been

studying cybersecurity for over a decade, authored and edited

scholarly papers, delivered talks, conducted webinars and

workshops, consulted with companies and served on a

cybersecurity SWAT team with Chief Information Security

officers. Dr. Chatterjee is Associate Professor of

Management Information Systems at the Terry College of

Business, the University of Georgia. As a Duke University

Visiting Scholar, Dr. Chatterjee has taught in the Master of

Engineering and cybersecurity program at the Pratt School of

Engineering.

Hello, everyone, I'm delighted to

welcome you to this episode of the Cybersecurity Readiness

Podcast Series. Today, I have the pleasure of talking with Tim

Callahan, Senior Vice President and Global Chief Information

Security Officer of Aflac. Our discussion will revolve around

cybersecurity best practices, especially in the area of post

breach management. But before we get into those details, I'd like

to share a few highlights of Tim's very impressive career. He

has spent 23 years in the Air Force specializing in explosive

ordnance disposal. Tim is a highly experienced chief

information security officer with a demonstrated history of

working in the financial services and insurance sector

building leading cybersecurity programs. He's a very

distinguished member of the cybersecurity community

nationally, as well as globally. Tim has served as board chair,

board member, board advisor, conference keynote speaker, and

panelist. So it's really an honor and a privilege to have

Tim join this podcast. Tim, welcome! Please share with

listeners some highlights of your professional journey,

because surely, I did not do justice to it. Share with them

how this journey of yours has shaped your views of

cybersecurity, and cyber risk management.

Thank you, Dave, I had the privilege to work, as

you point out, and in so many part of with the military as

well as in the civilian world, and financial institutions in

obviously, most recently, a insurance company with a heavy

financial sector presence. My career after the military

started at SunTrust. And I had the privilege to become part of

a new program -- SunTrust Bank decided to take all the

independent banks that were many small SunTrust banks at the time

around the Southeast, and they consolidated into one big bank

and that showed the need or displayed the need for a

corporate security program. And so I was able to come in start

my career in information security, leading first the

program office, and then eventually a group access

management support services within the security group

continuing to lead the program office. And then that led me

from there I went to a bank in Connecticut, People's Bank at

the time now it's People's United Bank, which has recently

been acquired by M&T. But that was a situation where they had

started on a very aggressive strategy. And in order to meet

the regulatory requirements, they needed to get technology

risk and security in order to satisfy the regulators. And so

we were on a very tight timeline to accomplish that. And it

really was a grounds up building of a program of the scale

commensurate with the size of the financial organization they

wanted to be. And they were fine if they stayed a small kind of

community bank, but as they were branching out into other states

and growing, the regulators was just concerned that that their

program would not meet that, so we accomplished that. I wound up

coming back to SunTrust for about four years. But then in

2014 I was recruited to Aflac. It was interesting that the

leadership at Aflac the Board at Aflac had gotten very concerned

about the cyber threat turning to the insurance industry. And

there was really no one in the company that could help that

time, kind of articulate their risk and then what we knew to do

about it. So, I was brought on to do that. We, I started really

in the US subsidiary Aflac US. And then in 2016, established a

global security program, and had began building out our entire

company, all the subsidiaries, the different lines of business,

and brought them into that corporate program. I really

started seeing, and we did in fact see that a lot of the

controls that we needed, because the cybercriminals were turning

their attention to insurance; a lot of the controls were very

similar to what we needed in banking. So we actually adopted

the NIST cybersecurity framework, but then infused the

FFIC requirements into that, in order to have a bit more

tangible measure of a program than just the framework itself.

And that's worked out very well for us.

Fantastic. Thanks for sharing. So Tim,

during your talk in my Master's level class on cybersecurity

readiness at Duke University, you made a very poignant

statement, you said, "if you can plan for the zombie apocalypse,

you can probably face just about everything." Please share with

the listeners, the key elements of an effective crisis

management framework and related best practices.

Yeah, so the zombie apocalypse thing did not

originate with me. Oh, gosh, probably 2011-2012, the CDC came

out with this zombie apocalypse plan. And it was kind of a

tongue in cheek humorous one. Just illustrate that if you plan

for the zombie apocalypse, you can you can handle just about

anything. So we adopted from that Aflac, probably beginning

in 2016 ish 2017, we adopted an all hazards approach. And the

all hazards approach was we write a master crisis management

plan that can cover anything the apocalypse, zombie apocalypse,

to a data center loss to a cyber event, a pandemic.

Coincidentally, we've addressed it in this plan. And then we

have particular annexes for the major kinds of things. So the

master plan covers the fundamentals of how you gather

together, who do you gather together, what are your

alternatives, if our communications are out, those

kinds of things. But then you have particular plans. And part

of it was us adopting a model that says we can work from

anywhere. So in the past, we had, like many companies had a

model where you would use disaster recovery trailers, so

to speak. And as we started pushing on that plan, it really

crumbled pretty quickly. Because just the logistics of getting in

enough trailers for the seats that we would need, the the fact

that getting power and internet to those trailers could be very

difficult in the scenarios that we talked about. So we adopted

the work from anywhere model and began building out the security

infrastructure for that, and the technology infrastructure for

that. And lo and behold, we put it to the test in March of 2020,

when we had to evacuate all of our buildings due to the

pandemic. Now, looking back, was that the right thing to do? I

don't think anybody would say yes or no to that. But we did,

we immediately put within the US right at 6000 people from an

office to working from home. And I'm not saying we didn't have

any hiccups. But the fact that we planned for that helped us

get through that quickly, where many companies had to kind of

architect it on the fly. So we formed that; we formed up

addressing, we went through scenarios, we had global

executive response exercise, we had formal plans around who what

part each would play. And again, most companies have that kind of

thing. But the fact that we had it, we practiced it. And then we

kind of felt like we trained so to speak, in order to execute

that. We've been very fortunate we've not had any major global

cyber security events. We have had cybersecurity events, we

were very dependent on third parties, and when they have an

event, we have to respond as well. So the structure has been

very, very good in prepping us for for these kinds of

scenarios. We also think it's very important that we have a

trained in- house team on initial measures, looking

towards the post recovery. So as we're responding to events, how

we preserve the environment so that we can later do forensics

is very important. As you pointed out, I was a bomb tech

in the Air Force. And oftentimes we would get sideways with our

law enforcement partners because they wanted us to preserve

evidence. Obviously, we just wanted to get rid of the hazard.

But you have to kind of think through that more strategic

thing for us bomb techs was, if this was a terrorist

organization, a criminal organization, we had a vested

interest in helping our law enforcement partners find out

who did it so that they wouldn't do it again. Right. And so

that's a very similar kind of correlation. Our forensics teams

have to and our response teams have to be able to think through

that. And we have plans for that. We've got very good

relationships with our legal counsel in house as well as we

exercise with outside legal services. We've got a good

partnership with our local FBI Secret Service, we attend

Department of Treasury briefings, and a strong member

in the Financial Services Information Sharing and Analysis

Center. So all of this forms up to post recovery, right? You

can't do a good job in post recovery. If you don't do a good

job in the response process and those stages leading up to that.

Great! I'd like to reiterate a couple of

things you said, one of which is to be in lockstep with the chief

legal counsel, and establish a good partnership with law

enforcement. Oftentimes, when I'm asked for advice by

organizations on how best to build and manage their

cybersecurity strategy, I emphasize the importance of

closely working with the legal team. Involving Legal in

cybersecurity strategy formulation, execution planning,

and review are very good practices. Get in touch with the

legal team and discuss with them, what are the likely

pitfalls or consequences of different types of breaches? And

what would the jury and the judge like to hear and see, by

way of evidence, of due diligence? Did the organization

comply with all the regulatory requirements and follow through

with the recommended cybersecurity best practices?

Ultimately, it is the legal team that you have to go to for help,

for defending the organization in the court of law. So why not

involve them from the get-go? Developing a strong and

sustained partnership with Legal is definitely a critical success

factor. So thanks for sharing that Tim. Moving along, when it

comes to dealing with ransomware attacks, as we all know, these

attacks are rampant, and many organizations are underprepared

to deal with such attacks. What advice do you have for your

peers in other organizations?

Yeah. So when you take ransomware, and as you say,

it is rampant, we've been affected less directly in

internal, we did have a couple years back, one of our small

subsidiaries affected and we we recovered from that fine, but

we're we've had several instances where a critical third

party was affected and actually shut down services. And we had

to recover from that, right? Not necessarily from the malware

that caused the ransomware cuz that was in the third party, but

obviously, the impact on our services. So it's very important

when you think through a ransomware attack, you think

through all the factors that you can be affected, and then you

plan for that, right. So it's always a little bit different

than other business disruptions when you think through it,

right. So from a true business disruption, we have business

continuity plans, and we invoke those, those kinds of things. We

have work arounds, there's always a discussion in the in

the work arounds about is this effective? In other words,

should we go to manual process from automated process? Or

should we just concentrate on getting recovered because if we

go to manual process, you're introducing human error and

other kinds of things. So these are all the discussions, you'd

have to kind of think through during a response. One thing, in

any ransomware response, you're going to slow down a little bit,

because you've really got to determine where the ransomware

is, where the malware is, that caused that event, to make sure

that you don't recover in a way that you reintroduce that same

infection into the new the new area. And so you have to kind of

bring forensics up to the front to some degree in a ransomware

event, whereas in other kinds of events, you don't necessarily

have to do that. So that's a consideration unique to

ransomware. I do think in ransomware I use the term

ransomware but any cyber extortion type event whether

it's DDoS attack, destructive attack for extortion, whatever

it is, you really have to think through, and have I think a very

well articulated policy set your highest company level. If you're

a public company, it would be discussed with the Board, you

shouldn't surprise your Board with whether we're paying or

not. I mean, it's something that should be discussed at the Board

level, it definitely has to have crossed the business buy-in, at

the executive level. So again, with a ransomware event, you're

going to have these other factors that you may not in in

other type of cyber events. So those are some of the

conditional, the considerations. I think working with law

enforcement, again, is very important in ransomware,

bringing them early, we've seen in other companies and major

ransomware events, the federal law enforcement was able to be

pretty helpful, and giving Intel and giving advice, and then in

some cases actually recovering. And when one company paid the

ransom, they were able to recover a good portion of it. So

I think, again, in this type of incidents, you really have to

think through differently your response, the post incident

correction, again, as it's going to be a little more time

consuming than than maybe other type of events. Because you want

to make sure that everything is clean everything that to the

extent you can you you've gathered all the indicators of

compromise that you've ran those through your systems. And make

sure that you're not you don't have any latent infection there

or hid and not allocated space, or the the typical things that

you go through. Also, I do think it's very important that you

exercise with different scenarios, before the event

happens. And you put yourself in a continuous learning and

improvement. I mean, when we generally have our exercise, we

bring in third parties. But we also call on law enforcement,

our intelligence partners, really part of open source

intelligence, intelligence we paid for, intelligence through

FS-ISAC (Financial Services Information Sharing and Analysis

Center), all of these things help us form that scenario. So

we're getting realistic play, and to the extent possible, can

be prepared for that.

That's, that's great insight. Thank you

so much for sharing, I'd like to add something to what you

shared. And this comes from a discussion that I had with a

former FBI professional who worked in, who still works in

the cybersecurity space. And I'm going to quote him here. He

says, "one of the first things that these threat actors do when

they get into the environment is go looking for the backups,

because those are going to be the some of the first systems

they hit you with ransomware attacks." And, in fact, that was

validated by another expert, who said that it's not good enough

to just have backups, a nd they're properly secured both

offline and online. But it is equally important to have read-

only backups. Would you like to add anything to that?

Yeah, I think it's important, for years I've led

the business continuity programs, and pretty much every

company I've worked for, but for years, we were trying to

accelerate backups. I mean, that was the our assurance, right? So

you have your recovery time of that objective, your recovery

point objective. And generally, the requirements for recovery

point are minutes, right. So in order to do that, you had to do

very rapid backup. And thinking through the ransom scenario,

that can really hurt you. Even if you have you don't have a

criminal that's penetrated and been able to move laterally

across your environment and get into your backups. If you're

replicating very quickly, then you could actually replicate the

ransomware encryption into into your backup. So it really caused

us to take a pause and think through what what our strategy

ought to be. Best practices here, as your FBI friend pointed

out is definitely to have read-only backups, it's

definitely important to air gap your backup, or at least have

some preservation methodology to air gap your back-up. So there

is some definitive action that that it takes; in different

companies with different technologies, we'll we'll do

that in different ways. In fact, we have two major subsidiaries

that just because of their configuration and and how they

do things, do it two different ways. So I do think that's a

very important consideration that's different than

traditional crisis disaster situations.

Okay. Thanks for sharing that. Another

thing that I'd like to share with listeners is the evolution

of the ransomware extortion methods: from single extortion

practices, where they encrypt systems and data, to double

extortion, meaning stealing your data before encrypting it, then

there is triple extortion, when the perpetrators launch a

denial- of-service attack, so the business can no longer

function. And the latest is the quadruple extortion, where the

ransomware attackers contact the customers of the breached

organization and ask them to put pressure on the organization to

pay up. Given the variety of ways in which the ransomware

attackers put pressure on the organization, and the

unfortunate reality, that it is hard to keep up with the

evolving attacks and techniques, it must be a very unnerving

feeling that if your organization gets attacked, if

your organization gets compromised, the battle against

the ransomware attackers is hard to win, because they have the

data and you have to depend on them live up to their promise

that if the ransom is paid, they won't share the stolen data, or

they won't do anything more with it. That's a very difficult kind

of a situation, isn't it?

Most certainly. And I think when you get the

quadruple extortion, you're you're just having a bad day. I,

but we have thought through that scenario in our exercises. And I

think what happens is at some point, you cease a traditional

cyber technical response to a true public relations response,

or sharing. So I know that our number one concern is always

protecting our customers. And we make all of our decisions based

on that. Because our customers have trusted us with their

information. They trust us. In fact, our CEO often says that

what we sell at Aflac is we sell a promise, right? We sell a

promise to be there for our customers when they need us

most. And we're going to fulfill that promise. And that extends

across our company into our cybersecurity program, because

we our employees, see the importance of protecting our

customers our customer information. So if you got to

the point that criminals are reaching out to our customers,

and urging our customers put pressure on us, I think quite

honestly, I think we would have failed in our response. Because

if we believe that our data has been compromised to the point

that a criminal could identify our customers, then we have to

tell our customers, "look, this is what's going on, we're under

a criminal attack, here's the measures that you can take to

protect yourself, here's what we're going to do for you,

here's how we're going to battle it." And you have a very honest

discussion at that point, a very honest release. I think our

prevention measures, I think, are definitely at industry

standards, if not a bit beyond, but we can never count on not

being compromised. So I do think you think through all of those

scenarios, and you address them that way. I do know that we've

suffered DDoS attacks for extortion we've come out okay on

that never have paid on that we've, as I pointed out, we had

one of our subsidiaries suffer ransomware. We didn't pay, we

gutted through recovery, and was able to restore the business in

very good time. But I do think that, when you prepare, you have

to think through and plan for the worst case, and then have a

scenario and have thought through how we're going to

respond as a company. It's one of those things, you want to be

prepared for the worst. And hope you never see the worst, but you

still have to be prepared for it. But to do that, you have to

have all components of your company singing off a single

sheet. So our communications team or corporate

communications, PR folks, our marketing team, our legal team,

our technology team, our security team are all led by our

crisis management leader, we have to have statements

prescribed statements kind of at least drafted in our plan,

right, that can quickly be tailored to particular incidents

and released. We have to exercise and have again a

partnership with our law enforcement. All of these things

are your best defense against against the more disastrous

outcome. I think the public and our customers would have a lot

of sympathy for a company if we're doing the right thing,

we've done the right thing, and we're communicating honestly,

openly, transparently. They they'll realize and we've seen

this in other companies, the customers realize that we're a

victim too and we're doing our very best to protect them.

Thanks for sharing, you're spot on, I think

a really honest, candid, transparent approach that

reflects a genuine attempt by the organization to be

deliberate and comprehensive in their cybersecurity strategy is

key. And it's great to hear that there is such strong support

from the CEO level in your organization. I love what you

said, it's about selling a promise that we truly care. And

if we don't live up to it, then what's the point and that spirit

of caring, percolates right through and includes protecting

customer data. In fact, I want to take this opportunity to also

share a quote which will resonate with you; here's what a

subject matter expert had to say about dealing with ransomware

--ransomware is more than just a CISO problem, it's a corporate

problem, you need the executives, you need the Board,

you need the management, and you need the employees to all be in

unison, in how you go about protecting your company. And

that's exactly what I'm hearing you saying, and also aligns very

well with one of my messages, that cybersecurity is really

everyone's business. You cannot outsource cybersecurity

management to a team or a function and expect miracles to

happen. While you do count on their expertise, and it's only

right to do so, everyone has to do their part. So creating and

sustaining a We-Are-In-It-Together culture,

with the tone being set at the top by the CEO, that is really

the best that an organization can do, in my humble opinion.

And I'm hearing that in your statements, in your discussion

of how your organization approaches cybersecurity

preparedness. Finally, coming to the last section of our

discussion, in a book that I recently authored, titled,

A Holistic and High-Performance

Approach, I presented the Commitment-Preparedness-Discipline

(CPD) framework. This framework is associated with 17

cybersecurity readiness success factors. And I'd like to believe

that this governance framework is holistic, because it not only

covers the technical controls that are enumerated and shared

by the very established frameworks such as NIST, ISO

27,000, and others, but it also speaks to the non-technical

controls such as top management commitment, creating a

We-Are-In-Together culture, empowering the CISO function,

cross-functional participation, and many other governance and

leadership success factors. I'd love to hear your reaction to

some of the CPD framework success factors. For instance,

how does an organization create and sustain a We-Are-In-Together

culture? What are some key elements of a best practice to

do that?

I think it's very important that all parts of the

company sees decisions around security as true business

decisions, not decisions made in a hole in a dark room someplace

in the back of the company. And so very early when I came to

Aflac, and a practice I've used at my other companies too, is, I

formed a at first it was kind of an advisory council, it turned

into a governance council. And so the security oversight

committee concept. So as I was working with my my different

peers and coming on board, I asked them to be a part of

forming up the security group, right? Because when you when you

think about the company, and the other organizations, how

interdependent we all are on each other, our HR function, we

look at HR HR to communicate security policy through the

employee handbook, type, structure, right? So

incorporating our security principles into the fabric of

our company, on-board training, or each year at our company, we

reaffirm our commitment to the company and one another in

following the principles outlined in the employee

handbook. Right? And that touches our culture, ethics, how

we're going to conduct, how we're going to talk to one

another. So HR was a critical partner very early on, and still

is. So they're they're a member of our oversight committee, the

legal function, the compliance function, our privacy function,

which is under legal, so the business leaders, most of our

activity from a sales point of view is conducted by independent

agents. So we had to have conversations with them. And

again, they're independent agents, they're, they're not

employees, we, but we have to partner with them as well,

because they're on the very tip of the spear of protecting our

customers. So we have representatives on that on our

oversight committee we have and when I say the Oversight

Committee, these are the SVPs and EVPs of the company, so to

speak, that, that share the table have come on as a partner.

Because it's very important from day one to communicate, look,

I'm going to be here, I'm going to do my best to protect the

company through my technical controls and through the these

things, but at the end of the day, we all have to be committed

together, or we're going to fail. It's very good that at

the VP level at the very business unit, in fact, our

Deputy President for Aflac US has been a great partner. They

they know the ramifications of having a qualified SOC 2. And so

they want to make sure that the concept of the way we sell our

product through to businesses often who buy the product for

their employees, they rely on the SOC 2 structure to assess

our security. So they see that as business enabling, they don't

see security as a burden, they see it as business enabling. So

we are in it together and our sales teams know of one of the

best methods of selling or I guess tools and selling is the

Aflac reputation and they know that that reputation get can get

tarnished. There's there's such a high degree of trust in Aflac

as, as a provider as a partner that if we have an event, it

could tarnish that reputation. And so they're they're

definitely bought in, we have, and we do campaigns, we do

things to keep awareness in the public, right? For compliance

reasons, every company has to do their annual awareness training.

But if you're relying on that, for true awareness, that's

that's not getting it, it just doesn't I mean, I, you can go to

anyone and ask them two weeks after they took the awareness

training key points, and they're not going to remember it. But if

you have a methodology of integration and embedding

yourself into the business and the business processes, then

they remember that and in fact, we do fun things. One thing that

we do is three or four times a year, we actually host a shred

day. So people can bring their personal information that gets

piled up in the corner someplace and bring it to the shred they

can bring their their computer disks, they can bring hard

drives, we we sponsor that. And and we use that opportunity as

people bringing things to just reinforce the principles of good

sound security. We do other kinds of fun events during

during the year to try to help employees, we also have what we

call cyber ambassadors. And these are volunteers and planted

in the business that have committed to take extra training

so that they can within their business look for opportunities

to reinforce the importance of security. So if you got kind of

the tops down, and the bottoms up, I think you get it a real

we're all in it together. And again, I cannot I cannot under

or over emphasize the fact that the tone at the top has; when

our CEO talks security to our officers and directors groups,

when probably once once a year, once every couple of years, the

CEO will put a message out particular to the importance of

protecting our customers information. Our President, my

boss, he can when he goes out talking, he gets it, he

understands it, he understands the impact it could have on our

company. And so we get that support. And because we get that

support at his level, all of his reports, direct reports embrace

it as well. So it's it's been a very positive experience getting

getting this culture.

That's fantastic. So encouraging to

hear. In fact, I also want to take this opportunity to share

with listeners and you Tim, unless you've had a chance to

read my book; something I talk about in the context of

We-Are-In-It-Together culture. I talk about building emotional

capital, by creating a work environment where a) employees

feel valued, b) develop a sense of belonging and pride, c) are

having fun, and d) not necessarily in this order, but

in any order, and perceive leadership to be genuine and

authentic. And, what you just shared with me by way of

practices, you seem to be doing all of this. And that's so so

good to hear. In fact, Herb Kelleher of Southwest Airlines,

who was instrumental in establishing a very happy and

motivated culture, that culture was founded on three core values

-- humor, altruism, and love. As this might sound a little

abstract and mushy-mushy, but in reality, I was just speaking

with another group before this discussion, and they were

talking about how important is empathy when it comes to

cybersecurity governance. And I'm sure you will agree that

it's it plays a huge role. Because unless you're empathetic

to people making mistakes, even though they use their good

judgment, they trained sincerely, but they can make

mistakes. But as long as they're owning up to it, and enabling

organizations react quickly to the consequences of their

mistakes, instead of punishing them, be encouraging, maybe

celebrate their candor and honesty, it has been it has been

done by some companies. So I'll let you speak to that as well.

Yeah, I couldn't agree more with with those

fundamental principles, not only security, but in leadership and

life. I mean, when employees enjoy coming to work, or enjoy

their workplace, because of empathy because of humor,

because we care, obviously, they're going to do a better

job, they're going to feel a sense of ownership to that

company. It's not kind of the working in the coal mine

attitude, it's, I want to be there, I want to be there. And

because I want to be there, I want to protect it. The

employees of Aflac, we've got incredible tenure, which is

celebrated every year in an Employee Appreciation Week,

which is just an unbelievable week of telling our employees,

we love them. But now you got to do it 365, you can't just do it

in one week. But a lot of companies say they value their

employees, but it's just words, right? You've got to show you

value them. I've read a book many years ago called Love 'Em

Or Lose Em.' And it was the whole principle about letting

employees know how much you appreciate them and care for

them and care for their personal aspects, not just their

productivity in the company, but seeing them. So we carry those

those principles into our cybersecurity information

security program. Yes, people will make mistakes, we have in

some cases rewarded the coming forward. And we do that in

different cases. We recently introduced I think a symbol of

that, we developed a Global Security Challenge Coin, which

we did it for our core group, global security group, our Cyber

ambassadors. But we also use the coin to recognize someone that

has gone the extra mile. And we've awarded a couple of those

coins, they are not given out willy nilly. They're they're

earned. But we recognize people doing the right things. We

recognize that a few if you look at statistics, every year, one

of the biggest 'insiders' is employee mistakes, right?

Posting something unsecure to a website, failure to ship

sensitive information and in accordance with a standard and

losing control of it, those those kinds of things, the

laptop falling off the back of a truck. Those kinds of things

account for many, many of the reportable incidents every year.

So how do you build a culture where people are paying

attention to that, and I think catching them doing the right

thing is one of those, those methods to build that culture.

But again, I I've experienced firsthand the benefits of

treating our employees well, and caring for them. And then

reinforcing that.

Fantastic! We can end on that note, unless

you have any final thoughts, Tim. This was great!

Dave, I appreciate this opportunity to share my

thoughts and to foster that servant leadership principles

that you've you've espoused in your book and, and how they're

proven over and over again. So thank you very much.

Thank you, Sir. A special thanks to Tim

Callahan for his time and insights. If you like what you

heard, please leave the podcast a rating and share it with your

network. Also, subscribe to the show, so you don't miss any new

episodes. Thank you for listening, and I'll see you in

the next episode.

The information contained in this podcast is for

general guidance only. The discussants assume no

responsibility or liability for any errors or omissions in the

content of this podcast. The information contained in this

podcast is provided on an as-is basis with no guarantee of

completeness, accuracy, usefulness or timeliness. The

opinions and recommendations expressed in this podcast are

those of the discussants and not of any organization.