"If you can plan for the zombie apocalypse, you can probably face just about anything," said Tim Callahan, Senior Vice President and Global Chief Information Security Officer of Aflac, during a talk in my Master's level class on cybersecurity readiness at Duke University. In this podcast, Tim describes the key elements of an effective crisis management framework and shares several best practices. Highlights of a robust business resiliency and recovery posture include: a) a well-thought-out and rehearsed plan that takes different scenarios into consideration; b) a world-class forensics team; c) strong partnerships with Legal, HR, law enforcement (local FBI and Secret Service), the Department of Treasury, and independent agents; d) highly trained in-house teams focused on response and recovery; e) leveraging open-source and paid intelligence; f) a CEO-led commitment throughout the organization; g) honest and candid communication; h) reward and incentive programs such as the Global Security Challenge Coin; and i) building a caring and empathetic work culture.
Time Stamps
00:49 -- Please share with listeners some highlights of your professional journey. Share with them how this journey of yours has shaped your views of cybersecurity, and cyber risk management.
05:55 -- So, Tim, during your talk in my Master's level class on cybersecurity readiness at Duke University, you made a very poignant statement, you said, "if you can plan for the zombie apocalypse, you can probably face just about anything." Please share with the listeners the key elements of an effective crisis management framework and related best practices.
11:15 -- As we all know, ransomware attacks are rampant, and many organizations are underprepared to deal with such attacks. Based on your experience, what advice do you have for your peers in other organizations?
17:16 -- It's not good enough to just have backups that are properly secured both offline and online; it is equally important to have read-only backups. Would you like to add anything to that?
19:45 -- Given the variety of ways in which the ransomware attackers put pressure on the organization, and the unfortunate reality that it is hard to keep up with the evolving attacks and techniques, it must be a very unnerving feeling that if your organization gets attacked, if your organization gets compromised, the battle against the ransomware attackers is hard to win, because they have the data and you have to depend on them to live up to their promise that if the ransom is paid, they won't share the stolen data, or they won't do anything more with it. That's a very difficult kind of situation, isn't it?
24:56 -- I'd love to hear your reaction to some of the CPD (Commitment-Preparedness-Discipline) framework success factors. For instance, how does an organization create and sustain a We-Are-In-Together culture? What are some key elements of a best practice to do that?
34:20 -- I was just speaking with another group before this discussion, and they were talking about how important empathy is when it comes to cybersecurity governance. I'm sure you will agree that it plays a huge role, because people can make mistakes even though they use their good judgment and trained sincerely. As long as they own up to it and enable the organization to react quickly to the consequences of their mistakes, instead of punishing them, be encouraging, and maybe celebrate their candor and honesty. Some companies have done this. So I'll let you speak to that as well.
38:59 -- We can end on that note unless you have any final thoughts, Tim.
Memorable Tim Callahan Quotes
"If you plan for the zombie apocalypse, you can handle just about anything."
"You can't do a good job in post-recovery if you don't do a good job in the response process, and in those stages leading up to that."
"I think it's very important that you exercise with different scenarios before the event happens. And you put yourself in continuous learning and improvement mode. When we generally have our exercise, we bring in third parties, we also call on law enforcement, our intelligence partners, intelligence we paid for, and intelligence through FS-ISAC (Financial Services Information Sharing and Analysis Center). All of these things help us prepare for different attack scenarios."
"I mean, when employees enjoy coming to work, or enjoy their workplace, because of empathy, because of humor, because we care, obviously, they're going to do a better job, they're going to feel a sense of ownership to that company. It's not kind of the working in the coal mine attitude, it's, I want to be there, I want to be there. And because I want to be there, I want to protect it."
"I think the public and our customers would have a lot of sympathy for a company if we're doing the right thing, we've done the right thing, and we're communicating honestly, openly, and transparently. They'll realize and we've seen this in other companies, the customers realize that we're a victim too and we're doing our very best to protect them."
"One thing that we do is, three or four times a year, we actually host a shred day. So people can bring their personal information that gets piled up in the corner someplace and bring it to the shred. They can bring their computer disks, they can bring hard drives; we sponsor that. And we use that opportunity, as people are bringing things, to just reinforce the principles of good, sound security."
Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.
Connect with Dr. Chatterjee on these platforms:
LinkedIn: https://www.linkedin.com/in/dchatte/
Website: https://dchatte.com/
Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338
Unknown: Welcome to the Cybersecurity Readiness Podcast Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of the book Cybersecurity Readiness: A Holistic and High-Performance Approach, a SAGE publication. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars and workshops, consulted with companies and served on a cybersecurity SWAT team with Chief Information Security Officers. Dr. Chatterjee is Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia. As a Duke University Visiting Scholar, Dr. Chatterjee has taught in the Master of Engineering in Cybersecurity program at the Pratt School of Engineering.
Dr. Dave Chatterjee: Hello, everyone, I'm delighted to welcome you to this episode of the Cybersecurity Readiness Podcast Series. Today, I have the pleasure of talking with Tim Callahan, Senior Vice President and Global Chief Information Security Officer of Aflac. Our discussion will revolve around cybersecurity best practices, especially in the area of post-breach management. But before we get into those details, I'd like to share a few highlights of Tim's very impressive career. He has spent 23 years in the Air Force specializing in explosive ordnance disposal. Tim is a highly experienced chief information security officer with a demonstrated history of working in the financial services and insurance sector building leading cybersecurity programs. He's a very distinguished member of the cybersecurity community nationally, as well as globally. Tim has served as board chair, board member, board advisor, conference keynote speaker, and panelist. So it's really an honor and a privilege to have Tim join this podcast. Tim, welcome! Please share with listeners some highlights of your professional journey, because surely I did not do justice to it. Share with them how this journey of yours has shaped your views of cybersecurity and cyber risk management.
Tim Callahan: Thank you, Dave. I had the privilege to work, as you point out, in so many parts, with the military as well as in the civilian world, and financial institutions and, obviously, most recently, an insurance company with a heavy financial sector presence. My career after the military started at SunTrust. And I had the privilege to become part of a new program. SunTrust Bank decided to take all the independent banks, there were many small SunTrust banks at the time around the Southeast, and they consolidated into one big bank, and that showed the need, or displayed the need, for a corporate security program. And so I was able to come in and start my career in information security, leading first the program office, and then eventually a group, access management support services, within the security group, continuing to lead the program office. And then that led me from there; I went to a bank in Connecticut, People's Bank at the time, now it's People's United Bank, which has recently been acquired by M&T. But that was a situation where they had started on a very aggressive strategy. And in order to meet the regulatory requirements, they needed to get technology risk and security in order to satisfy the regulators. And so we were on a very tight timeline to accomplish that. And it really was a ground-up building of a program of the scale commensurate with the size of the financial organization they wanted to be. And they were fine if they stayed a small kind of community bank, but as they were branching out into other states and growing, the regulators were just concerned that their program would not meet that, so we accomplished that. I wound up coming back to SunTrust for about four years. But then in 2014 I was recruited to Aflac. It was interesting that the leadership at Aflac, the Board at Aflac, had gotten very concerned about the cyber threat turning to the insurance industry. And there was really no one in the company that could help at that time, kind of articulate their risk and then what we knew to do about it. So I was brought on to do that. I started really in the US subsidiary, Aflac US. And then in 2016, established a global security program, and had begun building out our entire company, all the subsidiaries, the different lines of business, and brought them into that corporate program. I really started seeing, and we did in fact see, that a lot of the controls that we needed, because the cybercriminals were turning their attention to insurance, a lot of the controls were very similar to what we needed in banking. So we actually adopted the NIST Cybersecurity Framework, but then infused the FFIEC requirements into that, in order to have a bit more tangible measure of a program than just the framework itself. And that's worked out very well for us.
Dr. Dave Chatterjee: Fantastic. Thanks for sharing. So Tim, during your talk in my Master's level class on cybersecurity readiness at Duke University, you made a very poignant statement, you said, "if you can plan for the zombie apocalypse, you can probably face just about everything." Please share with the listeners the key elements of an effective crisis management framework and related best practices.
Tim Callahan: Yeah, so the zombie apocalypse thing did not originate with me. Oh, gosh, probably 2011-2012, the CDC came out with this zombie apocalypse plan. And it was kind of a tongue-in-cheek, humorous one, just to illustrate that if you plan for the zombie apocalypse, you can handle just about anything. So we adopted from that at Aflac, probably beginning in 2016-ish, 2017, we adopted an all-hazards approach. And the all-hazards approach was, we write a master crisis management plan that can cover anything: the apocalypse, zombie apocalypse, to a data center loss, to a cyber event, a pandemic. Coincidentally, we've addressed it in this plan. And then we have particular annexes for the major kinds of things. So the master plan covers the fundamentals of how you gather together, who do you gather together, what are your alternatives if our communications are out, those kinds of things. But then you have particular plans. And part of it was us adopting a model that says we can work from anywhere. So in the past, we had, like many companies had, a model where you would use disaster recovery trailers, so to speak. And as we started pushing on that plan, it really crumbled pretty quickly, because of just the logistics of getting in enough trailers for the seats that we would need, the fact that getting power and internet to those trailers could be very difficult in the scenarios that we talked about. So we adopted the work-from-anywhere model and began building out the security infrastructure for that, and the technology infrastructure for that. And lo and behold, we put it to the test in March of 2020, when we had to evacuate all of our buildings due to the pandemic. Now, looking back, was that the right thing to do? I don't think anybody would say yes or no to that. But we did, we immediately put, within the US, right at 6000 people from an office to working from home. And I'm not saying we didn't have any hiccups. But the fact that we planned for that helped us get through that quickly, where many companies had to kind of architect it on the fly. So we formed that; we formed up addressing, we went through scenarios, we had global executive response exercises, we had formal plans around who, what part each would play. And again, most companies have that kind of thing. But the fact that we had it, we practiced it. And then we kind of felt like we trained, so to speak, in order to execute that. We've been very fortunate we've not had any major global cybersecurity events. We have had cybersecurity events; we were very dependent on third parties, and when they have an event, we have to respond as well. So the structure has been very, very good in prepping us for these kinds of scenarios. We also think it's very important that we have a trained in-house team on initial measures, looking towards the post recovery. So as we're responding to events, how we preserve the environment so that we can later do forensics is very important. As you pointed out, I was a bomb tech in the Air Force. And oftentimes we would get sideways with our law enforcement partners because they wanted us to preserve evidence. Obviously, we just wanted to get rid of the hazard. But you have to kind of think through that more strategic thing; for us bomb techs it was, if this was a terrorist organization, a criminal organization, we had a vested interest in helping our law enforcement partners find out who did it so that they wouldn't do it again. Right. And so that's a very similar kind of correlation. Our forensics teams have to, and our response teams have to, be able to think through that. And we have plans for that. We've got very good relationships with our legal counsel in house, as well as we exercise with outside legal services. We've got a good partnership with our local FBI, Secret Service, we attend Department of Treasury briefings, and are a strong member in the Financial Services Information Sharing and Analysis Center. So all of this forms up to post recovery, right? You can't do a good job in post recovery if you don't do a good job in the response process and those stages leading up to that.
Dr. Dave Chatterjee: Great! I'd like to reiterate a couple of things you said, one of which is to be in lockstep with the chief legal counsel, and establish a good partnership with law enforcement. Oftentimes, when I'm asked for advice by organizations on how best to build and manage their cybersecurity strategy, I emphasize the importance of closely working with the legal team. Involving Legal in cybersecurity strategy formulation, execution planning, and review is a very good practice. Get in touch with the legal team and discuss with them: what are the likely pitfalls or consequences of different types of breaches? And what would the jury and the judge like to hear and see, by way of evidence, of due diligence? Did the organization comply with all the regulatory requirements and follow through with the recommended cybersecurity best practices? Ultimately, it is the legal team that you have to go to for help, for defending the organization in the court of law. So why not involve them from the get-go? Developing a strong and sustained partnership with Legal is definitely a critical success factor. So thanks for sharing that, Tim. Moving along, when it comes to dealing with ransomware attacks, as we all know, these attacks are rampant, and many organizations are underprepared to deal with such attacks. What advice do you have for your peers in other organizations?
Tim Callahan: Yeah. So when you take ransomware, and as you say, it is rampant, we've been affected less directly internally; we did have, a couple years back, one of our small subsidiaries affected, and we recovered from that fine. But we've had several instances where a critical third party was affected and actually shut down services. And we had to recover from that, right? Not necessarily from the malware that caused the ransomware, 'cause that was in the third party, but obviously the impact on our services. So it's very important when you think through a ransomware attack, you think through all the factors that you can be affected by, and then you plan for that, right. So it's always a little bit different than other business disruptions when you think through it, right. So from a true business disruption, we have business continuity plans, and we invoke those, those kinds of things. We have workarounds; there's always a discussion in the workarounds about, is this effective? In other words, should we go to manual process from automated process? Or should we just concentrate on getting recovered? Because if we go to manual process, you're introducing human error and other kinds of things. So these are all the discussions you'd have to kind of think through during a response. One thing, in any ransomware response, you're going to slow down a little bit, because you've really got to determine where the ransomware is, where the malware is that caused that event, to make sure that you don't recover in a way that you reintroduce that same infection into the new area. And so you have to kind of bring forensics up to the front to some degree in a ransomware event, whereas in other kinds of events, you don't necessarily have to do that. So that's a consideration unique to ransomware. I do think in ransomware, I use the term ransomware, but any cyber extortion type event, whether it's a DDoS attack, destructive attack for extortion, whatever it is, you really have to think through, and have, I think, a very well articulated policy set at your highest company level. If you're a public company, it would be discussed with the Board; you shouldn't surprise your Board with whether we're paying or not. I mean, it's something that should be discussed at the Board level; it definitely has to have crossed the business buy-in, at the executive level. So again, with a ransomware event, you're going to have these other factors that you may not in other types of cyber events. So those are some of the conditional, the considerations. I think working with law enforcement, again, is very important in ransomware, bringing them in early; we've seen in other companies and major ransomware events, the federal law enforcement was able to be pretty helpful in giving intel and giving advice, and then in some cases actually recovering. And when one company paid the ransom, they were able to recover a good portion of it. So I think, again, in this type of incident, you really have to think through differently your response, the post incident correction, again, as it's going to be a little more time consuming than maybe other types of events. Because you want to make sure that everything is clean, everything, to the extent you can, you've gathered all the indicators of compromise, that you've run those through your systems, and make sure that you don't have any latent infection there, or hidden in unallocated space, or the typical things that you go through. Also, I do think it's very important that you exercise with different scenarios, before the event happens. And you put yourself in a continuous learning and improvement mode. I mean, when we generally have our exercise, we bring in third parties. But we also call on law enforcement, our intelligence partners, really part of open source intelligence, intelligence we paid for, intelligence through FS-ISAC (Financial Services Information Sharing and Analysis Center); all of these things help us form that scenario. So we're getting realistic play, and to the extent possible, can be prepared for that.
Dr. Dave Chatterjee: That's great insight. Thank you so much for sharing. I'd like to add something to what you shared. And this comes from a discussion that I had with a former FBI professional who worked in, who still works in, the cybersecurity space. And I'm going to quote him here. He says, "one of the first things that these threat actors do when they get into the environment is go looking for the backups, because those are going to be some of the first systems they hit you with ransomware attacks." And, in fact, that was validated by another expert, who said that it's not good enough to just have backups, and they're properly secured both offline and online. But it is equally important to have read-only backups. Would you like to add anything to that?
Tim Callahan: Yeah, I think it's important. For years I've led the business continuity programs at pretty much every company I've worked for, but for years, we were trying to accelerate backups. I mean, that was our assurance, right? So you have your recovery time objective, your recovery point objective. And generally, the requirements for recovery point are minutes, right. So in order to do that, you had to do very rapid backup. And thinking through the ransom scenario, that can really hurt you. Even if you don't have a criminal that's penetrated and been able to move laterally across your environment and get into your backups, if you're replicating very quickly, then you could actually replicate the ransomware encryption into your backup. So it really caused us to take a pause and think through what our strategy ought to be. Best practices here, as your FBI friend pointed out, is definitely to have read-only backups; it's definitely important to air gap your backup, or at least have some preservation methodology to air gap your backup. So there is some definitive action that it takes; in different companies with different technologies, we'll do that in different ways. In fact, we have two major subsidiaries that, just because of their configuration and how they do things, do it two different ways. So I do think that's a very important consideration that's different than traditional crisis disaster situations.
Dr. Dave Chatterjee: Okay. Thanks for sharing that. Another thing that I'd like to share with listeners is the evolution of the ransomware extortion methods: from single extortion practices, where they encrypt systems and data, to double extortion, meaning stealing your data before encrypting it; then there is triple extortion, when the perpetrators launch a denial-of-service attack, so the business can no longer function. And the latest is the quadruple extortion, where the ransomware attackers contact the customers of the breached organization and ask them to put pressure on the organization to pay up. Given the variety of ways in which the ransomware attackers put pressure on the organization, and the unfortunate reality that it is hard to keep up with the evolving attacks and techniques, it must be a very unnerving feeling that if your organization gets attacked, if your organization gets compromised, the battle against the ransomware attackers is hard to win, because they have the data and you have to depend on them to live up to their promise that if the ransom is paid, they won't share the stolen data, or they won't do anything more with it. That's a very difficult kind of a situation, isn't it?
Tim Callahan:Most certainly. And I think when you get the
Tim Callahan:quadruple extortion, you're you're just having a bad day. I,
Tim Callahan:but we have thought through that scenario in our exercises. And I
Tim Callahan:think what happens is at some point, you cease a traditional
Tim Callahan:cyber technical response to a true public relations response,
Tim Callahan:or sharing. So I know that our number one concern is always
Tim Callahan:protecting our customers. And we make all of our decisions based
Tim Callahan:on that. Because our customers have trusted us with their
Tim Callahan:information. They trust us. In fact, our CEO often says that
Tim Callahan:what we sell at Aflac is we sell a promise, right? We sell a
Tim Callahan:promise to be there for our customers when they need us
Tim Callahan:most. And we're going to fulfill that promise. And that extends
Tim Callahan:across our company into our cybersecurity program, because
Tim Callahan:we our employees, see the importance of protecting our
Tim Callahan:customers our customer information. So if you got to
Tim Callahan:the point that criminals are reaching out to our customers,
Tim Callahan:and urging our customers put pressure on us, I think quite
Tim Callahan:honestly, I think we would have failed in our response. Because
Tim Callahan:if we believe that our data has been compromised to the point
Tim Callahan:that a criminal could identify our customers, then we have to
Tim Callahan:tell our customers, "look, this is what's going on, we're under
Tim Callahan:a criminal attack, here's the measures that you can take to
Tim Callahan:protect yourself, here's what we're going to do for you,
Tim Callahan:here's how we're going to battle it." And you have a very honest
Tim Callahan:discussion at that point, a very honest release. I think our
Tim Callahan:prevention measures, I think, are definitely at industry
Tim Callahan:standards, if not a bit beyond, but we can never count on not
Tim Callahan:being compromised. So I do think you think through all of those
Tim Callahan:scenarios, and you address them that way. I do know that we've
Tim Callahan:suffered DDoS attacks for extortion we've come out okay on
Tim Callahan:that never have paid on that we've, as I pointed out, we had
Tim Callahan:one of our subsidiaries suffer ransomware. We didn't pay, we
Tim Callahan:gutted through recovery, and was able to restore the business in
Tim Callahan:very good time. But I do think that, when you prepare, you have
Tim Callahan:to think through and plan for the worst case, and then have a
Tim Callahan:scenario and have thought through how we're going to
Tim Callahan:respond as a company. It's one of those things, you want to be
Tim Callahan:prepared for the worst. And hope you never see the worst, but you
Tim Callahan:still have to be prepared for it. But to do that, you have to
Tim Callahan:have all components of your company singing off a single
Tim Callahan:sheet. So our communications team or corporate
Tim Callahan:communications, PR folks, our marketing team, our legal team,
Tim Callahan:our technology team, our security team are all led by our
Tim Callahan:crisis management leader. We have to have statements,
Tim Callahan:prescribed statements, kind of at least drafted in our plan,
Tim Callahan:right, that can quickly be tailored to particular incidents
Tim Callahan:and released. We have to exercise and have again a
Tim Callahan:partnership with our law enforcement. All of these things
Tim Callahan:are your best defense against the more disastrous
Tim Callahan:outcome. I think the public and our customers would have a lot
Tim Callahan:of sympathy for a company if we're doing the right thing,
Tim Callahan:we've done the right thing, and we're communicating honestly,
Tim Callahan:openly, transparently. They'll realize, and we've seen
Tim Callahan:this in other companies, the customers realize that we're a
Tim Callahan:victim too and we're doing our very best to protect them.
Dr. Dave Chatterjee:Thanks for sharing, you're spot on, I think
Dr. Dave Chatterjee:a really honest, candid, transparent approach that
Dr. Dave Chatterjee:reflects a genuine attempt by the organization to be
Dr. Dave Chatterjee:deliberate and comprehensive in their cybersecurity strategy is
Dr. Dave Chatterjee:key. And it's great to hear that there is such strong support
Dr. Dave Chatterjee:from the CEO level in your organization. I love what you
Dr. Dave Chatterjee:said, it's about selling a promise that we truly care. And
Dr. Dave Chatterjee:if we don't live up to it, then what's the point and that spirit
Dr. Dave Chatterjee:of caring, percolates right through and includes protecting
Dr. Dave Chatterjee:customer data. In fact, I want to take this opportunity to also
Dr. Dave Chatterjee:share a quote which will resonate with you; here's what a
Dr. Dave Chatterjee:subject matter expert had to say about dealing with ransomware
Dr. Dave Chatterjee:--ransomware is more than just a CISO problem, it's a corporate
Dr. Dave Chatterjee:problem, you need the executives, you need the Board,
Dr. Dave Chatterjee:you need the management, and you need the employees to all be in
Dr. Dave Chatterjee:unison, in how you go about protecting your company. And
Dr. Dave Chatterjee:that's exactly what I'm hearing you saying, and also aligns very
Dr. Dave Chatterjee:well with one of my messages, that cybersecurity is really
Dr. Dave Chatterjee:everyone's business. You cannot outsource cybersecurity
Dr. Dave Chatterjee:management to a team or a function and expect miracles to
Dr. Dave Chatterjee:happen. While you do count on their expertise, and it's only
Dr. Dave Chatterjee:right to do so, everyone has to do their part. So creating and
Dr. Dave Chatterjee:sustaining a We-Are-In-It-Together culture,
Dr. Dave Chatterjee:with the tone being set at the top by the CEO, that is really
Dr. Dave Chatterjee:the best that an organization can do, in my humble opinion.
Dr. Dave Chatterjee:And I'm hearing that in your statements, in your discussion
Dr. Dave Chatterjee:of how your organization approaches cybersecurity
Dr. Dave Chatterjee:preparedness. Finally, coming to the last section of our
Dr. Dave Chatterjee:discussion, in a book that I recently authored, titled
Dr. Dave Chatterjee:Cybersecurity Readiness: A Holistic and High-Performance
Dr. Dave Chatterjee:Approach, I presented the Commitment-Preparedness-Discipline
Dr. Dave Chatterjee:(CPD) framework. This framework is associated with 17
Dr. Dave Chatterjee:cybersecurity readiness success factors. And I'd like to believe
Dr. Dave Chatterjee:that this governance framework is holistic, because it not only
Dr. Dave Chatterjee:covers the technical controls that are enumerated and shared
Dr. Dave Chatterjee:by the very established frameworks such as NIST, ISO
Dr. Dave Chatterjee:27000, and others, but it also speaks to the non-technical
Dr. Dave Chatterjee:controls such as top management commitment, creating a
Dr. Dave Chatterjee:We-Are-In-It-Together culture, empowering the CISO function,
Dr. Dave Chatterjee:cross-functional participation, and many other governance and
Dr. Dave Chatterjee:leadership success factors. I'd love to hear your reaction to
Dr. Dave Chatterjee:some of the CPD framework success factors. For instance,
Dr. Dave Chatterjee:how does an organization create and sustain a We-Are-In-It-Together
Dr. Dave Chatterjee:culture? What are some key elements of a best practice to
Dr. Dave Chatterjee:do that?
Tim Callahan:I think it's very important that all parts of the
Tim Callahan:company sees decisions around security as true business
Tim Callahan:decisions, not decisions made in a hole in a dark room someplace
Tim Callahan:in the back of the company. And so very early when I came to
Tim Callahan:Aflac, and a practice I've used at my other companies too, is, I
Tim Callahan:formed, at first, kind of an advisory council; it turned
Tim Callahan:into a governance council. And so the security oversight
Tim Callahan:committee concept. So as I was working with my different
Tim Callahan:peers and coming on board, I asked them to be a part of
Tim Callahan:forming up the security group, right? Because when you
Tim Callahan:think about the company, and the other organizations, how
Tim Callahan:interdependent we all are on each other, our HR function, we
Tim Callahan:look at HR to communicate security policy through the
Tim Callahan:employee handbook, type, structure, right? So
Tim Callahan:incorporating our security principles into the fabric of
Tim Callahan:our company, on-board training, or each year at our company, we
Tim Callahan:reaffirm our commitment to the company and one another in
Tim Callahan:following the principles outlined in the employee
Tim Callahan:handbook. Right? And that touches our culture, ethics, how
Tim Callahan:we're going to conduct, how we're going to talk to one
Tim Callahan:another. So HR was a critical partner very early on, and still
Tim Callahan:is. So they're a member of our oversight committee, the
Tim Callahan:legal function, the compliance function, our privacy function,
Tim Callahan:which is under legal, so the business leaders, most of our
Tim Callahan:activity from a sales point of view is conducted by independent
Tim Callahan:agents. So we had to have conversations with them. And
Tim Callahan:again, they're independent agents, they're not
Tim Callahan:employees, but we have to partner with them as well,
Tim Callahan:because they're on the very tip of the spear of protecting our
Tim Callahan:customers. So we have representatives on our
Tim Callahan:oversight committee. And when I say the Oversight
Tim Callahan:Committee, these are the SVPs and EVPs of the company, so to
Tim Callahan:speak, that share the table, have come on as a partner.
Tim Callahan:Because it's very important from day one to communicate, look,
Tim Callahan:I'm going to be here, I'm going to do my best to protect the
Tim Callahan:company through my technical controls and through these
Tim Callahan:things, but at the end of the day, we all have to be committed
Tim Callahan:together, or we're going to fail. It's very good that at
Tim Callahan:the VP level at the very business unit, in fact, our
Tim Callahan:Deputy President for Aflac US has been a great partner. They
Tim Callahan:they know the ramifications of having a qualified SOC 2. And so
Tim Callahan:they want to make sure that the concept of the way we sell our
Tim Callahan:product through to businesses often who buy the product for
Tim Callahan:their employees, they rely on the SOC 2 structure to assess
Tim Callahan:our security. So they see that as business enabling, they don't
Tim Callahan:see security as a burden, they see it as business enabling. So
Tim Callahan:we are in it together and our sales teams know of one of the
Tim Callahan:best methods of selling or I guess tools and selling is the
Tim Callahan:Aflac reputation, and they know that that reputation can get
Tim Callahan:tarnished. There's such a high degree of trust in Aflac
Tim Callahan:as a provider, as a partner, that if we have an event, it
Tim Callahan:could tarnish that reputation. And so they're
Tim Callahan:definitely bought in, we have, and we do campaigns, we do
Tim Callahan:things to keep awareness in the public, right? For compliance
Tim Callahan:reasons, every company has to do their annual awareness training.
Tim Callahan:But if you're relying on that, for true awareness, that's
Tim Callahan:that's not getting it, it just doesn't, I mean, I, you can go to
Tim Callahan:anyone and ask them two weeks after they took the awareness
Tim Callahan:training key points, and they're not going to remember it. But if
Tim Callahan:you have a methodology of integration and embedding
Tim Callahan:yourself into the business and the business processes, then
Tim Callahan:they remember that and in fact, we do fun things. One thing that
Tim Callahan:we do is three or four times a year, we actually host a shred
Tim Callahan:day. So people can bring their personal information that gets
Tim Callahan:piled up in the corner someplace and bring it to the shred; they
Tim Callahan:can bring their computer disks, they can bring hard
Tim Callahan:drives, we sponsor that. And we use that opportunity, as
Tim Callahan:people are bringing things, to just reinforce the principles of good
Tim Callahan:sound security. We do other kinds of fun events during
Tim Callahan:the year to try to help employees, we also have what we
Tim Callahan:call cyber ambassadors. And these are volunteers and planted
Tim Callahan:in the business that have committed to take extra training
Tim Callahan:so that they can within their business look for opportunities
Tim Callahan:to reinforce the importance of security. So if you got kind of
Tim Callahan:the tops down, and the bottoms up, I think you get it a real
Tim Callahan:we're all in it together. And again, I cannot under-
Tim Callahan:or over-emphasize the fact that the tone at the top has; when
Tim Callahan:our CEO talks security to our officers and directors groups,
Tim Callahan:when probably once a year, once every couple of years, the
Tim Callahan:CEO will put a message out particular to the importance of
Tim Callahan:protecting our customers' information. Our President, my
Tim Callahan:boss, he can when he goes out talking, he gets it, he
Tim Callahan:understands it, he understands the impact it could have on our
Tim Callahan:company. And so we get that support. And because we get that
Tim Callahan:support at his level, all of his reports, direct reports embrace
Tim Callahan:it as well. So it's been a very positive experience
Tim Callahan:getting this culture.
Dr. Dave Chatterjee:That's fantastic. So encouraging to
Dr. Dave Chatterjee:hear. In fact, I also want to take this opportunity to share
Dr. Dave Chatterjee:with listeners and you Tim, unless you've had a chance to
Dr. Dave Chatterjee:read my book; something I talk about in the context of
Dr. Dave Chatterjee:We-Are-In-It-Together culture. I talk about building emotional
Dr. Dave Chatterjee:capital, by creating a work environment where a) employees
Dr. Dave Chatterjee:feel valued, b) develop a sense of belonging and pride, c) are
Dr. Dave Chatterjee:having fun, and d) not necessarily in this order, but
Dr. Dave Chatterjee:in any order, and perceive leadership to be genuine and
Dr. Dave Chatterjee:authentic. And, what you just shared with me by way of
Dr. Dave Chatterjee:practices, you seem to be doing all of this. And that's so so
Dr. Dave Chatterjee:good to hear. In fact, Herb Kelleher of Southwest Airlines,
Dr. Dave Chatterjee:who was instrumental in establishing a very happy and
Dr. Dave Chatterjee:motivated culture, that culture was founded on three core values
Dr. Dave Chatterjee:-- humor, altruism, and love. As this might sound a little
Dr. Dave Chatterjee:abstract and mushy-mushy, but in reality, I was just speaking
Dr. Dave Chatterjee:with another group before this discussion, and they were
Dr. Dave Chatterjee:talking about how important is empathy when it comes to
Dr. Dave Chatterjee:cybersecurity governance. And I'm sure you will agree that
Dr. Dave Chatterjee:it plays a huge role. Because unless you're empathetic
Dr. Dave Chatterjee:to people making mistakes, even though they use their good
Dr. Dave Chatterjee:judgment, they trained sincerely, but they can make
Dr. Dave Chatterjee:mistakes. But as long as they're owning up to it, and enabling
Dr. Dave Chatterjee:organizations react quickly to the consequences of their
Dr. Dave Chatterjee:mistakes, instead of punishing them, be encouraging, maybe
Dr. Dave Chatterjee:celebrate their candor and honesty. It has been
Dr. Dave Chatterjee:done by some companies. So I'll let you speak to that as well.
Tim Callahan:Yeah, I couldn't agree more with those
Tim Callahan:fundamental principles, not only security, but in leadership and
Tim Callahan:life. I mean, when employees enjoy coming to work, or enjoy
Tim Callahan:their workplace, because of empathy because of humor,
Tim Callahan:because we care, obviously, they're going to do a better
Tim Callahan:job, they're going to feel a sense of ownership to that
Tim Callahan:company. It's not kind of the working in the coal mine
Tim Callahan:attitude, it's, I want to be there, I want to be there. And
Tim Callahan:because I want to be there, I want to protect it. The
Tim Callahan:employees of Aflac, we've got incredible tenure, which is
Tim Callahan:celebrated every year in an Employee Appreciation Week,
Tim Callahan:which is just an unbelievable week of telling our employees,
Tim Callahan:we love them. But now you got to do it 365, you can't just do it
Tim Callahan:in one week. But a lot of companies say they value their
Tim Callahan:employees, but it's just words, right? You've got to show you
Tim Callahan:value them. I read a book many years ago called Love 'Em
Tim Callahan:or Lose 'Em. And it was the whole principle about letting
Tim Callahan:employees know how much you appreciate them and care for
Tim Callahan:them and care for their personal aspects, not just their
Tim Callahan:productivity in the company, but seeing them. So we carry
Tim Callahan:those principles into our cybersecurity information
Tim Callahan:security program. Yes, people will make mistakes, we have in
Tim Callahan:some cases rewarded the coming forward. And we do that in
Tim Callahan:different cases. We recently introduced I think a symbol of
Tim Callahan:that, we developed a Global Security Challenge Coin, which
Tim Callahan:we did it for our core group, global security group, our Cyber
Tim Callahan:ambassadors. But we also use the coin to recognize someone that
Tim Callahan:has gone the extra mile. And we've awarded a couple of those
Tim Callahan:coins; they are not given out willy-nilly. They're
Tim Callahan:earned. But we recognize people doing the right things. We
Tim Callahan:recognize that a few if you look at statistics, every year, one
Tim Callahan:of the biggest 'insiders' is employee mistakes, right?
Tim Callahan:Posting something unsecure to a website, failure to ship
Tim Callahan:sensitive information and in accordance with a standard and
Tim Callahan:losing control of it, those kinds of things, the
Tim Callahan:laptop falling off the back of a truck. Those kinds of things
Tim Callahan:account for many, many of the reportable incidents every year.
Tim Callahan:So how do you build a culture where people are paying
Tim Callahan:attention to that, and I think catching them doing the right
Tim Callahan:thing is one of those, those methods to build that culture.
Tim Callahan:But again, I've experienced firsthand the benefits of
Tim Callahan:treating our employees well, and caring for them. And then
Tim Callahan:reinforcing that.
Dr. Dave Chatterjee:Fantastic! We can end on that note, unless
Dr. Dave Chatterjee:you have any final thoughts, Tim. This was great!
Tim Callahan:Dave, I appreciate this opportunity to share my
Tim Callahan:thoughts and to foster that servant leadership principles
Tim Callahan:that you've espoused in your book, and how they're
Tim Callahan:proven over and over again. So thank you very much.
Dr. Dave Chatterjee:Thank you, Sir. A special thanks to Tim
Dr. Dave Chatterjee:Callahan for his time and insights. If you like what you
Dr. Dave Chatterjee:heard, please leave the podcast a rating and share it with your
Dr. Dave Chatterjee:network. Also, subscribe to the show, so you don't miss any new
Dr. Dave Chatterjee:episodes. Thank you for listening, and I'll see you in
Dr. Dave Chatterjee:the next episode.
Unknown:The information contained in this podcast is for
Unknown:general guidance only. The discussants assume no
Unknown:responsibility or liability for any errors or omissions in the
Unknown:content of this podcast. The information contained in this
Unknown:podcast is provided on an as-is basis with no guarantee of
Unknown:completeness, accuracy, usefulness or timeliness. The
Unknown:opinions and recommendations expressed in this podcast are
Unknown:those of the discussants and not of any organization.