Artwork for podcast The Cybersecurity Readiness Podcast Series
Global Security and Post Breach Management Best Practices
Episode 296th July 2022 • The Cybersecurity Readiness Podcast Series • Dr. Dave Chatterjee
00:00:00 00:40:27

Share Episode

Shownotes

"If you can plan for the zombie apocalypse, you can probably face just about anything," said Tim Callahan, Senior Vice President, and Global Chief Information Security Officer, Aflac during a talk in my Master's level class on cybersecurity readiness at Duke University. In this podcast, Tim describes the key elements of an effective crisis management framework and shares several best practices. Some of the highlights of a robust business resiliency and recovery posture include -- a) well thought-out and rehearsed plan that takes into consideration different scenarios; b) world-class forensics team; c) strong partnership with Legal, HR, Law Enforcement (local FBI and Secret Service), Department of Treasury, and independent agents; d) highly trained in-house teams focused on response and recovery; e) leveraging open-source and paid intelligence; f) CEO led strong commitment throughout the organization; g) honest and candid communication; h) rewards and incentive programs such as the Global Security Challenge Coin; and j) building a caring and empathetic work culture.

To access and download the entire podcast summary with discussion highlights --

https://www.dchatte.com/episode-29-global-security-and-post-breach-management-best-practices/


Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Transcripts

Unknown:

Welcome to the Cybersecurity Readiness Podcast

Unknown:

Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of

Unknown:

the book Cybersecurity Readiness: A Holistic and

Unknown:

High-Performance Approach, a SAGE publication. He has been

Unknown:

studying cybersecurity for over a decade, authored and edited

Unknown:

scholarly papers, delivered talks, conducted webinars and

Unknown:

workshops, consulted with companies and served on a

Unknown:

cybersecurity SWAT team with Chief Information Security

Unknown:

officers. Dr. Chatterjee is Associate Professor of

Unknown:

Management Information Systems at the Terry College of

Unknown:

Business, the University of Georgia. As a Duke University

Unknown:

Visiting Scholar, Dr. Chatterjee has taught in the Master of

Unknown:

Engineering and cybersecurity program at the Pratt School of

Unknown:

Engineering.

Dr. Dave Chatterjee:

Hello, everyone, I'm delighted to

Dr. Dave Chatterjee:

welcome you to this episode of the Cybersecurity Readiness

Dr. Dave Chatterjee:

Podcast Series. Today, I have the pleasure of talking with Tim

Dr. Dave Chatterjee:

Callahan, Senior Vice President and Global Chief Information

Dr. Dave Chatterjee:

Security Officer of Aflac. Our discussion will revolve around

Dr. Dave Chatterjee:

cybersecurity best practices, especially in the area of post

Dr. Dave Chatterjee:

breach management. But before we get into those details, I'd like

Dr. Dave Chatterjee:

to share a few highlights of Tim's very impressive career. He

Dr. Dave Chatterjee:

has spent 23 years in the Air Force specializing in explosive

Dr. Dave Chatterjee:

ordnance disposal. Tim is a highly experienced chief

Dr. Dave Chatterjee:

information security officer with a demonstrated history of

Dr. Dave Chatterjee:

working in the financial services and insurance sector

Dr. Dave Chatterjee:

building leading cybersecurity programs. He's a very

Dr. Dave Chatterjee:

distinguished member of the cybersecurity community

Dr. Dave Chatterjee:

nationally, as well as globally. Tim has served as board chair,

Dr. Dave Chatterjee:

board member, board advisor, conference keynote speaker, and

Dr. Dave Chatterjee:

panelist. So it's really an honor and a privilege to have

Dr. Dave Chatterjee:

Tim join this podcast. Tim, welcome! Please share with

Dr. Dave Chatterjee:

listeners some highlights of your professional journey,

Dr. Dave Chatterjee:

because surely, I did not do justice to it. Share with them

Dr. Dave Chatterjee:

how this journey of yours has shaped your views of

Dr. Dave Chatterjee:

cybersecurity, and cyber risk management.

Tim Callahan:

Thank you, Dave, I had the privilege to work, as

Tim Callahan:

you point out, and in so many part of with the military as

Tim Callahan:

well as in the civilian world, and financial institutions in

Tim Callahan:

obviously, most recently, a insurance company with a heavy

Tim Callahan:

financial sector presence. My career after the military

Tim Callahan:

started at SunTrust. And I had the privilege to become part of

Tim Callahan:

a new program -- SunTrust Bank decided to take all the

Tim Callahan:

independent banks that were many small SunTrust banks at the time

Tim Callahan:

around the Southeast, and they consolidated into one big bank

Tim Callahan:

and that showed the need or displayed the need for a

Tim Callahan:

corporate security program. And so I was able to come in start

Tim Callahan:

my career in information security, leading first the

Tim Callahan:

program office, and then eventually a group access

Tim Callahan:

management support services within the security group

Tim Callahan:

continuing to lead the program office. And then that led me

Tim Callahan:

from there I went to a bank in Connecticut, People's Bank at

Tim Callahan:

the time now it's People's United Bank, which has recently

Tim Callahan:

been acquired by M&T. But that was a situation where they had

Tim Callahan:

started on a very aggressive strategy. And in order to meet

Tim Callahan:

the regulatory requirements, they needed to get technology

Tim Callahan:

risk and security in order to satisfy the regulators. And so

Tim Callahan:

we were on a very tight timeline to accomplish that. And it

Tim Callahan:

really was a grounds up building of a program of the scale

Tim Callahan:

commensurate with the size of the financial organization they

Tim Callahan:

wanted to be. And they were fine if they stayed a small kind of

Tim Callahan:

community bank, but as they were branching out into other states

Tim Callahan:

and growing, the regulators was just concerned that that their

Tim Callahan:

program would not meet that, so we accomplished that. I wound up

Tim Callahan:

coming back to SunTrust for about four years. But then in

Tim Callahan:

2014 I was recruited to Aflac. It was interesting that the

Tim Callahan:

leadership at Aflac the Board at Aflac had gotten very concerned

Tim Callahan:

about the cyber threat turning to the insurance industry. And

Tim Callahan:

there was really no one in the company that could help that

Tim Callahan:

time, kind of articulate their risk and then what we knew to do

Tim Callahan:

about it. So, I was brought on to do that. We, I started really

Tim Callahan:

in the US subsidiary Aflac US. And then in 2016, established a

Tim Callahan:

global security program, and had began building out our entire

Tim Callahan:

company, all the subsidiaries, the different lines of business,

Tim Callahan:

and brought them into that corporate program. I really

Tim Callahan:

started seeing, and we did in fact see that a lot of the

Tim Callahan:

controls that we needed, because the cybercriminals were turning

Tim Callahan:

their attention to insurance; a lot of the controls were very

Tim Callahan:

similar to what we needed in banking. So we actually adopted

Tim Callahan:

the NIST cybersecurity framework, but then infused the

Tim Callahan:

FFIC requirements into that, in order to have a bit more

Tim Callahan:

tangible measure of a program than just the framework itself.

Tim Callahan:

And that's worked out very well for us.

Dr. Dave Chatterjee:

Fantastic. Thanks for sharing. So Tim,

Dr. Dave Chatterjee:

during your talk in my Master's level class on cybersecurity

Dr. Dave Chatterjee:

readiness at Duke University, you made a very poignant

Dr. Dave Chatterjee:

statement, you said, "if you can plan for the zombie apocalypse,

Dr. Dave Chatterjee:

you can probably face just about everything." Please share with

Dr. Dave Chatterjee:

the listeners, the key elements of an effective crisis

Dr. Dave Chatterjee:

management framework and related best practices.

Tim Callahan:

Yeah, so the zombie apocalypse thing did not

Tim Callahan:

originate with me. Oh, gosh, probably 2011-2012, the CDC came

Tim Callahan:

out with this zombie apocalypse plan. And it was kind of a

Tim Callahan:

tongue in cheek humorous one. Just illustrate that if you plan

Tim Callahan:

for the zombie apocalypse, you can you can handle just about

Tim Callahan:

anything. So we adopted from that Aflac, probably beginning

Tim Callahan:

in 2016 ish 2017, we adopted an all hazards approach. And the

Tim Callahan:

all hazards approach was we write a master crisis management

Tim Callahan:

plan that can cover anything the apocalypse, zombie apocalypse,

Tim Callahan:

to a data center loss to a cyber event, a pandemic.

Tim Callahan:

Coincidentally, we've addressed it in this plan. And then we

Tim Callahan:

have particular annexes for the major kinds of things. So the

Tim Callahan:

master plan covers the fundamentals of how you gather

Tim Callahan:

together, who do you gather together, what are your

Tim Callahan:

alternatives, if our communications are out, those

Tim Callahan:

kinds of things. But then you have particular plans. And part

Tim Callahan:

of it was us adopting a model that says we can work from

Tim Callahan:

anywhere. So in the past, we had, like many companies had a

Tim Callahan:

model where you would use disaster recovery trailers, so

Tim Callahan:

to speak. And as we started pushing on that plan, it really

Tim Callahan:

crumbled pretty quickly. Because just the logistics of getting in

Tim Callahan:

enough trailers for the seats that we would need, the the fact

Tim Callahan:

that getting power and internet to those trailers could be very

Tim Callahan:

difficult in the scenarios that we talked about. So we adopted

Tim Callahan:

the work from anywhere model and began building out the security

Tim Callahan:

infrastructure for that, and the technology infrastructure for

Tim Callahan:

that. And lo and behold, we put it to the test in March of 2020,

Tim Callahan:

when we had to evacuate all of our buildings due to the

Tim Callahan:

pandemic. Now, looking back, was that the right thing to do? I

Tim Callahan:

don't think anybody would say yes or no to that. But we did,

Tim Callahan:

we immediately put within the US right at 6000 people from an

Tim Callahan:

office to working from home. And I'm not saying we didn't have

Tim Callahan:

any hiccups. But the fact that we planned for that helped us

Tim Callahan:

get through that quickly, where many companies had to kind of

Tim Callahan:

architect it on the fly. So we formed that; we formed up

Tim Callahan:

addressing, we went through scenarios, we had global

Tim Callahan:

executive response exercise, we had formal plans around who what

Tim Callahan:

part each would play. And again, most companies have that kind of

Tim Callahan:

thing. But the fact that we had it, we practiced it. And then we

Tim Callahan:

kind of felt like we trained so to speak, in order to execute

Tim Callahan:

that. We've been very fortunate we've not had any major global

Tim Callahan:

cyber security events. We have had cybersecurity events, we

Tim Callahan:

were very dependent on third parties, and when they have an

Tim Callahan:

event, we have to respond as well. So the structure has been

Tim Callahan:

very, very good in prepping us for for these kinds of

Tim Callahan:

scenarios. We also think it's very important that we have a

Tim Callahan:

trained in- house team on initial measures, looking

Tim Callahan:

towards the post recovery. So as we're responding to events, how

Tim Callahan:

we preserve the environment so that we can later do forensics

Tim Callahan:

is very important. As you pointed out, I was a bomb tech

Tim Callahan:

in the Air Force. And oftentimes we would get sideways with our

Tim Callahan:

law enforcement partners because they wanted us to preserve

Tim Callahan:

evidence. Obviously, we just wanted to get rid of the hazard.

Tim Callahan:

But you have to kind of think through that more strategic

Tim Callahan:

thing for us bomb techs was, if this was a terrorist

Tim Callahan:

organization, a criminal organization, we had a vested

Tim Callahan:

interest in helping our law enforcement partners find out

Tim Callahan:

who did it so that they wouldn't do it again. Right. And so

Tim Callahan:

that's a very similar kind of correlation. Our forensics teams

Tim Callahan:

have to and our response teams have to be able to think through

Tim Callahan:

that. And we have plans for that. We've got very good

Tim Callahan:

relationships with our legal counsel in house as well as we

Tim Callahan:

exercise with outside legal services. We've got a good

Tim Callahan:

partnership with our local FBI Secret Service, we attend

Tim Callahan:

Department of Treasury briefings, and a strong member

Tim Callahan:

in the Financial Services Information Sharing and Analysis

Tim Callahan:

Center. So all of this forms up to post recovery, right? You

Tim Callahan:

can't do a good job in post recovery. If you don't do a good

Tim Callahan:

job in the response process and those stages leading up to that.

Dr. Dave Chatterjee:

Great! I'd like to reiterate a couple of

Dr. Dave Chatterjee:

things you said, one of which is to be in lockstep with the chief

Dr. Dave Chatterjee:

legal counsel, and establish a good partnership with law

Dr. Dave Chatterjee:

enforcement. Oftentimes, when I'm asked for advice by

Dr. Dave Chatterjee:

organizations on how best to build and manage their

Dr. Dave Chatterjee:

cybersecurity strategy, I emphasize the importance of

Dr. Dave Chatterjee:

closely working with the legal team. Involving Legal in

Dr. Dave Chatterjee:

cybersecurity strategy formulation, execution planning,

Dr. Dave Chatterjee:

and review are very good practices. Get in touch with the

Dr. Dave Chatterjee:

legal team and discuss with them, what are the likely

Dr. Dave Chatterjee:

pitfalls or consequences of different types of breaches? And

Dr. Dave Chatterjee:

what would the jury and the judge like to hear and see, by

Dr. Dave Chatterjee:

way of evidence, of due diligence? Did the organization

Dr. Dave Chatterjee:

comply with all the regulatory requirements and follow through

Dr. Dave Chatterjee:

with the recommended cybersecurity best practices?

Dr. Dave Chatterjee:

Ultimately, it is the legal team that you have to go to for help,

Dr. Dave Chatterjee:

for defending the organization in the court of law. So why not

Dr. Dave Chatterjee:

involve them from the get-go? Developing a strong and

Dr. Dave Chatterjee:

sustained partnership with Legal is definitely a critical success

Dr. Dave Chatterjee:

factor. So thanks for sharing that Tim. Moving along, when it

Dr. Dave Chatterjee:

comes to dealing with ransomware attacks, as we all know, these

Dr. Dave Chatterjee:

attacks are rampant, and many organizations are underprepared

Dr. Dave Chatterjee:

to deal with such attacks. What advice do you have for your

Dr. Dave Chatterjee:

peers in other organizations?

Tim Callahan:

Yeah. So when you take ransomware, and as you say,

Tim Callahan:

it is rampant, we've been affected less directly in

Tim Callahan:

internal, we did have a couple years back, one of our small

Tim Callahan:

subsidiaries affected and we we recovered from that fine, but

Tim Callahan:

we're we've had several instances where a critical third

Tim Callahan:

party was affected and actually shut down services. And we had

Tim Callahan:

to recover from that, right? Not necessarily from the malware

Tim Callahan:

that caused the ransomware cuz that was in the third party, but

Tim Callahan:

obviously, the impact on our services. So it's very important

Tim Callahan:

when you think through a ransomware attack, you think

Tim Callahan:

through all the factors that you can be affected, and then you

Tim Callahan:

plan for that, right. So it's always a little bit different

Tim Callahan:

than other business disruptions when you think through it,

Tim Callahan:

right. So from a true business disruption, we have business

Tim Callahan:

continuity plans, and we invoke those, those kinds of things. We

Tim Callahan:

have work arounds, there's always a discussion in the in

Tim Callahan:

the work arounds about is this effective? In other words,

Tim Callahan:

should we go to manual process from automated process? Or

Tim Callahan:

should we just concentrate on getting recovered because if we

Tim Callahan:

go to manual process, you're introducing human error and

Tim Callahan:

other kinds of things. So these are all the discussions, you'd

Tim Callahan:

have to kind of think through during a response. One thing, in

Tim Callahan:

any ransomware response, you're going to slow down a little bit,

Tim Callahan:

because you've really got to determine where the ransomware

Tim Callahan:

is, where the malware is, that caused that event, to make sure

Tim Callahan:

that you don't recover in a way that you reintroduce that same

Tim Callahan:

infection into the new the new area. And so you have to kind of

Tim Callahan:

bring forensics up to the front to some degree in a ransomware

Tim Callahan:

event, whereas in other kinds of events, you don't necessarily

Tim Callahan:

have to do that. So that's a consideration unique to

Tim Callahan:

ransomware. I do think in ransomware I use the term

Tim Callahan:

ransomware but any cyber extortion type event whether

Tim Callahan:

it's DDoS attack, destructive attack for extortion, whatever

Tim Callahan:

it is, you really have to think through, and have I think a very

Tim Callahan:

well articulated policy set your highest company level. If you're

Tim Callahan:

a public company, it would be discussed with the Board, you

Tim Callahan:

shouldn't surprise your Board with whether we're paying or

Tim Callahan:

not. I mean, it's something that should be discussed at the Board

Tim Callahan:

level, it definitely has to have crossed the business buy-in, at

Tim Callahan:

the executive level. So again, with a ransomware event, you're

Tim Callahan:

going to have these other factors that you may not in in

Tim Callahan:

other type of cyber events. So those are some of the

Tim Callahan:

conditional, the considerations. I think working with law

Tim Callahan:

enforcement, again, is very important in ransomware,

Tim Callahan:

bringing them early, we've seen in other companies and major

Tim Callahan:

ransomware events, the federal law enforcement was able to be

Tim Callahan:

pretty helpful, and giving Intel and giving advice, and then in

Tim Callahan:

some cases actually recovering. And when one company paid the

Tim Callahan:

ransom, they were able to recover a good portion of it. So

Tim Callahan:

I think, again, in this type of incidents, you really have to

Tim Callahan:

think through differently your response, the post incident

Tim Callahan:

correction, again, as it's going to be a little more time

Tim Callahan:

consuming than than maybe other type of events. Because you want

Tim Callahan:

to make sure that everything is clean everything that to the

Tim Callahan:

extent you can you you've gathered all the indicators of

Tim Callahan:

compromise that you've ran those through your systems. And make

Tim Callahan:

sure that you're not you don't have any latent infection there

Tim Callahan:

or hid and not allocated space, or the the typical things that

Tim Callahan:

you go through. Also, I do think it's very important that you

Tim Callahan:

exercise with different scenarios, before the event

Tim Callahan:

happens. And you put yourself in a continuous learning and

Tim Callahan:

improvement. I mean, when we generally have our exercise, we

Tim Callahan:

bring in third parties. But we also call on law enforcement,

Tim Callahan:

our intelligence partners, really part of open source

Tim Callahan:

intelligence, intelligence we paid for, intelligence through

Tim Callahan:

FS-ISAC (Financial Services Information Sharing and Analysis

Tim Callahan:

Center), all of these things help us form that scenario. So

Tim Callahan:

we're getting realistic play, and to the extent possible, can

Tim Callahan:

be prepared for that.

Dr. Dave Chatterjee:

That's, that's great insight. Thank you

Dr. Dave Chatterjee:

so much for sharing, I'd like to add something to what you

Dr. Dave Chatterjee:

shared. And this comes from a discussion that I had with a

Dr. Dave Chatterjee:

former FBI professional who worked in, who still works in

Dr. Dave Chatterjee:

the cybersecurity space. And I'm going to quote him here. He

Dr. Dave Chatterjee:

says, "one of the first things that these threat actors do when

Dr. Dave Chatterjee:

they get into the environment is go looking for the backups,

Dr. Dave Chatterjee:

because those are going to be the some of the first systems

Dr. Dave Chatterjee:

they hit you with ransomware attacks." And, in fact, that was

Dr. Dave Chatterjee:

validated by another expert, who said that it's not good enough

Dr. Dave Chatterjee:

to just have backups, a nd they're properly secured both

Dr. Dave Chatterjee:

offline and online. But it is equally important to have read-

Dr. Dave Chatterjee:

only backups. Would you like to add anything to that?

Tim Callahan:

Yeah, I think it's important, for years I've led

Tim Callahan:

the business continuity programs, and pretty much every

Tim Callahan:

company I've worked for, but for years, we were trying to

Tim Callahan:

accelerate backups. I mean, that was the our assurance, right? So

Tim Callahan:

you have your recovery time of that objective, your recovery

Tim Callahan:

point objective. And generally, the requirements for recovery

Tim Callahan:

point are minutes, right. So in order to do that, you had to do

Tim Callahan:

very rapid backup. And thinking through the ransom scenario,

Tim Callahan:

that can really hurt you. Even if you have you don't have a

Tim Callahan:

criminal that's penetrated and been able to move laterally

Tim Callahan:

across your environment and get into your backups. If you're

Tim Callahan:

replicating very quickly, then you could actually replicate the

Tim Callahan:

ransomware encryption into into your backup. So it really caused

Tim Callahan:

us to take a pause and think through what what our strategy

Tim Callahan:

ought to be. Best practices here, as your FBI friend pointed

Tim Callahan:

out is definitely to have read-only backups, it's

Tim Callahan:

definitely important to air gap your backup, or at least have

Tim Callahan:

some preservation methodology to air gap your back-up. So there

Tim Callahan:

is some definitive action that that it takes; in different

Tim Callahan:

companies with different technologies, we'll we'll do

Tim Callahan:

that in different ways. In fact, we have two major subsidiaries

Tim Callahan:

that just because of their configuration and and how they

Tim Callahan:

do things, do it two different ways. So I do think that's a

Tim Callahan:

very important consideration that's different than

Tim Callahan:

traditional crisis disaster situations.

Dr. Dave Chatterjee:

Okay. Thanks for sharing that. Another

Dr. Dave Chatterjee:

thing that I'd like to share with listeners is the evolution

Dr. Dave Chatterjee:

of the ransomware extortion methods: from single extortion

Dr. Dave Chatterjee:

practices, where they encrypt systems and data, to double

Dr. Dave Chatterjee:

extortion, meaning stealing your data before encrypting it, then

Dr. Dave Chatterjee:

there is triple extortion, when the perpetrators launch a

Dr. Dave Chatterjee:

denial- of-service attack, so the business can no longer

Dr. Dave Chatterjee:

function. And the latest is the quadruple extortion, where the

Dr. Dave Chatterjee:

ransomware attackers contact the customers of the breached

Dr. Dave Chatterjee:

organization and ask them to put pressure on the organization to

Dr. Dave Chatterjee:

pay up. Given the variety of ways in which the ransomware

Dr. Dave Chatterjee:

attackers put pressure on the organization, and the

Dr. Dave Chatterjee:

unfortunate reality, that it is hard to keep up with the

Dr. Dave Chatterjee:

evolving attacks and techniques, it must be a very unnerving

Dr. Dave Chatterjee:

feeling that if your organization gets attacked, if

Dr. Dave Chatterjee:

your organization gets compromised, the battle against

Dr. Dave Chatterjee:

the ransomware attackers is hard to win, because they have the

Dr. Dave Chatterjee:

data and you have to depend on them live up to their promise

Dr. Dave Chatterjee:

that if the ransom is paid, they won't share the stolen data, or

Dr. Dave Chatterjee:

they won't do anything more with it. That's a very difficult kind

Dr. Dave Chatterjee:

of a situation, isn't it?

Tim Callahan:

Most certainly. And I think when you get the

Tim Callahan:

quadruple extortion, you're you're just having a bad day. I,

Tim Callahan:

but we have thought through that scenario in our exercises. And I

Tim Callahan:

think what happens is at some point, you cease a traditional

Tim Callahan:

cyber technical response to a true public relations response,

Tim Callahan:

or sharing. So I know that our number one concern is always

Tim Callahan:

protecting our customers. And we make all of our decisions based

Tim Callahan:

on that. Because our customers have trusted us with their

Tim Callahan:

information. They trust us. In fact, our CEO often says that

Tim Callahan:

what we sell at Aflac is we sell a promise, right? We sell a

Tim Callahan:

promise to be there for our customers when they need us

Tim Callahan:

most. And we're going to fulfill that promise. And that extends

Tim Callahan:

across our company into our cybersecurity program, because

Tim Callahan:

we our employees, see the importance of protecting our

Tim Callahan:

customers our customer information. So if you got to

Tim Callahan:

the point that criminals are reaching out to our customers,

Tim Callahan:

and urging our customers put pressure on us, I think quite

Tim Callahan:

honestly, I think we would have failed in our response. Because

Tim Callahan:

if we believe that our data has been compromised to the point

Tim Callahan:

that a criminal could identify our customers, then we have to

Tim Callahan:

tell our customers, "look, this is what's going on, we're under

Tim Callahan:

a criminal attack, here's the measures that you can take to

Tim Callahan:

protect yourself, here's what we're going to do for you,

Tim Callahan:

here's how we're going to battle it." And you have a very honest

Tim Callahan:

discussion at that point, a very honest release. I think our

Tim Callahan:

prevention measures, I think, are definitely at industry

Tim Callahan:

standards, if not a bit beyond, but we can never count on not

Tim Callahan:

being compromised. So I do think you think through all of those

Tim Callahan:

scenarios, and you address them that way. I do know that we've

Tim Callahan:

suffered DDoS attacks for extortion we've come out okay on

Tim Callahan:

that never have paid on that we've, as I pointed out, we had

Tim Callahan:

one of our subsidiaries suffer ransomware. We didn't pay, we

Tim Callahan:

gutted through recovery, and was able to restore the business in

Tim Callahan:

very good time. But I do think that, when you prepare, you have

Tim Callahan:

to think through and plan for the worst case, and then have a

Tim Callahan:

scenario and have thought through how we're going to

Tim Callahan:

respond as a company. It's one of those things, you want to be

Tim Callahan:

prepared for the worst. And hope you never see the worst, but you

Tim Callahan:

still have to be prepared for it. But to do that, you have to

Tim Callahan:

have all components of your company singing off a single

Tim Callahan:

sheet. So our communications team or corporate

Tim Callahan:

communications, PR folks, our marketing team, our legal team,

Tim Callahan:

our technology team, our security team are all led by our

Tim Callahan:

crisis management leader, we have to have statements

Tim Callahan:

prescribed statements kind of at least drafted in our plan,

Tim Callahan:

right, that can quickly be tailored to particular incidents

Tim Callahan:

and released. We have to exercise and have again a

Tim Callahan:

partnership with our law enforcement. All of these things

Tim Callahan:

are your best defense against against the more disastrous

Tim Callahan:

outcome. I think the public and our customers would have a lot

Tim Callahan:

of sympathy for a company if we're doing the right thing,

Tim Callahan:

we've done the right thing, and we're communicating honestly,

Tim Callahan:

openly, transparently. They they'll realize and we've seen

Tim Callahan:

this in other companies, the customers realize that we're a

Tim Callahan:

victim too and we're doing our very best to protect them.

Dr. Dave Chatterjee:

Thanks for sharing, you're spot on, I think

Dr. Dave Chatterjee:

a really honest, candid, transparent approach that

Dr. Dave Chatterjee:

reflects a genuine attempt by the organization to be

Dr. Dave Chatterjee:

deliberate and comprehensive in their cybersecurity strategy is

Dr. Dave Chatterjee:

key. And it's great to hear that there is such strong support

Dr. Dave Chatterjee:

from the CEO level in your organization. I love what you

Dr. Dave Chatterjee:

said, it's about selling a promise that we truly care. And

Dr. Dave Chatterjee:

if we don't live up to it, then what's the point and that spirit

Dr. Dave Chatterjee:

of caring, percolates right through and includes protecting

Dr. Dave Chatterjee:

customer data. In fact, I want to take this opportunity to also

Dr. Dave Chatterjee:

share a quote which will resonate with you; here's what a

Dr. Dave Chatterjee:

subject matter expert had to say about dealing with ransomware

Dr. Dave Chatterjee:

--ransomware is more than just a CISO problem, it's a corporate

Dr. Dave Chatterjee:

problem, you need the executives, you need the Board,

Dr. Dave Chatterjee:

you need the management, and you need the employees to all be in

Dr. Dave Chatterjee:

unison, in how you go about protecting your company. And

Dr. Dave Chatterjee:

that's exactly what I'm hearing you saying, and also aligns very

Dr. Dave Chatterjee:

well with one of my messages, that cybersecurity is really

Dr. Dave Chatterjee:

everyone's business. You cannot outsource cybersecurity

Dr. Dave Chatterjee:

management to a team or a function and expect miracles to

Dr. Dave Chatterjee:

happen. While you do count on their expertise, and it's only

Dr. Dave Chatterjee:

right to do so, everyone has to do their part. So creating and

Dr. Dave Chatterjee:

sustaining a We-Are-In-It-Together culture,

Dr. Dave Chatterjee:

with the tone being set at the top by the CEO, that is really

Dr. Dave Chatterjee:

the best that an organization can do, in my humble opinion.

Dr. Dave Chatterjee:

And I'm hearing that in your statements, in your discussion

Dr. Dave Chatterjee:

of how your organization approaches cybersecurity

Dr. Dave Chatterjee:

preparedness. Finally, coming to the last section of our

Dr. Dave Chatterjee:

discussion, in a book that I recently authored, titled,

Cybersecurity Readiness:

A Holistic and High-Performance

Cybersecurity Readiness:

Approach, I presented the Commitment-Preparedness-Discipline

Cybersecurity Readiness:

(CPD) framework. This framework is associated with 17

Cybersecurity Readiness:

cybersecurity readiness success factors. And I'd like to believe

Cybersecurity Readiness:

that this governance framework is holistic, because it not only

Cybersecurity Readiness:

covers the technical controls that are enumerated and shared

Cybersecurity Readiness:

by the very established frameworks such as NIST, ISO

Cybersecurity Readiness:

27,000, and others, but it also speaks to the non-technical

Cybersecurity Readiness:

controls such as top management commitment, creating a

Cybersecurity Readiness:

We-Are-In-Together culture, empowering the CISO function,

Cybersecurity Readiness:

cross-functional participation, and many other governance and

Cybersecurity Readiness:

leadership success factors. I'd love to hear your reaction to

Cybersecurity Readiness:

some of the CPD framework success factors. For instance,

Cybersecurity Readiness:

how does an organization create and sustain a We-Are-In-Together

Cybersecurity Readiness:

culture? What are some key elements of a best practice to

Cybersecurity Readiness:

do that?

Tim Callahan:

I think it's very important that all parts of the

Tim Callahan:

company sees decisions around security as true business

Tim Callahan:

decisions, not decisions made in a hole in a dark room someplace

Tim Callahan:

in the back of the company. And so very early when I came to

Tim Callahan:

Aflac, and a practice I've used at my other companies too, is, I

Tim Callahan:

formed a at first it was kind of an advisory council, it turned

Tim Callahan:

into a governance council. And so the security oversight

Tim Callahan:

committee concept. So as I was working with my my different

Tim Callahan:

peers and coming on board, I asked them to be a part of

Tim Callahan:

forming up the security group, right? Because when you when you

Tim Callahan:

think about the company, and the other organizations, how

Tim Callahan:

interdependent we all are on each other, our HR function, we

Tim Callahan:

look at HR HR to communicate security policy through the

Tim Callahan:

employee handbook, type, structure, right? So

Tim Callahan:

incorporating our security principles into the fabric of

Tim Callahan:

our company, on-board training, or each year at our company, we

Tim Callahan:

reaffirm our commitment to the company and one another in

Tim Callahan:

following the principles outlined in the employee

Tim Callahan:

handbook. Right? And that touches our culture, ethics, how

Tim Callahan:

we're going to conduct, how we're going to talk to one

Tim Callahan:

another. So HR was a critical partner very early on, and still

Tim Callahan:

is. So they're they're a member of our oversight committee, the

Tim Callahan:

legal function, the compliance function, our privacy function,

Tim Callahan:

which is under legal, so the business leaders, most of our

Tim Callahan:

activity from a sales point of view is conducted by independent

Tim Callahan:

agents. So we had to have conversations with them. And

Tim Callahan:

again, they're independent agents, they're, they're not

Tim Callahan:

employees, we, but we have to partner with them as well,

Tim Callahan:

because they're on the very tip of the spear of protecting our

Tim Callahan:

customers. So we have representatives on that on our

Tim Callahan:

oversight committee we have and when I say the Oversight

Tim Callahan:

Committee, these are the SVPs and EVPs of the company, so to

Tim Callahan:

speak, that, that share the table have come on as a partner.

Tim Callahan:

Because it's very important from day one to communicate, look,

Tim Callahan:

I'm going to be here, I'm going to do my best to protect the

Tim Callahan:

company through my technical controls and through the these

Tim Callahan:

things, but at the end of the day, we all have to be committed

Tim Callahan:

together, or we're going to fail. It's very good that at

Tim Callahan:

the VP level at the very business unit, in fact, our

Tim Callahan:

Deputy President for Aflac US has been a great partner. They

Tim Callahan:

they know the ramifications of having a qualified SOC 2. And so

Tim Callahan:

they want to make sure that the concept of the way we sell our

Tim Callahan:

product through to businesses often who buy the product for

Tim Callahan:

their employees, they rely on the SOC 2 structure to assess

Tim Callahan:

our security. So they see that as business enabling, they don't

Tim Callahan:

see security as a burden, they see it as business enabling. So

Tim Callahan:

we are in it together and our sales teams know of one of the

Tim Callahan:

best methods of selling or I guess tools and selling is the

Tim Callahan:

Aflac reputation and they know that that reputation get can get

Tim Callahan:

tarnished. There's there's such a high degree of trust in Aflac

Tim Callahan:

as, as a provider as a partner that if we have an event, it

Tim Callahan:

could tarnish that reputation. And so they're they're

Tim Callahan:

definitely bought in, we have, and we do campaigns, we do

Tim Callahan:

things to keep awareness in the public, right? For compliance

Tim Callahan:

reasons, every company has to do their annual awareness training.

Tim Callahan:

But if you're relying on that, for true awareness, that's

Tim Callahan:

that's not getting it, it just doesn't I mean, I, you can go to

Tim Callahan:

anyone and ask them two weeks after they took the awareness

Tim Callahan:

training key points, and they're not going to remember it. But if

Tim Callahan:

you have a methodology of integration and embedding

Tim Callahan:

yourself into the business and the business processes, then

Tim Callahan:

they remember that and in fact, we do fun things. One thing that

Tim Callahan:

we do is three or four times a year, we actually host a shred

Tim Callahan:

day. So people can bring their personal information that gets

Tim Callahan:

piled up in the corner someplace and bring it to the shred they

Tim Callahan:

can bring their their computer disks, they can bring hard

Tim Callahan:

drives, we we sponsor that. And and we use that opportunity as

Tim Callahan:

people bringing things to just reinforce the principles of good

Tim Callahan:

sound security. We do other kinds of fun events during

Tim Callahan:

during the year to try to help employees, we also have what we

Tim Callahan:

call cyber ambassadors. And these are volunteers and planted

Tim Callahan:

in the business that have committed to take extra training

Tim Callahan:

so that they can within their business look for opportunities

Tim Callahan:

to reinforce the importance of security. So if you got kind of

Tim Callahan:

the tops down, and the bottoms up, I think you get it a real

Tim Callahan:

we're all in it together. And again, I cannot I cannot under

Tim Callahan:

or over emphasize the fact that the tone at the top has; when

Tim Callahan:

our CEO talks security to our officers and directors groups,

Tim Callahan:

when probably once once a year, once every couple of years, the

Tim Callahan:

CEO will put a message out particular to the importance of

Tim Callahan:

protecting our customers information. Our President, my

Tim Callahan:

boss, he can when he goes out talking, he gets it, he

Tim Callahan:

understands it, he understands the impact it could have on our

Tim Callahan:

company. And so we get that support. And because we get that

Tim Callahan:

support at his level, all of his reports, direct reports embrace

Tim Callahan:

it as well. So it's it's been a very positive experience getting

Tim Callahan:

getting this culture.

Dr. Dave Chatterjee:

That's fantastic. So encouraging to

Dr. Dave Chatterjee:

hear. In fact, I also want to take this opportunity to share

Dr. Dave Chatterjee:

with listeners and you Tim, unless you've had a chance to

Dr. Dave Chatterjee:

read my book; something I talk about in the context of

Dr. Dave Chatterjee:

We-Are-In-It-Together culture. I talk about building emotional

Dr. Dave Chatterjee:

capital, by creating a work environment where a) employees

Dr. Dave Chatterjee:

feel valued, b) develop a sense of belonging and pride, c) are

Dr. Dave Chatterjee:

having fun, and d) not necessarily in this order, but

Dr. Dave Chatterjee:

in any order, and perceive leadership to be genuine and

Dr. Dave Chatterjee:

authentic. And, what you just shared with me by way of

Dr. Dave Chatterjee:

practices, you seem to be doing all of this. And that's so so

Dr. Dave Chatterjee:

good to hear. In fact, Herb Kelleher of Southwest Airlines,

Dr. Dave Chatterjee:

who was instrumental in establishing a very happy and

Dr. Dave Chatterjee:

motivated culture, that culture was founded on three core values

Dr. Dave Chatterjee:

-- humor, altruism, and love. As this might sound a little

Dr. Dave Chatterjee:

abstract and mushy-mushy, but in reality, I was just speaking

Dr. Dave Chatterjee:

with another group before this discussion, and they were

Dr. Dave Chatterjee:

talking about how important is empathy when it comes to

Dr. Dave Chatterjee:

cybersecurity governance. And I'm sure you will agree that

Dr. Dave Chatterjee:

it's it plays a huge role. Because unless you're empathetic

Dr. Dave Chatterjee:

to people making mistakes, even though they use their good

Dr. Dave Chatterjee:

judgment, they trained sincerely, but they can make

Dr. Dave Chatterjee:

mistakes. But as long as they're owning up to it, and enabling

Dr. Dave Chatterjee:

organizations react quickly to the consequences of their

Dr. Dave Chatterjee:

mistakes, instead of punishing them, be encouraging, maybe

Dr. Dave Chatterjee:

celebrate their candor and honesty, it has been it has been

Dr. Dave Chatterjee:

done by some companies. So I'll let you speak to that as well.

Tim Callahan:

Yeah, I couldn't agree more with with those

Tim Callahan:

fundamental principles, not only security, but in leadership and

Tim Callahan:

life. I mean, when employees enjoy coming to work, or enjoy

Tim Callahan:

their workplace, because of empathy because of humor,

Tim Callahan:

because we care, obviously, they're going to do a better

Tim Callahan:

job, they're going to feel a sense of ownership to that

Tim Callahan:

company. It's not kind of the working in the coal mine

Tim Callahan:

attitude, it's, I want to be there, I want to be there. And

Tim Callahan:

because I want to be there, I want to protect it. The

Tim Callahan:

employees of Aflac, we've got incredible tenure, which is

Tim Callahan:

celebrated every year in an Employee Appreciation Week,

Tim Callahan:

which is just an unbelievable week of telling our employees,

Tim Callahan:

we love them. But now you got to do it 365, you can't just do it

Tim Callahan:

in one week. But a lot of companies say they value their

Tim Callahan:

employees, but it's just words, right? You've got to show you

Tim Callahan:

value them. I've read a book many years ago called Love 'Em

Tim Callahan:

Or Lose Em.' And it was the whole principle about letting

Tim Callahan:

employees know how much you appreciate them and care for

Tim Callahan:

them and care for their personal aspects, not just their

Tim Callahan:

productivity in the company, but seeing them. So we carry those

Tim Callahan:

those principles into our cybersecurity information

Tim Callahan:

security program. Yes, people will make mistakes, we have in

Tim Callahan:

some cases rewarded the coming forward. And we do that in

Tim Callahan:

different cases. We recently introduced I think a symbol of

Tim Callahan:

that, we developed a Global Security Challenge Coin, which

Tim Callahan:

we did it for our core group, global security group, our Cyber

Tim Callahan:

ambassadors. But we also use the coin to recognize someone that

Tim Callahan:

has gone the extra mile. And we've awarded a couple of those

Tim Callahan:

coins, they are not given out willy nilly. They're they're

Tim Callahan:

earned. But we recognize people doing the right things. We

Tim Callahan:

recognize that a few if you look at statistics, every year, one

Tim Callahan:

of the biggest 'insiders' is employee mistakes, right?

Tim Callahan:

Posting something unsecure to a website, failure to ship

Tim Callahan:

sensitive information and in accordance with a standard and

Tim Callahan:

losing control of it, those those kinds of things, the

Tim Callahan:

laptop falling off the back of a truck. Those kinds of things

Tim Callahan:

account for many, many of the reportable incidents every year.

Tim Callahan:

So how do you build a culture where people are paying

Tim Callahan:

attention to that, and I think catching them doing the right

Tim Callahan:

thing is one of those, those methods to build that culture.

Tim Callahan:

But again, I I've experienced firsthand the benefits of

Tim Callahan:

treating our employees well, and caring for them. And then

Tim Callahan:

reinforcing that.

Dr. Dave Chatterjee:

Fantastic! We can end on that note, unless

Dr. Dave Chatterjee:

you have any final thoughts, Tim. This was great!

Tim Callahan:

Dave, I appreciate this opportunity to share my

Tim Callahan:

thoughts and to foster that servant leadership principles

Tim Callahan:

that you've you've espoused in your book and, and how they're

Tim Callahan:

proven over and over again. So thank you very much.

Dr. Dave Chatterjee:

Thank you, Sir. A special thanks to Tim

Dr. Dave Chatterjee:

Callahan for his time and insights. If you like what you

Dr. Dave Chatterjee:

heard, please leave the podcast a rating and share it with your

Dr. Dave Chatterjee:

network. Also, subscribe to the show, so you don't miss any new

Dr. Dave Chatterjee:

episodes. Thank you for listening, and I'll see you in

Dr. Dave Chatterjee:

the next episode.

Unknown:

The information contained in this podcast is for

Unknown:

general guidance only. The discussants assume no

Unknown:

responsibility or liability for any errors or omissions in the

Unknown:

content of this podcast. The information contained in this

Unknown:

podcast is provided on an as-is basis with no guarantee of

Unknown:

completeness, accuracy, usefulness or timeliness. The

Unknown:

opinions and recommendations expressed in this podcast are

Unknown:

those of the discussants and not of any organization.

Chapters

Video

More from YouTube