Robert Austin, Professor, Ivey Business School, discusses the value of cyber-attack simulation by drawing upon the learning tool (IT Management Simulation: Cyber Attack!, Harvard Business School Publishing) that he has developed. Using powerful metaphors such as "it's better to have a smaller portion of an expanding pie than to have an expanding portion of a shrinking pie," Rob highlights the need for an unselfish and collaborative approach (among competitors) to dealing with cyber threats. He also emphasizes the importance of top management engagement, judicious technology spending to reduce operational dependencies and threats, and leveraging the power of the human resource.

Time Stamps

00:45

I'd like you to talk to our listeners about the cyber attack simulation that you have authored. And this engaging simulation is available from the Harvard Business Publishing website.

05:15

As I reflect on this simulation tool that you have available for executives and students, it does offer an opportunity to assess organizational readiness from a cybersecurity standpoint. What else does it accomplish based on your experience of using it out there?

08:02

How would you compare this particular simulation exercise with the tabletop exercises that organizations are known to conduct?

10:25

I wanted to mention to my listeners that Professor Austin was one of the authors of a case called iPremier, and to the best of my knowledge, it's one of the few graphically written cases where essentially you're seeing a whole bunch of cartoons that describe the scenario, and then walk you through the next steps as you use the case. And you can use that case for simulation as well. Rob, if I remember correctly, that case was authored as early as 2002, or 2003. Give the listeners a bit of a background of the iPremier case.

13:41

As you look at the big picture, as you reflect on how things are evolving over a period of time, what has changed, what are your concerns? What is your assessment of where things are going? What can we do better?

21:34

What are you seeing in terms of best practices of actively engaging top management in cybersecurity planning, execution, monitoring? Anything that stands out?

38:38

What structures or mechanisms should be in place so that business leaders, technology leaders, security leaders, work together, they're incentivized to work together as opposed to taking the approach, it's your problem, not mine?

Memorable Rob Austin Quotes

"It's one thing to plan, it's another thing to be able to actually walk the talk. And that's one of the things the simulation shows us."

"You learn something from a simulation, but you learn even more from discussing the experience that you had in the simulation."

"It's unlikely you're going to be able to execute everything exactly according to plan."

"We're working very hard to add nodes to the network, but often every node is a potential attack point, as well."

"The dilemma of IT security is that if you do everything that you're supposed to do, and as a result, your company does well, and does not suffer IT security events, the result is, nothing happens. And, it's hard to get credit for nothing happens."

"We used to be able to assume that we could just pursue our own interests, and everything would be fine. But now we discover that our interests interact with other people's interests. And I think that's true in business ecosystems as well. But it is definitely true in cybersecurity. If you've got really great cyber defenses, but one of your business partners has really bad cyber defenses, that's an entry point into your company as well. That's a risk factor for your company."

"It's better to have a smaller portion of an expanding pie than to have an expanding portion of a shrinking pie."

Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Welcome to the Cybersecurity Readiness Podcast

series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of

A Holistic and High-Performance

Approach by SAGE publishing. He has been studying cybersecurity

for over a decade, authored and edited scholarly papers,

delivered talks, conducted webinars, consulted with

companies, and served on a cybersecurity SWAT team with

Chief Information Security officers. Dr. Chatterjee is an

Associate Professor of Management Information Systems

at the Terry College of Business, the University of

Georgia and Visiting Professor at Duke University's Pratt

School of Engineering.

Hello, everyone, I'm delighted to

welcome you to this episode of the Cybersecurity Readiness

Podcast series, where I will be talking with Professor Robert

Austin of Ivey Business School, located in London, Ontario,

Canada. Professor Austin is a highly distinguished educator

with extensive experience and accomplishments in academia and

industry. He has worked at major multinational corporations in

the automotive and technology sector. He has also been the

dean of a business school, and the CEO of an Executive

Education Foundation. Rob is also an experienced C-level

consultant to multinational companies. He has been a faculty

chair, member in executive education programs at Harvard

Business School, Harvard Medical School, Ivy, Business, School

and elsewhere. He's also the author of several books, and

more than 100 articles and cases. Rob, welcome. Thank you

for making time to share your expertise with my listeners. To

get the ball rolling. I'd like you to talk to our listeners

about the cyber attack simulation that you have

authored. And for the benefit of the listeners, this simulation

is accessible from the Harvard Business publishing website.

Sure, it's, it's great to be here, thank you for

inviting me. So this simulation, it, it basically engages

participants in a real time cyber attack. So it's, you

experience it as a flow of events that unfold in real time,

you were asked to make decisions that are as much as we could

make them modeled on the kinds of decisions that you would face

in a situation like this. You have to during the attack, you

have to coordinate with team members, with the people who you

work for, as well as with, you know, partners, partners at

hosting facilities and various other people who not all of whom

are people that you necessarily want involved in the problem

solving. Sometimes people inject themselves into situations like

this in ways that are not entirely helpful. Also, another

feature of the simulation is that not everything unfolds, as

you expect it to. And you have to process that. The scenario in

this simulation is that they're experiencing a DDoS attack,

distributed denial of service attack, but they begin to

suspect that there might also be an intrusion that has occurred.

And of course, a DDoS attack doesn't necessarily imply an

intrusion. But some things start to look suspicious as they start

to investigate what's going on with the DDoS attack. The DDoS

attack seems to have defeated some of their defenses, and they

can't figure out why that would be the case, right away. Another

feature of the simulation is that the information that you

have, is not sufficient to fully understand what's happening. But

you're still being called on to make decisions, which I think is

another realistic feature. That's kind of the first part of

the simulation, the second part in so that goes on, you know,

with a timer with a clock counting down. The second part

of the simulation, though, it has to do with, I think, an

important problem in the aftermath of a cyber attack. And

that's what do I say about what has happened? And what's very

difficult about those situations frequently, as you know, Dave,

is that often you're called on to say something about it before

you have a fully confident assessment of what has actually

happened. And so, so that that can be very difficult. One of

the reasons I like simulations like this, is it's possible when

you sit down to plan to imagine that you have a plan and you

know what you would do, but it can be quite difficult to

actually execute your plan. So it's one thing to plan, it's

another thing to be able to actually walk the talk, if you

like. And that's one of the things I think the simulation

shows us.

Yeah, you know, I've had the pleasure of

reviewing the simulation, I plan to use it. In my upcoming class

I find it fascinating the way you have it set up. And I feel

it'll it will definitely achieve some of the learning objectives

that use spelt out such as discovering human biases that

lead to ineffective behavior while responding to a crisis in

real time, recognising the importance of crisis

preparedness, learning to ascertain and manage priorities

during a crisis, practice collaboration and decision

making, to structure effective diagnosis and response and more.

So a kind of backing up a little bit as I reflect on this

simulation tool that you have available for executives, for

students, it does offer an opportunity to assess

organizational readiness from a cybersecurity standpoint. What

else does it accomplish based on your experience of using it out

there?

Yeah, so I think one of the things that happens in

the aftermath of the experience of the simulation itself is it

often provokes a very useful discussion. We, one of my, one

of the principles that I like to put forth when, when we talk

about simulations is that you know it, you learn something

from a simulation, but you learn even more from discussing the

experience that you had in the simulation. So the debrief after

the simulation is, is, you know, probably the most important

part. And what you discover, I mentioned this kind of before,

right, that what you discover when you go through a

simulation, is it, it's harder to do things that you assume

that you would do than you expected. And, you know, one of

the things about events unfolding in real time is that,

you know, you have that the information comes to you in the

wrong order, and incomplete. And so you have to do sense making,

despite this, the situation not being very ideal for that. And

these are some of the things that you realize after the

experience, and that you can talk about it, it leads you to

realize that there may be holes in your preparedness plan, there

may be things that you've assumed you could do that you

can't actually pull off in the heat of the crisis. And so I'd

say that's, that's one of the big things is the quality of the

conversation that you have about your preparedness plans, after a

simulation, I think is really quite high that it causes you to

realize some things that can cause you to make material

improvements in your plans.

Okay. And how would you compare this

particular simulation exercise with, you know, the tabletop

exercises that organizations are known to conduct?

Yeah, I think those can be really good to write in,

in fact, that, to be perfectly honest, the genesis of this

online simulation was a tabletop simulation, right? It's it's

sort of a, it's an automated version of something that we

used to run in, in a lot of different situations in a lot

less animated fashion. But, but I do think there's something to

it, one of the things that's that people say, as a striking

feeling, after having gone through the simulation is, is

that clock just keeps ticking. And things come at you in an

order, and at a time, when you know, that you you basically

don't have any control over the clock, and in how the things are

unfolding in time. And while that can be part of a tabletop

simulation, I think it's it's especially impressive, I think,

when you're when you're experiencing in in the in the

online setting, but you know, I'm a fan of those too, I'm a

fan of the, the tabletop settings, and they're also kind

of they have flexibility advantages, right? You can, you

can quickly redesign them, you can add things to them, and so

forth. So I kind of like the idea of using tools like this

one, this automated simulation tool, in conjunction with other

other kinds of activities like planning, like less automated

simulations, like case discussions, right. So one of

the things that we have sometimes done, is it we'll have

a case discussion about a company being attacked, and the

situation parallels fairly closely the situation in the

simulation, and people decide what they think they would do.

And then the in the next session, we have them run the

simulation and they discover, you know, kind of how unfolding

real events make shambles of their plans, in some cases, so

that's a very useful thing to, to realize is that it's unlikely

you're going to be able to execute everything exactly

according to plan.

Absolutely, you can plan as much as you

want. But when it comes to execution, it can be a very

different experience. And I think such simulation exercises

can be very helpful for management. Talking about case

studies, case discussions, I wanted to mention to my

listeners that Professor Austin was one of the authors of a case

called iPremier, and to the best of my knowledge, it's one of the

few graphically written cases where essentially you're seeing

a whole bunch of cartoons that describe the scenario, and then

walk you through the next steps as you use the case. And you can

use that case for simulation as well. Rob, if I remember

correctly, that case was authored as early as 2002, or

2003? What was the give the listeners a little bit of a

background of the iPremier case?

Yeah, you're right about that, that it's actually

by now quite an old case. And we usually think that old cases get

out of date. But one of the things, I think you and I've

talked about this before, one of the things that's remarkable

about that case is the issues are still with us. And so we've

actually updated it a bit over the years to to take into

account things like you know, now people are better at

defending against denial-of -service attacks, things like

that. But but the truth is this case, I think, was 2001,

actually, when we wrote the first version of it, and the

world really was different then. A guy named Chris Darby and I

wrote the very first Harvard Business Review article about

cybersecurity. It was called the myth of IT security. And that

was published in 2003. And, you know, part of the lead up to

that was writing this iPremiere case, and believe it or not, I

mean, it's hard to imagine this now, but we had to work hard to

convince them that cybersecurity was something that CEOs should

think about. Right? In, in the in those in that timeframe, late

90s, early 2000, it probably took us two or three years to

convince them that this is something that should be, you

know, on the table when the senior team discusses the

important issues for the firm. But yet, it is also the case

you're describing in 2009, we turned it into what we call a

graphic novel version. That worked with a Professor, Jeremy

Short, who has done a lot of interesting research around

whether that might be a good mode to get information across

to people in. And, you know, we there's a little bit of

resistance to that idea, too. Because I remember somebody

saying to me, tell me again, why we need a comic book with the

Harvard Business School logo at the top of it. But but in the

end, we prevailed, it was the first graphic novel business

school case at Harvard. Since then, there have been more

because there there are people who who quite like to use those.

And I happen to be one of them. I

found that approach to writing cases to be extremely

interesting, dramatic, and it gets students attention. Moving

along, Rob, you have such a lot of experience in the technology

space, of course in the cybersecurity space; as you look

at the big picture, as you reflect on how things are

evolving over a period of time, you mentioned about your writing

the first article in 2001, the Harvard Business Review, what

has changed? What are your concerns? What are your what is

your assessment of where things are going, what can we do

better?

Yeah, I'm probably you know, I there are other

people who I would go to for the authoritative version on where

things are going. For years in my Executive Program at Harvard

that was targeted at Chief Information Officers, I used to

go to a guy named Dan Geer and he I would still recommend going

out on the web and finding out what he's talking about lately.

Dan was trained as a trained as a healthcare statistician, an

epidemiologist, basically. And he has always approached

cybersecurity from a similar sort of a standpoint. And so

he's always come up with interesting conclusions. But of

course, you know, he was one of the very first people who said

that we're losing, right, that the the threats, the threats are

getting more sophisticated, much faster than we can advance the

defenses. And I guess that, I mean, yeah, I guess I'd ask you

too Dave, but, you know, that seems to be true still, that the

nation states are involved in the threats now. There's a lot

of very sophisticated attacks, we're working on some cases now,

about companies that, you know, have had very dire problems with

ransomware attacks. And so, you know, and people are still not

still not prepared. Despite hearing these stories about

companies that blink out of existence, I mean, one of the

cases we're working on right now, one of the serious options

on the table was just declare bankruptcy for this company and

start another one. Because they couldn't, you know, they

couldn't fix it. Now, they did eventually fix it. But it was

for a funny reason. They'd worked with a vendor who didn't

thought their network was too slow. And the vendor took a

whole copy of an instance of their systems to a different

environment to work on improvements and enhancements to

the system. And it turned out to be very lucky that he had a

recent version of the system because everything was messed

up, the backups were messed up. And if this guy hadn't taken,

basically took the the company systems off site and wasn't

quite a thumb drive, but it was like that. Right. And they were

they've never been more relieved than discover that somebody else

had taken their systems off site, their software.

Yeah, it's it's hard to believe that

organizations can be so underprepared. And again, it's

not fair to generalize. But as you mentioned, the reality of it

is the attack surfaces are expanding, thanks to increasing

digitization. And that's not going to stop. The hackers are

getting increasingly sophisticated. It's a pretty

mature industry now. So that's not going to stop. So

organizations don't have a choice but to put on their best

game and be as prepared as they can be, and planning is

important. But you know, testing the planning is equally

important. And that's where every possible help, including

using simulations should be leveraged to enhance their

extent of readiness.

Now, I agree the the other thing I would point out

there is the human side is super important, right? That. I mean,

you talked about the, the attack surfaces growing and, you know,

one of the things I also teach my students these days is, you

know, we talk about platform economics and the power of

network effects. And a lot of business models now are powered

by network effects, you know, the idea that we want to add as

many people as possible or as many nodes as possible to a

network, because the value of the network is increasing faster

than the rate at which we're increasing the size of the

network. And yeah, this is the power of companies like Google

and Facebook and all these platforms. But one of the things

that this also implies is that, you know, we're working very

hard to add nodes to the network, but often every node is

a potential attack point, as well. So we have these business

models that are driving us, you know, I guess what I'd say is

the, the increasing attack surface is being driven by

business models. And I don't know where that ends, you know.

yeah, you know, it's like, we are trying

to get better. We are engaging in as we call it, the the

digital transformation of businesses. And while we engage

in that we create more problems for ourselves. The other day, I

was talking in the classroom about highly integrated systems

and I was sharing with students how important it is for

information to flow seamlessly from one point to the other

without any disruption. And I was sharing with them the

history of, you know, siloed organizations, siloed systems,

and why and how that happens. And then I told them, I said,

you know, what, as I think about it, maybe there are some

benefits of systems not being well integrated, systems being

disconnected, maybe there are some advantages from a

cybersecurity standpoint.

I think that's true. I mean, you, you've probably

used this material to but the Charles Perrow's book on normal

accidents is interesting here, because he points out that one

of the, you know, one of the characteristics of systems that

experience what he calls normal accidents, these, these

situations where low probabilities line up to

disastrous effect; one of the characteristics of systems that

have this is what he calls tight coupling. And another another

way of saying tight coupling, I think is exactly what you were

just talking about, right? How integrated information flow is

across the system. So, you know, it's another situation where

we're actually doing our very best to create what, you know,

in one context is a really good thing, right, integration of

information flow. But, you know, taken from another perspective,

like an information security perspective, that's tight

coupling, and we probably are going to see more normal

accidents as a result. And that's, that's actually not even

normal accidents are accidents, right. There's not even even any

bad guys in those stories. So you add bad guys, and it all

starts to get even more complicated. But I like to think

it's not hopeless. But but it does look pretty formidable.

It is formidable, it's keeping

everyone on their toes. And organizations can no longer

afford to consider cybersecurity as something that can be

outsourced. I'm, I'm a huge proponent of considering

cybersecurity as an as an integral part of business

objectives. In fact, cybersecurity is a strategic

competency that's going to determine the long term success

of organizations. So the mindset has to really change. There was

a time when I was impressing upon executives about investing

in very robust technology infrastructure, and I was using

the word strategic investments. And I was told that, Dave, if

you're not investing in things, that's going to generate sales,

we don't really call them strategic. And I said, I said, I

agree. But I think we have to change that mindset a little

bit. Because if your business doesn't exist, you wouldn't have

anything to sell. So you have to first understand what keeps your

engine running. And you have to secure that before you can do

anything else. So cybersecurity is one of those things, a core

component of business operations today that can cannot be

ignored. And that needs to be get front and center attention

of top management. And that brings up a question that I'd

like to put out there and get your perspective. What are you

seeing in terms of best practices of actively engaging

top management in cybersecurity planning, execution, monitoring?

Anything that stands out?

Yeah, I don't know if I know, of, I don't know if I

have sort of a methodology for best practice for dealing with

execs, I know examples of senior execs that do a good job. And,

you know, they take an interest and, you know, probably more

impressive or memorable, are the situations that you see where

that's not happening, right, where people go to their

corners, basically. We worked with a company one time where

the CEO invited us in to assess their IT capability. And I think

when what we discovered after we'd been there for a while, is

that what he was really kind of looking for, was a reason to get

rid of his current IT leadership, right. He, he didn't

like them. He they made his head hurt. He wanted them to just

take care of things. And so when he was also he was kind of a, it

was a business leader. He's a big, big guy physically, he was

kind of belligerent. And what we discovered was the biggest

dysfunction in the organization, is it when he got belligerent

and started you know, sort of throwing his weight around or

yelling or it wasn't always actual yelling, but the IT

management, the CIO, he dove for cover, right, understandably, I

think. And so, ultimately, what we ended up recommending is that

that this company hire an IT leader, a senior digital leader

who would not dive for cover? Who would? Who would go head to

head with, with the executive. But to be perfectly honest, that

didn't work very well, either. And so I think, you know, I

think the ultimate difficulties in a situation like that have to

do with the senior leadership, like the non the business

leadership. The companies that do well at this are the ones

where the senior executives take this seriously, and where

they're willing to engage on it. A lot of times, I see executives

who, I mean, you don't have to become a digital expert, right,

as a CEO, but you do have to engage with it. I think, and you

have to ask questions, and you have to not just want it to go

away. And you know, there are boards that can help with this.

One of my frequent colleagues, you know, are co authors Dick

Nolan, he and Warren MacFarlan wrote I think was an HBR

(Harvard Business Review) or Sloan Management Review article

on how boards can help with this, how boards can be

involved. But that's, you know, that's pretty hit or miss, I

think, from company to company, how well that works. So

Yes, that's kind of even what I have been

noticing, based on my work, based on my field work that

there are organizations where the leadership is extremely

committed. In fact, the first podcast that I did in this

series, I had the president of a major insurance provider, who

made a very strong statement of how committed their organization

is and how every C level executive in that organization,

you know, takes advantage of cybersecurity training

opportunities to up their skills, up their level of

awareness, and to your point, we're not talking, we're not

talking about creating a cybersecurity expert of

everybody in the organization. And that connects to the human

factor that you mentioned a little while ago. And the way I

look at it is organizations with resources will have a cyber

team. And they are definitely part of the solution. But for a

solution to be truly effective, we the organization has to

engage every member. And that extends even to their partners.

So in other words, cybersecurity readiness needs to become

everybody's business. And that's the way it needs to be pitched

not as something that is technical. And that remains in

the domain of the highly specialized operators. And I

absolutely believe in them, they are of great value. But they

have to be complemented by folks who are doing regular work, and

who have to do their part in ensuring that they are taking

every step so that the vulnerability is reduced at

there, and are at their level.

Yeah, no, I agree. And you know, the thing you said

earlier about the company that told you, if it doesn't

contribute to sales, it can't be strategic. You know, I think one

of the things that I find helpful along these lines is,

there is a framework that Warren McFarlan, professor at Harvard

Business School, he many years ago, 19, early 1970s, I think,

created something that people now call the MacFarlan grid,

right. It's a two by two, we love two-by-twos in our business

schools, right. Yeah. And then on the one axis is sort of the

strategic importance of IT. And that has to do with things like

is does it generate additional sales, right, does it generate

differences from our competitors, that they have a

hard time matching? So that's on one axis. The other axis though,

is operational dependence on IT. And that has to do with you

know, if my IT systems fail, how soon do I have a problem? Is it

a day? Is it a minute? Is it a melt microsecond? And when I

when I, when I tried to get across to you know, I teach a

lot of general managers I'm sure you do too, MBA students and

executives and so forth, who, you know, they're trying to

understand or I'm trying to help them understand how IT actually

functions as a value creation activity within their

organization. And what I do with the McFarlan grid is I say,

look, these are the two reasons to spend money or to invest

money in digital technology, the two axes to the McFarlan grid,

one of them is, you know what you think it would be, it's to

create sales, to generate sales, to generate competitive

advantage over your rivals. That's the that's the one axis.

But the other one that gets less press and gets less attention is

the operational dependence. And you invest on that axis to

insure yourself against that operational dependence because

as much value as we get on the one axis out of IT, it also you

know, causes companies become operationally dependent on IT;

this is one of the points McFarlan made way back then,

companies don't tend to become strategically reliant on IT

without also becoming operational reliant on them. And

so, so, you know, on the one hand, the two reasons, as I said

to my MBA students, there's two reasons to spend money on IT.

One is to achieve some kind of strategic advantage, some

business advantage that we can all relate to. But the other is

to avoid some sort of operational threat, to insure

against it to remediate it, or to reduce its severity, when it

happens. And those are equally legitimate reasons to spend

money on technology. The second one, it has the problem you

described, though, right? I mean, the way another way, I

used to say it, in my CIO Executive Program at Harvard is,

you know, the dilemma of IT security is that if you do

everything that you're supposed to do, and as a result, your

company does well, and is not, you know, does not suffer IT

security events, the result is, nothing happens, right? And it's

hard to get credit for nothing happens.

You know, I think I think we think very

alike, because that's one of the things I emphasize, or I

highlight in my talks, I approach it a little

differently. But the same thing, I say, you know, the job of a

CISO can be considered a thankless job in many ways.

Because you don't hear much about the effectiveness of the

CISO function, as long as things are going well. But when things

go in the wrong direction, then some of the first heads to roll

come from that unit. And I don't think that's a fair, or that's a

substantive, substantive approach, it's more of a

symbolic approach to react, we are reacting, we are reacting

promptly, we mean business. But there could be much more to the

reason why the organization was compromised, and it could go

beyond individuals, it could be somewhere down deep down in the

processes and other areas. So it's really important to take a

holistic approach. You talked about spending in technology,

similarly spending in cyber, and you might you will agree that

it's not just about spending a certain amount of money or spent

spending in comparison to the industry average, it's about how

and where you're spending, what's the thinking behind it.

And that's, that's precisely why cybersecurity strategy

formulation, cybersecurity strategic investments require

senior level involvement, cross functional involvement, it's not

something that you should let you should outsource, let a

group of people deal with it. And like you said earlier, that

you just don't want to think about it. It's something that

comes in the way of your organizational goals, and you'd

rather have somebody else you just have to accept the reality

and face it. I think that's probably the best approach under

the circumstances. Sorry. Yeah, sorry. No, I

just agree. Yeah.

Yeah, it's, it's, it's, it's, it's a it's

one of those ongoing challenges, ongoing battles, that's gonna

continuously keep organizations for lack of a better word,

distracted, but that's where they have to find a balance

where they keep the war or the fight against cybersecurity

going while they continue their, their operations as effectively

as possible. You were saying something, I didn't mean to

interrupt.

No, no. I just, I, when you were talking about how

there are there are differences, right, between companies. It's

not a matter of how much you spend as a percentage of your

sales or profits or whatever. One of the things that reminds

me is Erik Brynjolfsson at MIT who, whose work, I'm sure, you

know, he's done a lot of work showing that IT does actually

create value that adds productivity and other forms of

value to the company. And there's a graph that he did a

study where they, they kind of normalized for the size of the

company, how much companies were spending on IT, and then they

plotted it against productivity increases, and you do get an

upward sloping line. But the data of course, if you plot the

data as a scatter graph, on the against the two axes, it's of

course, not a perfect line, it's more like a football, right?

It's like a upwardly sloping football. And one of the things

that is always been important in the way to seemed important to

me, is if you draw a straight line vertically through that

football, there are some people who are well above the average

line, and some people who are well below the average line, in

terms of the value they're extracting, but they're both

spending the same amount of money, you know, normalized for

size of company. So, so, you know, for any amount of money

you spend, there's you you might spend, there are some companies

that are putting it together into an in a very effective way.

And there are other companies that are underperforming, given

the amount that they're spending. So it kind of goes to

the point of what you were just saying, It matters how, right,

doesn't matter how much you're spending, if you're not also

thinking about how you're spending it.

You know, recently I was speaking with a

legal expert. And she made a very telling point, she said,

Dave, when cybersecurity breaches go to a court of law,

and the judge or the jury are evaluating whether an

organization had done their due diligence, had made the

necessary investments, they take into consideration the

organization size, and the expectations are very

reasonable. So there is no expectation that a company that

is, say, half the size of GE or has half the resources of GE

should have the same level of investments in cybersecurity as

GE. I'm just using a hypothetical example here. And

that's kind of the the way to approach it as a very realistic,

very practical approach as to who we are, what's our context?

What can we afford? And, most importantly, how well are we

doing these things? Whether it's training, whether it's

simulation, whether it's enhancing awareness, you know,

there is a method to all of this, you mentioned a couple of

frameworks, there are lots of guidance out there. One thing is

to have the guidance, the other thing is to follow them well,

assess the effectiveness of the implementation, make make

adjustments, and it's a continuous process. And that's

where I think the difference lies with companies who are more

likely to be resilient and recover a lot faster than

others. So that's kind of the way I see it.

Yeah. Well, and as you said, before receipt, we see

things a lot the same way.

So moving along, Rob, from the stand up,

do you have any thoughts on shared ownership and

responsibility, you, you mentioned about this vendor

helping out a company that almost went underground, and was

able to get their operations started up again, because they

had a copy of their instance of their technology instance. In

that spirit, and especially in a highly networked economy, you

talked about network effects, platform economics, you'll agree

that in today's day and age, it's not company A competing

against company B, it's the network of Company A versus the

network of Company B. So in that kind of a highly networked,

distributed kind of an environment what what structures

or mechanisms could be in place so that business leaders,

technology leaders, security leaders, work together, they're

incentivized to work together as opposed to taking the approach

that it is your problem, not mine.

Yeah, I, I don't again, I don't really think I

have the silver bullet for this. But, I do think one of the

things that can help with this is what I might call an

ecosystem mindset. And, you know, I'm encouraged a bit,

because people are talking a lot more about ecosystems, it seems

to me these days business ecosystems, and, you know, the

idea that our ability to do well with business models and with a

lot of other things are interdependent, right. One of

the one of the things that reminds me of is Mirko Iansiti,

who is a professor at Harvard Business School, wrote a book, I

couldn't, I can't tell you, off the top of my head, the name or

the year. But it was about it was about this before everybody

was talking about ecosystems. And it was comparing a lot of

business systems to biological systems. And one of the points

that I remember coming out, or, you know, leaping out at me

about that, is that we don't see biological ecosystems flourish,

when one party within the ecosystem, you know, succeeds at

the expense of the others, right, that the if if a, if a

powerful member of an ecosystem succeeds in gaining most of the

advantage that's available in the ecosystem, then the

ecosystem becomes unhealthy. Instead, so this attitude that,

you know, to do well, ourselves, we must all do well, is, I

think, a general principle that is worth thinking about in our,

you know, kind of increasingly interconnected world, that seems

to be one of the themes of recent events. And I'm talking

now about things like the pandemic, is it we're all more

connected than we thought we were. And so there are these,

you know, these social collective social good problems

where, you know, we used to be able to assume that we could

just pursue our own interests, and everything would be fine.

But now we discover that our interests interact with other

people's interests. And I think that's true in business

ecosystems as well. But it is it is definitely true in

cybersecurity, right. I mean, I think you'll, you'll have

probably a lot of experience with this. But if you've got

really great cyber defenses, but one of your business partners

has really bad cyber defenses, that's an entry point into your

company as well, right, that's a that's a risk factor for your

company.

Well, that's spot on, means I think

this pandemic has shown us clearly how connected we are,

whether we like it or don't like it globally. Cybersecurity is

also showing us the same reality, and to your point, we

can still compete. But we need to leverage each other's

competencies to deal with problems of this magnitude, that

could consume us all, for lack of a better word. You know, it

reminds me of an initiative that Cisco runs, and I'm sure many

other companies do as well. If I remember correctly, it's called

the CHILL initiative, HyperInnovation Living Lab,

Cisco's HyperInnovation Living Lab. And the whole idea is to

bring together some of the best minds from competing companies

to a location for a week let's say, and have them brainstorm

ideas about pressing issues. But the important thing is, at the

end of the week, at the end of the retreat, they have to come

up with something that is, you know, that is converted to a

product that is marketable. So in other words, come up with a

solution, which is supported by that by that team of

representatives from different companies. So it's like creating

a collaborative solution to deal with a larger problem than what

they could handle by themselves. And I think that kind of a

collaborative partnership mindset has to prevail, if we

want to succeed against these kinds of problems, which is kind

of you know, which is engulfing everybody, every possible

network, every possible node. So that's, that's, that's so spot

on.

Yeah, no, I agree. You know, the way I like to

think about it sometimes and the way I, I put it to people

sometimes is it's better to going forward as you move into

the future. It's better to have a smaller portion of an

expanding pie than to have an expanding portion of a shrinking

pie. And I think if we don't watch out if we continue to

behave in many of the ways that have worked well for us in the

past, you know, these very independent ways, then we're in

the future going to find ourselves, yeah, we're gonna

have a bigger, bigger portion of that pie, but the pie is going

to be shrinking. And so as you know, I think we need to adopt

different mindsets. I worked in the auto industry for a long

time. And one of the things the auto industry's not so good at

in my view is, and I discovered this in one of my jobs there, I

had a job there where I had to interact a lot with our

suppliers. And I discovered, we weren't very popular with them.

Because we were much bigger. And we were, you know, we were

pounding the pounding the crap out of them, right. I mean,

anytime they figured out a new way to get some more margin, we

took the biggest part of it from them. And so I think that kind

of that kind of, you know, behavior is not going to be

healthy for ecosystems. And I mean, we're getting a bit far

field of cybersecurity here, but, but I think the principles

are the same.

Absolutely, the principles are very much the

same. The, you know, as you may have seen in my book on

cybersecurity readiness, the the commitment, preparedness and

discipline framework that I came up with, that that identifies

17, cybersecurity success factors, when I look at these

factors, at a very high level, we are talking about people

process and technology issues. When you take a deeper dive,

then you get more specific about what these factors entail, and

how how you address them. But at a higher level, it's still, for

lack of a better word, a game of finding the right set, the right

balance between the people element, the process element and

the technology element, and how we find the balance, and how we

sustain it, that's what's gonna make the difference. It is one

thing to come up with a solution and implement it, it is another

thing to be able to sustain it. And that's why I am big on

creating and sustaining a high- performance information security

culture, because unless you create that kind of an

environment, you kind of etch it in the DNA of the organization,

you're unlikely to sustain the good work that got started,

because of say, X, Y, and Z, who may have moved on, the good work

has to go on. So how are you going to embed that fabric of

the blueprint of robust cybersecurity practices? How do

you do that, and that's where you have to work on the cultural

aspects. And these are tough challenges. So they often get

ignored. And we try to get away by focusing on, you know,

specific controls, and making sure those controls are in

place, especially the technical ones. And I'm all for controls,

but do recognize that controls are also on the people side of

things, on the governance side of things. So the human factor

plays a huge role. Just a little while ago, I was talking with a

human factors expert from NATO. She advises NATO on how to

manage the human involvement in cybersecurity strategies. And

she made a very interesting point, she says, Dave, just

imagine somebody holding a key position in cybersecurity, but

has gets intimidated. And so it's like the example you shared

about this belligerent CEO. So the cybersecurity guy had to

deal with a boss who was kind of overly dominating. And as a

result, even when they were receiving good intelligence that

should have been passed on to the right channels, they were

scared of the repercussions and when silent on some of these

alerts, that that could hurt the company. As an I'm not going to

take the name of some of these companies, but that's precisely

what has happened with some of the major breaches. I'm not

saying it has happened because of the human personality trait,

but it is because someone dropped the ball even after

receiving the intelligence. So So yeah, that's kind of any

Yeah, please,

Let me just say that , aagin, we're agreeing, but

,you know, one of my jobs somewhat early in my career was

I was in an automaker. And I was managing a group of really

talented software developers that were responsible for a lot

of the systems that were inside the assembly plant. So these are

the production critical systems. And, you know, this is back to

your point about controls, right. So that, yeah, we had

controls in place, but you know, and we'd have people come around

from time to time at regular intervals, who were certifying

that the controls were in place. But you know, the guys who, who

worked for me at the time, they that we would sit around at

lunch, sometimes and chuckle, right. So like, if every single

one of them with their knowledge of the production critical

systems used to talk about if we put together a list of the 20

top ways to take down an assembly plant, none of those

would be would be, you know, would be addressed by any of the

controls that that the the auditors were basically spending

a lot of time thinking about, which is not to say those aren't

important, too. But I guess, I guess what I'm saying. And I

think I'm agreeing with something you said a few minutes

ago, which is the people side is super important. And this isn't

just the people side is important because there's

weaknesses there, you need the very resourceful people like the

ones that I'm talking about, who knew everything about the, you

know, the code and the software that was running this company's

assembly plants. And you needed those guys, because just doing a

formal analysis of controls and what controls were in place,

left huge gaping holes without the the deep knowledge of these

talented individuals who were, you know, really close to the

systems, what they could do and where they might get in trouble.

So yeah, I couldn't agree more that it's not just, it's not

just a technical problem, right.

Well, Rob, I think we can end on that note.

Once again, thank you very much for your time. It's truly a

pleasure to have you come on board and share your wisdom with

with me and my listeners. It's been a pleasure.

Yeah, I've enjoyed it a lot, too. So thank you for

inviting me. best, best to you and going forward.

Thank you very much,

and your listeners. Yeah.

A special thanks to Professor Robert

Austin for his time and insights. If you liked what you

heard, please leave the podcast a rating and share it with your

network. Also subscribe to the show, so you don't miss any new

episodes. Thank you for listening, and I'll see you in

the next episode.

The information contained in this podcast is for

general guidance only, the discussants assume no

responsibility or liability for any errors or omissions in the

content of this podcast. The information contained in this

podcast is provided on an as-is basis with no guarantee of

completeness, accuracy, usefulness, or timeliness. The

opinions and recommendations expressed in this podcast are

those of the discussants and not of any organization.