Art Ehuan, Vice President, Palo Alto Networks, and Former FBI Special Agent, discusses at length the unfortunate evolution and escalation of ransomware attacks. He explains how the threat actors have upped their game and are now engaging in double, triple, and quadruple extortions. While lamenting that "organizations continue to make the same mistakes," Art also acknowledges the challenges of vulnerability management. He offers some interesting insights into ransomware negotiations and provides excellent advice and recommendations on how to proactively thwart such attacks.
Time Stamps
03:00
Before we started the recording, you made a statement that "companies keep making the same mistakes." Tell us more about it.
07:03
For the benefit of our listeners, if you would explain what a ransomware attack is and what the threat landscape is like? Who are the threat actors?
10:57
What is the level of preparedness?
15:20
Have you seen any best practices out there or any exemplars where irrespective of the directive, irrespective of board oversight, there is a conscious commitment to create and sustain a high-performance information security culture? Have you seen evidence of that?
22:01
I have seen a difference between having frameworks and truly following the framework in a very disciplined and committed manner. And there being some oversight to ensure that the compliance is thorough, the compliance is meticulous. What have you seen?
25:28
Please provide some insights into ransomware negotiations.
31:32
What is the best defense against ransomware attacks? You've already shared with us that patch management is important, but that it can be challenging. What else should companies be doing to reduce the possibility of such attacks?
35:06
Have you come across an instance where a company was a victim of a ransomware attack and they're like, "doesn't matter, thank you very much, we are all backed up and good to go?"
38:54
I've also heard that if you (organization) pay, you are on that list. And they (threat actors) know that if you are attacked again, you will pay again. Is that true?
39:35
We are aware of the Colonial Pipeline attack, and how the FBI was able to recover some of the ransom money. Given your experience with the FBI, why is it so hard to get hold of these criminals, and put them away?
41:05
If crypto could be regulated, that might help mitigate some of these types of attacks? Do you have any thoughts on that?
44:17
What are your thoughts on senior leadership treating cybersecurity as a strategic priority, as a distinctive competency, and making every effort to protect against all possible vulnerabilities?
48:03
There might come a time, hopefully sooner than later, when the CISO reports directly to the Board. This would allow the CISO function to operate as independently as possible. Your thoughts?
53:44
I would like you to wrap it up for us with some final words.
Memorable Art Ehuan Quotes
The importance of hygiene around patch management -- making sure that you've got a vulnerability management program, and that you implement it so that as vulnerabilities are identified on systems, you're patching them in a timely fashion.
You could potentially have a nation-state masking their activity as a ransomware attack when they're actually burrowing into your infrastructure.
You're (CEO) trying to make a determination, do I put more money into cyber, or do I put more money into customer satisfaction? You know, that's sometimes a hard decision because you've got limited dollars, and trying to make that decision is sometimes difficult. If you're the CEO, you want to do the right thing, make sure the company is protected. But you also want to make sure that your customers are happy and you're doing everything possible to provide those products or services. So, sometimes that's a very difficult balancing act.
If you're just checking a box, you're not meeting the spirit of the framework, you're not actually doing what you really need to be doing to ensure the security of the organization.
There is this view out there, that if we pay and get the key, the next day, we're up and back in operation. I want to dispel that myth that you get the key and you're back in operation the next day. It typically is going to take several days, even when you get the key.
One of the first things that these threat actors do when they get into the environment is go looking for the backups, because those are going to be some of the first systems they hit with ransomware attacks. They're going after the backups.
It is very difficult for an organization to say to their C-level or their board, hey, I absolutely 100% guarantee we will never suffer a breach. But you can do things to minimize impact. Or, even better, make it hard for that group or that attacker. Make it so hard that they're just going to move on to another company.
If you pay, the threat actor group will follow through with what they've promised to you.
Right now, the deterrence factor, unfortunately, is very low. Because it's very difficult to have these individuals (threat actors) arrested.
Ransomware is more than just a CISO problem. It's a corporate problem. You need the executives, you need the Board, you need the management, and you need the employees all to be in unison in how do we protect our company?
I'm a huge fan of anything that will get the CISO as close to the CEO, or the Board as possible so they can have that influence.
Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
Connect with Dr. Chatterjee on these platforms:
LinkedIn: https://www.linkedin.com/in/dchatte/
Website: https://dchatte.com/
Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338
Introducer: Welcome to the Cybersecurity Readiness Podcast Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of Cybersecurity Readiness: A Holistic and High-Performance Approach. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars, consulted with companies, and served on a cybersecurity SWAT team with Chief Information Security Officers. Dr. Chatterjee is an Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia, and Visiting Professor at Duke University's Pratt School of Engineering.
Dr. Dave Chatterjee: Hello, everyone, I'm delighted to welcome you to this episode of the Cybersecurity Readiness Podcast Series. Today, I have the pleasure of talking with Art Ehuan, Vice President of Palo Alto Networks. Art has extensive experience in the field of cybersecurity, having worked both in the public and private sector. To share a few highlights of his work experience and expertise: as Vice President at Palo Alto Networks, Art manages federal and international customer relationships. He provides cybersecurity advisory services to boards of directors, chief information security officers, chief risk officers and senior management on risk mitigation. Art has also been retained as a cybersecurity expert for matters that include Marriott International, Capital One, Equifax, Anthem, Sony and others. He has also been involved in cybersecurity operations in organizations such as USAA and Cisco Systems, and he has served with the Federal Bureau of Investigation as a supervisory special agent in computer crime investigations. Last but not least, Art is a colleague of mine at Duke University's Master of Engineering in Cybersecurity program, where he'll be teaching a class on security, incident response, and resilience. Our discussion today will focus on ransomware attacks. And I can't think of a better person than Art to discuss this topic, and more. So I'm sure we are all excited to hear from him. Without any further ado, Art, welcome.
Art Ehuan: Thank you, Dave, appreciate the opportunity to speak with you and the audience about what I'm seeing in the world of ransomware, which unfortunately has exploded in the past couple of years. And I anticipate it will continue to grow as the threats to corporations continue to increase.
Dr. Dave Chatterjee: Before we started the recording, you made the statement that "companies keep making the same mistakes." Tell us more about it.
Art Ehuan: Yeah, so you know, some of the basic things, some of the hygiene that you would expect to see in organizations, for whatever reason, sometimes aren't done right. So I'm specifically going to mention patch management, right? Because, I mean, attackers have several ways of getting into an organization. You know, it can be through a phishing attack, it could be through, you know, an attack on credentials. But another way, obviously, is through vulnerabilities in systems. And if those system vulnerabilities exist, an attacker can leverage that to access the network. So that highlights to me the importance of hygiene around patch management, you know, making sure that you've got a vulnerability management program, and that you implement it so that as vulnerabilities are identified on systems, you're patching them in a timely fashion. Now, having said that, and having been on the back end of corporations where I'd been CISO or acting CISO, sometimes it can be difficult, right? Because there's so many dependencies in systems that maybe if you do, you know, put a patch into a system without appropriate testing, you're potentially going to break something where your customers are no longer able to access your data. Or you may create additional vulnerabilities. So you close one vulnerability but you create additional vulnerabilities downstream. So I do understand that you need to be careful when identifying vulnerabilities and conducting patch management, but there are vulnerabilities, certain vulnerabilities, like the recent Log4j, that are so critical that you absolutely have to patch those systems, especially on the perimeter. And then I've been talking to companies here since that Log4j vulnerability was posted. You know, to me, it's one of the largest vulnerabilities I've seen in a very, very, very long time, just because of the potential for an attacker to access the corporation while, you know, potentially leaving little trace evidence, right. So, in my discussions with companies, I mean, especially the large companies, they were immediately looking at identifying where that vulnerability existed, and then trying to patch it without breaking anything, at least at the perimeter. And now companies I see are trying to go into the back end, because this vulnerability, even if patched at the perimeter, if it exists in your back end systems, it's still vulnerable. And, you know, one of the things that I do hear from organizations is, "I don't understand what my environment looks like," a complex environment on the backend, or some of these questions come up, you know, with customers that, you know, they need help, right, they need assistance in identifying what the data flow looks like, what the network looks like. So it isn't easy. And I will always agree when the CISO says it's hard, I absolutely agree it's hard. But there are certain things that, in my opinion, patch management, you just have to be doing it right. Especially critical vulnerabilities. It's one of the things that we need to put, you know, those appropriate controls in place to protect, you know, when a critical vulnerability is identified.
Dr. Dave Chatterjee: Fair enough, fair enough. So let's back up a little bit. For the benefit of our listeners, if you would explain what a ransomware attack is, what's the threat landscape like? Who are the threat actors? That would be very beneficial.
Art Ehuan: Oh, absolutely. Okay. So I'll start with, yeah, what is ransomware. Ransomware is an attack that a threat actor will conduct, and that threat actor is usually an organized crime or some criminal group. And now, I won't say never going to be a nation-state, because you could potentially have a nation-state masking their activity as a ransomware attack when they're actually burrowing into your infrastructure. But a ransomware attack is an attack that is designed to encrypt systems, encrypt data, so you no longer have access either to the systems or your data. Now, what's happened in the past, say, year or two, is that the threat actors, as they've come to the realization that some companies are able to recover on their own, right, they're able to recover their systems because they do a real good backup process, you know, a real good disaster recovery process, you know, and thus are not inclined then to conduct negotiations with the threat actor to pay them to get access to their systems, what the threat actors are now doing is they've upped their game. And by that, I mean, what they now do is, along with encrypting your systems and your data, they're doing now something called double extortion. They're also stealing your data before they encrypt it. And now they're forcing you to negotiate. Even if you can recover your systems on your own, even if you can recover your data on your own with your backups and your disaster recovery business continuity plan, you are still forced to negotiate to get an agreement from them that they're not going to post that, you know, customer data, that, you know, protected health information out on the internet. So, and then now they've even increased that tempo, because now the threat actors are going to triple extortion, where they're encrypting system data, they're stealing data, and they're launching a denial of service attack on you so that your business is no longer able to function. And then we're now seeing something called quadruple extortion, where they're doing all three of those, but they're adding the element that they're now communicating with your customers whose data they have, and telling your customers or your patients, "Hey, we've got your data, we breached, you know, the organization, and we're gonna post this information to the internet. You might want to talk to, you know, your company that has this, from whom the data we stole, and tell them to do the right thing and pay us," right. So, you know, now they're putting that pressure on the company, because now they're notifying the victims as well that they've got your data. So they really, you know, upped their game, in a sense, because, you know, they're really forcing an organization to negotiate and make some kind of payment to get those assurances that, you know, they're going to stop that activity. So yeah, the number of matters, I, you know, that we see now, every year, they're increasing and they continue to increase. I certainly, as I look at the future, I certainly don't see a future where I'm saying, hey, ransomware is going to come down; there's just so much money to be made, right. And these threat actors have identified that there's a lot of money to be made. So it's a very cost effective way to commit crime and make money.
Dr. Dave Chatterjee: I was just reading an article where it states that there's a severe increase in ransomware attacks, that cybersecurity authorities from Australia, the United Kingdom, and the United States have published a joint advisory warning of an increase in sophisticated, high-impact ransomware attacks targeting critical infrastructure organizations across the world. And that's what concerns me. I mean, you don't want a ransomware attack on anyone, individuals or organizations. But I'm especially worried about the critical infrastructure. You know, you were candid enough to say that it's difficult, it's not an easy task, to be super protected, to do the kinds of patch management and other things that need to be done. But having said that, given the severe consequences of these attacks, what are you finding out there, both public sector and private sector? What is the level of preparedness?
Art Ehuan: Yeah, so I think it's going to depend on the industry, Dave. You know, especially critical infrastructure, you know, there's more regulation around financial services, around energy. So typically, organizations that fall under some kind of regulatory regime, typically, you know, are putting more of an investment in protecting the organization. Also organizations where there's more Board involvement, more, you know, governance and oversight, because, you know, in my opinion, especially with publicly traded companies, you know, they have a Board. For instance, if there's an engaged Board that's asking questions of the cybersecurity program on a regular basis, that's gonna, you know, I think for the C-level, that shows that, you know, the Board is very interested in this; we, as the C-level, obviously have to also support those types of activities and make sure that they get the appropriate funding, they get the appropriate resources that are needed. Now, again, there's always outliers, right. So, and by that, I mean, you know, companies, you know, they exist, obviously, to generate revenue, right? I mean, they produce a product, or they provide a service, for the purpose of generating revenue. Sometimes, you know, if you're in a particular industry, and you're trying to make a determination, do I, you know, do I put more money into cyber, or do I put more money into customer satisfaction? You know, sometimes that's a hard one, right? Because you've got limited dollars, and trying to make that decision is sometimes difficult, right? If you're the CEO, you know, you want to do the right thing, make sure the company is protected. But you also want to make sure that your customers are happy and you're doing everything, you know, possible to provide those either products or services. So, sometimes that's a very difficult balancing act for, you know, executives, right, to have to manage, right, because in a perfect world, they would have enough funding for everything, but it's never a perfect world and there's always going to be that push-pull inside of an organization. You know, the cyber organization is going to be asking for money and resources, you know, and operations is asking for money and resources, and the CEO's, you know, got a limited budget to work with and, you know, he's trying to do the right thing, you know, to maybe, you know, keep both constituents happy, right. I make sure that I'm protected and I make sure my customers are happy, and it's a balancing act. And I think that's why it's important, you know, to have that governance and oversight with the board, you know, so that they can provide, you know, that top level guidance to the organization.
Dr. Dave Chatterjee: You know, you talk about governance, oversight, regulation. It brings to mind Sarbanes-Oxley, SOX. As you might know, Sarbanes-Oxley was introduced when fraudulent accounting transactions were taking place, and there wasn't that level of top management commitment to ensure that those kinds of activities didn't happen. So it took legislation to get senior leadership attention. And it's my hunch that we are going that way even with cyber. There are some regulations out there, existing laws are being used to regulate cyber activities or to provide reasonable oversight, you know, but I almost feel that there's going to be a major legislation which will come down the pipe, and that's going to really get everybody's attention, because like you said, it is a hard balance for the CEO. But then if you have that regulatory pressure, the regulatory burden, that would force you to do the right thing when it comes to cybersecurity competency, cybersecurity due diligence. And I know this is easier said than done, it's a great conversation to have, but for people who are trying to make things happen, it's a tough ask. Given your experience, you know, you've been in industry, you've actively engaged with the senior leadership, have you seen any best practice out there, or any exemplars where irrespective of the directive, irrespective of Board oversight, there is a conscious commitment, it's like, woven into the organizational culture, that we must create and sustain a high performance Information Security Culture? Have you seen evidence of that?
Art Ehuan: Oh, absolutely. Yes, I certainly see it, you know, again, especially with the large organizations that, you know, have a dedicated program, right. So, it is possible. I will say that a cybersecurity program is a dynamic thing, right? To me, it's a living thing that is always changing as the threat evolves, right, because, as I mentioned earlier with ransomware, right, you know, as organizations put up defenses, the threat actors, you know, put up countermeasures, right, to get around those defenses. So, cybersecurity can never be static. And if it's static, then I fear that a company maybe is not, you know, thinking about the, you know, how would I say, the evolving nature of cyber threats. And because of the evolving nature of cyber threats, you've got to have a dynamic program, and to me, a dynamic program, you know, you would have a program that follows a recognized cybersecurity standard or framework, and I'll throw out, like, the NIST Cybersecurity Framework, right? It's been around since 2014. I recently saw some statistics that over 50% of large corporations are adhering to that framework, right? Because that framework gives you a baseline, right? The NIST Cybersecurity Framework is designed to establish a baseline and then also assist an organization in determining what the future state of the cybersecurity program looks like. But what I really like about it is, again, it's dynamic in nature, in that you never reach a state where you're completely happy and "I will never be breached," because again, we've got to stay dynamic. And there is NIST, you've got the ISO 27001, 27002 series, you've got the CIS 20. So there's a number of standards out there, but to me, when I'm looking at an organization, I'm gonna say, okay, this organization is on track, they're thinking, you know, they're putting that security mindset. I look to see if they've got, are they mapping to one of these recognized cybersecurity standards? Now, you brought up the regulatory regime. Having worked with regulators in the past, right, been hired as kind of an expert advisor to regulators when they're conducting an investigation or analysis of a regulated company, I will tell you, the regulators are using the NIST CSF as their model to assess companies. And then even more recently, the US Department of Defense, they actually released something called the CMMC, the Cybersecurity Maturity Model Certification. That is a requirement for organizations that are doing business with the US Department of Defense to follow the CMMC, in order for them to be able to do business with the Department of Defense. I would anticipate, as I look at the CMMC, as its effectiveness grows, I potentially would forecast that other agencies within the United States government, Homeland Security or Veterans Affairs, I would see other organizations potentially adopting this similar model, where they will say to organizations, if you're going to do business with us, you have to go through this accreditation and get certified in order to do business with us. So again, that adds more of that kind of, you know, kind of a regulatory type spin for organizations that I would envision would flow down to the corporate sector.
Dr. Dave Chatterjee: You're talking about frameworks, and there are several out there. And I've had the opportunity to review them when I was authoring my book. They're all great frameworks. But what I have found from my work is there's a significant variance in how these organizations follow the framework. How disciplined is their approach in complying with or following through with the guidelines? You know, often I have seen, it's like, let's check the box here. You're supposed to offer this kind of training, we have done it, move on, as opposed to going deeper and making sure the training is substantive, it is year round, it is continuous. So that's where I have seen a difference between having frameworks, and the frameworks guiding cybersecurity operations, and truly following the framework in a very disciplined and committed manner. And there being some oversight to ensure that the compliance is thorough, the compliance is meticulous. What have you seen?
Art Ehuan: Dave, I will agree with you that, I mean, to me a framework is only as good as the implementation and as good as the following of that framework, right? Because, yeah, so I completely agree with you. I mean, I've seen plenty of organizations that are, you know, box checking, and they suffer a breach. Because when you get past the box checking, they're not, you know, they haven't actually implemented correctly, right. So it's more than just checking the box. If you're just checking a box, in my opinion, you're not meeting the, you know, maybe you're meeting the spirit of the framework, but you're not actually doing what you really need to be doing to ensure the security of the organization. So, yeah, I mean, when I think of frameworks, right, so PCI, right, that's a framework for organizations that handle credit card data. I have seen many, many an organization that are PCI compliant, they've checked off the box, that have suffered breaches. And, you know, the question's asked, well, they've been accredited, you know, by an assessor and, you know, all the boxes are checked off, yet they still suffered the breach. It's because we didn't do that deeper digging, unfortunately. So if you're just looking to, hey, you know, I'm gonna follow this, you know, so I can check off the boxes, maybe in spirit, you know, you're following the framework, but you certainly aren't doing good cybersecurity, you're not, you know, you're not going deeper than just checking a box. So, yeah, I can't tell you the number of organizations that I've seen that have checked off the boxes and they still suffer a breach. And then when you're doing the analysis, when you dig in, it's like, okay, you checked off a box, but you didn't do these things, these things underneath that box, that allowed and contributed to the breach occurring.
Dr. Dave Chatterjee: Exactly. In fact, talking about the PCI standard, it brings back memories of a major breach that happened several years ago. I don't want to name the organization. But there were detailed reports of the findings. And one of the very concerning findings was they were warned by their auditors that they were not in compliance with most of the PCI standards. And they did nothing about it. So I'm sure all kinds of things are happening there. And it again goes back to what we started the discussion with. Like, why are companies making the same mistakes over and over again? You shared with us the challenges that senior executives face. But at the same time, there is this reality of ransomware-type attacks that keep getting more sophisticated. And it's a game that's hard to win. So going back to ransomware attacks, let's talk a little bit about what a ransomware negotiation looks like. Not that I'm a fan of ransomware negotiations. In fact, I think the recommendation is not to negotiate. But please share with the listeners your thoughts.
Art Ehuan: Yeah, and I will agree with you. I'm not a fan of paying a criminal to get access to your systems and your data. I certainly don't support it, but there are occasions where a customer will say, I have no other choice: my systems, my backups are encrypted, and I need my data. A healthcare provider, for instance, can't be down. There are certain industries that absolutely cannot be down; they've got to be up for public safety, and they've got no other recourse. So if that occurs, then you contact the threat actor, and again, these communications are taking place on the Dark Web. They give you an address where you can contact them, they tell you what they're looking for, and you get an understanding of what kind of payment they're looking to be made. It's literally a back and forth. You want to get proof that they really do have the keys: you provide them with a file that's encrypted, they decrypt the contents of that file and send it back to you, so that you know that indeed they do have the key. Then you're negotiating a price that everyone can agree to. Once that agreement is made, payment is made in cryptocurrency, you name the cryptocurrency, and the payment is made after you've got the guarantees, whether cyber insurance is going to pay, or the law firms, or the customer, and then you help with the payment. One of the other things I need to bring up real quickly, though, is that if contact with a threat actor is going to take place, at least in the US, because of the US Treasury requirements, checks have to be made, and they're typically made by the insurance company or by the law firm, to see if the threat actor group is potentially a sanctioned group. As an example, REvil was a sanctioned group. An American organization, an American corporation, could find themselves in legal jeopardy if they were to make payment to one of these sanctioned groups. So checking the sanctions list to make sure it's not a sanctioned group is going to be very important. But again, it's that communication back and forth: getting assurance that indeed they have the key, making payment, getting a copy of the key, analyzing that key to make sure it doesn't contain anything that is potentially going to be nefarious, making sure that using the key isn't going to download additional payloads, and then helping the organization start decrypting. One of the things I want to point out is that a lot of executives, and I think a lot of Boards, have this view: okay, this happens, I get a ransomware attack, we pay, we get the key, and the next day we're back in operation. Unfortunately, I want to dispel that myth that you get the key and you're back in operation the next day. It typically is going to take several days, even when you get the key, because you want to make sure that the systems you're recovering don't contain any backdoors. In some cases, organizations are building a greenfield, a clean environment, to go into. So it's typically multiple days, and for a larger organization, multiple weeks, multiple months, as you're restoring back to operation. So even when payment is made,
Dr. Dave Chatterjee: It is, it is.
Art Ehuan: It's not as quick as: I'm up and running the next day, everything is great, and I'm back to business. It's typically an effort, a long-term effort, to really get back to operations.
Dr. Dave Chatterjee: Good to know, thanks for sharing. So, in your opinion, what is the best defense against ransomware attacks? You've already shared with us that patch management is important, but that can be challenging. What else should companies be doing to reduce the possibility of such attacks?
Art Ehuan: Companies encrypting their own data, so that even if a threat actor gets access to it, they're not able to do anything with it, would be a great defense. Having your backups in an environment that's not connected to the network; having backups that are immutable, so that they can't be changed. One of the first things these threat actors do when they get into the environment is literally ask, where are the backups? They're looking for the backups, because those are going to be some of the first systems they hit when they hit you with a ransomware attack. They're going after the backups. So if you can protect those backups, I think that's absolutely critical, so that you're able to restore operations on your own, because your backups aren't impacted. And like I said, segmenting the network. I'm a big fan of segmentation. Again, it's not easy; I'll be the first to say, having been in the CISO seat, that segmentation, especially if you've got a large network that you've grown and that has never really been properly segmented, could be a multi-year effort. But I'm a big fan of segmentation. I worked with a healthcare organization some time ago that suffered a ransomware attack. There were three companies under the umbrella company, but because of the lack of segmentation, instead of just getting access to one company, they got access to all three companies within the umbrella, because there was zero segmentation. So segmentation, a robust backup plan where those backups aren't accessible, and not only that, a robust recovery plan. That's just as important. Testing your recovery is absolutely critical, because if something bad does happen, have you even tested your recovery capability, so that you know you can recover critical systems in X amount of time? So there are certainly things that we can do. I'll be the first one to tell you that there is no such thing as a 100% guarantee that anybody can make that a company is never going to suffer a breach, because the environment is so complex. We've got remote workers, we've got the cloud, and the environment is just so darn complex that it is very difficult for an organization to say to their C level or to their Board, hey, I absolutely 100% guarantee we will never suffer a breach. But you can do things to minimize impact, or even better, make it hard for that group, that attacker; make it so hard that they're just going to move on to another company, because you've made it too hard for them.
Dr. Dave Chatterjee: I'm so happy that you mentioned the importance of having offline backups. It probably sounds a little too simple and trivial, but the way I look at it is, let's take a personal example. Our house could get destroyed in a fire. So if you think about the possibility, and then ask the question, what all would I like to be protected, what don't I want to lose to fire, you're taking an inventory of your priority items, and then making sure that you've done everything possible whereby, even in the event of a fire, you're not going to lose them. Now, I realize that there's a scale aspect to it: large organizations, tons of data, located in all kinds of places. But even then, I think some of these simple rules and guidelines can work very well, if there is a concerted effort to prioritize, to identify what's important, and then closely monitor how they are being backed up, testing the recovery capabilities, so that even in the event of an attack, they are minimizing the damage. That warrants a question for you: have you come across an instance where a company was a victim of a ransomware attack, and they're like, doesn't matter, thank you very much, we are all backed up, good to go? Has that happened?
Art Ehuan: It has happened. I have seen companies that have been in that situation where they're going to recover on their own; they've got good backups, and they don't need to communicate with the attacker. But as I mentioned, now we're starting to see that double extortion, where they're taking your data, so that even if you can restore on your own, you now have to get in communication with them to get an assurance from them. And that's all it is: it's an assurance from them that if you pay them, they will not release your data. Now, you may ask, well, they still have your data, can you believe them if they say they're not going to release your data if you pay them? For the threat actors, their business model is such that they make an assurance to you, because you've paid, that they are not going to release your data, and they're probably not going to release your data. You can't say 100%. But their community is so small that if a threat actor group does not follow through on their assurance, the word gets out, and then other cybersecurity companies say, oh, this group, even if you pay them, they still post your data, and that destroys their business model. So the way these folks think is that if you pay, they're going to follow through with what they've promised you. And I'll tell you, I recall having a conversation with a CIO one time who said that the support the threat actors were providing in helping restore was better than his own organization's IT support group. He said, we'd ask them something, we were having trouble with restoration, and they'd get right back to us and walk us through it. So it is a model designed, at least for the threat actors, so that if you pay, they're going to follow through with what they promised as part of that payment.
Dr. Dave Chatterjee: But I've also heard that if you pay, you are on that list, and they know that if you are attacked again, you will pay again. Is that true?
Art Ehuan: I did have an organization that, in the space of, I want to say, months, was attacked by three different ransomware groups. They paid the first time, and then literally a different group comes in the second time. They paid the second time, and then a third group came in the third time, before they were able to get their environment to where they couldn't be attacked again. So it happens. It certainly happens.
Dr. Dave Chatterjee: Very, very interesting. Concerning, but interesting. You mentioned cryptocurrency, you mentioned cyber insurance. I have a couple of questions in that area. But before I go there, we are aware of the Colonial attack, and how the FBI was able to recover some of the ransom money. Given your experience with the FBI, why is it so hard to get hold of these criminals and put them away?
Art Ehuan: Yeah, well, unfortunately, a lot of these groups are out of the reach of American law enforcement, or, say, Western European law enforcement. A lot of these groups are in countries where we don't have the best relations. And if we indict someone, say the Bureau or the Department of Justice indicted a threat actor, if you can't get them into your control, into your custody, then it makes it difficult to put these individuals in jail and show a deterrence. Right now, the deterrence factor, unfortunately, is very low, because it's very difficult to have these individuals arrested.
Dr. Dave Chatterjee: That's tough. So what is your opinion about this thought that if crypto could be regulated, that might help mitigate some of these types of attacks? Do you have any thoughts on that?
Art Ehuan: Well, with crypto being regulated, to some extent it is regulated in the United States. There are rules, regulatory standards, that have to be followed in the United States, but how do you pass that on to other countries, so that they have a better understanding of who's signing up for these accounts? In the US we have the know-your-customer laws, where you have to know who it is who's opening an account. Those laws don't necessarily transfer over to other countries, where you may be able to sign up over the internet and be whoever you want to be. And it just makes it so much more difficult to identify these individuals as to who they are. So I think more regulation probably will help. But it's got to be international; it just can't be the US saying, hey, we're going to do these things. Because at the end of the day, cybercrime is a transnational crime. And I look at it from my time when I was in the FBI. When I was in the FBI, we used to investigate bank robberies. I would go to a bank robbery where someone would come in and hold up the bank with a gun, but they're leaving all kinds of evidence: there are video cameras, there's DNA, potentially; you're leaving a lot of physical evidence; there may be marked police units driving by; there are silent alarms. So there's a lot of risk with a physical bank robbery. To this day, I think the FBI closure rate on bank robberies is, I want to say, probably 80-plus percent. So if you robbed a bank, you're probably going to get caught, arrested, and thrown in jail for a long time. With cyber, you don't have to be in the US, you don't have to be in the UK or in France; you don't have to be anywhere near the country that you're attacking and conducting a ransomware attack against. You can be virtually anywhere in the world and conduct that activity. And again, if the rules are not consistent across the globe, this is where we run into problems. Other countries need to recognize that these types of criminals, who right now are, say, attacking the United States or attacking the UK, could potentially turn on their country and attack them as well. So I really think we're at the point where a regime needs to be put in place, international standards on cooperation on these types of cybercriminals; I think that's absolutely critical.
Dr. Dave Chatterjee: Absolutely. I totally agree with you that there needs to be a lot more cooperation globally if we want to have any success dealing with these cybercriminals. Like the examples you gave, if they are operating from countries where there is very little regulation, they are not being tracked, or they are not being brought to justice, there's no reason why they won't continue to engage in these kinds of activities. So true, so true. In fact, I also want to take this opportunity to share with the listeners one of the realities of securing an organization. Art spoke to that. Even in my book, based on my research and my work with companies, I found 17 success factors, and they're associated with three high-performance information security cultural traits. I call these traits commitment, preparedness, and discipline. And each of these traits is associated with factors such as, for commitment, Hands-on Top Management, Joint Ownership & Accountability, Cross-Functional Participation, and I can go on; I don't want to provide you with the long list. But the point I'm trying to make here is, it is no easy task to manage these 17 factors. So it's easy to blame and maybe get rid of the CISO, and you make a point, and it's a symbolic reaction. But there are just too many vulnerabilities, and you have to really cover a lot of ground. And that's all the more reason why I have been preaching about making cybersecurity a distinctive competency. The more top management gives it priority, the higher the chances of effectively addressing these success factors, compared with just giving up and saying, oh, you know what, we'll deal with it when it happens; there are too many vulnerabilities, we don't know where to start. And I've heard that from many organizations. Your thoughts, Art?
Art Ehuan: No, you're absolutely right. This is more than just a CISO problem. It's a corporate problem, because you need the executives, you need the Board, you need the Management, and you need the employees to all be in unison on how we protect our company and how we protect our company's information, whether that be employee information, customer information, or R&D. It's absolutely crucial that there's a unified approach, with oversight from the Board, with concurrence from senior management, with middle management implementing, and with employees obviously following that plan that's been developed. But to say, okay, we just leave it up to the CISO and they need to fix it, is just setting up that poor CISO for failure. It's moved beyond the CISO, it's moved beyond the CIO; it really is a corporate issue that needs to be addressed at the highest levels of the organization.
Dr. Dave Chatterjee: I think you're talking about the board of directors providing oversight, requiring senior leadership to provide them with regular updates. And there might come a time, hopefully sooner than later, where the CISO reports directly to the Board, so that, to that extent, the CISO function can operate as independently as possible. Your thoughts?
Art Ehuan: Yeah. So I'm going to tell you, I'm always going to be of the opinion that the closer you can get the CISO to the CEO or to the Board, the better that organization is going to be, because you're trying to minimize filtering. I've seen CISO organizations buried under IT or Operations. When that happens, you've got the personalities involved. You've got Operations or the CIO saying, I've got to have the infrastructure always running, and anything that's going to slow it down, potentially, by a subsidiary organization, is not a good thing for me; if I've got a budget and I have to provide it to the CISO, that's budget taken away from Operations. So I'm a huge fan of anything that will get that CISO as close to the CEO or the Board as possible, so that they can have that influence and effect on these very key executives or board members, so that they understand the risk directly. It's not being filtered in any way when it's reported.
Dr. Dave Chatterjee: So true, so very true. And I think that for an organization that truly cares about security, it should be a no-brainer for the leadership to do exactly what you are saying: let the CISO operate as independently as possible. When I say CISO, I mean the team. And let them directly report, whether it's to the audit committee or the board of directors, so there is some independence to the reporting. I think that would be a reflection of true commitment on the part of the organization towards cyber diligence, cybersecurity management. So I wonder why that's not the norm. But, at least, I'm glad we're having this discussion. Hopefully, folks are listening. Hopefully, some actions will be taken.
Art Ehuan: I don't know if you've seen, there's a bill, I believe in the Senate, that would require publicly traded organizations to have a board member who is knowledgeable on cyber. I don't know if it's getting much traction; I don't think it is. But for me, from what I've seen in the past 25 years of working cyber-related crime and working with organizations and helping them protect themselves, I think that has some good viability. If you have someone who understands cyber at the Board level, they can help the board in understanding the risk. Because at the end of the day, it's about risk and risk acceptance, and understanding how that potentially would impact an organization.
Dr. Dave Chatterjee: Absolutely. I mean, of course, it is desirable that you have somebody who understands cyber at a certain level of depth. But I'd also argue that even if you didn't understand cyber, we all know what's going on. I was talking to the CEO of a major corporation, and I asked him, I said, I keep getting these research reports that the senior leadership are not very willing to stay up to date and undergo cybersecurity training. And he said, I don't know about other organizations, but in my organization, we totally believe in continuous training, we are engaged. So I asked him, what convincing is required for all other organizations to do what you all do? And his reaction was, I don't know why there needs to be any convincing; you just have to read the Wall Street Journal to see the consequences of these attacks. So if that data is not compelling enough for people to sit up and say, you know what, even if I don't understand cyber, I'm going to make every effort to understand as much as I can, or at least engage people and have regular conversations, so I'm securing my organization, then what is? It's like sending your kids to school. I obviously don't understand all the subjects the way the teachers who teach them do. But I want my kid to do well. So I would take every step as a parent to provide oversight, to provide guidance, to hire tutors, whatever it takes to help the kid be successful. And I think if that kind of mindset prevails, we would do a lot better.
Art Ehuan: Yeah, I agree with you.
Dr. Dave Chatterjee: But I'd like you to wrap it up for us with some final words. I so appreciate you coming this afternoon to talk to us.
Art Ehuan: Of course. So, the final word is, I get it. Cybersecurity is hard. If someone says it's easy, again, I would raise an eyebrow and ask, how can you think that? It is difficult. The environments are complex, and the threat actors are getting more and more aggressive and sophisticated. But there are things we can do. We just can't throw up our hands and say, there's no way I can defend against this. There are things we can do to better protect organizations. There's messaging we can do with the C level and the Board to get them more involved in understanding what the threat is, the threat to the organization. So I certainly would never say there's just nothing we can do. There are things we can do. And it's always going to be very important, in my opinion, to have a plan. Have a plan, put that plan in place, and follow your plan.
Dr. Dave Chatterjee: Thank you again. Thanks for coming. It's been a pleasure.
Art Ehuan: Thank you, Dave. Appreciate it.
Dr. Dave Chatterjee: A special thanks to Art Ehuan for his time and insights. If you liked what you heard, please leave the podcast a rating and share it with your network. Also subscribe to the show, so you don't miss any new episodes. Thank you for listening, and I'll see you in the next episode.
Introducer: The information contained in this podcast is for general guidance only. The discussants assume no responsibility or liability for any errors or omissions in the content of this podcast. The information contained in this podcast is provided on an as-is basis with no guarantee of completeness, accuracy, usefulness, or timeliness. The opinions and recommendations expressed in this podcast are those of the discussants and not of any organization