Daniela Almeida Lourenco, Chief Information Security Officer (CISO) at Tinka, firmly believes that CISOs have the very best of intentions -- "we all mean the best; we all want to protect the organization, and that is all we want to do." However, often the reality of the Board's lack of a cybersecurity mindset coupled with insufficient budget and resources results "in a reactive posture, unpreparedness, unclear risk management strategy, and low response maturity." She also highlights "the misinterpretation and implementation of the lines of defense model" to be another reason why right intentions do not get translated into good practices. Advocating for a more hands-on senior management role, Daniela says, "if you're on the second line of defense, you're not supposed to just sit on your highchair and disconnect from Operation." She also expresses concern about the excessive use of the 'fear factor' in cybersecurity communications. Finally, Daniela recommends against reinventing the current culture but making suitable adaptations by embedding new practices.

Time Stamps

01:15 -- Share with us a bit about your professional journey.

04:26 -- Share with the listeners why this topic or theme appealed to you.

07:56 -- What's stopping an organization from being proactive?

12:55 -- Based on your experience and your understanding of sociology and psychology, what recommendations do you have to change things up, make them (senior leadership) more optimistic, make them more proactive, make the stance (cybersecurity stance and approach) more optimistic, make the stance more proactive?

18:54 -- Cybersecurity is everyone's business, and everyone has a role to play. It's just like the way we are fighting the pandemic. We cannot just rely on the healthcare professionals to do everything for us, we also have to do our part. And I think that's kind of similar to how we need to deal with the cyber attacks epidemic. What do you think?

21:17 -- Gamification can be perceived in some cultures, such as the German culture, as something not very serious; you're not being serious about it. Is that a fair interpretation?

22:37 -- What are your thoughts on the check-the-box mentality toward cybersecurity governance?

27:09 -- In my book, I talk about creating structures and mechanisms that will enable shared ownership and responsibility of cybersecurity initiatives. What are your thoughts?

30:53 -- What are your thoughts about the significance of prompt threat intelligence processing?

36:13 -- Please share your final thoughts and any additional points that are very relevant to this conversation.

Memorable Daniela Almeida Quotes

"Most practitioners say that they fell into information security by accident."

"There is a major or official priority over information security, but it's usually reactive."

"One of the things I do see with my peers in the industry is that we all mean the best; we all want to protect the organization, and that is all we want to do."

"Only after major breaches and losses does information security come to the agenda. So it's an afterthought."

"We've been building an ivory tower, and this ivory tower increases the gap between them and us, and I kind of tend to blame it on the misinterpretation and implementation of the lines of defense model. So you know, the first line as being Operation, and if you're on the second line, in my view, you're not supposed to just sit on your high chair and just disconnect from Operation."

"One of my favorite pain points is the excessive use of the fear factor in cybersecurity communications."

"One of the major things we're not doing is not knowing the organization and trying to impose a culture where it just turns out to be a counterculture; in the end, it won't work."

"What I would like to make very clear to everybody listening is that you cannot create a culture. And sometimes you hear that even on the news and or in other forums. You cannot create a culture. The culture is already there for 1000s of years, hundreds of years. It's a complex beast of old sets of values and norms. What you can do is embed new practices in it."

"Make sure that for awareness, you think of three things, explain the risks as they are towards different audiences in your organization, how they can protect themselves from them, and how to contact you if something seems abnormal."

"My advice would be, try not to invent the culture again, learn from the culture of the organization, try to adapt to it from within, and manage the expectations that the stakeholders have and listen to organization in all of the sectors, spend time with the core operations, spend time with everyone in your organization to understand where the risks are, where the opportunities are, and listen to the needs, because that's the foundation of everything that you've been built from then on."



Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Welcome to the Cybersecurity Readiness Podcast

Series with Dr. Dave Chatterjee, Dr. Chatterjee is the author of

the book Cybersecurity Readiness: A holistic and

High-Performance Approach, a SAGE publication. He has been

studying cybersecurity for over a decade, authored and edited

scholarly papers, delivered talks, conducted webinars and

workshops, consulted with companies and served on a

cybersecurity SWAT team with Chief Information Security

officers. Dr. Chatterjee is Associate Professor of

Management Information Systems at the Terry College of

Business, the University of Georgia. As a Duke University

Visiting Scholar Dr. Chatterjee has taught in the Master of

Engineering in Cybersecurity program at the Pratt School of

Engineering.

Hello, everyone, I'm delighted to

welcome you to this episode of the Cybersecurity Readiness

Podcast Series. Our discussion today will revolve around

bridging the gap between intentions and practicality.

Daniela Almeida, Chief Information Security Officer at

Tinka is our guest today. Welcome, Daniela.

Thank you, Dr. Dave, it's wonderful to be here.

Thank you very much for your invitation.

Thank you. So I'm very excited about our

discussion topic today. It excites me, because there's a

lot of guidance out there, lots of recommendations out there.

Still, for a variety of reasons, practitioners are not able to

follow through, not because they don't have the right intentions,

but because of certain situations and circumstances. I

hope this episode will shed some light on those contextual

factors and provide a much more practical perspective on how an

organization can secure itself from various types of cyber

attacks. So that's an exciting plan. And I'm looking forward to

your insights. But before we get into those details, share with

us a bit about your professional journey,

My professional journey. Well, that's

out-of-the-box, I think. I don't come from IT. I'm not an

engineer, I come from cultural sciences, cultural studies. So

my major and my master's degree first master's degrees in

communication, cultural study. So in the branch of sociology,

anthropology, and a bit of psychology as well. And then I

think it was really an accident. And I think most practitioners

say that they've fallen into information security by

accident. In my case, it was my career status as a compliance

officer. And back in those days, there was no information

security role. So Compliance would do the whole lot,

including including privacy, and security, and so on. And that's

where I found out that I had the taste for information security,

for cyber security, and I developed there and then that's

why I decided to have an Executive Masters in

cybersecurity to complement or at least to give me the hard

skills that I didn't have from cultural studies, although

always a geek, since I was small. So I still cherish the

moments with my aesthetic Spectrum and Commodore Amiga. So

that that also comes from the fact that I did enjoy working

with computers, but it is curious and sometimes people ask

me, So you come from communication, isn't it's a bit

the opposite of information security. And for me, it's an

advantage in this field, because knowing how communication

sciences of communication work, you appreciate how much

information is worth and how important it is to safeguard so

it's the undersize, I'm actually, I come from the other

side of the mirror, but it has been an advantage, especially

with the human factor that helps me align with the hard skills in

cybersecurity right now. Well, actually, I was born and raised

in Portugal, and I three years more than three years ago, I

moved to the Netherlands to work as this information security

officer for LeasePlan headquarters. And now since

beginning of this year, I'm the CISO at Tinka, which is a

FinTech organization that focuses on responsible deferred

payment services. So that's pretty much me in a nutshell.

Fantastic. And thanks for sharing that very

eclectic backgrounds. You'd assume that people need to have

a strong technical foundation to be in a field of cybersecurity.

And again, nothing wrong with having a strong technical

foundation. It helps, never hurts, but one also has to value

the soft skill sets. The more I talk to cybersecurity

professionals across organizations, I find that it is

that blend of hard and soft skills that is critical and in

your case, having a strong foundation and communications,

along with your understanding of anthropology and psychology, are

all very important. Because at the end of the day, you're

dealing with people, people continue to be the strongest

asset, and also the biggest weakness when it comes to

securing organizations. So I'm sure you're operating from a

position of strength, from a position of advantage. So

Daniella, when we were discussing about what we should

be, you know, what should be the topic for this episode, you came

up with this idea that how about something along the lines of

bridging the gap between intentions and practicality in

cybersecurity, and I love it, share with the listeners why

this topic or this theme appealed to you?

Oh, I hope I don't regret this subject,

because it's, it might be seed for discussion. And I'm very

passionate about the human side of cybersecurity. And one of the

things that I that I do see with my peers and in the industry is

that we all mean the best we all want to protect the

organization, that is all we want to do. Are we doing the

right thing? Or is it all because we don't have the budget

or the resources, but we have other problems that we may need

to work on from ourselves. And usually we hear from

organizations saying that security is very important, but

most of the times, the actions do not reflect the statements,

right. And I think that concern over the years, there is a major

or official priority over information security, but it's

usually reactive. So we see that only after major breaches and

losses, information security comes to to the agenda. So it's

an afterthought, and not only in the strategic standpoint of

cybersecurity, or all the types of organizations, but also in

awareness, for example, and this is one of the most, I think

that's the most obvious example, it's awareness. And this is

where things are going wrong in some organizations. It's often

and I hate this a lot. So I'm actually also coming from the

Business Information Security Officer role. I'm very

passionate about awareness and listening to the organization,

to the core organization. And sometimes it strikes me that

when people talk about incidents that were caused by human error,

we immediately think of the end users, however, the humans are

actually the basis and the creators of systems and their

interconnection and the elements that make an organization. So

not only the end users, and that I think that's why it's also

important to look at cybersecurity, not only from the

IT or management angle, but also from a sociological point of

view, I think, does that make sense?

Absolutely. In fact, it is unfortunate that

your experience has been that organizations are usually

reactive, and which is kind of what keeps coming up time and

again. So it's consistent. I would assume that by now with

all the major breaches that have happened, and that have received

a lot of media attention that organizations would strive to be

in a more of a proactive mode. Based on your experience working

in this area, why do you think this reactive approach? Why not

proactive? What's stopping an organization from being

proactive?

Well, I think that there are several factors

at play. And not only lack of funds or lack of resources, I

believe that there is an of course that I'm biased, talking

about sociologists, sociological traits, but there is a huge loss

in translation between the security practice or the

security agenda, and the overall organization. And maybe one of

one of the factors in that is the lack of cybersecurity

mindset of the board. And once you have this, this gap, once

you have this problem here isn't it has many other pain points,

such as not a proactive attitude, unprepared members of

the organization, unclear risk management strategy, low

response maturity, etc. And I do believe that this is maybe the

vital and I would love to hear from your from your listeners

after after that after our session. That is I think that we

practitioners are also at fault. It's our fault as well. And I

think that along with other areas such as privacy with the

GDPR fever that we had in Europe for some years ago, and

compliance, we've been building an ivory tower and this ivory

tower increases the gap between us and them and I usually blame

it or I kind of tend to blame it on the misinterpretation and

feel implementation of the lines of defense model. So you know,

the first line as being operation second, third, and if

you're on the second line, in my view, you're not supposed to

just sit on your high chair and just disconnect from operation.

And I see this in many organizations, including complex

and big organizations. And that's really important. And it

doesn't end there. I think one of them my favorite pain point,

I think it's used. And I'm sure that you've seen that as well is

the excessive use of the fear factor in the communications

towards the audience. That is a fear factor is when we use the

latest news articles about major data breaches about sanctions,

and we tend to use the tone of, we're all gonna die, very

afflictive very urgent. And this is not only in awareness, this

is also in presentations to the board that we tend to fill in

with this type of data. From a managerial perspective, it makes

sense to know all the facts to enable informed decision making,

and to highlight the importance of the cybersecurity program

with the data we have. However, from a sociological perspective,

we're perpetually appealing to the basic needs or deficiency

needs of human beings, if we consider that we're always

appealing to the need for safety of the human being, we only have

the reactive stimuli, we only get that so we only get

reaction. So you get the reactive turn of cybersecurity

right there. And the concept of Flint helplessness helps

interpreting this, when you have learned helplessness is pretty

much like whatever I do, it's not worth it. Because I'll

always be punished. I'll always be subject or the target of

cyber security incident, in the cybersecurity attacks. So why

should I worry. And even in cognitive security, this is

called as apathy. It's also presence is twice as high. If

you check the declassify investigation manuals from the

CIA, the cube, like for example, apathy is referred to frequently

in terms of excessive use of fear. And this is what we're

doing right now, in general, of course, and this goes hand in

hand with using KPIs that underline how bad your

organization is behaving in terms of phishing campaigns,

look, all these users, they fail the phishing campaign. So using

negative social proof is, in my view, very counterproductive.

And we're still communicating with technical jargon acting

very patronizing that the users don't know anything. That's the

problem is between the chair and the screen, and boring. And

above all, our strategy is not tailored towards our

organization. It's detached in standards. And it doesn't create

I actually, you mentioned this in your book, I loved your book,

by the way.

Thank you. It's

like the essential one on one first

security, you need to have this. You mentioned in your book, the

bonds of attachment. And this is what we're not doing is to

create or to embed cyber security in the culture of the

organization, we're actually trying to counter it, counter

those bonds, attachment, and that won't work.

Interesting. You touched upon so many very

important points. I want to pick up on a few things here, you

know, probe a little deeper, one of the things you mentioned was

a lack of a cybersecurity mindset amongst the leadership.

Now, given that there are all these compliance requirements,

and Europe, of course, is very big on privacy, the GDPR

requirements have to be strictly followed, or there are major

penalties. You know, given these kinds of regulatory expectations

and mandates, it does surprise me that the leadership mindset

regarding cybersecurity is not changing. I do understand the

fatalistic syndrome that whatever we do, or however much

money we spend, nobody can guarantee immunity. So what's

the point? So I guess my question to you is, what would

be your recommendation, like you said that fear should not be the

approach, though, according to you know, many schools of

thought fear, unfortunately, is often the best motivator. But

anyhow, based on your experience, your understanding

of sociology, psychology, what recommendations do you have to

change things up, make them more optimistic, make them more

proactive, make the stance more optimistic, make the stance more

Well, I have many suggestions. Not all of

proactive?

them might work and I'll explain why. But starting from the point

that you raised on countering the fear and using the fear

factor, I'm not saying maybe some listeners do feel the need

to show their audience that the threat is there. The attackers

are out there to get us, and that's fine. That is making them

aware of the risks they're running now abusing that using

it as a veiled threat towards the the organization that won't

work in the long-run and there'll be apathy and it just

won't cooperate from then on. So I would, I always tend to look

into a collaborative way of bringing them in, instead of

patronizing them. Even going back to the the lines of defense

model, this is something that I actually aim in my career for a

while now, that is to sit comfortably, and the 1.5 lines

of defense. So that is, of course, participating in the

governance of the second line. But I also want to be in the

trenches, I want to get my hands dirty, I want to know how my

organization works. That is one of the things that we're doing

wrong as things which is, in many cases, we're imposing our

norms and values to the organization that we need to be

secure. We need to do this and that. And even if we look at a

child, it's much easier for a child to comply with something

and I am not being patronizing. It's just really human nature,

its compliance, it's much easier if you understand why you have

to do something, and you have to explain why without having that

fear factor all over again. So that's, I think that's the major

thing that we're not doing. It's not knowing the organization and

trying to impose a culture where it just turns out to be a

counterculture in the end, it won't work.

Yep, very true. In fact, that is true for

implementation of anything, literally, implementation of

even large scale systems; unless you get user buy-in from a very

early stage. And to be able to get the buy-in, there's a lot of

good research that speaks to the importance of helping users

understand what is in it for them, why is it important for

them and the organization, there has to be that alignment of

values. Again, it's probably easier said than done. Probably

in many organizations, they're doing a good job of it. But I

think there's always opportunities to do better, and

remind folks that there is the employee turnover. So what you

did, went well with certain folks, but when they have left

the organization, you have a new crop, you have to again, you

know, get the newcomers integrated into the thinking or

in the creation of what I like to call a high-performance

information security culture. And to your point about creating

a culture that goes counter to the overall organizational

culture, I couldn't agree with you more. A good understanding

of the context, a good understanding of the overall

organizational culture is key to setting the foundations for a

high- performance information security culture. Here, I like

to bring in something which I share in my book, in my book, I

talk about the importance of building emotional capital,

which is anchored on four pillars, leadership

authenticity, having fun, feeling valued, and taking pride

in their work, I strongly believe that building such

emotional capital helps in creating and sustaining a

cohesive and aligned working culture. And again, this is not

restricted to creating a security culture. This is true

for any culture, you got to get the organizational members

excited, interested, driven, because that's when the will

take charge, take the initiative of recognizing that, yes, I have

a work to do for which I have been hired. But there is a

security component of the work that I also need to pay

attention. The reason I felt it necessary to mention this,

because when we have this discussion, about creating a

security mindset about getting top management, actively

engaged, often the feedback I get is, hey, I've been hired to

do a job. And that job is not to secure the organization.

I just work here, right? I just work here.

Yeah, I work here, I do this job. That's

for the cybersecurity professionals, don't try to bog

me down with this additional responsibility. I see the point.

But unfortunately, the reality is information security pervades

across functions, as we have heard time and time again, that

cybersecurity is everyone's business, everyone has a role to

play. It's just like the way we are fighting the pandemic. We

cannot just rely on the healthcare professionals to do

everything for us, we have to also do our part. And I think

that's kind of similar to how we need to deal with the cyber

attacks epidemic. But anyhow, I've been rambling for a bit now

it's your turn. What do you think?

Ahm, no, I was actually absorbing. And I

couldn't agree with you more actually. What I would like to

actually to make to make very clear to everybody listening is

that you cannot create a culture. And sometimes you hear

that even on the news and or in other forums. You cannot create

a culture. The culture is already there for 1000s of

years, hundreds of years. It's a complex beast of old sets of

values and norms. What you can do is to embed new practices in

it. And that's already a hefty job. And first of all, you need

to understand the already existing culture of the

organization when you join in what makes them tick, what are

the priorities? What's their identity? What do you refer to

in your book as 'togetherness.' So logically, we may be even

talking about determining the sense of belonging, then you

move on to creating new ways of responding to that and embedding

the desired behavior in there within that framing, and not

imposing a new framing. A while ago, I was delivering a

presentation about awareness in Germany. And I mentioned

gamification as a technique. And I remember this intervention of

German Pierre, because it makes perfect sense. And it just

highlights this, he said, "well, that's very nice, but

gamification, in many German organizations wont work. That's

not what we do. It's not part of what we are, who we are. They

would be more willing to comply, if they get regular updates,

communications with instruction, they don't like gamification in

general. So you do need to adapt to the organization, not the

other way around. You cannot just go there, cold turkey and

try to impose something else it won't work.

That's that's a very interesting

insight. So if I'm understanding this correctly, gamification can

be perceived in some cultures, such as the German culture, like

you said, as something not very serious, you're not being

serious about it. Is that Is that a fair interpretation?

Precisely! Yeah. Wow! As long as it was

precious that that intervention was precious, because we always

need to take to check where we are first, again, trying to

absorb the norms and values of behaviors. And that is just not

part of who they are maybe in different companies in German,

in Germany, multinational etc, that may work. But in some

others, it won't, even if that's one of the questions that

another dimension is that for us, that would be seen as loss

of efficiency, because we playing a game instead of

working. So you think we need to be very, very careful, and what

is good for us what sounds makes makes sense for us, especially

if you're an expat like me. I also although having my cultural

studies background, I still have some hurdles to come across when

adapting when when absorbing the Dutch culture. And that's what

you need to do as well, from the security point of view, or any

anything that you want in any other area or any of the

I couldn't agree with you more. It's so

subjects I would say.

important to constantly reflect on the current environment, how

your views, your communications could be misinterpreted or

misunderstood. I think it is human nature. I definitely am

part of that group, where I assume that I have communicated

very clearly, and people understand my points of view,

they get the get it, there is reasonable alignment. But I

think that's a flawed approach. That's why we have the feedback

where you communicate and then you find ways of getting quick

feedback to ensure that there is a consensus there is a common,

shared understanding, it brings to mind an interesting example.

And this goes to the culture that exists in the US Nuclear

Navy. It was shared by some of my former students who worked on

the naval submarines. And they said, Dr. Chatterjee, when we

are given a command by our senior, we are expected to

repeat verbatim, what was told to us before we went about

executing it. Now, it might kind of sound odd, even the person

who was sharing this, said, "it didn't feel really good, I felt

like I was a zombie. I didn't understand, I had to repeat what

I was told." But again, you have to understand the context here.

You can't afford to make any errors on a nuclear vessel,

because the consequences can be disastrous, can be fatal. So you

have to take every possible precaution to ensure the

communication is going through appropriately. And that's where

it is very important to be meticulous in your approach,

whether it's planning, whether it's strategizing, whether it's

communicating, and as opposed to just sending out a long email

with all the details as required by the regulators is as if like

I'm checking the box and even if people don't pick up on

everything, it doesn't matter, which is often the case in many

organizations, especially large organizations where it becomes

check-the-box approach mentality, as opposed to

customizing what a person needs to know, from a do's and don'ts

standpoint, when it comes to cyber. Your thoughts, reactions?

it just reminded me of a discussion that

I had specially about communication. And again,

culture and the way that it depends. Also, as I mentioned,

it depends on the industry and depends on the area. But at the

end of the day, there are things that are common to every single

area. And one of them in my view, and one of them is having

a clear management expectation. And you would say that having a

clear strategy, a clear statement, a clear posture, and

also maybe in military, it would have a different framing, but I

am sponsor of the open door policy, because that's, first of

all that increases engagement. So those bonds of attachment, it

provides you with the best threat intelligence you might

have, if people know that they can just report something

without having any consequences against them. And another thing

is, and we see that a lot, unfortunately, after major

breaches, that is plausible deniability. And we see very

many CEOs, many directors saying, we, we were not aware

that this was happening, or that we're going to we're going to

improve our processes from from now on. But what it translates

to me is that they were not ensuring that their security

stance, their risk appetite, was actually corresponding to the

effectiveness of the defenses. And plausible deniability is

very hurtful for a security practitioner, because especially

the warned, those peers that have been sending presentations

with all this data about breaches about sanction. And now

you have a fear of saying that we were not aware of the risk.

So it's very frustrating. And I think that's, it's something

that is the hardest thing to change is this posture, but it

also can be instigated or be encouraged by by trying to meet

halfway. So trying to understand what's the risk is or the risk

appetite, or the tolerance levels, as mentioned in your

book are

Right. In fact, that brings to mind a

couple of things. One is, I mentioned that in my book as one

of the success factors of creating structures and

mechanisms that will enable shared ownership and

responsibility where whenever any cybersecurity Initiative is

being pitched, or is being undertaken, business executives

or business leaders own it, they are an active active participant

as opposed to leaving it to the cybersecurity professionals to

do the needful and then come back to the business to say,

okay, this is how we want to implement it in your

organization. Instead of doing that, if from the get go, we

have a business champion of the security initiatives, it could

be a much easier sell, and such structures of sharing, of shared

ownership, shared responsibility also helps create that cross

functional awareness, where I am understanding the security

implications of my line of business of my product line.

What are your thoughts? You think this is being practiced?

This is practical? What are your thoughts?

Champions was a great invention in last few

years, I think it was the first attempt that I've seen to bring,

bring a security and the core organization closer, no doubt.

But we can do much more than that, to increase that sense of

belonging, belonging and embedding the importance of

cybersecurity in the organizational culture. One of

the things sometimes I ask my peers is, have you ever asked

your Board to draft up or to just make a statement about

their security stance? How is security important for them,

because not only this is good in the long run, because they'll

have to put the money where the mouth is, and that is, if for

top management, security is not a priority. Well, that's a

posture. That's the stance, that's the identity of your

organization. And you'll have to work with that. And then you

will have to deal with consequences because that's the

risk tolerance they have. And besides that, there needs to be

a voice from top down. So if security is important, cyber

security is important, not just because the the media, the

public needs to hear this, that cybersecurity is important, but

because they actually believe in it, that it's not done only by

assigning champions or security function is making sure that

everyone in the organization throughout the supply chain

throughout the stakeholders list, making them aware of the

risks they actually face, and how they can protect themselves

and the organization. So I want to work in an organization that

protects the employees like myself, and safeguard the

interests of the customer. I want to make sure that my data

is safe. I want to make sure that my customers data is safe.

As an employee, I need to know that that is my role as well. I

need to be shown how, and this is where it's failing. We're not

showing people ways of giving that ownership, we need to show.

First of all, you mentioned early on what's in it for you,

because the human being is really selfish, won't do

anything if it's not for some gain, personal gain, and we need

to show where they're actually gaining. One of the things I do

often do is, when I'm sending communications or sharing some

security, I actually advise on how people can protect their

children and how their family because being cyber aware, it's

also about protecting them themselves and their family,

that's what they're there for. Most of us don't work in

charity. So, we actually doing something, we're actually

working there for a purpose, and ultimately, for our families and

for ourselves. So we need to talk to that part of the human

being that is working in the organization.

Fabulous. I want to reemphasize what you

said about the leadership, clarifying their stance on

cybersecurity and clearly communicating where they stand

in terms of the appropriate cyber posture, and how do they

expect to get there. Such clarity of communication is so

important, and it helps the organization have a better sense

of where the leadership is, after all, as has been has been

said, time and again, the tone has to be set at the top, but

also to your point, which I have shared many times in my

writings, in my talks, and I'm so aligned with you here that

this posture or this mindset about cybersecurity should be

genuine, should be substantive, not influenced by a certain

requirement, a certain mandate, or being symbolic that let's do

these things, we look good to the external folks, the

community, the stakeholders; means I get it, the

communication piece is important; but if it comes out

of a genuine belief, a genuine recognition that it is really

important for the company to secure organizational assets,

digital assets, whether that protects the internal

stakeholders or the external stakeholders, and in an indirect

way, the nation, the world, that we're all connected after all,

so so having that sense of social responsibility is so

important. And, and I don't believe we are grandizing here,

trying to, you know, paint everything with a broad brush

and saying, oh, you know, we'd all do the right things, and

hallelujah, we will live happily ever after. I don't believe

you're trying to do that. But we're just trying to reinforce

certain things that seem obvious, but oftentimes, they

are not followed through, because of reasons like short

term goals, you know, I have to meet a certain deadline, have to

meet a certain expectation, you know, this company has been

formed to deliver quality health care, I can't afford to get too

carried away by security, I had to, I have to stay focused on my

goals, or I'm gonna lose my job. So these could be reasons why

the leadership is careful about what they want to put out there.

And they have their own way of approaching cyber, again, this

is based on what I hear what I read what I learned from my

research, but I think you make some excellent points there. I'd

like to pick up on another very important fact. And that is

prompt processing of threat intelligence. As you know, in

many media reports on major breaches a major reason put

forward that caused the breach was because somebody had the

threat alert, had received intelligence from an external

service provider, but dropped the ball, didn't do anything

about it. Just curious, your thoughts on that?

Well, doing nothing is also a strategy. It

is a choice. If we are looking from the outside, that is risk

treatment. It's making a decision how to deal with that

situation. And it depends on the risk appetite, if the risk

appetite is very high, well do nothing might be logical, as

long as they understand the consequences and ignoring

certain challenges, I don't know if they're actually ignoring

because again, they are consciously doing nothing. But

if you look into it from a security perspective, of course,

that that wouldn't be a way of dealing with a high risk, so you

would most likely try to mitigate it or eliminate it in

some way. I'm not really a fan of transferring it, because

again, it will come back to you like a boomerang, because if you

transfer risk, reputational damage is towards you, not

towards the organization whom you're transferring the risk to

and getting back to the risk tolerance. It also depends on

the industry, and depends on how you want to put yourself out

there in terms of solutions. Let's invoice solution ICT

solutions are expensive solutions that we see in the

market every day. They promise you everything. They're amazing.

They're 100% secure, their DNA is 100% security. And well, it's

just amazing. But I would not buy an ex er solution. For

example, for a local bakery, instead, I would be worried

about securing my IoT, my internet of things, because

everything is connected, even. Even that oven that bakes our

bread, if you have a small online business, conservations

will still be totally different. But there will include

prevention and detection mechanisms. And it's also about

leveraging what you have, especially the resources, it's

not only about money, we're not talking about, again, solutions.

Now we're talking about people, and again, encouraging the open

door principle. So you have free threat intelligence right there.

And you need to have also, you also need to have a risk

treatment process that you can stand on if you're under

scrutiny. So if you decided to do nothing, there may be a

reason for it, that your stakeholders might not accept

it, because they were not aware of your risk treatment or risk

management strategy. So again, we go back to communication.

Absolutely. And And if I may, you know, to

that point, it's very important to document because even if you

decide to do nothing about an alert that you have received,

documenting that, that why the decision of doing nothing that

helps in the long run, when you go back and review these logs to

see, yes, we didn't act on this alert, because we had good

reason to believe that this wasn't a significant threat. Or

we could afford to, you know, maybe take a hit, like you said,

if our risk appetite is large, whatever the reason, but that

discipline of recording the alerts, processing it promptly

and making a quick call whichever way you want to go

with it. I'm a fan of reminding organization that it's very

important to instill that discipline of promptly

processing, documenting threat intelligence. So your points

there as well are very, very well made. Well, we are kind of

getting towards the end of our discussion already. So I would

love to keep talking, because it's such a pleasure engaging

with you, Daniela, but I just want to make sure that there

isn't anything that you're very passionate about, that we didn't

talk. So I'd like to give you the opportunity to share maybe

your final thoughts or any additional points that are very

relevant to this conversation.

In a nutshell, that's difficult. I could go on

and on. If people are listening, or pretending to listen, I don't

know. My advice would be a try not to invent the culture again,

learn from the culture of the organization, try to adapt to it

from within, and manage the expectations that the

stakeholders have and listen to organization in all of the

sectors, spend time with the core operations, spend time with

everyone in your organization to understand where the risks are,

where the opportunities are, and listen to the needs, because

that's the foundation of everything that you've been

built from then on. And then creating bridges, talking about

building, creating bridges, to make sure that everyone meets

halfway for threat intelligence for everything else. And of

course, mentioning awareness, very quickly, maybe, maybe try

to distinguish between awareness, which I think it's a

patronizing term anyway, awareness and training. And make

sure that for awareness, you think of three things, explain

the risks as they are towards different audiences in your

organization, how they can protect themselves from them,

and how to contact you if something seems abnormal. So

these are three things that you should be focusing in awareness,

do not try to reinvent it, make sure that you find the best

technique, avoiding boredom please, because that's all that

matters even more a reputation of being boring and cherish

people and make sure that they have the tools to to work

confidently.

Fantastic. Fantastic. I really liked the

way you summed it all up. And if I may add to that, which is

totally aligned with what you said, is to just remind the

listeners that as hands on as top management can be, the

extent to which they can create We-Are-In-It-Together culture by

building emotional capital, the extent to which structures and

mechanisms can be in place to enable shared ownership and

accountability. You talked brilliantly about awareness and

training, that awareness and training needs to be customized

at the same time, recognize that gamification may not be okay in

certain cultures, so you have to appropriately pitch it

appropriately institutionalize it

and phishing phishing simulations as well. I

didn't mention but be very wary of phishing simulation. When do

you do it and how you do it, if you want to build trust.

Absolutely, thank you for adding that. And

then we talked about prompt processing of threat

intelligence, you said, doing nothing could be a strategy.

Absolutely. But as long as it's an informed one, you're made a

conscious decision to decide not to do anything about a certain

alert. Companies receive alerts all the time. So it's possible

that might be the way to go about it from time to time. And

finally, and you, you said it very eloquently, it's really not

about making a symbolic statement about our security

posture, it's about truly believing in securing the

organization and doing the best you can with the available

resources, there is no expectation that you have to go,

you know, totally out of your way to establish security

protocols and procedures that are way beyond what is what

could be considered reasonable. And so taking a realistic,

practical, and proactive stance on cybersecurity, I think can

help every organization. So once again, Daniela, I thank you for

your thoughts and insights, I think listeners will find them

very valuable.

Thank you very much for the opportunity to put

this out there to shout out to my peers as well as to to try

and make their life easier. And that it was a pleasure. And Dr.

dave, if you allow me if I can maybe share an awareness regimen

shedule that our listeners can use, because that may help as

well. I can share that.

Absolutely. Well. That was great. Thank you

very much.

Thank you very much Dave.

A special thanks to Danielle Almeida, for

her time and insights. If you like what you heard, please

leave the podcast a rating and share it with your network. Also

subscribe to the show, so you don't miss any new episodes.

Thank you for listening, and I'll see you in the next

episode.

The information contained in this podcast is for

general guidance only. The discussants assume no

responsibility or liability for any errors or omissions in the

content of this podcast. The information contained in this

podcast is provided on an as-is basis with no guarantee of

completeness, accuracy, usefulness, or timeliness. The

opinions and recommendations expressed in this podcast are

those of the discussants and not of any organization.