In this episode, we continue our discussion of the book “Fire Doesn’t Innovate” by conducting a Question and Answer session from the live audience in Episode 50.
Raj is the emcee throughout the conversation and asks Kip the different questions that students brought to the table. At the start of the conversation, Kip explains the analogy of the title of his book, Fire Doesn’t Innovate, and its importance in cybersecurity.
Kip Boyle:
Hi, this is your Cyber Path, we’re the podcast that helps you get your dream cybersecurity job. I’m Kip Boyle, and I’m an experienced hiring manager of cybersecurity professionals. This episode is available as an audio-only recording in your favorite podcast app, and it’s also available as a video on our YouTube channel. So just go there and search for Your Cyber Path podcast. Our previous episode was a replay of a guest lecture I did for an undergraduate class on the topic of cybersecurity management. Now whether you work in cybersecurity now, or you plan to, you’ll be part of an organization’s cybersecurity program.
Or it might be called an information security program. Well this time, I’m sharing the question and answer portion of the session. As I said last time, I want to share this information with you, so that you’ll get a better idea of what it takes to lead a cybersecurity program. If you want to be a [inaudible] one day, a chief information security officer, or you just want to really support your boss, either way, you need to know this stuff. Okay, before we get to the training, the Q&A, I want you to consider grabbing our free guide, and it’s called Play to Win: Getting Your Dream Cybersecurity Job.
It’s a very helpful 20 page visual guide, and it describes how taking a capture the flag approach, is going to help you compete and win in your job hunting. So if you want to check it out, just go to yourcyberpath.com/pdf, that’s yourcyberpath.com/pdf. And I want you to remember, you’re just one path away from your dream cybersecurity job.
Kevin:
Right. Okay, let’s head towards the questions from the students I want I know that they are [inaudible] at the bit. And Raj, you have them a couple people have asked me about whether they can ask them orally. But I’ll let Raj be the emcee of all this on his role. So, go for it, Raj.
Raj:
Yes. Thank you so much Kip Boyle, that was a really good presentation, and you were getting much praise in the chat. The chat has been exploding with questions, and I personally loved your presentation, especially the fonts you used are wonderful. So, thank you so much. First question I would like to ask you, a very repetitive question from students is, what is the meaning of fire doesn’t innovate? And why did you choose this particular title? It’s very intriguing?
Kip Boyle:
Well, that’s one of the reasons why I chose it. I had a conversation with my publisher about title, and so, I’m a very practical person, and a lot of my initial title suggestions were a lot more mundane. Then as I reached deeper and deeper, this one came up. The idea here is that fire is a wonderful static risk that we can use to illustrate how cyber is a very different risk. So, what I’m trying to do here is I’m trying to quickly capture the reader’s attention, and make them realize that fire is immutable, which is to say it needs heat, fuel and oxygen, those are the three ingredients to fire.
If you can prevent those three ingredients from coming together, or if a fire breaks out, if you can remove one of those ingredients, then the fire will go out, it’ll stop. So that’s why we have all kinds of well understood ways to use fire at scale. We don’t experience cities burning down anymore, because fire gets out of control, which used to happen in the 1800s in US American cities. So now that we understand fire very, very well, a big fire is a rare event, and often is deliberately set. But cyber is nothing like that.
Once you think you understand what cyber risk really is, you think, “Oh I know what the ingredients are.” As soon as you get that figured out and you develop a mitigation for it, well, fire doesn’t suddenly figure out how to burn bricks, or burn asbestos or what have you. But cyber criminals will figure out how to get around your mitigations. And if you think about passwords, just as one example, 20 years ago, nobody used passwords, or the passwords they used were incredibly simplistic and they never changed them. Over the past 20 years, we’ve evolved from that regime.
So now we have to have complicated passwords, our passwords need to change on a regular basis. And now people are telling us don’t use the same password twice. And we have passphrases and password managers and two factor authentication. So I hope you can see that over time, we’ve had to change the way we handle credentials because the ability of cyber attacks to exploit us has increased over time.
Raj:
Right. That’s a wonderful analogy. And it again goes on to saying, if it’s not the tool, it’s the user how the user [inaudible].
Kip Boyle:
Correct.
Raj:
Wonderful. The next question segueing into the password manager, you said is, there are so many password managers and so many apps and softwares which are coming along. And with Google Chrome trying to make it easier, and even the policy statements they’re making is that we want to render a password useless so that the user can log in immediately. So, what are the risks involved in that, and should an individual user be concerned in how they can protect themselves against that?
Kip Boyle:
Yes. So, this is a common question that I get. And, I think there’s a fundamental misunderstanding about software with respect to security functionality. So the way that you should evaluate software that’s going to perform a security function is fundamentally different than the way you’re going to evaluate software for any other function. I’m not including nuclear power plants, I’m not including spaceflight, in what I’m about to say, because those are life safety situations and the way you would evaluate that software is even different. But thinking about commercial grade software, like a word processor or a web browser.
Your primary concerns there are, is it easy to use? Does it render web pages with high performance and with a lot of fidelity? And how much do I have to spend for it? But the way you buy software that’s performing a security function, your number one question is, is it attack-resistant? That’s your number one question. All other considerations are secondary. So is it easy to use? Does it not cost much? Is it open source? Is it closed source? All of those things are secondary. I see people making great mistakes by not realizing this fundamental difference in approach.
So what I would tell you is that, password managers that are primarily intended to provide convenience, are not the password managers that you want to use, you want to use one that of course is convenient, but primarily one that is going to actually safeguard your passwords. And most browser-based password managers, that is something that you find that’s pre built into a web browser by the people who made that web browser, are known to not provide adequate protection.
So, if you want to go get a password manager that is more robust, the two that I would recommend right now, and there may be more, but these are the two I know, 1Password, so the number 1 and the word password, is a wonderful choice. Another good choice is called LastPass L-A-S-T-P-A-S-S. Now I have some problems with some of the things LastPass has been doing lately, I think their Android app is not a good choice, because they’ve added some additional code to serve up ads and to track usage, because they’re trying to monetize that product. I think that just creates unnecessary attack surface. So I’m not as much of a fan of LastPass as I used to be. But I still think overall, they’re a better choice than using a built-in password manager in a random web browser. I hope that helps.
Raj:
That does and that also makes me question whether I should stop using Google Chrome’s password manager.
Kip Boyle:
I don’t use it, and I don’t recommend it.
Raj:
Right. I see. Now we have one student who personally wants to ask you a question. So I’m going to unmute him and he will ask you a question.
Kip Boyle:
All right.
Speaker 4:
Hello professor … My bad. Hello, Mr. Kip Boyle, thank you very much for your presentation I found it very engaging and I must say if you can keep a university student engaged in your entire presentation, I’m sure you have no problems in your field of work.
Kip Boyle:
Thank you.
Speaker 4:
So, my question is, from a business perspective, when you advertise yourself, when you advertise your … let’s say consulting services to companies, how do you actually balance between informing your potential clients on the potential dangers and at the same time balance avoiding seeming like you’re maybe exaggerating or that you’re trying to scare them, because an example is hand soaps. At a time where … to us it’s very common to wash our hands, hygiene and all that but, let’s say in the 1800s in America when it just came out, you want to tell people to use hand soap, buy your product, but at the same time, you don’t really want to scare them.
Because I’m sure you can mention some actual occurrences where somebody maybe they got their hands dirty, they ate food and maybe some bacteria killed them-
Kip Boyle:
Yes.
Speaker 4:
at the same time you don’t want to scare them. Right?
Kip Boyle:
Right. Okay, so excellent question and so yes … and this is absolutely an issue that I pay attention to. And you’ll find a lot of security products being sold on the basis of fear. This is a very common sales tactic, you’ll see it a lot. And you know what? To a certain degree fear will motivate somebody to make a purchase. But not everybody, not everybody responds to fear in the same way. And this is why I talk a lot about senior decision makers and how to get them to respect that there really is a threat and to take it seriously, senior decision makers are very cynical buyers, and they don’t tend to respond to fear.
So what I do is I tend to talk about … well, I just tend to give them the facts, quite frankly. I also tend to give it to them in the form of stories. I found that if I can share a story about an organization that had trouble with a cyber risk, if they can recognize themselves in that story, then they’re more likely to listen to me. Having said that, I have had plenty of experiences where I told good stories, because stories are very powerful for human beings, right? Facts and figures are not that powerful. There’s a little aphorism, and it’s called … facts tell, stories sell.
So you want to tell a lot of stories, but if they don’t resonate with the person that you’re trying to connect with, stop, because until that person has a significant personal experience with cyber risk going bad, they’re not going to pay attention to you.
Speaker 4:
Okay, so should you maybe link it to maybe cyber hygiene is just like what you wrote in your book as well?
Kip Boyle:
Mm-hmm (affirmative). Yes, so you can try analogies, you can try metaphors, you can tell stories, you can go and become an expert marketer and advertiser, and you can use all of the methods, the known proven methods, and you could still strike out because there are just some people out there that are not going to believe you. They’re not going to buy what you have to sell, and you can’t make them. And it’s frustrating, I assure you, it is very frustrating. But that’s why I quote Claude Hopkins, as somebody who says, “People don’t buy prevention. People buy things that make them more beautiful, that make them more successful.”
That’s how you sell. And if you think about it, that’s how soaps are sold. You use soap as an example. People don’t buy soap because it cleans, so much as they buy soap because it smells good.
Speaker 4:
Right. Okay, so if you were to let’s say convince somebody in the COVID era to wash their hands, maybe talk about how they’d scare people less or something. Okay, I understand. Thank you very much for your answer.
Kip Boyle:
You’re welcome.
Raj:
Yes, thank you so much. That was an excellent question and again, an excellent answer. I also want to segue that into the next question, which is where we talked about that fear sells. And that’s how the marketing strategy of many companies is to sell your security solutions. Now, the question is that, what should we do about it? And are these for example, the student mentions the company Apple. And Apple always says, “Hey, we are on the side of consumers, and we respect your privacy, so we’re going to give you utmost security.” Do we believe them? And how do we know the true secure services from not so marketing gimmicks?
Kip Boyle:
Right. That’s very difficult, it’s a very challenging determination to make. It’s very, very difficult. So, it’s going to depend on who you trust. And it’s also going to depend on your own skills as an analyst. So for example, when I had to decide which password manager do I trust, I had to use analytical skills and I had to discover how to measure whether a company was offering a secure product or not. So I went and downloaded their white paper and I read how 1Password and how LastPass … because they take very different approaches to securing the passwords that you entrust with them.
But I read their white papers, and I used my knowledge of system security engineering, in order to know whether or not what they had written was credible. I also researched how many open public vulnerabilities were available in the public vulnerability databases. I also watched how they responded to new vulnerabilities that had been reported that had become public. How fast did they acknowledge those vulnerabilities? And how quickly did they develop a fix and release that fix? So there are ways that you can use to know the security potential of a product.
But sometimes a person is not qualified to do the kind of research that I just described. So they’re going to have to find different ways to discover that perhaps they’ll read a review, that an independent organization has done on that product. Sometimes you just have to make your best choice and just do the best you can, until evidence arises to suggest that that’s no longer the right choice.
Raj:
Right. Excellent. Just like how we should always test our assumptions, whether we’re on the right track or not. Now with that being said, with the third party software for example, Zoom initially it had many bugs and many Zoom raids and all that. Similarly, there are many companies which are sending patches, but sometimes hackers could get in there. Like it happened with the antivirus software, where the patch itself was infested with the viruses. What should a user be capable of doing to detect whether he’s been attacked or not? Because sometimes there could be a lurker, the system could have been hacked, but we may not know it. How do we detect that?
Kip Boyle:
So, the detection of cyber criminals and cyber attackers in general, whether they’re part of an organized crime gang, or whether they’re an agent of a government is extremely difficult, very difficult, probably one of the most difficult challenges that we have in our discipline right now. And the way that you would know is going to vary depending on whether it’s your personal tech that we’re talking about or whether it’s an organization’s computer network. So the way you do detection is going to vary. A lot of the malicious codes these days that you are to be most concerned about, endeavor to make as few visible signs that you’re infected as they possibly can.
That makes things extremely difficult. So, the essential eight is what I keep coming back to, because I believe that those eight practices provide the greatest practical protection that you can bring around yourself and that you can bring around your organization. I’ll say a couple of specific things that you might want to think about. So, as an individual, you are going to want to avoid doing things like on your mobile device, you don’t want to add apps that don’t come from Google Play if you use Android or that don’t come through the Apple Store, if you use iOS, not that those stores are infallible.
But a lot of these side loaded apps are just brimming with malicious code. Same for downloaded software, if you don’t want to spend money to buy Adobe Acrobat or Photoshop and you instead download a cracked piece of code, you’re way more likely to get exploited by doing things like that. So, a lot of times we can stay out of trouble just by avoiding dangerous practices, one dangerous practice that I tell everybody to stay away from is the use of public WiFi. To me, you have no idea for any public WiFi that you use, you have no way of knowing whether it’s a well run network, or whether it’s an entirely exploited and dangerous network.
I liken it to a swimming pool, municipal or a public swimming pool. When you approach the swimming pool, you have no idea whether it’s been sanitized correctly. So, you just don’t know. So in the case of WiFi, it’s very easy to avoid public WiFi in most cases by using your mobile hotspot and you’ll get better performance anyway because you’re not sharing the bandwidth with anybody. Now in terms of an organizational detection method, there are two things that I recommend to my customers. One is the use of a honeypot. And there are many technologies out there that you can get, you can make your own honeypot or you can purchase appliance-based honeypots.
That’s a great choice. Another choice is it’s called EC Hunter. And what it does is it specializes in detecting the advanced persistent threat beacons that are used to … once you exploit an organization to maintain access to that organization and so I would highly recommend those two technologies if you’re trying to detect people on your data network that don’t belong there.
Raj:
I see. So the hunter becomes scented with the trap we said as a bait that [crosstalk] right. So now you mentioned the distinction between individual level and on an organizational level. On individual level, would you say that practicing those eight hygiene you mentioned and additional layer of antivirus softwares with VPN, would that be enough for individuals?
Kip Boyle:
I believe so. I would add the password manager. And let me caution you about VPNs. A virtual private network is a security software. So, what I find a lot of people the way they go wrong with a VPN is they use free VPNs. That’s not a good idea. In almost every situation, a free VPN is not going to protect you, you’ll end up with a false sense of security, the only VPNs that are really worth using from a security point of view, would be the one that’s provided to you by your employer, or your school, because that’s a professionally run virtual private network that is not trying to generate revenue.
A lot of these consumer grade or free VPNs, the reason they’re free is just the same reason why Facebook is free, because you’re the product.
Raj:
Right.
Kip Boyle:
So, they’re typically selling your browsing behavior, and their security mechanisms are typically awful and easy to break.
Kevin:
Yes, and I mentioned that in yesterday’s lecture, you are the product. Thank you for reinforcing that Kip.
Kip Boyle:
It’s true.
Kevin:
Yeah. Do you recommend something like … these are students here? Do you have a recommended VPN that you think is better than the rest or-
Kip Boyle:
I think if you’re willing to avoid public WiFi, I don’t think you need a VPN. Because, your mobile hotspot is going to provide you with a dedicated circuit onto the internet. What I find most students want a VPN for is because they want to location shift so that they can access entertainment.
Raj:
Mostly, yeah.
Kip Boyle:
In that case, it doesn’t matter what VPN you use. Just don’t be mistaken into thinking it’s a security device.
Kevin:
I see a lot of guilty laughs there [crosstalk] thing there? So, definitely that’s true there.
Raj:
VPNs charge because CBS sometimes don’t stream here.
Kip Boyle:
Of course, yeah, of course. And I personally don’t have a problem with it. I just think that if you believe that you’re using a security device, I think you’re fooling yourself.
Raj:
Right? That the false sense of safety and security, that’s something we’re [inaudible] here.
Kip Boyle:
Yeah, that’s awful, you don’t want that.
Raj:
True. It makes you unaware that you’re actually putting a target on your back and you think you’re safe when you’re in fact attracting more attention to yourself.
Kip Boyle:
Yes, that’s correct. I think in general, when it comes to bad things that could happen to you in this profession is a false sense of security is deadly, absolutely deadly, because you think you’re secure and in fact, not only you’re not secure, but you’re in fact vulnerable. So you’re getting the exact opposite with no awareness whatever.
Raj:
That’s right. Now-
Kevin:
Let me [crosstalk] for a second Raj just [crosstalk] we’re talking about this because another thing out there is, when you’re the product, which web browser to use, and I am seeing a lot of stuff that’s actually saying, go over to something like Brave and use a search engine like DuckDuckGo and I know that in Brave it actually gives you if you want to go incognito, you can actually go into using Tor.
Kip Boyle:
Yeah.
Kevin:
Talk about that just in general about what you think of that there. And I should say, part of the thing is why I’ve been myself looking at this is, I’m having to do certain levels of communication with people who are in locations where having communication with somebody in America or something like that could be detrimental to their physical [crosstalk].
Kip Boyle:
Right. Okay. Yes, this is excellent. So, what you’re going to do is going to depend on your profile and I’m so glad you mentioned the case where somebody may be living under the supervision of a hostile regime or a regime, a government that’s being accused of human rights violations. The amount of care that you need to take in that situation is very, very great. So there’s an organization on the internet called the Electronic Frontier Foundation. And if you go to their website, they will provide you with a thorough, practical and complete guide to protecting yourself online when you find yourself in that kind of a high stakes situation.
You could just be engaged in civil disobedience in the United States. And you may need to use some of the methods that they recommend, simply so that you won’t be tracked so easily by law enforcement. Not that they’re going to violate your civil rights by tracking you, but you may not want to be tracked in any event. So if you’re operating at that level, go to the Electronic Frontier Foundation or read their guides, their guides change all the time.
Now, if you’re just a typical person, a student, a business person, and you just want to have good privacy, then I’ll tell you what I do, I use the Firefox web browser. And in the past, I used different web browsers because things change, but today I’m using Firefox, I’m using it with an ad blocker called uBlock Origin. And the reason I do that is because, the advertisements that will come into your browser are not served up by the websites that you visit, they’re served up by advertising networks.
Those networks are a cesspool of malicious code. So you want to block advertisements not because you object to advertisements, but because they are a known vector for malicious code. It’s called malvertising. And uBlock Origin is an excellent browser plugin that will help you deal with that. I also tend to browse in anonymous mode a lot, because I don’t want to be tracked. I also use a functionality and extension for Firefox called Containers.
What containers allows you to do and I think Chrome has a similar functionality called Profiles, but containers in Firefox, you can designate where the cookies are going to live, so if you log into outlook.com under one user ID and password and then let’s say you’ve got another email address that you want to monitor on that same website, you can have one container for email address one and a separate container for email two, and those cookies never cross pollinate, they stay in different logical containers.
So you can actually be logged in to the same website under two different accounts at the same time. I just find that to be a fabulous security. What’s very convenient because I don’t have to log out and log back in all the time. But it’s also good because, it helps me remember not to put information that belongs in one account to accidentally put it into a different account because I forget, or because it’s just inconvenient for me to log out and log back in again. So, that’s what I recommend.
Raj:
I see. Wow, that’s wonderful, because I’ve been personally researching on this one. And this is wonderful advice. Because, what most people do is they log in one account and then they create incognito tab so that they can log in with different user ID. That’s great advice. Now one question that keeps coming is, how come Israel is so good at doing all this stuff? We keep reading in the news, and shouldn’t we be worried with Pegasus? Now this could be a really opening can of worms right now.
But I want to keep it to the student side of the situation where, how come they’re so good at this tech?
Kip Boyle:
Okay, so you really asked me two questions. And, I know I’ll answer them in turn. The caveat is, I don’t have any active business or personal relationships with anybody in the Israeli cybersecurity community. So what I’m going to tell you is a perception, not based on either anecdotal evidence or any structured study, but my perception is that Israel is in a perpetual state of war. And when they do cybersecurity, they bring a certain mindset to that work, and that mindset is I think more than anything is what distinguishes their ability to produce products that tend to be superior, because they themselves have to rely on those products for their own national security.
So that’s my perception. Now as to Pegasus, Pegasus is generally … and technologies like it are generally used for the purposes that I alluded to earlier, where you would want to go to the Electronic Frontier Foundation, it’s typically used in high end scenarios, where you’re an oppressive regime, and you need to monitor civil disobedience, intellectuals, reporters, people who come to your country as part of a non governmental organization. So, a typical student should not expect that they’re going to be targeted for that type of surveillance.
Raj:
Right. I see. Wonderful. So, that being said … That was about Israel. Now, let me move to a different continent. What do you think about Japan? Do you think Japanese companies are in a better position or they’re insulated because they are part of the world, but they have their own paradise island here, or they because the language is different, it insulates them in some way?
Kip Boyle:
I don’t believe that’s true. I am now speaking as somebody who has been to Japan has done business with Japanese companies on cybersecurity projects and products. And my observation is that they don’t have any inherent advantage that I’ve ever observed. I think that they are just as vulnerable as anybody connected to the internet, can be. I don’t think they’re especially vulnerable. But I don’t think that they’re especially set aside, that they would be attacked less.
Raj:
Right. So there’s no distinction for cyber solutions, whether it’s a Japanese company or non Japanese company in terms of attackers, it’s all the same.
Kip Boyle:
Yeah, I don’t think there’s any material distinction.
Raj:
Right. I understand. Thank you, that was a one of the biggest questions was about 60% of students are Japanese and other remaining are non Japanese. So, this question was one of the biggest, many times asked by the students.
Kip Boyle:
Let me also add in terms of my experience working in Japan on cybersecurity, my experience is that the state of the art, for enterprise technology, not for consumer technology, but for enterprise technology tends to be a little behind what I experienced in the United States. I also have noticed that the style of doing business in Japan, the way that decisions are made, also has an effect on the ability to understand the cyber risks and to make effective risk management decisions.
Raj:
Right. Now, there’s one more thing I want to ask and probably that will conclude our Q&A session and there are many questions I’m having. I’m still getting questions. So what I think I’ll do is I’ll curate a list of Q&As, and if it’s possible Mr. Boyle, I’ll send that to you via an email, and-
Kip Boyle:
Of course.
Raj:
whenever you get time you can get back to us on that.
Kip Boyle:
That’ll be fine.
Raj:
But yeah, thank you so much. That being said, one last question before we go is, we see many, many companies getting their data leaked. And with that, the user IDs and passwords are getting leaked, what is this tendency that’s happening? And does it come down to personal choice of hackers, whether they’re being ethical or not ethical? And what do you see in this situation? What’s your view of it?
Kip Boyle:
Well, I’ll acknowledge that there are a lot of data leaks happening. And I think the difficulty of course is that the controls that will either fail and allow data leaks or will resist cyber attack and data leakage, are outside of our ability to influence or monitor and so, we have to take risks in terms of who we trust with our data. Sometimes we don’t have very good choices, because we have to do business and sooner or later we do have to trust, we have to choose somebody, and often many different organizations to trust with our personal information. Now, my advice is to make the best choices that you can, and to rely on independent analysis where it’s available to help you make those choices.
But that you also need to protect yourself in the case that your choice turns out to not have been a good one. So, I go back to the use of strong authentication, to use two factor authentication everywhere that it’s available, because then if your user ID and password should be compromised, then the fact that you use a second factor of authentication will protect you. Not that two factor authentication is impervious to attack, it’s not. And to that end, I would say make sure that when you have the chance to use an app like a Google Authenticator, or a Microsoft Authenticator or Duo, that you’re going to want to use those forms of second factor authentication, as opposed to receiving a code as an SMS text.
So, if all you can do is SMS text codes, choose that. But if you can choose an app-based form of second factor authentication, you should always use that because it’s less subject to exploitation. And then if you’re living and working in the United States, my recommendation is that you put a freeze on all of your credit records at the major credit bureaus, that you freeze credit checks, not just monitor them, but actually shut them off. Because that’s the only way I know, to prevent your personal information from being used to exploit your credit records. Monitoring will only tell you that you’ve been exploited, freezing will actually prevent you from being exploited.
Raj:
That’s right. And then prevention is better than cure as we learn because the cure is worse than the disease. Now, there are many questions. I’m still getting questions, do you mind answering few more before we go?
Kip Boyle:
I have time-
Raj:
We’d really appreciate it.
Kip Boyle:
I have time if you have time.
Raj:
Thank you so much. So one question we are getting is you talk a lot about whether it should not be qualitative measurement of risk, it should be quantitative and it should be usually on a scale of one to 10. How do you measure that? What are the parameters in which you gauge the depth and extent of these risks?
Kip Boyle:
Right. Here’s my book, right? My book talks all about this. And part two of my book explains in detail how I recommend people should do this, and the essence of this zero through 10 scale is that there’s a scorecard, and if you happen to have a copy of my book and if you turn to page 165, you’ll actually see a scorecard, where I define what is considered to be a zero, a three, a five, an eight or a 10, by providing what I call testable statements. So as an example, a three in the zero through 10 scale that I suggest, is defined as … “Our organization sometimes does this, but unreliably and rework is common.”
So this is with respect to a control that you’re using to manage cyber risk. So when you can use these testable statements to translate what actually happens into a number, then you can aggregate those numbers and you can use some statistical analysis, which I talk about in the book, in order to move from a purely qualitative form of risk management, more towards a quantitative form without requiring the use of advanced statistical methods, which, if you can use them, and if your senior decision makers do like them, then I think that’s fine.
But again, I find that most senior decision makers that I’ve worked with, don’t have the time or the expertise to use advanced statistical methods. So I hope that addresses the question. Yes, thank you for putting that on the screen.
Raj:
Yes, it does address the question because, one thing in risk management is that eventually, you have to tie it down to numbers, and it’s hard to put number on risk, and then wait significantly. So it takes bit of storytelling to convince the people in charge of decision making that hey, this is big deal. One more thing I would like to ask you is that, many times what happens is many companies set up their business contingency plans and they have these sites for disaster recovery sites and fall back and fall back, then they test it on piece of paper, and everything looks good that they have turnaround time of within the specified time.
However, when the rubber meets the road, things don’t go out smoothly. So, do you think there is a lack or lethargy in senior management where they do invest in these technologies, but they don’t keep up or they don’t follow up?
Kip Boyle:
My observation is that this goes back to in part, this idea of negative visualization, the allocation of some time and energy to thinking about what could go wrong, and how one would respond in a situation where something went wrong. A lot of the disaster recovery and business continuity programs that I’ve observed are in place because there was a legal mandate or a regulatory requirement. And I would characterize those programs as being weak and as being designed primarily to check a box on a checklist, as opposed to provide genuine protection to the organization in the case of a failure, or in the case of a cyber attack.
But then I also want to say, that even in an organization that with sincerity and with sufficient resources, commits themselves to doing the best plan that they can, may still find themselves in an actual situation where the plans are not good enough. So that gets back to a saying that I believe in very much, which is that plans are worthless, but planning is everything. So, the act of planning is how you will prepare for a situation that you cannot plan for.
Raj:
That’s right. Thank you so much for that, that was really illuminating. One last question before we go and this is truly the last question I’m going to ask. Yesterday we had a bit … I believe a dark discussion that we are the product of all these IT softwares and Pegasus is there and this is happening and that’s happening. And there was this general feeling that, is it already over? Do we still have some real hope, or we are almost finished. Should this even all matter?
Kip Boyle:
Well, I haven’t given up. So I’ll say that. But I will say that the situation is probably worse than we realize, and that it’s going to continue to be difficult for quite some time. I think the correct course of action is to continue to do your very best, despite the fact that we are living in a gray zone, very little of what we see is black or white, can be definitively understood. And I want you to realize that we’re living in a time that is genuinely revolutionary, that this is in fact, the practical definition of a paradigm shift. I believe that the world is grappling with a change that is just as serious, and just as fundamental as the advent of nuclear weapons.
We don’t understand cyber, we don’t know how to manage it. We don’t understand what the rules of cyber war are, we are living in a state of cyber war. And we don’t understand its limits. We don’t understand active defense, and we need to understand active defense, and we’re just trying to figure it out. So, this is the world we live in. And we just have to continue to be vigilant and do the best we can.
Kevin:
Well, actually to end on a bright note, I’m going to ask you to do something that … You talked about telling a great story. Can you tell us one great story with maybe some humor about the situation or what have you, that might illustrate a great point about this, everything we’ve talked about, but also put a smile on our face at the end? Sorry to put you on the spot like that.
Kip Boyle:
No.
Kevin:
We all have these funny stories that sometimes we hear.
Kip Boyle:
Well, I don’t know if this is going to qualify. But this is what’s coming up for me, and I hope you don’t think it’s too self serving. But recently I was working with the Chief Technology Officer of one of my customers. This customer is a professional sports team based in the United States. And we were dealing with a very tricky problem that had to do with mobile computing and the security of their mobile devices. And we were unpacking the problem and we were trying to understand it and analyze it and figure out what to do. In the middle of this working session, he took a moment and he looked at me and he said, “This is so complicated. I don’t understand how small companies deal with this.”
Because he’s not part of a small company, he’s part of a well resourced organization, and he’s putting in a reasonable amount of care and attention to it. So, my podcast co-host Jake, the cybersecurity lawyer was also in on that meeting. So we looked at each other and we said, “That’s a podcast episode.” So we did in fact create, and we will publish on August 31st, a podcast episode called Cybersecurity For Small Companies. And in that I will actually talk about how you do it. And I mean organizations with as few as five employees, or as many as 500. The way that you do cybersecurity management for them is different than the way you do it for larger companies and for enterprises.
But it absolutely can be done, and so, sometimes in the middle of my work, there’s inspiration.
Kevin:
Got you. Well that’s very good. Well, I want to thank you very much. I’ll get my clap here to everything you’ve done. Everyone else can do the icon, whatever you want. But thank you very much for everything. I do appreciate it. Go get your dinner if you haven’t had it yet, or what have you but, I look forward … I know you will probably get quite a few new podcast listeners out of this group here. Raj [crosstalk] links to that and what have you.
Kip Boyle:
Yeah, please join the audience. I would love to have you.
YOUR HOST:
Kip Boyle serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!
YOUR CO-HOST:
Jason Dion is the lead instructor at Dion Training Solutions. Jason has been the Director of a Network and Security Operations Center and an Information Systems Officer for large organizations around the globe. He is an experienced hiring manager in the government and defense sectors.