Episode 20

Published on: 2nd Mar 2022

A Deep Dive into Ransomware Attacks and Negotiations

Art Ehuan, Vice President, Palo Alto Networks, and Former FBI Special Agent, discusses at length the unfortunate evolution and escalation of ransomware attacks. He explains how the threat actors have upped their game and are now engaging in double, triple, and quadruple extortions. While lamenting that "organizations continue to make the same mistakes," Art also acknowledges the challenges of vulnerability management. He offers some interesting insights into ransomware negotiations and provides excellent advice and recommendations on how to proactively thwart such attacks.


Time Stamps

03:00

Before we started the recording, you made a statement that "companies keep making the same mistakes." Tell us more about it.

07:03

For the benefit of our listeners, if you would explain what a ransomware attack is and what the threat landscape is like? Who are the threat actors?

10:57

What is the level of preparedness?

15:20

Have you seen any best practices out there or any exemplars where irrespective of the directive, irrespective of board oversight, there is a conscious commitment to create and sustain a high-performance information security culture? Have you seen evidence of that?

22:01

I have seen a difference between having frameworks and truly following the framework in a very disciplined and committed manner. And there being some oversight to ensure that the compliance is thorough, the compliance is meticulous. What have you seen?

25:28

Please provide some insights into ransomware negotiations.

31:32

What is the best defense against ransomware attacks? You've already shared with us that patch management is important, but that it can be challenging. What else? What else should companies be doing to reduce the possibility of such attacks?

35:06

Have you come across an instance where a company was a victim of a ransomware attack and they're like, "doesn't matter, thank you very much, we are all backed up and good to go?"

38:54

I've also heard that if you (organization) pay, you are on that list. And they (threat actors) know that if you are attacked again, you will pay again. Is that true?

39:35

We are aware of the Colonial Pipeline attack, and how the FBI was able to recover some of the ransom money. Given your experience with the FBI, why is it so hard to get hold of these criminals, and put them away?

41:05

If crypto could be regulated, that might help mitigate some of these types of attacks? Do you have any thoughts on that?

44:17

What are your thoughts on senior leadership treating cybersecurity as a strategic priority, as a distinctive competency, and making every effort to protect against all possible vulnerabilities?

48:03

There might come a time, hopefully, sooner than later, when the CISO reports directly to the Board? This would allow the CISO function to operate as independently as possible. Your thoughts?

53:44

I would like you to wrap it up for us with some final words.


Memorable Art Ehuan Quotes

The importance of hygiene around patch management -- making sure that you've got a vulnerability management program, and that you implement it so that as vulnerabilities are identified on systems, you're patching them in a timely fashion.

You could potentially have a nation-state masking their activity as a ransomware attack when they're actually burrowing into your infrastructure.

You're (CEO) trying to make a determination, do I put more money into cyber, or do I put more money into customer satisfaction? You know, that's sometimes a hard decision because you've got limited dollars, and trying to make that decision is sometimes difficult. If you're the CEO, you want to do the right thing, make sure the company is protected. But you also want to make sure that your customers are happy and you're doing everything possible to provide those products or services. So, sometimes that's a very difficult balancing act.

If you're just checking a box, you're not meeting the spirit of the framework, you're not actually doing what you really need to be doing to ensure the security of the organization.

There is this view out there, that if we pay and get the key, the next day, we're up and back in operation. I want to dispel that myth that you get the key and you're back in operation the next day. It typically is going to take several days, even when you get the key.

One of the first things that these threat actors do when they get into the environment is go looking for the backups because those are going to be some of the first systems they hit you with ransomware attacks. They're going after the backups.

It is very difficult for an organization to say to their C-level or their board, hey, I absolutely 100% guarantee we will never suffer a breach. But you can do things to minimize impact. Or, even better, make it hard for that group or that attacker. Make it so hard that they're just going to move on to another company.

If you pay, the threat actor group will follow through with what they've promised to you.

Right now, the deterrence factor, unfortunately, is very low. Because it's very difficult to have these individuals (threat actors) arrested.

Ransomware is more than just a CISO problem. It's a corporate problem. You need the executives, you need the Board, you need the executives, you need the management, and you need the employees all to be in unison, in how do we protect our company?

I'm a huge fan of anything that will get the CISO as close to the CEO, or the Board as possible so they can have that influence.


Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Transcript
Introducer:

Welcome to the Cybersecurity Readiness Podcast Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of Cybersecurity Readiness: A Holistic and High-Performance Approach. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars, consulted with companies, and served on a cybersecurity SWAT team with Chief Information Security Officers. Dr. Chatterjee is an Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia, and Visiting Professor at Duke University's Pratt School of Engineering.

Dr. Dave Chatterjee:

Hello, everyone, I'm delighted to welcome you to this episode of the Cybersecurity Readiness Podcast Series. Today, I have the pleasure of talking with Art Ehuan, Vice President of Palo Alto Networks. Art has extensive experience in the field of cybersecurity, having worked both in the public and private sector. To share a few highlights of his work experience and expertise: as Vice President at Palo Alto Networks, Art manages federal and international customer relationships. He provides cybersecurity advisory services to boards of directors, chief information security officers, chief risk officers and senior management on risk mitigation. Art has also been retained as a cybersecurity expert for matters that include Marriott International, Capital One, Equifax, Anthem, Sony and others. He has also been involved in cybersecurity operations in organizations such as USAA and Cisco Systems, and he has served with the Federal Bureau of Investigation as a supervisory special agent in computer crime investigations. Last but not least, Art is a colleague of mine at Duke University's Master of Engineering in Cybersecurity program, where he'll be teaching a class on security, incident response, and resilience. Our discussion today will focus on ransomware attacks. And I can't think of a better person than Art to discuss this topic, and more. So I'm sure we are all excited to hear from him. Without any further ado, Art, welcome.

Art Ehuan:

Thank you, Dave, appreciate the opportunity to speak with you and the audience about what I'm seeing in the world of ransomware, which unfortunately has exploded in the past couple of years. And I anticipate it will continue to grow as the threats to corporations continue to increase.

Dr. Dave Chatterjee:

Before we started the recording, you made the statement that "companies keep making the same mistakes." Tell us more about it.

Art Ehuan:

Yeah, so you know, some of the basic things, some of the hygiene that you would expect to see in organizations, for whatever reason, sometimes aren't done right, so specifically I'm going to mention patch management, right? Because, I mean, attackers have several ways of getting into an organization, you know, it can be through a phishing attack, it could be through, you know, an attack on credentials. But another way, obviously, is through vulnerabilities in systems. And if those system vulnerabilities exist, an attacker can leverage that to access the network. So that highlights to me the importance of hygiene around patch management, you know, making sure that you've got a vulnerability management program, and that you implement it so that as vulnerabilities are identified on systems, you're patching them in a timely fashion. Now, having said that, and having been on the back end of corporations where I'd been CISO or acting CISO, sometimes it can be difficult, right? Because there's so many dependencies in systems that maybe if you do, you know, put a patch into a system without appropriate testing, you're potentially going to break something where your customers are no longer able to access your data. Or you may create additional vulnerabilities. So you close one vulnerability but you create additional vulnerabilities downstream. So I do understand that you need to be careful when identifying vulnerabilities and conducting patch management, but there are vulnerabilities, certain vulnerabilities, like the recent Log4j, that are so critical that you absolutely have to patch those systems, especially on the perimeter. And then I've been talking to companies here, since that Log4j vulnerability was posted in, you know, to me, it's one of the largest vulnerabilities I've seen in a very, very, very long time, just because of the potential for an attacker to access the corporation with, you know, potentially leaving little trace evidence, right. So, in my discussions with companies, I mean, especially the large companies, they were immediately looking at identifying where that vulnerability existed, and then trying to patch it without breaking anything, at least at the perimeter. And then now companies I see are now trying to go in the back end, because this vulnerability, even if patched at the perimeter, if it exists in your back-end systems, it's still vulnerable. And, you know, one of the things that I do hear from organizations is, I don't understand what my environment looks like, a complex environment on the back end, or some of these questions come up, you know, with customers that, you know, they need help, right, they need assistance in identifying what the data flow looks like, what the network looks like. So it isn't easy. And I will always agree when the CISO says it's hard, I absolutely agree it's hard. But there are certain things that in my opinion, patch management, you just have to be doing it right. Especially critical vulnerabilities. It's one of the things that we need to put, you know, those appropriate controls in place to protect, you know, when a critical vulnerability is identified.

Dr. Dave Chatterjee:

Fair enough, fair enough. So let's back up a little bit. For the benefit of our listeners, if you would explain what a ransomware attack is, what's the threat landscape like? Who are the threat actors? That would be very beneficial.

Art Ehuan:

Oh, absolutely. Okay. So I'll start with, yeah, what is ransomware. Ransomware is an attack that a threat actor will conduct, and that threat actor is usually an organized crime or some criminal group. And now, I won't say it's never going to be a nation-state, because you could potentially have a nation-state masking their activity as a ransomware attack when they're actually burrowing into your infrastructure. But a ransomware attack is an attack that is designed to encrypt systems, encrypt data, so you no longer have access either to the systems or your data. Now, what's happened in the past, say, year or two, is that the threat actors, as they've come to the realization that some companies are able to recover on their own, right, they're able to recover their systems, because they do a real good backup process, you know, real good disaster recovery process, you know, and thus are not inclined then to conduct negotiations with the threat actor to pay them to get access to their systems, what the threat actors are now doing is they've upped their game. And by that, I mean, what they now do is along with encrypting your systems and your data, they're doing now something called double extortion. They're also stealing your data before they encrypt it. And now they're forcing you to negotiate. Even if you can recover your systems on your own, even if you can recover your data on your own with your backups and your disaster recovery business continuity plan, you are still forced to negotiate to get an agreement from them that they're not going to post that, you know, customer data, that, you know, protected health information, out on the internet. So, and then now they've even increased that tempo, because now the threat actors are going to triple extortion, where they're encrypting system data, they're stealing data, and they're launching a denial of service attack on you so that your business is no longer able to function. And then we're now seeing something called quadruple extortion, where they're doing all three of those, but they're adding the element that they're now communicating with your customers whose data they have, and telling them, your customers or your patients, hey, we've got your data, we breached, you know, the organization and we're gonna post this information to the internet. You might want to talk to, you know, your company that has this, from whom the data we stole, and tell them to do the right thing and pay us, right. So, you know, now they're putting that pressure on the company, because now they're notifying the victims as well, that they've got your data. So they really, you know, upped their game in a sense, because, you know, they're really forcing an organization to negotiate and make some kind of payment to get those assurances that, you know, they're going to stop that activity. So yeah, the number of matters, I, you know, that we see now, every year, they're increasing and they continue to increase. I certainly, as I look at the future, I certainly don't see a future where I'm saying, hey, ransomware is going to come down, there's just so much money to be made, right. And these threat actors have identified that there's a lot of money to be made. So it's a very cost-effective way to commit crime and make money.

Dr. Dave Chatterjee:

I was just reading an article, where it states that there's a severe increase in ransomware attacks, that cybersecurity authorities from Australia, the United Kingdom, United States, have published a joint advisory warning of an increase in sophisticated, high-impact ransomware attacks targeting critical infrastructure organizations across the world. And that's what concerns me. I mean, you don't want a ransomware attack on anyone, individuals or organizations. But I am especially worried about the critical infrastructure. You know, you were candid enough to say that it's difficult, it's not an easy task, to be super protected, to do the kinds of patch management and other things that need to be done. But having said that, given the severe consequences of these attacks, what are you finding out there, both public sector and private sector? What is the level of preparedness?

Art Ehuan:

Yeah, so I think it's going to depend on an industry, Dave, you know, especially critical infrastructure, you know, there's more regulation around financial services, around energy. So typically, organizations that fall under some kind of regulatory regime, typically, you know, are putting more of an investment in protecting the organization. Also organizations where there's more Board involvement, more, you know, governance and oversight, because, you know, in my opinion, especially with publicly traded companies, you know, they have a Board, for instance, if there's an engaged Board that's asking questions of the cybersecurity program on a regular basis, that's gonna, you know, I think for the C-level, that shows that, you know, the Board is very interested in this, we, as the C-level, obviously have to also support those types of activities and make sure that they get the appropriate funding, they get the appropriate resources that are needed. Now, again, there's always outliers, right. So, and by that, I mean, you know, companies, you know, they exist, obviously, to generate revenue, right? I mean, they produce a product, or they provide a service, for the purpose of generating revenue. Sometimes, you know, if you're in a particular industry, and you're trying to make a determination, do I, you know, do I put more money into cyber, or do I put more money into customer satisfaction, you know, sometimes that's a hard one, right? Because you've got limited dollars, and trying to make that decision is sometimes difficult, right? If you're the CEO, you know, you want to do the right thing, make sure the company is protected. But you also want to make sure that your customers are happy and you're doing everything, you know, possible to provide those either products or services. So, sometimes that's a very difficult balancing act for, you know, executives, right, to have to manage, right, because in a perfect world, they would have enough funding for everything, but it's never a perfect world and there's always going to be that push-pull inside of an organization, you know, the cyber organization is going to be asking for money and resources, you know, and operations is asking for money and resources, and the CEO's, you know, got a limited budget to work with and, you know, he's trying to do the right thing, you know, to maybe, you know, keep both constituents happy, right. I make sure that I'm protected and I make sure my customers are happy, and it's a balancing act. And I think that's why it's important, you know, to have that governance and oversight with the Board, you know, so that they can provide, you know, that top-level guidance to the organization.

Dr. Dave Chatterjee:

You know, you talk about governance, oversight, regulation. It brings to mind Sarbanes-Oxley, SOX. As you might know, Sarbanes-Oxley was introduced when fraudulent accounting transactions were taking place. Yep. And there wasn't that level of top management commitment to ensure that those kinds of activities didn't happen. So it took legislation to get senior leadership attention. Yeah. And it's my hunch that we are going that way, even with cyber. There are some regulations out there, existing laws are being used to regulate cyber activities or to provide reasonable oversight, you know, but I almost feel that there's going to be a major legislation which will come down the pipe, and that's going to really get everybody's attention, because like you said, it is a hard balance for the CEO. Yeah, yeah. But then if you have that regulatory pressure, the regulatory burden, that would force you to do the right thing when it comes to cybersecurity competency, cybersecurity due diligence. And I know this is easier said than done, it's a great conversation to have, but for people who are trying to make things happen, it's a tough ask. Given your experience, you know, you've been in industry, you've actively engaged with the senior leadership, have you seen any best practice out there, or any exemplars where, irrespective of the directors, irrespective of Board oversight, there is a conscious commitment, it's like woven into the organizational culture, that we must create and sustain a high-performance information security culture? Have you seen evidence of that?

Art Ehuan:

Oh, absolutely. Yes, I certainly see it, you know, again, especially with the large organizations that, you know, have a dedicated program, right. So, it is possible. I will say that a cybersecurity program is a dynamic thing, right? It's a living, to me, it's a living thing that is always changing as the threat evolves, right, because, as I mentioned earlier with ransomware, right, you know, as organizations put up defenses, the threat actors, you know, put up countermeasures, right, to get around those defenses. So, cybersecurity can never be static. And if it's static, then I fear that a company maybe is not, you know, thinking about the, you know, how would I say, the evolving nature of cyber threats, and because of the evolving nature of cyber threats, you've got to have a dynamic program. And to me, a dynamic program, you know, you would have one, you would have a program that follows a recognized cybersecurity standard or framework, and I'll throw out like the NIST Cybersecurity Framework, right? It's been around since 2014. I recently saw some statistics that over 50% of large corporations are adhering to that framework, right? Because that framework gives you a baseline, right? The NIST Cybersecurity Framework is designed to establish a baseline and then also assist an organization in determining what does the future state of the cybersecurity program look like? But what I really like about it is, again, it's dynamic in nature in that you never reach a state where you're completely happy and I will never be breached, because again, we've got to stay dynamic. And there is NIST, you've got the ISO 27001/2 series, you've got the CIS 20. So there's a number of standards out there, but to me, when I'm looking at an organization, I'm gonna say okay, this organization is on track, they're thinking, you know, they're putting that security mindset. I look to see if they've got, are they mapping to one of these recognized cybersecurity standards? Now, you brought up the regulatory regime. Having worked with regulators in the past, right, been hired as a kind of an expert advisor to regulators when they're conducting an investigation or analysis of a regulated company, I will tell you, the regulators are using the NIST CSF as their model to assess companies. And then even more recently, the US Department of Defense, they actually released something called the CMMC, the Cybersecurity Maturity Model Certification. That is a requirement for organizations that are doing business with the US Department of Defense to follow the CMMC, in order for them to be able to do business with the Department of Defense. I would anticipate, as I look at the CMMC, as its effectiveness grows, I potentially would forecast that other agencies within the United States government, Homeland Security or Veterans Affairs, I would see other organizations potentially adopting this similar model, where they will say to organizations, if you're going to do business with us, you have to go through this accreditation and get certified in order to do business with us. So again, that adds more of that kind of, you know, kind of a regulatory-type spin for organizations that I would envision would flow down to the corporate sector.

Dr. Dave Chatterjee:

You're talking about frameworks, and there are several out there. And I've had the opportunity to review them when I was authoring my book. They're all great frameworks. Yeah. But what I have found from my work is there's a significant variance in how these organizations follow the framework. How disciplined is their approach in complying with or following through with the guidelines? You know, often I have seen, it's like, let's check the box here. Yeah, you're supposed to offer this kind of training, we have done it, move on, as opposed to going deeper, and making sure the training is substantive, it is year round, it is continuous. So that's where I have seen a difference between having frameworks, and the frameworks guiding cybersecurity operations, and truly following the framework in a very disciplined and committed manner. And there being some oversight to ensure that the compliance is thorough, the compliance is meticulous. What have you seen?

Art Ehuan:

Dave, I will agree with you that, I mean, to me a framework is only as good as the implementation and as good as the following of that framework, right? Because, yeah, so I completely agree with you. I mean, I've seen plenty of organizations that are, you know, box checking, and they suffer a breach. Because when you get past the box checking, they're not, you know, they haven't actually implemented correctly, right. So it's more than just checking the box. If you're just checking a box, in my opinion, you're not meeting the, you know, maybe you're meeting the spirit of the framework, but you're not actually doing what you really need to be doing to ensure the security of the organization. So, yeah, I mean, when I think of frameworks, right, so PCI, right, that's a framework for organizations that handle credit card data. I have seen many, many an organization that are PCI compliant, they've checked off the box, that have suffered breaches. And, you know, the question's asked, well, they've been accredited, you know, by an assessor and, you know, all the boxes are checked off, yet they still suffered the breach. It's because we didn't do that deeper digging. Unfortunately, so if you're just looking to, hey, you know, I'm gonna follow this, you know, so I can check off the boxes, maybe in spirit, you know, you're following the framework, but you certainly are doing good cybersecurity, you're not, you know, you're not going deeper than just checking a box. So yeah, I can't tell you the number of organizations that I've seen that have checked off the boxes and they still suffer a breach. And then when you're doing the analysis, when you dig in, it's like, okay, you checked off a box, but you didn't do these things, you know, these things underneath that box that does allow and contributed to the breach to occur.

Dr. Dave Chatterjee:

Exactly. In fact, talking about the PCI standard, it brings back memories of a major breach that happened several years ago. I don't want to name the organization, but there were detailed reports of the findings, and one of the very concerning findings was that they were warned by their auditors that they were not in compliance with most of the PCI standards, and they did nothing about it. So I'm sure all kinds of things are happening there. And it again goes back to what we started the discussion with: why are companies making the same mistakes over and over again? You shared with us the challenges that senior executives face. But at the same time, there is this reality of ransomware-type attacks that keep getting more sophisticated, and it's a game that's hard to win. So going back to ransomware attacks, let's talk a little bit about what a ransomware negotiation looks like. Not that I'm a fan of ransomware negotiations. In fact, I think the recommendation is not to negotiate. But please share with the listeners your thoughts.

Art Ehuan:

Yeah. And I will agree with you, you know, I'm not a fan of paying a criminal to get access to your systems and your data. I certainly don't support it, but there are occasions where a customer will say, I have no other choice, my systems, my backups are encrypted, and I need my data. In a healthcare provider, right, you can't be down. So there's certain industries that absolutely cannot be down, they've got to be up for public safety, and they've got no other recourse. So if that occurs, then you contact the threat actor, and again, these communications are taking place on the Dark Web, right? They give you an address where you can contact them, they tell you what they're looking for, you get an understanding of what kind of payment they're looking to be made. And it's literally a back and forth. You want to get a proof that they really do have the keys: you provide them with a file that's encrypted, they get it, they unencrypt it and send it back to you, so that you know that indeed they do have the key. And then you're negotiating a price, right, that everyone can agree to. Once that agreement is made, payment is made in cryptocurrency, you name the cryptocurrency, and payment's made after you've got the guarantees from, if cyber insurance is gonna pay, or the law firms, the customer, and then you help with the payment. One of the other things I need to real quickly bring up as well, though, is if this is going to occur, if contact with a threat actor is going to take place, at least in the US, because of the US Treasury requirements, checks have to be made. And they're typically made by the insurance company, by the law firm, to see if the threat actor group is potentially a sanctioned group. So, as an example, REvil was a sanctioned group. So an American organization, an American corporation, could find themselves in legal jeopardy, for instance, if they were to make payment to one of these sanctioned groups. So checking the sanctions list to make sure it's not a sanctioned group is going to be very important. But again, it's that communication back and forth: getting assurance that indeed they have the key, making payment, getting a copy of the key, analyzing that key to make sure it doesn't contain anything that potentially is going to be nefarious. You want to make sure that in using the key, it doesn't potentially download additional payloads, and then helping the organization start unencrypting. One of the things I want to point out that I think a lot, especially a lot of executives, a lot of Boards, there's this view up there: okay, this happens, I get a ransomware attack, we pay and we get the key, and the next day we're back in operation. You know, unfortunately, I want to dispel that myth that you get the key and you're back in operation the next day. It typically is going to take several days, even when you get the key, because you want to make sure that your systems that you're recovering don't contain any backdoors. In some cases, organizations are building a greenfield, a clean environment, to go into. So it's typically multiple days, especially for a larger organization multiple weeks, multiple months, as you're restoring back to operation. So even when payment is made...

Dr. Dave Chatterjee:

It is, it is.

Art Ehuan:

...it is not as quick as, you know, I'm up and running the next day and everything is great and I'm back to business. It's typically an effort, a long-term effort, to really get back to operations.

Dr. Dave Chatterjee:

Good to know, thanks for sharing. So, in your opinion, what is the best defense against ransomware attacks? And you've already shared with us that patch management is important, but that can be challenging. What else should companies be doing to reduce the possibility of such attacks?

Art Ehuan:

Companies encrypting their own data, so that even if a threat actor gets access to it, they're not able to do anything with it, would be a great defense. Having your backups in an environment where it's not connected to the network, having backups that are immutable, so that they can't be changed. You know, one of the first things that these threat actors do when they get into the environment, literally, is where are the backups? They're looking for the backups, because those are going to be some of the first systems when they hit you with a ransomware attack. They're going after the backups, right? So if you can protect those backups, it's absolutely, I think, very critical for you to be able to restore operations on your own, if you can do that on your own because your backups aren't impacted. And like I said, segmenting the network, I'm a big fan of segmentation. Again, it's not easy, I'll be the first one to say, having been in the CISO seat: segmentation, especially if you've got a large network and you've grown it and it's never really been properly segmented, could be a multi-year effort, right. But I'm a big fan of segmentation. I worked with a health care organization some time ago that suffered a ransomware attack, and there were three companies under the umbrella company, but because of lack of segmentation, instead of just getting access to one company, they got access to all three companies within the umbrella, because there was zero segmentation. So segmentation, a robust backup plan where those aren't accessible, and not only that, a robust recovery plan, right? That's just as important. Testing your recovery is absolutely critical, right? Because if, again, something bad does happen, have you even tested your recovery capability, so that you can recover critical systems in X amount of time? So there are certainly things that we can do. Because I'll be the first one to tell you that there is no such thing as a 100% guarantee that anybody can make that a company is never going to suffer a breach, right? Because the environment is so complex. We've got remote workers, we've got the cloud, and the environment is just so darn complex that it is just very difficult for an organization to say to their C-level or to their Board, hey, I absolutely 100% guarantee we will never suffer a breach. But you can do things to minimize impact, or even better, make it hard for that group or that attacker, make it so hard that, you know what, they're just gonna move on to another company. Right? Because you've made it too hard for them.

Dr. Dave Chatterjee:

I'm so happy that you mentioned the importance of having offline backups. It kind of probably sounds a little too simple and trivial. But the way I look at it is, let's take a personal example. Our house could get destroyed in a fire. So if you think about the possibility, and then ask the question, what all would I like to be protected, I don't want to lose that stuff to fire. So kind of taking an inventory of your priority items, and then making sure that you've done everything possible whereby, even in the event of fire, you're not going to lose them. Now, I realize that there's a scale aspect to it: large organizations, tons of data, located in all kinds of places. But even then, I think some of these simple rules and guidelines can work very well if there is a concerted effort to prioritize, to identify what's important, and then closely monitor how they are being backed up, testing the recovery capabilities, so even in the event of an attack they are minimizing the damage. That warrants a question for you: have you come across an instance where a company was a victim of a ransomware attack, and they're like, doesn't matter, thank you very much, we are all backed up, you're good to go? Oh, yeah, has that happened?

Art Ehuan:

It has happened. I have seen companies that have been in that situation where they're going to recover on their own, they've got good backups, and they don't need to communicate with the attacker. But as I mentioned, now we're starting to see that double extortion, right, where they're taking your data, so that even if you can restore on your own, you now have to get in communication with them to get an assurance from them. And that's all it is, right? It's an assurance from them that if you pay them, they will not release your data. Now, you may ask, well, they still have your data, can you believe them if they say they're not gonna release your data if you pay them? You know, for the threat actors, their business model is such that they make an assurance to you, because you've paid, that they are not going to release your data, and they're probably not going to release your data, right? You can't say 100%. But their community is so small that if a threat actor group does not follow through on their assurance, the word gets out, and then other cybersecurity companies say, oh, this group, even if you pay them, they still post your data. That destroys your business model. Right. So, yeah, the way these folks think is that if you pay, they're gonna follow through with what they've promised to you. And I'll tell you, I recall having a conversation with a CIO one time, and he said the support that the threat actors were providing in helping restore was better than his own organization's IT support group. He said, we'd ask them something, we were having trouble with restoration, and they'd get right back to us, walking us through it. So it is a model designed, at least for the threat actors, that if you pay, they're gonna follow through with what they promised as part of that payment.

Dr. Dave Chatterjee:

But I've also heard that if you pay, you are on that list, and they know that if you are attacked again, you will pay again. Is that true?

Art Ehuan:

I did have an organization that, in the space of, I want to say, months, was attacked by three different ransomware groups. They paid the first time, and then literally a different group comes in the second time. They pay the second time, and then a third group came in the third time, before they were able to get their environment so that they couldn't be attacked again. So it happens. It certainly happens.

Dr. Dave Chatterjee:

Very, very interesting. Concerning, but interesting. You mentioned cryptocurrency, you mentioned cyber insurance. I have a couple of questions in that area. But before I go there, we are aware of the Colonial attack, and how the FBI was able to recover some of the ransom money. Given your experience with the FBI, why is it so hard to get hold of these criminals and put them away?

Art Ehuan:

Yeah, well, unfortunately, a lot of these groups are out of the reach of American law enforcement, or, say, Western European law enforcement. A lot of these groups are in countries that we don't have the best relations with. And if we indict someone, say the Bureau, the Department of Justice, indicted a threat actor, if you can't get them into your control, in your custody, then it makes it difficult to be able to put these individuals in jail and kind of show a deterrence. Right now, the deterrence factor, unfortunately, is very low, because it's very difficult to have these individuals arrested.

Dr. Dave Chatterjee:

That's tough. So what is your opinion about this thought that if crypto could be regulated, that might help mitigate some of these types of attacks? Do you have any thoughts on that?

Art Ehuan:

Well, with crypto being regulated, I mean, to some extent it is regulated in the United States, right. So there are rules, regulatory standards, that have to be followed in the United States. But how do you pass that on to other countries, so that they have a better understanding of who's signing up for these accounts, right? Because in the US we have the know-your-customer laws, right, where you have to know who it is who's opening an account. Those laws don't necessarily transfer over to other countries, where you may be able to sign up over the internet and be whoever you want to be. And it just makes it so much more difficult to identify these individuals as to who they are. So I think more regulation probably will help. But it's got to be international, it just can't be the US saying, hey, we're going to do these things. Because at the end of the day, cybercrime is a transnational crime, right? And I look at it from my time when I was in the FBI. So when I was in the FBI, we used to investigate bank robberies, right. I would go to a bank robbery where someone would come in and they'd hold up the bank with a gun, but they're leaving all kinds of evidence, right: there's video cameras, there's DNA, potentially, you're leaving a lot of physical evidence, there may be a marked police unit driving by, there's silent alarms. So there's a lot of risk with a physical bank robbery. To this day, I think the FBI closure rate on bank robberies, I want to say, is probably in the 80, 80 plus percent, right. So if you rob a bank, you're probably going to get caught, arrested and thrown in jail for a long time. With cyber, you don't have to be in the US, you don't have to be in the UK, in France, you don't have to be anywhere near the country that you're attacking and conducting a ransomware attack against; you can be virtually anywhere in the world and conduct that activity. And again, if the rules are not consistent across the globe, this is where we run into problems. So if other countries don't recognize that these types of criminals, you know, right now they're, say, attacking the United States or they're attacking the UK, they could potentially turn on your country and attack you as well. So I really think we're at the point where a regime needs to be put in place, international standards on cooperation on these types of cyber criminals. That is, I think, absolutely critical.

Dr. Dave Chatterjee:

Absolutely. I totally agree with you that there needs to be a lot more cooperation globally if we want to have any success dealing with these cyber criminals. Like the examples you gave, if they are operating from countries where there is very little regulation, they are not being tracked or they are not being brought to justice, there's no reason why they won't continue to engage in these kinds of activities. So true, so true. In fact, I also want to take this opportunity to share with the listeners one of the realities of securing an organization. Art spoke to that. Even in my book, based on my research and my work with companies, I found 17 success factors, and they're associated with three high-performance information security cultural traits. I call these traits commitment, preparedness and discipline. And each of these traits is associated with factors such as, for commitment, there's Hands-on Top Management, Joint Ownership & Accountability, Cross-Functional Participation, and I can go on, I don't want to provide you with the long list. But the point I'm trying to make here is, it is no easy task to manage these 17 factors. So it's easy to blame and maybe get rid of the CISO, and you make a point, and it's a symbolic reaction. But there are just too many vulnerabilities, and you have to really cover a lot of ground. And that's all the more reason why I have been preaching about making cybersecurity a distinctive competency. The extent to which top management gives it priority, the chances of effectively addressing these success factors are a lot higher than if you just give up and say, oh, you know what, we'll deal with it when it happens, there's too many vulnerabilities, we don't know where to start. And I've heard that from many organizations. Your thoughts, Art?

Art Ehuan:

No, you're absolutely right. I mean, this is more than just a CISO problem. It's a corporate problem, right? Because you need the executives, you need the Board, you need the Management, and you need the employees to all be in unison in how do we protect our company, and how do we protect our company's information, whether that be employee information, customer information, R&D. It's absolutely crucial that there's a unified approach, with oversight from the Board, with concurrence from senior management, with middle management implementing, and employees obviously following that plan that's been developed. But to say, okay, we just leave it up to the CISO and they need to fix it, they're just setting up that poor CISO for failure. It's moved beyond the CISO, it's moved beyond the CIO. It really is a corporate issue that needs to be addressed at the highest levels of the organization.

Dr. Dave Chatterjee:

I think you're talking about the board of directors, yeah, providing oversight, requiring senior leadership to provide them with regular updates. And there might come a time, hopefully sooner than later, where the CISO reports directly to the Board, so that to that extent the CISO function can operate as independently as possible. Your thoughts?

Art Ehuan:

Yeah. So I'm going to tell you, I'm going to always be of the opinion, the closer you can get the CISO to the CEO or to the Board, the better that organization is going to be, because you're trying to minimize filtering, right? Because I've seen CISO organizations buried under IT or Operations. And when that happens, you've got the personalities involved. You've got Operations or the CIO that, you know, I've got to have the infrastructure always running; anything that's going to slow it down, potentially, by a subsidiary organization, not a good thing for me; if I've got a budget and I have to provide it to the CISO, that's budget away from operations. So I'm a huge fan of anything that will get that CISO as close to the CEO or the Board as possible, so that they can have that influence and effect on these very key executives or board members, right, so that they understand the risk directly. It's not being filtered in any way when it's being reported.

Dr. Dave Chatterjee:

Very true, so very true. And I think that for an organization that truly cares about security, it should be a no-brainer for the leadership to do exactly what you are saying, that is, let the CISO operate as independently as possible. When I say CISO, I mean the team. And let them directly report, whether it's to the audit committee or the board of directors, so there is some independence to the reporting. And I think that that would be a reflection of true commitment on the part of the organization towards cyber diligence, cybersecurity management. So I wonder why that's not the norm. But, you know, at least I'm glad we're having this discussion. Hopefully, folks are listening. Hopefully, some actions will be taken.

Art Ehuan:

I don't know if you've seen, there's a bill, I don't know if it's getting much traction, I believe in the Senate, that will require publicly traded organizations to have a board member who is knowledgeable on cyber. Again, I don't think it's getting much traction, right. But for me, from what I've seen in the past 25 years of working cyber-related crime and working with organizations and helping them protect themselves, I think that has some good viability, right. If you have someone that understands cyber at the Board level, they can help the board in understanding the risk. Because at the end of the day, right, it's about risk and risk acceptance, and understanding how that potentially would impact an organization.

Dr. Dave Chatterjee:

Absolutely. I mean, of course, it is desirable that you have somebody who understands cyber at a certain level of depth. But I'd also argue that even if you didn't understand cyber, we all know what's going on. I was talking to the CEO of a major corporation, and I asked him, I said, I keep getting these research reports that senior leadership are not very willing to stay up to date and undergo cybersecurity training. And he says, I don't know about other organizations, but in my organization we totally believe in continuous training, we are engaged. So I asked him, I said, so what convincing is required for all other organizations to do what you all do? And his reaction was, I don't know why there needs to be any convincing, you just have to read the Wall Street Journal to see the consequences of these attacks. So if that data is not compelling enough for people to sit up and say, you know what, even if I don't understand cyber, I'm going to make every effort to understand as much as I can, or at least engage people and have regular conversations so I'm securing my organization... You know, it's like sending your kids to school. I obviously don't understand all the subjects the way the teachers who teach them do. But I want my kid to do well. So I would take every step as a parent to provide oversight, to provide guidance, to hire tutors, whatever it takes to help the kid be successful. And I think if that kind of mindset prevails, we would do a lot better.

Art Ehuan:

Yeah, yeah. Yeah. I agree with you.

Dr. Dave Chatterjee:

But I'd like you to wrap it up for us with some final words. I so appreciate you coming this afternoon to talk to us.

Art Ehuan:

Of course, you know, so the final word is, I mean, I get it. Cybersecurity is hard. If someone says it's easy, again, I would raise an eyebrow and ask, how can you think that? It is difficult. The environments are complex, the threat actors are getting more and more aggressive and sophisticated. But there are things we can do, right? We just can't throw up our hands and say, there's no way I can defend against this. There are things we can do to better protect organizations. There's messaging that we can do with the C-level and the Board to get them more involved in understanding what the threat is, the threat to the organization. So I certainly would never say there's just nothing we can do. There are things we can do. And it's always going to be very important, in my opinion, to have a plan, right. Have a plan, put that plan in place and follow your plan.

Dr. Dave Chatterjee:

Thank you again. Thanks for coming. It's been a pleasure.

Art Ehuan:

Thank you Dave, appreciated.

Dr. Dave Chatterjee:

A special thanks to Art Ehuan for his time and insights. If you liked what you heard, please leave the podcast a rating and share it with your network. Also subscribe to the show, so you don't miss any new episodes. Thank you for listening, and I'll see you in the next episode.

Introducer:

The information contained in this podcast is for general guidance only. The discussants assume no responsibility or liability for any errors or omissions in the content of this podcast. The information contained in this podcast is provided on an as-is basis with no guarantee of completeness, accuracy, usefulness, or timeliness. The opinions and recommendations expressed in this podcast are those of the discussants and not of any organization


About the Podcast

The Cybersecurity Readiness Podcast
with Dr. Dave Chatterjee
The Cybersecurity Readiness podcast serves to have a reflective, thought-provoking and jargon-free discussion on how to enhance the state of cybersecurity at an individual, organizational and national level. Host Dr. Dave Chatterjee converses with subject matter experts, business and technology leaders, trainers and educators, and members of user communities. He has been studying cybersecurity for over a decade. He has delivered talks, conducted webinars, consulted with companies and served on a cybersecurity SWAT team with CISOs. He is an Associate Professor of Management Information Systems at the University of Georgia and Visiting Professor at Duke University.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

About your host


Dave Chatterjee

Dr. Debabroto 'Dave' Chatterjee is a tenured professor in the Management Information Systems (MIS) department at the Terry College of Business, The University of Georgia (UGA). He is also a Visiting Scholar at Duke University, affiliated with the Master of Engineering in Cybersecurity program in the Pratt School of Engineering. An accomplished scholar and technology thought leader, Dr. Chatterjee's interest and expertise lie in the various facets of information technology management: from technology sense-making to implementation and change management, data governance, internal controls, information security, and performance measurement. His work has been accepted and published in prestigious outlets such as The Wall Street Journal, MIT Sloan Management Review, California Management Review, Business Horizons, MIS Quarterly, and Journal of Management Information Systems. Dr. Chatterjee's research has been sponsored by industry and cited over two thousand times. His book Cybersecurity Readiness: A Holistic and High-Performance Approach was published by SAGE Publishing in March 2021.