Episode 32

Bridging the Gap Between Intentions and Practicality in Cybersecurity

Daniela Almeida Lourenco, Chief Information Security Officer (CISO) at Tinka, firmly believes that CISOs have the very best of intentions -- "we all mean the best; we all want to protect the organization, and that is all we want to do." However, often the reality of the Board's lack of a cybersecurity mindset coupled with insufficient budget and resources results "in a reactive posture, unpreparedness, unclear risk management strategy, and low response maturity." She also highlights "the misinterpretation and implementation of the lines of defense model" to be another reason why right intentions do not get translated into good practices. Advocating for a more hands-on senior management role, Daniela says, "if you're on the second line of defense, you're not supposed to just sit on your highchair and disconnect from Operation." She also expresses concern about the excessive use of the 'fear factor' in cybersecurity communications. Finally, Daniela recommends against reinventing the current culture but making suitable adaptations by embedding new practices.


Time Stamps

01:15 -- Share with us a bit about your professional journey.

04:26 -- Share with the listeners why this topic or theme appealed to you.

07:56 -- What's stopping an organization from being proactive?

12:55 -- Based on your experience and your understanding of sociology and psychology, what recommendations do you have to change things up, make them (senior leadership) more optimistic, make them more proactive, make the stance (cybersecurity stance and approach) more optimistic, make the stance more proactive?

18:54 -- Cybersecurity is everyone's business, and everyone has a role to play. It's just like the way we are fighting the pandemic. We cannot just rely on the healthcare professionals to do everything for us, we also have to do our part. And I think that's kind of similar to how we need to deal with the cyber attacks epidemic. What do you think?

21:17 -- Gamification can be perceived in some cultures, such as the German culture, as something not very serious; you're not being serious about it. Is that a fair interpretation?

22:37 -- What are your thoughts on the check-the-box mentality toward cybersecurity governance?

27:09 -- In my book, I talk about creating structures and mechanisms that will enable shared ownership and responsibility of cybersecurity initiatives. What are your thoughts?

30:53 -- What are your thoughts about the significance of prompt threat intelligence processing?

36:13 -- Please share your final thoughts and any additional points that are very relevant to this conversation.


Memorable Daniela Almeida Quotes

"Most practitioners say that they fell into information security by accident."

"There is a major or official priority over information security, but it's usually reactive."

"One of the things I do see with my peers in the industry is that we all mean the best; we all want to protect the organization, and that is all we want to do."

"Only after major breaches and losses does information security come to the agenda. So it's an afterthought."

"We've been building an ivory tower, and this ivory tower increases the gap between them and us, and I kind of tend to blame it on the misinterpretation and implementation of the lines of defense model. So you know, the first line as being Operation, and if you're on the second line, in my view, you're not supposed to just sit on your high chair and just disconnect from Operation."

"One of my favorite pain points is the excessive use of the fear factor in cybersecurity communications."

"One of the major things we're not doing is not knowing the organization and trying to impose a culture where it just turns out to be a counterculture; in the end, it won't work."

"What I would like to make very clear to everybody listening is that you cannot create a culture. And sometimes you hear that even on the news and or in other forums. You cannot create a culture. The culture is already there for 1000s of years, hundreds of years. It's a complex beast of old sets of values and norms. What you can do is embed new practices in it."

"Make sure that for awareness, you think of three things, explain the risks as they are towards different audiences in your organization, how they can protect themselves from them, and how to contact you if something seems abnormal."

"My advice would be, try not to invent the culture again, learn from the culture of the organization, try to adapt to it from within, and manage the expectations that the stakeholders have and listen to organization in all of the sectors, spend time with the core operations, spend time with everyone in your organization to understand where the risks are, where the opportunities are, and listen to the needs, because that's the foundation of everything that you've been built from then on."



Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Transcript
Introducer:

Welcome to the Cybersecurity Readiness Podcast Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of the book Cybersecurity Readiness: A Holistic and High-Performance Approach, a SAGE publication. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars and workshops, consulted with companies and served on a cybersecurity SWAT team with Chief Information Security Officers. Dr. Chatterjee is Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia. As a Duke University Visiting Scholar, Dr. Chatterjee has taught in the Master of Engineering in Cybersecurity program at the Pratt School of Engineering.

Dr. Dave Chatterjee:

Hello, everyone, I'm delighted to welcome you to this episode of the Cybersecurity Readiness Podcast Series. Our discussion today will revolve around bridging the gap between intentions and practicality. Daniela Almeida, Chief Information Security Officer at Tinka, is our guest today. Welcome, Daniela.

Daniela Almeida:

Thank you, Dr. Dave, it's wonderful to be here. Thank you very much for your invitation.

Dr. Dave Chatterjee:

Thank you. So I'm very excited about our discussion topic today. It excites me, because there's a lot of guidance out there, lots of recommendations out there. Still, for a variety of reasons, practitioners are not able to follow through, not because they don't have the right intentions, but because of certain situations and circumstances. I hope this episode will shed some light on those contextual factors and provide a much more practical perspective on how an organization can secure itself from various types of cyber attacks. So that's an exciting plan, and I'm looking forward to your insights. But before we get into those details, share with us a bit about your professional journey.

Daniela Almeida:

My professional journey. Well, that's out-of-the-box, I think. I don't come from IT. I'm not an engineer; I come from cultural sciences, cultural studies. So my major and my first master's degree are in communication and cultural studies, so in the branch of sociology, anthropology, and a bit of psychology as well. And then I think it was really an accident. And I think most practitioners say that they've fallen into information security by accident. In my case, it was my career status as a compliance officer. And back in those days, there was no information security role, so Compliance would do the whole lot, including privacy, and security, and so on. And that's where I found out that I had the taste for information security, for cybersecurity, and I developed there, and then that's why I decided to have an Executive Master's in Cybersecurity to complement, or at least to give me, the hard skills that I didn't have from cultural studies, although I was always a geek, since I was small. So I still cherish the moments with my Spectrum and Commodore Amiga. So that also comes from the fact that I did enjoy working with computers. But it is curious, and sometimes people ask me, "So you come from communication, isn't that a bit the opposite of information security?" And for me, it's an advantage in this field, because knowing how communication, the sciences of communication, work, you appreciate how much information is worth and how important it is to safeguard. So it's the other side; I actually come from the other side of the mirror, but it has been an advantage, especially with the human factor, that helps me align with the hard skills in cybersecurity right now. Well, actually, I was born and raised in Portugal, and more than three years ago I moved to the Netherlands to work as the information security officer for LeasePlan headquarters. And now, since the beginning of this year, I'm the CISO at Tinka, which is a FinTech organization that focuses on responsible deferred payment services. So that's pretty much me in a nutshell.

Dr. Dave Chatterjee:

Fantastic. And thanks for sharing that very eclectic background. You'd assume that people need to have a strong technical foundation to be in the field of cybersecurity. And again, nothing wrong with having a strong technical foundation. It helps, never hurts, but one also has to value the soft skill sets. The more I talk to cybersecurity professionals across organizations, I find that it is that blend of hard and soft skills that is critical, and in your case, having a strong foundation in communications, along with your understanding of anthropology and psychology, are all very important. Because at the end of the day, you're dealing with people; people continue to be the strongest asset, and also the biggest weakness, when it comes to securing organizations. So I'm sure you're operating from a position of strength, from a position of advantage. So Daniela, when we were discussing what should be the topic for this episode, you came up with this idea: how about something along the lines of bridging the gap between intentions and practicality in cybersecurity? And I love it. Share with the listeners why this topic or this theme appealed to you.

Daniela Almeida:

Oh, I hope I don't regret this subject, because it might be a seed for discussion. And I'm very passionate about the human side of cybersecurity. And one of the things that I do see with my peers and in the industry is that we all mean the best; we all want to protect the organization, that is all we want to do. Are we doing the right thing? Or is it all because we don't have the budget or the resources, but we have other problems that we may need to work on ourselves? And usually we hear from organizations saying that security is very important, but most of the time, the actions do not reflect the statements, right? And I think that concern over the years, there is a major or official priority over information security, but it's usually reactive. So we see that only after major breaches and losses, information security comes to the agenda. So it's an afterthought, and not only from the strategic standpoint of cybersecurity, or all the types of organizations, but also in awareness, for example, and this is one of the most, I think that's the most obvious example, it's awareness. And this is where things are going wrong in some organizations. It's often, and I hate this a lot. So I'm actually also coming from the Business Information Security Officer role. I'm very passionate about awareness and listening to the organization, to the core organization. And sometimes it strikes me that when people talk about incidents that were caused by human error, we immediately think of the end users; however, the humans are actually the basis and the creators of systems and their interconnection and the elements that make an organization. So not only the end users, and that, I think, is why it's also important to look at cybersecurity not only from the IT or management angle, but also from a sociological point of view, I think. Does that make sense?

Dr. Dave Chatterjee:

Absolutely. In fact, it is unfortunate that your experience has been that organizations are usually reactive, which is kind of what keeps coming up time and again. So it's consistent. I would assume that by now, with all the major breaches that have happened and that have received a lot of media attention, organizations would strive to be in more of a proactive mode. Based on your experience working in this area, why do you think this reactive approach? Why not proactive? What's stopping an organization from being proactive?

Daniela Almeida:

Well, I think that there are several factors at play, and not only lack of funds or lack of resources. I believe that there is, of course I'm biased, talking about sociologists, sociological traits, but there is a huge loss in translation between the security practice, or the security agenda, and the overall organization. And maybe one of the factors in that is the lack of cybersecurity mindset of the board. And once you have this gap, once you have this problem here, it has many other pain points, such as not a proactive attitude, unprepared members of the organization, unclear risk management strategy, low response maturity, etc. And I do believe that this is maybe the vital one, and I would love to hear from your listeners after our session. That is, I think that we practitioners are also at fault. It's our fault as well. And I think that, along with other areas such as privacy, with the GDPR fever that we had in Europe some years ago, and compliance, we've been building an ivory tower, and this ivory tower increases the gap between us and them, and I usually blame it, or I kind of tend to blame it, on the misinterpretation and implementation of the lines of defense model. So you know, the first line as being operation, second, third, and if you're on the second line, in my view, you're not supposed to just sit on your high chair and just disconnect from operation. And I see this in many organizations, including complex and big organizations. And that's really important. And it doesn't end there. I think one of my favorite pain points, I think it's used, and I'm sure that you've seen that as well, is the excessive use of the fear factor in the communications towards the audience. That is, the fear factor is when we use the latest news articles about major data breaches, about sanctions, and we tend to use the tone of "we're all gonna die," very afflictive, very urgent. And this is not only in awareness; this is also in presentations to the board that we tend to fill in with this type of data. From a managerial perspective, it makes sense to know all the facts to enable informed decision making, and to highlight the importance of the cybersecurity program with the data we have. However, from a sociological perspective, we're perpetually appealing to the basic needs or deficiency needs of human beings. If we consider that we're always appealing to the need for safety of the human being, we only have the reactive stimuli, we only get that, so we only get reaction. So you get the reactive turn of cybersecurity right there. And the concept of learned helplessness helps in interpreting this. When you have learned helplessness, it's pretty much like, whatever I do, it's not worth it, because I'll always be punished, I'll always be subject to, or the target of, a cybersecurity incident, of cybersecurity attacks. So why should I worry? And even in cognitive security, this is called apathy. Its presence is also twice as high. If you check the declassified investigation manuals from the CIA, the cube, for example, apathy is referred to frequently in terms of excessive use of fear. And this is what we're doing right now, in general, of course, and this goes hand in hand with using KPIs that underline how badly your organization is behaving in terms of phishing campaigns: look, all these users, they failed the phishing campaign. So using negative social proof is, in my view, very counterproductive. And we're still communicating with technical jargon, acting very patronizing, that the users don't know anything, that the problem is between the chair and the screen, and boring. And above all, our strategy is not tailored towards our organization. It's detached, in standards. And it doesn't create... I actually, you mentioned this in your book. I loved your book, by the way.

Dr. Dave Chatterjee:

Thank you.

Daniela Almeida:

It's like the essential 101 for security; you need to have this. You mentioned in your book the bonds of attachment. And this is what we're not doing: to create or to embed cybersecurity in the culture of the organization. We're actually trying to counter it, counter those bonds of attachment, and that won't work.

Dr. Dave Chatterjee:

Interesting. You touched upon so many very important points. I want to pick up on a few things here, you know, probe a little deeper. One of the things you mentioned was a lack of a cybersecurity mindset amongst the leadership. Now, given that there are all these compliance requirements, and Europe, of course, is very big on privacy, the GDPR requirements have to be strictly followed or there are major penalties. You know, given these kinds of regulatory expectations and mandates, it does surprise me that the leadership mindset regarding cybersecurity is not changing. I do understand the fatalistic syndrome: that whatever we do, or however much money we spend, nobody can guarantee immunity, so what's the point? So I guess my question to you is, what would be your recommendation? Like you said, fear should not be the approach, though, according to, you know, many schools of thought, fear, unfortunately, is often the best motivator. But anyhow, based on your experience, your understanding of sociology, psychology, what recommendations do you have to change things up, make them more optimistic, make them more proactive, make the stance more optimistic, make the stance more proactive?

Daniela Almeida:

Well, I have many suggestions. Not all of them might work, and I'll explain why. But starting from the point that you raised on countering the fear and using the fear factor: I'm not saying... maybe some listeners do feel the need to show their audience that the threat is there, the attackers are out there to get us, and that's fine. That is making them aware of the risks they're running. Now, abusing that, using it as a veiled threat towards the organization, that won't work in the long run, and there'll be apathy, and they just won't cooperate from then on. So I always tend to look into a collaborative way of bringing them in, instead of patronizing them. Even going back to the lines of defense model, this is something that I have actually aimed at in my career for a while now, that is, to sit comfortably on the 1.5 line of defense. So that is, of course, participating in the governance of the second line. But I also want to be in the trenches, I want to get my hands dirty, I want to know how my organization works. That is one of the things that we're doing wrong, which is, in many cases, we're imposing our norms and values on the organization: that we need to be secure, we need to do this and that. And even if we look at a child, it's much easier for a child to comply with something, and I am not being patronizing, it's just really human nature, it's compliance, it's much easier if you understand why you have to do something, and you have to explain why without having that fear factor all over again. So that's, I think, the major thing that we're not doing. It's not knowing the organization and trying to impose a culture where it just turns out to be a counterculture; in the end, it won't work.

Dr. Dave Chatterjee:

Yep, very true. In fact, that is true for the implementation of anything, literally, the implementation of even large-scale systems, unless you get user buy-in from a very early stage. And to be able to get the buy-in, there's a lot of good research that speaks to the importance of helping users understand what is in it for them, why it is important for them and the organization; there has to be that alignment of values. Again, it's probably easier said than done. Probably in many organizations, they're doing a good job of it. But I think there are always opportunities to do better, and to remind folks that there is employee turnover. So what you did went well with certain folks, but when they have left the organization, you have a new crop; you have to again, you know, get the newcomers integrated into the thinking, or into the creation of what I like to call a high-performance information security culture. And to your point about creating a culture that goes counter to the overall organizational culture, I couldn't agree with you more. A good understanding of the context, a good understanding of the overall organizational culture, is key to setting the foundations for a high-performance information security culture. Here, I'd like to bring in something which I share in my book. In my book, I talk about the importance of building emotional capital, which is anchored on four pillars: leadership authenticity, having fun, feeling valued, and taking pride in their work. I strongly believe that building such emotional capital helps in creating and sustaining a cohesive and aligned working culture. And again, this is not restricted to creating a security culture. This is true for any culture: you've got to get the organizational members excited, interested, driven, because that's when they will take charge, take the initiative of recognizing that, yes, I have work to do for which I have been hired, but there is a security component of the work that I also need to pay attention to. The reason I felt it necessary to mention this is because when we have this discussion about creating a security mindset, about getting top management actively engaged, often the feedback I get is, "Hey, I've been hired to do a job, and that job is not to secure the organization."

Daniela Almeida:

I just work here, right? I just work here.

Dr. Dave Chatterjee:

Yeah, "I work here, I do this job. That's for the cybersecurity professionals; don't try to bog me down with this additional responsibility." I see the point. But unfortunately, the reality is information security pervades across functions. As we have heard time and time again, cybersecurity is everyone's business; everyone has a role to play. It's just like the way we are fighting the pandemic. We cannot just rely on the healthcare professionals to do everything for us; we have to also do our part. And I think that's kind of similar to how we need to deal with the cyber attacks epidemic. But anyhow, I've been rambling for a bit; now it's your turn. What do you think?

Daniela Almeida:

Ahm, no, I was actually absorbing. And I couldn't agree with you more, actually. What I would like to make very clear to everybody listening is that you cannot create a culture. And sometimes you hear that even on the news, or in other forums. You cannot create a culture. The culture is already there for thousands of years, hundreds of years. It's a complex beast of old sets of values and norms. What you can do is to embed new practices in it. And that's already a hefty job. And first of all, you need to understand the already existing culture of the organization when you join in: what makes them tick, what are the priorities, what's their identity, what you refer to in your book as "togetherness." So logically, we may even be talking about determining the sense of belonging. Then you move on to creating new ways of responding to that and embedding the desired behavior in there, within that framing, and not imposing a new framing. A while ago, I was delivering a presentation about awareness in Germany, and I mentioned gamification as a technique. And I remember this intervention of a German peer, because it makes perfect sense, and it just highlights this. He said, "Well, that's very nice, but gamification, in many German organizations, won't work. That's not what we do. It's not part of what we are, who we are. They would be more willing to comply if they get regular updates, communications with instruction; they don't like gamification in general." So you do need to adapt to the organization, not the other way around. You cannot just go there cold turkey and try to impose something else; it won't work.

Dr. Dave Chatterjee:

That's a very interesting insight. So if I'm understanding this correctly, gamification can be perceived in some cultures, such as the German culture, like you said, as something not very serious; you're not being serious about it. Is that a fair interpretation?

Daniela Almeida:

Precisely! Yeah. Wow! As long as it was precious, that intervention was precious, because we always need to take to check where we are first, again, trying to absorb the norms and values of behaviors. And that is just not part of who they are. Maybe in different companies in Germany, multinational etc., that may work. But in some others, it won't, even if that's one of the questions. That another dimension is that for us, that would be seen as loss of efficiency, because we're playing a game instead of working. So you think we need to be very, very careful, and what is good for us, what sounds, makes sense for us, especially if you're an expat like me. Although having my cultural studies background, I still have some hurdles to come across when adapting, when absorbing the Dutch culture. And that's what you need to do as well, from the security point of view, or anything that you want in any other area or any of the subjects, I would say.

Dr. Dave Chatterjee:

I couldn't agree with you more. It's so important to constantly reflect on the current environment, how your views, your communications could be misinterpreted or misunderstood. I think it is human nature. I definitely am part of that group, where I assume that I have communicated very clearly, and people understand my points of view, they get it, there is reasonable alignment. But I think that's a flawed approach. That's why we have the feedback, where you communicate and then you find ways of getting quick feedback to ensure that there is a consensus, there is a common, shared understanding. It brings to mind an interesting example. And this goes to the culture that exists in the US Nuclear Navy. It was shared by some of my former students who worked on the naval submarines. And they said, Dr. Chatterjee, when we are given a command by our senior, we are expected to repeat verbatim what was told to us before we went about executing it. Now, it might kind of sound odd, even the person who was sharing this said, "it didn't feel really good, I felt like I was a zombie. I didn't understand, I had to repeat what I was told." But again, you have to understand the context here. You can't afford to make any errors on a nuclear vessel, because the consequences can be disastrous, can be fatal. So you have to take every possible precaution to ensure the communication is going through appropriately. And that's where it is very important to be meticulous in your approach, whether it's planning, whether it's strategizing, whether it's communicating, as opposed to just sending out a long email with all the details as required by the regulators, as if I'm checking the box, and even if people don't pick up on everything, it doesn't matter, which is often the case in many organizations, especially large organizations, where it becomes a check-the-box approach mentality, as opposed to customizing what a person needs to know, from a do's and don'ts standpoint, when it comes to cyber. Your thoughts, reactions?

Daniela Almeida:

It just reminded me of a discussion that I had, specially about communication. And again, culture and the way that it depends. Also, as I mentioned, it depends on the industry and depends on the area. But at the end of the day, there are things that are common to every single area. And one of them, in my view, is having a clear management expectation. And you would say that having a clear strategy, a clear statement, a clear posture, and also maybe in military it would have a different framing, but I am a sponsor of the open door policy, because, first of all, that increases engagement. So those bonds of attachment, it provides you with the best threat intelligence you might have, if people know that they can just report something without having any consequences against them. And another thing is, and we see that a lot, unfortunately, after major breaches, that is plausible deniability. And we see very many CEOs, many directors saying, we were not aware that this was happening, or that we're going to improve our processes from now on. But what it translates to me is that they were not ensuring that their security stance, their risk appetite, was actually corresponding to the effectiveness of the defenses. And plausible deniability is very hurtful for a security practitioner, because especially the warned, those peers that have been sending presentations with all this data about breaches, about sanctions. And now you have a fear of saying that we were not aware of the risk. So it's very frustrating. And I think that's, it's something that is the hardest thing to change, is this posture, but it also can be instigated or be encouraged by trying to meet halfway. So trying to understand what the risk is, or the risk appetite, or the tolerance levels, as mentioned in your book, are...

Dr. Dave Chatterjee:

Right. In fact, that brings to mind a couple of things. One is, I mentioned that in my book as one of the success factors of creating structures and mechanisms that will enable shared ownership and responsibility, where whenever any cybersecurity initiative is being pitched, or is being undertaken, business executives or business leaders own it, they are an active participant as opposed to leaving it to the cybersecurity professionals to do the needful and then come back to the business to say, okay, this is how we want to implement it in your organization. Instead of doing that, if from the get go we have a business champion of the security initiatives, it could be a much easier sell, and such structures of sharing, of shared ownership, shared responsibility also help create that cross functional awareness, where I am understanding the security implications of my line of business, of my product line. What are your thoughts? You think this is being practiced? This is practical? What are your thoughts?

Daniela Almeida:

Champions was a great invention in the last few years. I think it was the first attempt that I've seen to bring security and the core organization closer, no doubt. But we can do much more than that, to increase that sense of belonging and embedding the importance of cybersecurity in the organizational culture. One of the things sometimes I ask my peers is, have you ever asked your Board to draft up or to just make a statement about their security stance? How is security important for them? Because not only is this good in the long run, because they'll have to put the money where the mouth is, and that is, if for top management security is not a priority, well, that's a posture. That's the stance, that's the identity of your organization. And you'll have to work with that. And then you will have to deal with consequences, because that's the risk tolerance they have. And besides that, there needs to be a voice from top down. So if security is important, cybersecurity is important, not just because the media, the public needs to hear this, that cybersecurity is important, but because they actually believe in it, that it's not done only by assigning champions or the security function, it's making sure that everyone in the organization, throughout the supply chain, throughout the stakeholders list, making them aware of the risks they actually face, and how they can protect themselves and the organization. So I want to work in an organization that protects the employees like myself, and safeguards the interests of the customer. I want to make sure that my data is safe. I want to make sure that my customers' data is safe. As an employee, I need to know that that is my role as well. I need to be shown how, and this is where it's failing. We're not showing people ways of giving that ownership, we need to show. First of all, you mentioned early on what's in it for you, because the human being is really selfish, won't do anything if it's not for some gain, personal gain, and we need to show where they're actually gaining. One of the things I often do is, when I'm sending communications or sharing some security, I actually advise on how people can protect their children and their family, because being cyber aware, it's also about protecting themselves and their family, that's what they're there for. Most of us don't work in charity. So we're actually doing something, we're actually working there for a purpose, and ultimately, for our families and for ourselves. So we need to talk to that part of the human being that is working in the organization.

Dr. Dave Chatterjee:

Fabulous. I want to reemphasize what you said about the leadership clarifying their stance on cybersecurity and clearly communicating where they stand in terms of the appropriate cyber posture, and how they expect to get there. Such clarity of communication is so important, and it helps the organization have a better sense of where the leadership is. After all, as has been said time and again, the tone has to be set at the top, but also to your point, which I have shared many times in my writings, in my talks, and I'm so aligned with you here, that this posture or this mindset about cybersecurity should be genuine, should be substantive, not influenced by a certain requirement, a certain mandate, or being symbolic, that let's do these things, we look good to the external folks, the community, the stakeholders; I mean, I get it, the communication piece is important; but if it comes out of a genuine belief, a genuine recognition that it is really important for the company to secure organizational assets, digital assets, whether that protects the internal stakeholders or the external stakeholders, and in an indirect way, the nation, the world, that we're all connected after all, so having that sense of social responsibility is so important. And I don't believe we are grandizing here, trying to, you know, paint everything with a broad brush and saying, oh, you know, we'd all do the right things, and hallelujah, we will live happily ever after. I don't believe you're trying to do that. But we're just trying to reinforce certain things that seem obvious, but oftentimes they are not followed through, because of reasons like short term goals, you know, I have to meet a certain deadline, have to meet a certain expectation, you know, this company has been formed to deliver quality health care, I can't afford to get too carried away by security, I have to stay focused on my goals, or I'm gonna lose my job. So these could be reasons why the leadership is careful about what they want to put out there. And they have their own way of approaching cyber. Again, this is based on what I hear, what I read, what I learned from my research, but I think you make some excellent points there. I'd like to pick up on another very important fact. And that is prompt processing of threat intelligence. As you know, in many media reports on major breaches, a major reason put forward that caused the breach was because somebody had the threat alert, had received intelligence from an external service provider, but dropped the ball, didn't do anything about it. Just curious, your thoughts on that?

Daniela Almeida:

Well, doing nothing is also a strategy. It is a choice. If we are looking from the outside, that is risk treatment. It's making a decision how to deal with that situation. And it depends on the risk appetite. If the risk appetite is very high, well, do nothing might be logical, as long as they understand the consequences and ignoring certain challenges. I don't know if they're actually ignoring, because again, they are consciously doing nothing. But if you look into it from a security perspective, of course, that wouldn't be a way of dealing with a high risk, so you would most likely try to mitigate it or eliminate it in some way. I'm not really a fan of transferring it, because again, it will come back to you like a boomerang, because if you transfer risk, reputational damage is towards you, not towards the organization whom you're transferring the risk to. And getting back to the risk tolerance, it also depends on the industry, and depends on how you want to put yourself out there in terms of solutions. Let's invoice solution ICT solutions are expensive solutions that we see in the market every day. They promise you everything. They're amazing. They're 100% secure, their DNA is 100% security. And well, it's just amazing. But I would not buy an ex er solution, for example, for a local bakery. Instead, I would be worried about securing my IoT, my internet of things, because everything is connected, even that oven that bakes our bread. If you have a small online business, considerations will still be totally different. But there will include prevention and detection mechanisms. And it's also about leveraging what you have, especially the resources, it's not only about money, we're not talking about, again, solutions. Now we're talking about people, and again, encouraging the open door principle. So you have free threat intelligence right there. And you also need to have a risk treatment process that you can stand on if you're under scrutiny. So if you decided to do nothing, there may be a reason for it, that your stakeholders might not accept it, because they were not aware of your risk treatment or risk management strategy. So again, we go back to communication.

Dr. Dave Chatterjee:

Absolutely. And if I may, you know, to that point, it's very important to document, because even if you decide to do nothing about an alert that you have received, documenting that, why the decision of doing nothing, that helps in the long run, when you go back and review these logs to see, yes, we didn't act on this alert, because we had good reason to believe that this wasn't a significant threat. Or we could afford to, you know, maybe take a hit, like you said, if our risk appetite is large, whatever the reason, but that discipline of recording the alerts, processing it promptly and making a quick call whichever way you want to go with it. I'm a fan of reminding organizations that it's very important to instill that discipline of promptly processing, documenting threat intelligence. So your points there as well are very, very well made. Well, we are kind of getting towards the end of our discussion already. So I would love to keep talking, because it's such a pleasure engaging with you, Daniela, but I just want to make sure that there isn't anything that you're very passionate about that we didn't talk about. So I'd like to give you the opportunity to share maybe your final thoughts or any additional points that are very relevant to this conversation.

Daniela Almeida:

In a nutshell, that's difficult. I could go on and on. If people are listening, or pretending to listen, I don't know. My advice would be: try not to invent the culture again, learn from the culture of the organization, try to adapt to it from within, and manage the expectations that the stakeholders have, and listen to the organization in all of the sectors, spend time with the core operations, spend time with everyone in your organization to understand where the risks are, where the opportunities are, and listen to the needs, because that's the foundation of everything that you've been built from then on. And then creating bridges, talking about building, creating bridges, to make sure that everyone meets halfway, for threat intelligence, for everything else. And of course, mentioning awareness very quickly, maybe try to distinguish between awareness, which I think is a patronizing term anyway, and training. And make sure that for awareness, you think of three things: explain the risks as they are towards different audiences in your organization, how they can protect themselves from them, and how to contact you if something seems abnormal. So these are three things that you should be focusing on in awareness. Do not try to reinvent it, make sure that you find the best technique, avoiding boredom please, because that's all that matters, even more a reputation of being boring, and cherish people and make sure that they have the tools to work confidently.

Dr. Dave Chatterjee:

Fantastic. Fantastic. I really liked the way you summed it all up. And if I may add to that, which is totally aligned with what you said, is to just remind the listeners that as hands on as top management can be, the extent to which they can create a We-Are-In-It-Together culture by building emotional capital, the extent to which structures and mechanisms can be in place to enable shared ownership and accountability. You talked brilliantly about awareness and training, that awareness and training needs to be customized, at the same time, recognize that gamification may not be okay in certain cultures, so you have to appropriately pitch it, appropriately institutionalize it...

Daniela Almeida:

And phishing simulations as well. I didn't mention, but be very wary of phishing simulation. When do you do it and how you do it, if you want to build trust.

Dr. Dave Chatterjee:

Absolutely, thank you for adding that. And then we talked about prompt processing of threat intelligence. You said doing nothing could be a strategy. Absolutely. But as long as it's an informed one, you've made a conscious decision to decide not to do anything about a certain alert. Companies receive alerts all the time. So it's possible that might be the way to go about it from time to time. And finally, and you said it very eloquently, it's really not about making a symbolic statement about our security posture, it's about truly believing in securing the organization and doing the best you can with the available resources. There is no expectation that you have to go, you know, totally out of your way to establish security protocols and procedures that are way beyond what could be considered reasonable. And so taking a realistic, practical, and proactive stance on cybersecurity, I think, can help every organization. So once again, Daniela, I thank you for your thoughts and insights. I think listeners will find them very valuable.

Daniela Almeida:

Thank you very much for the opportunity to put this out there, to shout out to my peers as well, as to try and make their life easier. And that it was a pleasure. And Dr. Dave, if you allow me, if I can maybe share an awareness regimen schedule that our listeners can use, because that may help as well. I can share that.

Dr. Dave Chatterjee:

Absolutely. Well. That was great. Thank you very much.

Daniela Almeida:

Thank you very much, Dave.

Dr. Dave Chatterjee:

A special thanks to Daniela Almeida for her time and insights. If you like what you heard, please leave the podcast a rating and share it with your network. Also subscribe to the show, so you don't miss any new episodes. Thank you for listening, and I'll see you in the next episode.

Introducer:

The information contained in this podcast is for general guidance only. The discussants assume no responsibility or liability for any errors or omissions in the content of this podcast. The information contained in this podcast is provided on an as-is basis with no guarantee of completeness, accuracy, usefulness, or timeliness. The opinions and recommendations expressed in this podcast are those of the discussants and not of any organization.

About the Podcast

The Cybersecurity Readiness Podcast Series
with Dr. Dave Chatterjee

About your host


Dave Chatterjee

Dr. Debabroto 'Dave' Chatterjee is tenured professor in the Management Information Systems (MIS) department, at the Terry College of Business, The University of Georgia (UGA). He is also a Visiting Scholar at Duke University, affiliated with the Master of Engineering in Cybersecurity program in the Pratt School of Engineering. An accomplished scholar and technology thought leader, Dr. Chatterjee’s interest and expertise lie in the various facets of information technology management – from technology sense-making to implementation and change management, data governance, internal controls, information security, and performance measurement. His work has been accepted and published in prestigious outlets such as The Wall Street Journal, MIT Sloan Management Review, California Management Review, Business Horizons, MIS Quarterly, and Journal of Management Information Systems. Dr. Chatterjee’s research has been sponsored by industry and cited over two thousand times. His book Cybersecurity Readiness: A Holistic and High-Performance Approach was published by SAGE Publishing in March 2021.