Episode 32
Bridging the Gap Between Intentions and Practicality in Cybersecurity
Daniela Almeida Lourenco, Chief Information Security Officer (CISO) at Tinka, firmly believes that CISOs have the very best of intentions -- "we all mean the best; we all want to protect the organization, and that is all we want to do." However, often the reality of the Board's lack of a cybersecurity mindset coupled with insufficient budget and resources results "in a reactive posture, unpreparedness, unclear risk management strategy, and low response maturity." She also highlights "the misinterpretation and implementation of the lines of defense model" to be another reason why right intentions do not get translated into good practices. Advocating for a more hands-on senior management role, Daniela says, "if you're on the second line of defense, you're not supposed to just sit on your highchair and disconnect from Operation." She also expresses concern about the excessive use of the 'fear factor' in cybersecurity communications. Finally, Daniela recommends against reinventing the current culture but making suitable adaptations by embedding new practices.
To access and download the entire podcast summary with discussion highlights --
Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.
Connect with Dr. Chatterjee on these platforms:
LinkedIn: https://www.linkedin.com/in/dchatte/
Website: https://dchatte.com/
Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338
Transcript
Welcome to the Cybersecurity Readiness Podcast
Introducer:Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of
Introducer:the book Cybersecurity Readiness: A holistic and
Introducer:High-Performance Approach, a SAGE publication. He has been
Introducer:studying cybersecurity for over a decade, authored and edited
Introducer:scholarly papers, delivered talks, conducted webinars and
Introducer:workshops, consulted with companies and served on a
Introducer:cybersecurity SWAT team with Chief Information Security
Introducer:Officers. Dr. Chatterjee is Associate Professor of
Introducer:Management Information Systems at the Terry College of
Introducer:Business, the University of Georgia. As a Duke University
Introducer:Visiting Scholar Dr. Chatterjee has taught in the Master of
Introducer:Engineering in Cybersecurity program at the Pratt School of
Introducer:Engineering.
Dr. Dave Chatterjee:Hello, everyone, I'm delighted to
Dr. Dave Chatterjee:welcome you to this episode of the Cybersecurity Readiness
Dr. Dave Chatterjee:Podcast Series. Our discussion today will revolve around
Dr. Dave Chatterjee:bridging the gap between intentions and practicality.
Dr. Dave Chatterjee:Daniela Almeida, Chief Information Security Officer at
Dr. Dave Chatterjee:Tinka is our guest today. Welcome, Daniela.
Daniela Almeida:Thank you, Dr. Dave, it's wonderful to be here.
Daniela Almeida:Thank you very much for your invitation.
Dr. Dave Chatterjee:Thank you. So I'm very excited about our
Dr. Dave Chatterjee:discussion topic today. It excites me, because there's a
Dr. Dave Chatterjee:lot of guidance out there, lots of recommendations out there.
Dr. Dave Chatterjee:Still, for a variety of reasons, practitioners are not able to
Dr. Dave Chatterjee:follow through, not because they don't have the right intentions,
Dr. Dave Chatterjee:but because of certain situations and circumstances. I
Dr. Dave Chatterjee:hope this episode will shed some light on those contextual
Dr. Dave Chatterjee:factors and provide a much more practical perspective on how an
Dr. Dave Chatterjee:organization can secure itself from various types of cyber
Dr. Dave Chatterjee:attacks. So that's an exciting plan. And I'm looking forward to
Dr. Dave Chatterjee:your insights. But before we get into those details, share with
Dr. Dave Chatterjee:us a bit about your professional journey,
Daniela Almeida:My professional journey. Well, that's
Daniela Almeida:out-of-the-box, I think. I don't come from IT. I'm not an
Daniela Almeida:engineer; I come from cultural sciences, cultural studies. So
Daniela Almeida:my major and my first master's degree were in
Daniela Almeida:communication and cultural studies, so in the branch of sociology,
Daniela Almeida:anthropology, and a bit of psychology as well. And then I
Daniela Almeida:think it was really an accident. And I think most practitioners
Daniela Almeida:say that they've fallen into information security by
Daniela Almeida:accident. In my case, it was my career status as a compliance
Daniela Almeida:officer. And back in those days, there was no information
Daniela Almeida:security role. So Compliance would do the whole lot,
Daniela Almeida:including privacy, and security, and so on. And that's
Daniela Almeida:where I found out that I had the taste for information security,
Daniela Almeida:for cyber security, and I developed there, and then that's
Daniela Almeida:why I decided to have an Executive Master's in
Daniela Almeida:cybersecurity to complement, or at least to give me, the hard
Daniela Almeida:skills that I didn't have from cultural studies, although I was
Daniela Almeida:always a geek, since I was small. So I still cherish the
Daniela Almeida:moments with my ZX Spectrum and Commodore Amiga. So
Daniela Almeida:that also comes from the fact that I did enjoy working
Daniela Almeida:with computers. But it is curious, and sometimes people ask
Daniela Almeida:me, "So you come from communication, isn't that a bit
Daniela Almeida:the opposite of information security?" And for me, it's an
Daniela Almeida:advantage in this field, because knowing how communication
Daniela Almeida:sciences, the sciences of communication, work, you appreciate how much
Daniela Almeida:information is worth and how important it is to safeguard. So
Daniela Almeida:it's the other side; actually, I come from the other
Daniela Almeida:side of the mirror, but it has been an advantage, especially
Daniela Almeida:with the human factor, that helps me align with the hard skills in
Daniela Almeida:cybersecurity right now. Well, actually, I was born and raised
Daniela Almeida:in Portugal, and more than three years ago I
Daniela Almeida:moved to the Netherlands to work as the information security
Daniela Almeida:officer for LeasePlan headquarters. And now, since the
Daniela Almeida:beginning of this year, I'm the CISO at Tinka, which is a
Daniela Almeida:FinTech organization that focuses on responsible deferred
Daniela Almeida:payment services. So that's pretty much me in a nutshell.
Dr. Dave Chatterjee:Fantastic. And thanks for sharing that very
Dr. Dave Chatterjee:eclectic background. You'd assume that people need to have
Dr. Dave Chatterjee:a strong technical foundation to be in a field of cybersecurity.
Dr. Dave Chatterjee:And again, nothing wrong with having a strong technical
Dr. Dave Chatterjee:foundation. It helps, never hurts, but one also has to value
Dr. Dave Chatterjee:the soft skill sets. The more I talk to cybersecurity
Dr. Dave Chatterjee:professionals across organizations, I find that it is
Dr. Dave Chatterjee:that blend of hard and soft skills that is critical and in
Dr. Dave Chatterjee:your case, having a strong foundation in communications,
Dr. Dave Chatterjee:along with your understanding of anthropology and psychology, are
Dr. Dave Chatterjee:all very important. Because at the end of the day, you're
Dr. Dave Chatterjee:dealing with people, people continue to be the strongest
Dr. Dave Chatterjee:asset, and also the biggest weakness when it comes to
Dr. Dave Chatterjee:securing organizations. So I'm sure you're operating from a
Dr. Dave Chatterjee:position of strength, from a position of advantage. So
Dr. Dave Chatterjee:Daniela, when we were discussing what should
Dr. Dave Chatterjee:be, you know, the topic for this episode, you came
Dr. Dave Chatterjee:up with this idea: how about something along the lines of
Dr. Dave Chatterjee:bridging the gap between intentions and practicality in
Dr. Dave Chatterjee:cybersecurity, and I love it, share with the listeners why
Dr. Dave Chatterjee:this topic or this theme appealed to you?
Daniela Almeida:Oh, I hope I don't regret this subject,
Daniela Almeida:because it might be a seed for discussion. And I'm very
Daniela Almeida:passionate about the human side of cybersecurity. And one of the
Daniela Almeida:things that I do see with my peers and in the industry is
Daniela Almeida:that we all mean the best; we all want to protect the
Daniela Almeida:organization, that is all we want to do. Are we doing the
Daniela Almeida:right thing? Or is it all because we don't have the budget
Daniela Almeida:or the resources, but we have other problems that we may need
Daniela Almeida:to work on ourselves? And usually we hear
Daniela Almeida:organizations saying that security is very important, but
Daniela Almeida:most of the time, the actions do not reflect the statements,
Daniela Almeida:right. And I think that, over the years, there has been a major
Daniela Almeida:or official priority on information security, but it's
Daniela Almeida:usually reactive. So we see that only after major breaches and
Daniela Almeida:losses, information security comes to the agenda. So it's
Daniela Almeida:an afterthought, and not only from the strategic standpoint of
Daniela Almeida:cybersecurity, or in all types of organizations, but also in
Daniela Almeida:awareness, for example. And this is, I think,
Daniela Almeida:the most obvious example: awareness. And this is
Daniela Almeida:where things are going wrong in some organizations. It's often,
Daniela Almeida:and I hate this a lot. So I'm actually also coming from the
Daniela Almeida:Business Information Security Officer role. I'm very
Daniela Almeida:passionate about awareness and listening to the organization,
Daniela Almeida:to the core organization. And sometimes it strikes me that
Daniela Almeida:when people talk about incidents that were caused by human error,
Daniela Almeida:we immediately think of the end users. However, the humans are
Daniela Almeida:actually the basis and the creators of systems and their
Daniela Almeida:interconnection and the elements that make an organization. So
Daniela Almeida:not only the end users. And I think that's why it's also
Daniela Almeida:important to look at cybersecurity not only from the
Daniela Almeida:IT or management angle, but also from a sociological point of
Daniela Almeida:view, I think. Does that make sense?
Dr. Dave Chatterjee:Absolutely. In fact, it is unfortunate that
Dr. Dave Chatterjee:your experience has been that organizations are usually
Dr. Dave Chatterjee:reactive, which is kind of what keeps coming up time and
Dr. Dave Chatterjee:again. So it's consistent. I would assume that by now with
Dr. Dave Chatterjee:all the major breaches that have happened, and that have received
Dr. Dave Chatterjee:a lot of media attention that organizations would strive to be
Dr. Dave Chatterjee:in a more of a proactive mode. Based on your experience working
Dr. Dave Chatterjee:in this area, why do you think this reactive approach? Why not
Dr. Dave Chatterjee:proactive? What's stopping an organization from being
Dr. Dave Chatterjee:proactive?
Daniela Almeida:Well, I think that there are several factors
Daniela Almeida:at play, and not only lack of funds or lack of resources. I
Daniela Almeida:believe that there is, and of course I'm biased, talking
Daniela Almeida:about sociological traits, but there is a huge loss
Daniela Almeida:in translation between the security practice, or the
Daniela Almeida:security agenda, and the overall organization. And maybe
Daniela Almeida:one of the factors in that is the lack of a cybersecurity
Daniela Almeida:mindset on the board. And once you have this gap, once
Daniela Almeida:you have this problem, it has many other pain points,
Daniela Almeida:such as not a proactive attitude, unprepared members of
Daniela Almeida:the organization, unclear risk management strategy, low
Daniela Almeida:response maturity, etc. And I do believe that this is maybe the
Daniela Almeida:vital one, and I would love to hear from your listeners
Daniela Almeida:after our session. That is, I think that we
Daniela Almeida:practitioners are also at fault. It's our fault as well. And I
Daniela Almeida:think that along with other areas such as privacy, with the
Daniela Almeida:GDPR fever that we had in Europe some years ago, and
Daniela Almeida:compliance, we've been building an ivory tower, and this ivory
Daniela Almeida:tower increases the gap between us and them. And I usually blame
Daniela Almeida:it, or I kind of tend to blame it, on the misinterpretation and
Daniela Almeida:implementation of the lines of defense model. So you know,
Daniela Almeida:the first line being operations, then second, third. And if
Daniela Almeida:you're on the second line, in my view, you're not supposed to
Daniela Almeida:just sit on your high chair and just disconnect from operations.
Daniela Almeida:And I see this in many organizations, including complex
Daniela Almeida:and big organizations. And that's really important. And it
Daniela Almeida:doesn't end there. I think one of my favorite pain points,
Daniela Almeida:and I'm sure that you've seen that as well, is
Daniela Almeida:the excessive use of the fear factor in the communications
Daniela Almeida:towards the audience. That is, the fear factor is when we use the
Daniela Almeida:latest news articles about major data breaches, about sanctions,
Daniela Almeida:and we tend to use the tone of "we're all gonna die," very
Daniela Almeida:afflictive, very urgent. And this is not only in awareness; this
Daniela Almeida:is also in presentations to the board that we tend to fill
Daniela Almeida:with this type of data. From a managerial perspective, it makes
Daniela Almeida:sense to know all the facts to enable informed decision making,
Daniela Almeida:and to highlight the importance of the cybersecurity program
Daniela Almeida:with the data we have. However, from a sociological perspective,
Daniela Almeida:we're perpetually appealing to the basic needs, or deficiency
Daniela Almeida:needs, of human beings. If we consider that we're always
Daniela Almeida:appealing to the need for safety of the human being, we only have
Daniela Almeida:the reactive stimuli; we only get that, so we only get
Daniela Almeida:reaction. So you get the reactive turn of cybersecurity
Daniela Almeida:right there. And the concept of learned helplessness helps
Daniela Almeida:in interpreting this. When you have learned helplessness, it's pretty
Daniela Almeida:much like, whatever I do, it's not worth it, because I'll
Daniela Almeida:always be punished. I'll always be subject to, or the target of,
Daniela Almeida:a cybersecurity incident, of cybersecurity attacks. So why
Daniela Almeida:should I worry? And even in cognitive security, this is
Daniela Almeida:called apathy. Its presence is also twice as high. If
Daniela Almeida:you check the declassified investigation manuals from the
Daniela Almeida:CIA, KUBARK for example, apathy is referred to frequently
Daniela Almeida:in terms of excessive use of fear. And this is what we're
Daniela Almeida:doing right now, in general, of course. And this goes hand in
Daniela Almeida:hand with using KPIs that underline how badly your
Daniela Almeida:organization is behaving in terms of phishing campaigns:
Daniela Almeida:look, all these users, they failed the phishing campaign. So using
Daniela Almeida:negative social proof is, in my view, very counterproductive.
Daniela Almeida:And we're still communicating with technical jargon, acting
Daniela Almeida:very patronizing, that the users don't know anything, that the
Daniela Almeida:problem is between the chair and the screen, and boring. And
Daniela Almeida:above all, our strategy is not tailored towards our
Daniela Almeida:organization. It's detached, in standards. And it doesn't create...
Daniela Almeida:actually, you mentioned this in your book. I loved your book,
Daniela Almeida:by the way.
Dr. Dave Chatterjee:Thank you.
Daniela Almeida:It's like the essential 101 of
Daniela Almeida:security; you need to have this. You mentioned in your book the
Daniela Almeida:bonds of attachment. And this is what we're not doing: to
Daniela Almeida:create, or to embed, cybersecurity in the culture of the
Daniela Almeida:organization. We're actually trying to counter it, counter
Daniela Almeida:those bonds of attachment, and that won't work.
Dr. Dave Chatterjee:Interesting. You touched upon so many very
Dr. Dave Chatterjee:important points. I want to pick up on a few things here, you
Dr. Dave Chatterjee:know, probe a little deeper, one of the things you mentioned was
Dr. Dave Chatterjee:a lack of a cybersecurity mindset amongst the leadership.
Dr. Dave Chatterjee:Now, given that there are all these compliance requirements,
Dr. Dave Chatterjee:and Europe, of course, is very big on privacy, the GDPR
Dr. Dave Chatterjee:requirements have to be strictly followed, or there are major
Dr. Dave Chatterjee:penalties. You know, given these kinds of regulatory expectations
Dr. Dave Chatterjee:and mandates, it does surprise me that the leadership mindset
Dr. Dave Chatterjee:regarding cybersecurity is not changing. I do understand the
Dr. Dave Chatterjee:fatalistic syndrome that whatever we do, or however much
Dr. Dave Chatterjee:money we spend, nobody can guarantee immunity. So what's
Dr. Dave Chatterjee:the point? So I guess my question to you is, what would
Dr. Dave Chatterjee:be your recommendation, like you said that fear should not be the
Dr. Dave Chatterjee:approach, though, according to you know, many schools of
Dr. Dave Chatterjee:thought fear, unfortunately, is often the best motivator. But
Dr. Dave Chatterjee:anyhow, based on your experience, your understanding
Dr. Dave Chatterjee:of sociology, psychology, what recommendations do you have to
Dr. Dave Chatterjee:change things up, make them more optimistic, make them more
Dr. Dave Chatterjee:proactive, make the stance more optimistic, make the stance more
Dr. Dave Chatterjee:proactive?
Daniela Almeida:Well, I have many suggestions. Not all of
Daniela Almeida:them might work, and I'll explain why. But starting from the point
Daniela Almeida:that you raised on countering the fear and using the fear
Daniela Almeida:factor, I'm not saying... maybe some listeners do feel the need
Daniela Almeida:to show their audience that the threat is there, the attackers
Daniela Almeida:are out there to get us, and that's fine. That is making them
Daniela Almeida:aware of the risks they're running. Now, abusing that, using
Daniela Almeida:it as a veiled threat towards the organization, that won't
Daniela Almeida:work in the long run, and there'll be apathy and they just
Daniela Almeida:won't cooperate from then on. So I always tend to look
Daniela Almeida:into a collaborative way of bringing them in, instead of
Daniela Almeida:patronizing them. Even going back to the lines of defense
Daniela Almeida:model, this is something that I have actually aimed at in my career for a
Daniela Almeida:while now, that is, to sit comfortably at the 1.5 line
Daniela Almeida:of defense. So that is, of course, participating in the
Daniela Almeida:governance of the second line. But I also want to be in the
Daniela Almeida:trenches; I want to get my hands dirty; I want to know how my
Daniela Almeida:organization works. That is one of the things that we're doing
Daniela Almeida:wrong, which is, in many cases, we're imposing our
Daniela Almeida:norms and values on the organization: that we need to be
Daniela Almeida:secure, we need to do this and that. And even if we look at a
Daniela Almeida:child, it's much easier for a child to comply with something,
Daniela Almeida:and I am not being patronizing, it's just really human nature,
Daniela Almeida:it's compliance, it's much easier if you understand why you have
Daniela Almeida:to do something, and you have to explain why, without having that
Daniela Almeida:fear factor all over again. So I think that's the major
Daniela Almeida:thing that we're not doing. It's not knowing the organization and
Daniela Almeida:trying to impose a culture, where it just turns out to be a
Daniela Almeida:counterculture in the end. It won't work.
Dr. Dave Chatterjee:Yep, very true. In fact, that is true for
Dr. Dave Chatterjee:implementation of anything, literally, implementation of
Dr. Dave Chatterjee:even large scale systems; unless you get user buy-in from a very
Dr. Dave Chatterjee:early stage. And to be able to get the buy-in, there's a lot of
Dr. Dave Chatterjee:good research that speaks to the importance of helping users
Dr. Dave Chatterjee:understand what is in it for them, why is it important for
Dr. Dave Chatterjee:them and the organization, there has to be that alignment of
Dr. Dave Chatterjee:values. Again, it's probably easier said than done. Probably
Dr. Dave Chatterjee:in many organizations, they're doing a good job of it. But I
Dr. Dave Chatterjee:think there's always opportunities to do better, and
Dr. Dave Chatterjee:remind folks that there is the employee turnover. So what you
Dr. Dave Chatterjee:did, went well with certain folks, but when they have left
Dr. Dave Chatterjee:the organization, you have a new crop, you have to again, you
Dr. Dave Chatterjee:know, get the newcomers integrated into the thinking or
Dr. Dave Chatterjee:in the creation of what I like to call a high-performance
Dr. Dave Chatterjee:information security culture. And to your point about creating
Dr. Dave Chatterjee:a culture that goes counter to the overall organizational
Dr. Dave Chatterjee:culture, I couldn't agree with you more. A good understanding
Dr. Dave Chatterjee:of the context, a good understanding of the overall
Dr. Dave Chatterjee:organizational culture is key to setting the foundations for a
Dr. Dave Chatterjee:high-performance information security culture. Here, I like
Dr. Dave Chatterjee:to bring in something which I share in my book. In my book, I
Dr. Dave Chatterjee:talk about the importance of building emotional capital,
Dr. Dave Chatterjee:which is anchored on four pillars, leadership
Dr. Dave Chatterjee:authenticity, having fun, feeling valued, and taking pride
Dr. Dave Chatterjee:in their work, I strongly believe that building such
Dr. Dave Chatterjee:emotional capital helps in creating and sustaining a
Dr. Dave Chatterjee:cohesive and aligned working culture. And again, this is not
Dr. Dave Chatterjee:restricted to creating a security culture. This is true
Dr. Dave Chatterjee:for any culture, you got to get the organizational members
Dr. Dave Chatterjee:excited, interested, driven, because that's when they will
Dr. Dave Chatterjee:take charge, take the initiative of recognizing that, yes, I have
Dr. Dave Chatterjee:a job to do for which I have been hired. But there is a
Dr. Dave Chatterjee:security component of the work that I also need to pay
Dr. Dave Chatterjee:attention to. The reason I felt it necessary to mention this,
Dr. Dave Chatterjee:because when we have this discussion, about creating a
Dr. Dave Chatterjee:security mindset about getting top management, actively
Dr. Dave Chatterjee:engaged, often the feedback I get is, hey, I've been hired to
Dr. Dave Chatterjee:do a job. And that job is not to secure the organization.
Daniela Almeida:I just work here, right? I just work here.
Dr. Dave Chatterjee:Yeah, I work here, I do this job. That's
Dr. Dave Chatterjee:for the cybersecurity professionals, don't try to bog
Dr. Dave Chatterjee:me down with this additional responsibility. I see the point.
Dr. Dave Chatterjee:But unfortunately, the reality is information security pervades
Dr. Dave Chatterjee:across functions, as we have heard time and time again, that
Dr. Dave Chatterjee:cybersecurity is everyone's business, everyone has a role to
Dr. Dave Chatterjee:play. It's just like the way we are fighting the pandemic. We
Dr. Dave Chatterjee:cannot just rely on the healthcare professionals to do
Dr. Dave Chatterjee:everything for us, we have to also do our part. And I think
Dr. Dave Chatterjee:that's kind of similar to how we need to deal with the cyber
Dr. Dave Chatterjee:attacks epidemic. But anyhow, I've been rambling for a bit now
Dr. Dave Chatterjee:it's your turn. What do you think?
Daniela Almeida:Ahm, no, I was actually absorbing. And I
Daniela Almeida:couldn't agree with you more, actually. What I would like
Daniela Almeida:to make very clear to everybody listening is
Daniela Almeida:that you cannot create a culture. And sometimes you hear
Daniela Almeida:that even on the news, or in other forums. You cannot create
Daniela Almeida:a culture. The culture is already there for thousands of
Daniela Almeida:years, hundreds of years. It's a complex beast of old sets of
Daniela Almeida:values and norms. What you can do is to embed new practices in
Daniela Almeida:it. And that's already a hefty job. And first of all, you need
Daniela Almeida:to understand the already existing culture of the
Daniela Almeida:organization when you join in: what makes them tick, what are
Daniela Almeida:the priorities, what's their identity, what you refer to
Daniela Almeida:in your book as 'togetherness.' So logically, we may even be
Daniela Almeida:talking about determining the sense of belonging. Then you
Daniela Almeida:move on to creating new ways of responding to that and embedding
Daniela Almeida:the desired behavior in there, within that framing, and not
Daniela Almeida:imposing a new framing. A while ago, I was delivering a
Daniela Almeida:presentation about awareness in Germany. And I mentioned
Daniela Almeida:gamification as a technique. And I remember this intervention from
Daniela Almeida:a German peer, because it makes perfect sense. And it just
Daniela Almeida:highlights this. He said, "Well, that's very nice, but
Daniela Almeida:gamification, in many German organizations, won't work. That's
Daniela Almeida:not what we do. It's not part of what we are, who we are. They
Daniela Almeida:would be more willing to comply if they get regular updates,
Daniela Almeida:communications with instruction. They don't like gamification in
Daniela Almeida:general." So you do need to adapt to the organization, not the
Daniela Almeida:other way around. You cannot just go there, cold turkey, and
Daniela Almeida:try to impose something else. It won't work.
Dr. Dave Chatterjee:That's a very interesting
Dr. Dave Chatterjee:insight. So if I'm understanding this correctly, gamification can
Dr. Dave Chatterjee:be perceived in some cultures, such as the German culture, like
Dr. Dave Chatterjee:you said, as something not very serious, you're not being
Dr. Dave Chatterjee:serious about it. Is that a fair interpretation?
Daniela Almeida:Precisely! Yeah. That intervention was
Daniela Almeida:precious, because we always
Daniela Almeida:need to check where we are first, again, trying to
Daniela Almeida:absorb the norms and values of behaviors. And that is just not
Daniela Almeida:part of who they are. Maybe in different companies in
Daniela Almeida:Germany, multinationals, etc., that may work. But in some
Daniela Almeida:others, it won't. And another dimension is that, for us,
Daniela Almeida:that would be seen as a loss of efficiency, because we're
Daniela Almeida:playing a game instead of working. So I think we need to be very,
Daniela Almeida:very careful about what is good for us, what makes sense for us,
Daniela Almeida:especially if you're an expat like me. Although I have my cultural
Daniela Almeida:studies background, I still have some hurdles to overcome when
Daniela Almeida:adapting, when absorbing the Dutch culture. And that's what
Daniela Almeida:you need to do as well, from the security point of view, or
Daniela Almeida:anything that you want in any other area, or any of the
Daniela Almeida:subjects, I would say.
Dr. Dave Chatterjee:I couldn't agree with you more. It's so
Dr. Dave Chatterjee:important to constantly reflect on the current environment, how
Dr. Dave Chatterjee:your views, your communications could be misinterpreted or
Dr. Dave Chatterjee:misunderstood. I think it is human nature. I definitely am
Dr. Dave Chatterjee:part of that group, where I assume that I have communicated
Dr. Dave Chatterjee:very clearly, and people understand my points of view,
Dr. Dave Chatterjee:they get it, there is reasonable alignment. But I
Dr. Dave Chatterjee:think that's a flawed approach. That's why we have the feedback
Dr. Dave Chatterjee:loop, where you communicate and then you find ways of getting quick
Dr. Dave Chatterjee:feedback to ensure that there is a consensus, there is a common,
Dr. Dave Chatterjee:shared understanding, it brings to mind an interesting example.
Dr. Dave Chatterjee:And this goes to the culture that exists in the US Nuclear
Dr. Dave Chatterjee:Navy. It was shared by some of my former students who worked on
Dr. Dave Chatterjee:the naval submarines. And they said, Dr. Chatterjee, when we
Dr. Dave Chatterjee:are given a command by our senior, we are expected to
Dr. Dave Chatterjee:repeat verbatim, what was told to us before we went about
Dr. Dave Chatterjee:executing it. Now, it might kind of sound odd, even the person
Dr. Dave Chatterjee:who was sharing this, said, "it didn't feel really good, I felt
Dr. Dave Chatterjee:like I was a zombie. I didn't understand, I had to repeat what
Dr. Dave Chatterjee:I was told." But again, you have to understand the context here.
Dr. Dave Chatterjee:You can't afford to make any errors on a nuclear vessel,
Dr. Dave Chatterjee:because the consequences can be disastrous, can be fatal. So you
Dr. Dave Chatterjee:have to take every possible precaution to ensure the
Dr. Dave Chatterjee:communication is going through appropriately. And that's where
Dr. Dave Chatterjee:it is very important to be meticulous in your approach,
Dr. Dave Chatterjee:whether it's planning, whether it's strategizing, whether it's
Dr. Dave Chatterjee:communicating, as opposed to just sending out a long email
Dr. Dave Chatterjee:with all the details as required by the regulators, as if
Dr. Dave Chatterjee:I'm checking the box, and even if people don't pick up on
Dr. Dave Chatterjee:everything, it doesn't matter, which is often the case in many
Dr. Dave Chatterjee:organizations, especially large organizations where it becomes a
Dr. Dave Chatterjee:check-the-box mentality, as opposed to
Dr. Dave Chatterjee:customizing what a person needs to know, from a do's and don'ts
Dr. Dave Chatterjee:standpoint, when it comes to cyber. Your thoughts, reactions?
Daniela Almeida:It just reminded me of a discussion that
Daniela Almeida:I had, especially about communication. And again,
Daniela Almeida:culture and the way that it depends. Also, as I mentioned,
Daniela Almeida:it depends on the industry and depends on the area. But at the
Daniela Almeida:end of the day, there are things that are common to every single
Daniela Almeida:area. And one of them, in my view, is having
Daniela Almeida:a clear management expectation. And you would say that having a
Daniela Almeida:clear strategy, a clear statement, a clear posture, and
Daniela Almeida:also maybe in the military, it would have a different framing, but I
Daniela Almeida:am a sponsor of the open-door policy, because, first of
Daniela Almeida:all, that increases engagement. So those bonds of attachment; it
Daniela Almeida:provides you with the best threat intelligence you might
Daniela Almeida:have, if people know that they can just report something
Daniela Almeida:without having any consequences against them. And another thing
Daniela Almeida:is, and we see that a lot, unfortunately, after major
Daniela Almeida:breaches, that is plausible deniability. And we see very
Daniela Almeida:many CEOs, many directors saying, we were not aware
Daniela Almeida:that this was happening, or that we're going to
Daniela Almeida:improve our processes from now on. But what it translates
Daniela Almeida:to me is that they were not ensuring that their security
Daniela Almeida:stance, their risk appetite, was actually corresponding to the
Daniela Almeida:effectiveness of the defenses. And plausible deniability is
Daniela Almeida:very hurtful for a security practitioner, especially
Daniela Almeida:those who warned, those peers that have been sending presentations
Daniela Almeida:with all this data about breaches, about sanctions. And now
Daniela Almeida:you have a fear of saying that we were not aware of the risk.
Daniela Almeida:So it's very frustrating. And I think that it's something
Daniela Almeida:that is the hardest thing to change, this posture, but it
Daniela Almeida:also can be instigated or be encouraged by trying to meet
Daniela Almeida:halfway. So trying to understand what the risk is, or the risk
Daniela Almeida:appetite, or the tolerance levels, as mentioned in your
Daniela Almeida:book are
Dr. Dave Chatterjee:Right. In fact, that brings to mind a
Dr. Dave Chatterjee:couple of things. One is, I mentioned that in my book as one
Dr. Dave Chatterjee:of the success factors of creating structures and
Dr. Dave Chatterjee:mechanisms that will enable shared ownership and
Dr. Dave Chatterjee:responsibility, where whenever any cybersecurity initiative is
Dr. Dave Chatterjee:being pitched, or is being undertaken, business executives
Dr. Dave Chatterjee:or business leaders own it, they are an active participant,
Dr. Dave Chatterjee:as opposed to leaving it to the cybersecurity professionals to
Dr. Dave Chatterjee:do the needful and then come back to the business to say,
Dr. Dave Chatterjee:okay, this is how we want to implement it in your
Dr. Dave Chatterjee:organization. Instead of doing that, if from the get-go we
Dr. Dave Chatterjee:have a business champion of the security initiatives, it could
Dr. Dave Chatterjee:be a much easier sell, and such structures of shared
Dr. Dave Chatterjee:ownership, shared responsibility also help create that cross-
Dr. Dave Chatterjee:functional awareness, where I am understanding the security
Dr. Dave Chatterjee:implications of my line of business, of my product line.
Dr. Dave Chatterjee:What are your thoughts? You think this is being practiced?
Dr. Dave Chatterjee:This is practical? What are your thoughts?
Daniela Almeida:Champions were a great invention in the last few
Daniela Almeida:years. I think it was the first attempt that I've seen to
Daniela Almeida:bring security and the core organization closer, no doubt.
Daniela Almeida:But we can do much more than that, to increase that sense of
Daniela Almeida:belonging and embedding the importance of
Daniela Almeida:cybersecurity in the organizational culture. One of
Daniela Almeida:the things sometimes I ask my peers is, have you ever asked
Daniela Almeida:your Board to draft up or to just make a statement about
Daniela Almeida:their security stance? How is security important for them,
Daniela Almeida:because not only is this good in the long run, because they'll
Daniela Almeida:have to put the money where the mouth is, and that is, if for
Daniela Almeida:top management security is not a priority, well, that's a
Daniela Almeida:posture. That's the stance, that's the identity of your
Daniela Almeida:organization. And you'll have to work with that. And then you
Daniela Almeida:will have to deal with the consequences, because that's the
Daniela Almeida:risk tolerance they have. And besides that, there needs to be
Daniela Almeida:a voice from top down. So if security is important, cyber
Daniela Almeida:security is important, not just because the media, the
Daniela Almeida:public needs to hear this, that cybersecurity is important, but
Daniela Almeida:because they actually believe in it; it's not done only by
Daniela Almeida:assigning champions or a security function, it is making sure that
Daniela Almeida:everyone in the organization, throughout the supply chain,
Daniela Almeida:throughout the stakeholders list, is aware of the
Daniela Almeida:risks they actually face, and how they can protect themselves
Daniela Almeida:and the organization. So I want to work in an organization that
Daniela Almeida:protects the employees like myself, and safeguard the
Daniela Almeida:interests of the customer. I want to make sure that my data
Daniela Almeida:is safe. I want to make sure that my customers data is safe.
Daniela Almeida:As an employee, I need to know that that is my role as well. I
Daniela Almeida:need to be shown how, and this is where it's failing. We're not
Daniela Almeida:showing people ways of giving them that ownership; we need to show.
Daniela Almeida:First of all, you mentioned early on, what's in it for you,
Daniela Almeida:because the human being is really selfish and won't do
Daniela Almeida:anything if it's not for some gain, personal gain, and we need
Daniela Almeida:to show where they're actually gaining. One of the things I
Daniela Almeida:often do is, when I'm sending communications or sharing some
Daniela Almeida:security advice, I actually advise on how people can protect their
Daniela Almeida:children and their family, because being cyber aware is
Daniela Almeida:also about protecting themselves and their family;
Daniela Almeida:that's what they're there for. Most of us don't work in
Daniela Almeida:charity. So we are actually doing something, we're actually
Daniela Almeida:working there for a purpose, and ultimately for our families and
Daniela Almeida:for ourselves. So we need to talk to that part of the human
Daniela Almeida:being that is working in the organization.
Dr. Dave Chatterjee:Fabulous. I want to reemphasize what you
Dr. Dave Chatterjee:said about the leadership, clarifying their stance on
Dr. Dave Chatterjee:cybersecurity and clearly communicating where they stand
Dr. Dave Chatterjee:in terms of the appropriate cyber posture, and how they
Dr. Dave Chatterjee:expect to get there. Such clarity of communication is so
Dr. Dave Chatterjee:important, and it helps the organization have a better sense
Dr. Dave Chatterjee:of where the leadership is. After all, as has been
Dr. Dave Chatterjee:said time and again, the tone has to be set at the top. But
Dr. Dave Chatterjee:also, to your point, which I have shared many times in my
Dr. Dave Chatterjee:writings, in my talks, and I'm so aligned with you here, that
Dr. Dave Chatterjee:this posture or this mindset about cybersecurity should be
Dr. Dave Chatterjee:genuine, should be substantive, not influenced by a certain
Dr. Dave Chatterjee:requirement, a certain mandate, or being symbolic, that let's do
Dr. Dave Chatterjee:these things, we look good to the external folks, the
Dr. Dave Chatterjee:community, the stakeholders. I mean, I get it, the
Dr. Dave Chatterjee:communication piece is important; but if it comes out
Dr. Dave Chatterjee:of a genuine belief, a genuine recognition that it is really
Dr. Dave Chatterjee:important for the company to secure organizational assets,
Dr. Dave Chatterjee:digital assets, whether that protects the internal
Dr. Dave Chatterjee:stakeholders or the external stakeholders, and in an indirect
Dr. Dave Chatterjee:way the nation, the world, since we're all connected after all,
Dr. Dave Chatterjee:having that sense of social responsibility is so
Dr. Dave Chatterjee:important. And I don't believe we are aggrandizing here,
Dr. Dave Chatterjee:trying to, you know, paint everything with a broad brush
Dr. Dave Chatterjee:and saying, oh, you know, we'd all do the right things, and
Dr. Dave Chatterjee:hallelujah, we will live happily ever after. I don't believe
Dr. Dave Chatterjee:you're trying to do that. But we're just trying to reinforce
Dr. Dave Chatterjee:certain things that seem obvious, but oftentimes they
Dr. Dave Chatterjee:are not followed through, because of reasons like short-
Dr. Dave Chatterjee:term goals: you know, I have to meet a certain deadline, have to
Dr. Dave Chatterjee:meet a certain expectation, you know, this company has been
Dr. Dave Chatterjee:formed to deliver quality health care, I can't afford to get too
Dr. Dave Chatterjee:carried away by security, I have to stay focused on my
Dr. Dave Chatterjee:goals, or I'm gonna lose my job. So these could be reasons why
Dr. Dave Chatterjee:the leadership is careful about what they want to put out there.
Dr. Dave Chatterjee:And they have their own way of approaching cyber. Again, this
Dr. Dave Chatterjee:is based on what I hear, what I read, what I learn from my
Dr. Dave Chatterjee:research, but I think you make some excellent points there. I'd
Dr. Dave Chatterjee:like to pick up on another very important fact. And that is
Dr. Dave Chatterjee:prompt processing of threat intelligence. As you know, in
Dr. Dave Chatterjee:many media reports on major breaches, a major reason put
Dr. Dave Chatterjee:forward for the breach was that somebody had the
Dr. Dave Chatterjee:threat alert, had received intelligence from an external
Dr. Dave Chatterjee:service provider, but dropped the ball, didn't do anything
Dr. Dave Chatterjee:about it. Just curious, your thoughts on that?
Daniela Almeida:Well, doing nothing is also a strategy. It
Daniela Almeida:is a choice. If we are looking from the outside, that is risk
Daniela Almeida:treatment. It's making a decision how to deal with that
Daniela Almeida:situation. And it depends on the risk appetite; if the risk
Daniela Almeida:appetite is very high, well, doing nothing might be logical, as
Daniela Almeida:long as they understand the consequences. And ignoring
Daniela Almeida:certain challenges, I don't know if they're actually ignoring,
Daniela Almeida:because again, they are consciously doing nothing. But
Daniela Almeida:if you look into it from a security perspective, of course,
Daniela Almeida:that wouldn't be a way of dealing with a high risk, so you
Daniela Almeida:would most likely try to mitigate it or eliminate it in
Daniela Almeida:some way. I'm not really a fan of transferring it, because
Daniela Almeida:again, it will come back to you like a boomerang, because if you
Daniela Almeida:transfer risk, reputational damage is towards you, not
Daniela Almeida:towards the organization whom you're transferring the risk to.
Daniela Almeida:And getting back to the risk tolerance, it also depends on
Daniela Almeida:the industry, and depends on how you want to put yourself out
Daniela Almeida:there in terms of solutions. Let's invoke solutions: ICT
Daniela Almeida:solutions are expensive solutions that we see in the
Daniela Almeida:market every day. They promise you everything. They're amazing.
Daniela Almeida:They're 100% secure, their DNA is 100% security. And well, it's
Daniela Almeida:just amazing. But I would not buy an ex er solution, for
Daniela Almeida:example, for a local bakery. Instead, I would be worried
Daniela Almeida:about securing my IoT, my internet of things, because
Daniela Almeida:everything is connected, even that oven that bakes our
Daniela Almeida:bread. If you have a small online business, conversations
Daniela Almeida:will still be totally different. But they will include
Daniela Almeida:prevention and detection mechanisms. And it's also about
Daniela Almeida:leveraging what you have, especially the resources; it's
Daniela Almeida:not only about money, we're not talking about, again, solutions.
Daniela Almeida:Now we're talking about people, and again, encouraging the open-
Daniela Almeida:door principle. So you have free threat intelligence right there.
Daniela Almeida:And you also need to have a risk
Daniela Almeida:treatment process that you can stand on if you're under
Daniela Almeida:scrutiny. So if you decided to do nothing, there may be a
Daniela Almeida:reason for it that your stakeholders might not accept,
Daniela Almeida:because they were not aware of your risk treatment or risk
Daniela Almeida:management strategy. So again, we go back to communication.
Dr. Dave Chatterjee:Absolutely. And if I may, you know, to
Dr. Dave Chatterjee:that point, it's very important to document, because even if you
Dr. Dave Chatterjee:decide to do nothing about an alert that you have received,
Dr. Dave Chatterjee:documenting why the decision was to do nothing
Dr. Dave Chatterjee:helps in the long run, when you go back and review these logs to
Dr. Dave Chatterjee:see, yes, we didn't act on this alert, because we had good
Dr. Dave Chatterjee:reason to believe that this wasn't a significant threat. Or
Dr. Dave Chatterjee:we could afford to, you know, maybe take a hit, like you said,
Dr. Dave Chatterjee:if our risk appetite is large. Whatever the reason, it's that
Dr. Dave Chatterjee:discipline of recording the alerts, processing them promptly
Dr. Dave Chatterjee:and making a quick call, whichever way you want to go
Dr. Dave Chatterjee:with it. I'm a fan of reminding organizations that it's very
Dr. Dave Chatterjee:important to instill that discipline of promptly
Dr. Dave Chatterjee:processing and documenting threat intelligence. So your points
Dr. Dave Chatterjee:there as well are very, very well made. Well, we are kind of
Dr. Dave Chatterjee:getting towards the end of our discussion already. I would
Dr. Dave Chatterjee:love to keep talking, because it's such a pleasure engaging
Dr. Dave Chatterjee:with you, Daniela, but I just want to make sure that there
Dr. Dave Chatterjee:isn't anything that you're very passionate about that we didn't
Dr. Dave Chatterjee:talk about. So I'd like to give you the opportunity to share maybe
Dr. Dave Chatterjee:your final thoughts or any additional points that are very
Dr. Dave Chatterjee:relevant to this conversation.
Daniela Almeida:In a nutshell, that's difficult. I could go on
Daniela Almeida:and on. If people are listening, or pretending to listen, I don't
Daniela Almeida:know. My advice would be: try not to invent the culture again,
Daniela Almeida:learn from the culture of the organization, try to adapt to it
Daniela Almeida:from within, and manage the expectations that the
Daniela Almeida:stakeholders have, and listen to the organization in all of its
Daniela Almeida:sectors. Spend time with the core operations, spend time with
Daniela Almeida:everyone in your organization to understand where the risks are,
Daniela Almeida:where the opportunities are, and listen to the needs, because
Daniela Almeida:that's the foundation of everything that you will
Daniela Almeida:build from then on. And then creating bridges, talking about
Daniela Almeida:building, creating bridges, to make sure that everyone meets
Daniela Almeida:halfway, for threat intelligence, for everything else. And of
Daniela Almeida:course, mentioning awareness very quickly, maybe try
Daniela Almeida:to distinguish between awareness, which I think is a
Daniela Almeida:patronizing term anyway, and training. And make
Daniela Almeida:sure that for awareness you think of three things: explain
Daniela Almeida:the risks as they are towards different audiences in your
Daniela Almeida:organization, how they can protect themselves from them,
Daniela Almeida:and how to contact you if something seems abnormal. So
Daniela Almeida:these are the three things that you should be focusing on in awareness.
Daniela Almeida:Do not try to reinvent it; make sure that you find the best
Daniela Almeida:technique, avoiding boredom, please, because that's all that
Daniela Almeida:matters, even more a reputation of being boring, and cherish
Daniela Almeida:people and make sure that they have the tools to work
Daniela Almeida:confidently.
Dr. Dave Chatterjee:Fantastic. Fantastic. I really liked the
Dr. Dave Chatterjee:way you summed it all up. And if I may add to that, which is
Dr. Dave Chatterjee:totally aligned with what you said, it is to just remind the
Dr. Dave Chatterjee:listeners that as hands-on as top management can be, the
Dr. Dave Chatterjee:extent to which they can create a We-Are-In-It-Together culture by
Dr. Dave Chatterjee:building emotional capital, the extent to which structures and
Dr. Dave Chatterjee:mechanisms can be in place to enable shared ownership and
Dr. Dave Chatterjee:accountability. You talked brilliantly about awareness and
Dr. Dave Chatterjee:training, that awareness and training need to be customized;
Dr. Dave Chatterjee:at the same time, recognize that gamification may not be okay in
Dr. Dave Chatterjee:certain cultures, so you have to appropriately pitch it,
Dr. Dave Chatterjee:appropriately institutionalize it.
Daniela Almeida:And phishing simulations as well. I
Daniela Almeida:didn't mention it, but be very wary of phishing simulations: when
Daniela Almeida:you do it and how you do it, if you want to build trust.
Dr. Dave Chatterjee:Absolutely, thank you for adding that. And
Dr. Dave Chatterjee:then we talked about prompt processing of threat
Dr. Dave Chatterjee:intelligence. You said doing nothing could be a strategy.
Dr. Dave Chatterjee:Absolutely. But as long as it's an informed one, you've made a
Dr. Dave Chatterjee:conscious decision not to do anything about a certain
Dr. Dave Chatterjee:alert. Companies receive alerts all the time. So it's possible
Dr. Dave Chatterjee:that might be the way to go about it from time to time. And
Dr. Dave Chatterjee:finally, and you said it very eloquently, it's really not
Dr. Dave Chatterjee:about making a symbolic statement about our security
Dr. Dave Chatterjee:posture, it's about truly believing in securing the
Dr. Dave Chatterjee:organization and doing the best you can with the available
Dr. Dave Chatterjee:resources. There is no expectation that you have to go,
Dr. Dave Chatterjee:you know, totally out of your way to establish security
Dr. Dave Chatterjee:protocols and procedures that are way beyond what
Dr. Dave Chatterjee:could be considered reasonable. And so taking a realistic,
Dr. Dave Chatterjee:practical, and proactive stance on cybersecurity, I think, can
Dr. Dave Chatterjee:help every organization. So once again, Daniela, I thank you for
Dr. Dave Chatterjee:your thoughts and insights. I think listeners will find them
Dr. Dave Chatterjee:very valuable.
Daniela Almeida:Thank you very much for the opportunity to put
Daniela Almeida:this out there, to shout out to my peers as well, and to try
Daniela Almeida:and make their life easier. And it was a pleasure. And Dr.
Daniela Almeida:Dave, if you allow me, I can maybe share an awareness regimen
Daniela Almeida:schedule that our listeners can use, because that may help as
Daniela Almeida:well. I can share that.
Dr. Dave Chatterjee:Absolutely. Well. That was great. Thank you
Dr. Dave Chatterjee:very much.
Daniela Almeida:Thank you very much Dave.
Dr. Dave Chatterjee:A special thanks to Daniela Almeida for
Dr. Dave Chatterjee:her time and insights. If you like what you heard, please
Dr. Dave Chatterjee:leave the podcast a rating and share it with your network. Also
Dr. Dave Chatterjee:subscribe to the show, so you don't miss any new episodes.
Dr. Dave Chatterjee:Thank you for listening, and I'll see you in the next
Dr. Dave Chatterjee:episode.
Introducer:The information contained in this podcast is for
Introducer:general guidance only. The discussants assume no
Introducer:responsibility or liability for any errors or omissions in the
Introducer:content of this podcast. The information contained in this
Introducer:podcast is provided on an as-is basis with no guarantee of
Introducer:completeness, accuracy, usefulness, or timeliness. The
Introducer:opinions and recommendations expressed in this podcast are
Introducer:those of the discussants and not of any organization.