Episode 21
Dealing with Cyber Trauma
The phenomenon of cyber trauma is very real and individuals and organizations are often not adequately prepared to deal with it. Patrick Wheeler, a Luxembourg-based cybersecurity practitioner and Director of the Cyber Wayfinder program, shares his experience in dealing with cyber trauma incidents. He also talks about the Cyber Wayfinder program that is designed to help people with diverse life experiences and skillsets pivot to cybersecurity careers. Patrick passionately argues for removing the artificial barriers to attract a diverse cybersecurity talent pool. To quote him, "why is it that everyone says you have to be a STEM graduate to work in cybersecurity, some of my best colleagues and peers do not have a STEM degree. One of the best cryptographers I know has a degree in international business."
Time Stamps
Please introduce Cyber Trauma to the listeners.
What are some resources to get the appropriate training to deal with cyber trauma? Do you have any suggestions for the listeners?
Patrick, speak to the importance of developing appropriate soft skills as part of cybersecurity training.
Please wrap it up for us.
Memorable Patrick Wheeler Quotes
And when our corporation suffers a critical cyber incident, that actually does have a psychological impact, not just on the cybersecurity practitioners, but actually on the staff themselves.
We tend to quickly brush under the rug this type of cybersecurity traumatic incident, we focus on it as an IT problem, even though we all argue that cybersecurity is a business problem.
And one of the things that I've worked very hard on is to surround the cyber team with a fair amount of soft skills.
Why is it that everyone says you have to be a STEM graduate to work in cybersecurity, some of my best colleagues and peers do not have a STEM degree. One of the best cryptographers I know has a degree in international business.
It's often easier for me to train one of my business people on how to do cybersecurity than it is to train a cybersecurity professional on how my business works.
Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.
Connect with Dr. Chatterjee on these platforms:
LinkedIn: https://www.linkedin.com/in/dchatte/
Website: https://dchatte.com/
Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338
Transcript
Introducer: Welcome to the Cybersecurity Readiness Podcast Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of Cybersecurity Readiness: A Holistic and High-Performance Approach. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars, consulted with companies, and served on a cybersecurity SWAT team with Chief Information Security Officers. Dr. Chatterjee is an Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia, and Visiting Professor at Duke University's Pratt School of Engineering.
Dr. Dave Chatterjee: Hello, everyone, I'm delighted to welcome you to this episode of the Cybersecurity Readiness Podcast Series. Today, I'll be talking with Patrick Wheeler, who's joining us from Luxembourg. Patrick wears many hats in the field of cybersecurity. He's a cybersecurity innovator, educator, mentor, practitioner, and architect. A few of his professional highlights include executive leader of transformative security initiatives, building Next-Gen cyber solutions, driving professional development of cyber executives, and rethinking traditional cybersecurity approaches. So it's truly an honor and a pleasure to welcome Patrick to the show. Patrick, welcome.
Patrick Wheeler: Thank you, Dave. It's a pleasure to be here.
Dr. Dave Chatterjee: So when we were having our planning meeting, Patrick, I was intrigued to learn about the cyber trauma phenomenon. Over the last several years, I've been working in this area, nobody quite highlighted that challenge, that issue, quite like you did. So I'd like to start with that topic. And then we can move on to others. So please introduce the cyber trauma to the listeners. And let's take it from there.
Patrick Wheeler: Okay, well, with pleasure. The concept of cyber trauma is one that I'm still struggling with, as to how to best apply it. And there are people who are critical about using it in this context. But I think when we look at analogies, it's a very powerful and useful analogy. And it came to me in part because a few years ago, I started looking at why it was that so many of my large customers were paying ransomware ransoms to recover their data, when all of the cybersecurity practitioners were screaming up and down, don't pay, don't pay, don't pay. And I had the opportunity to work with some of my corporate communications people. And I was giving a presentation in Copenhagen. And I wanted to talk about the situation that had occurred with Maersk. And we all know the Maersk situation, one of the early Russian cyber attacks against the Ukraine that had gotten out of control and had seized up one of the world's largest shipping company's computers. And initially, my people were very hesitant to allow me to talk about it because he said, Well, Maersk is one of our customers. You can't talk about that. You just we know. And I said no. Please listen, you have to understand what I'm going to say about Maersk. And they did allow me to get up there and speak in front of a bunch of financial professionals, not cybersecurity professionals. This is at a financial conference. And I said, Maersk did everything right. When this unexpected event happened to them, they didn't hide, they didn't obfuscate, they didn't lie about what was going on. They also didn't overshare, they said basically to the industry -- Listen, something really bad has happened. We're working like heck to try to recover from it. Please be patient with us while we go through this very traumatic time. They didn't use the word trauma at that time.
Patrick Wheeler: But after this event, a lady came up to me. And she had a very interesting conversation with me. And the thing that she said that really struck and stayed with me. As she said, Patrick, it meant so much to me, to hear from you a respected person in the industry, my bank effectively that we didn't do anything wrong, because I cannot even describe to you the feeling of helplessness as I sat at my desk, and stared at the computer screen, and there was absolutely nothing I could do. And the reason this stuck with me quite so much just as I was empathizing with her and putting myself in her shoes. This is a person who is in charge of the financial Treasury Department of Maersk at that time. She since moved on. Oh, but she had responsibilities, tremendous responsibilities to ships at sea, to vendors, to partners, she knew that if she couldn't make her payments, that salaries wouldn't get paid, the ships couldn't get offloaded, that critical business functions weren't going to happen. And that was a very emotionally fraught incident for her. And it was also quite interesting when you read later on some of the best analyses that came out of the Maersk incident, how well Maersk handled this. But then also the fact that we don't talk about it so much. And everyone is terribly afraid to talk about these types of events. And as I was listening to her, I was also quite struck with the similarities to people talking to me about traumatic events in their lives that have happened in other contexts.
Patrick Wheeler: There was another discussion that I had with some people that was perhaps a little bit more lighthearted, that also made me think about these. And it had to do with taking executives through cyber exercises, Cyber Range scenarios. So like the X Force truck that was running through Europe a couple years ago. And they would talk about taking a bunch of business executives, through a critically destructive cybersecurity incident, modeled one in this case, and basically them leaving the trailer being completely white, shaking, and, you know, completely destroyed emotionally. And I was really looking at the saying, what is it that we're doing that is causing people to have such an aversion to what we're doing? And to use terminology that sounds like this around trauma?
Patrick Wheeler: So I started talking to some people around this, and I asked them, you know, what is it that is that around this idea that is so powerful, and it was actually a friend of mine who works out of Finland who gave me one of the best analogies that I can think of, and we were talking about EMDR, which is something Eye Movement Desensitization and Reprocessing therapy that's often used in military persons who have gone through quite significant amounts of physical trauma. And what she was describing was, you know, when a car almost runs you over, the traumatic event isn't necessarily the car running you over, it's the sense of, I'm not in control of the situation. Bad things have happened to me, because I'm unworthy. And the sense that we should be in control, and especially in critically destructive cyber incidents, we have an expectation that we're supposed to be in control. That's a lot of what we I mean, a lot of our languages in cybersecurity is all about control. And I kept exploring this analogy, and I was looking at our sense of corporate identity. And the fact that we have so much group adhesion that we do, we actually have people who are specialized in our human resources departments to make us connected to our corporations. And when our corporation suffers a critical cyber incident, that actually does have a psychological impact, not just on the cybersecurity practitioners, but actually on the staff themselves.
Patrick Wheeler: And this is something that as I looked into it, I think there's been a not enough but a fair body of work done around the trauma that cyber incident responders go through. And if you look up to look this up, you see, this is indeed a part of a reason why we end up having a lot of people leaving our incident response teams. And I will personally attest to this, I used to sit right next to one of the most amazing Incident Response managers I've ever had the pleasure to work with. And sometimes he would come out of the room just, you know, the incident room, just bone white and sweating. And then he would do this day after day, and you could see the type of psychological toll this was taking on him. And this is something we also need to do a better job of, but what I was really struck by is, you know, what is the impact on cybersecurity incidents that we keep hidden from our employees, even though we know they've happened. Um, and this was also one of the things when you look at trauma, where we talk about, we don't want to silence it to death. When you have personal trauma, everything that's pushed into a closet just grows and tends to repeat itself. In a corporate cyber incident, we rush to recover from it, and then we tend to try very hard to forget about it. And indeed, we don't like to talk about it all that much, especially in certain sectors, sectors where I predominantly work in heavy infrastructure and financial services. We definitely don't want to talk about it because we're incredibly embarrassed by these types of things.
Patrick Wheeler: I was doing some work with some hostage negotiators. These are people who work with the United Nations. They do critical incident handling for police forces nationwide. They do some very interesting work in critical incidents too. And they provided me the manual on countering kidnapping and extortion from the United Nations Office of Counterterrorism. And they talked about how, when you have people coming out of a critical incident like this, you want to be able to offer them specialized psychological support for hostages for the family that have gone through these types of critical incidents. But they had a critical mention in here, which is often people don't want this type of support initially. Initially, we refuse the label of traumatized or victim, we very quickly want to revert ourselves to norm, we want to get back to our regular lives. And this also, I think, is something that we do in cybersecurity as well. And so we tend to over overload and quickly brush under the rug this type of cybersecurity traumatic incident, we focus it as an IT problem, even though we all argue in cybersecurity, it's a business problem. But then we actually don't talk to our business partners about what happened and how we can do better about it. So this is what I one of the things that I've really been working on trying to figure out how can we break this down?
Dr. Dave Chatterjee: This is such an important topic. And I'm surprised that like you said, it's not talked about enough. I haven't heard anything about dealing with or providing people with training to deal with cyber trauma. What are some resources that listeners could leverage to get the right kind of training? Do you have any suggestions for the listeners?
Patrick Wheeler: Well, there's not a lot out there right now, particularly around cyber trauma, or digital trauma, one of the things that we do see is, there's some very good work that is happening in intimate partner digital violence. Now, this is another form of cyber trauma, if you will, less of a corporate form and more of a personal form. But there's actually some really good PDFs if you look up intimate partner violence, digital, you'll find some really interesting discussions around this. The best things, the best materials I've found so far, are actually out of the trauma industry. And this is a psychological industry. So this is something like The Body Keeps the Score by Bessel van der Kolk, which is a quite an interesting book around trauma. I personally find the EMDR, something that speaks to me a great deal, because it talks about how we can practically deal with some of these things. And what we have to do then is we have to transpose these into the corporate context. And the thing I would say is that when we're looking at cyberculture, there's a huge amount of blame gaming that goes on or victim blaming that happens. The first thing we tell people is don't click on that link.
Patrick Wheeler: One of the analogies I like to use is that one of the worst cyber attacks I ever went through, started with someone clicking on an opening link. And she did everything perfect that day. Because the link that she opened was one that she was supposed to receive every single day from that business partner. She opened the link, it didn't behave properly. The first thing she did is she called her business partner at a fellow bank across town and said, Hey, that file you sent me today didn't work. And he said, Oh, don't open that file. I've been compromised. My security people are here. I hope you're okay. Now, I loved the psychological dissonance in what he just said in that. First off, she's calling to say that the file didn't behave properly. And he says don't open it. Well, of course, she tried to open it if it didn't behave properly. And then he says, you know, I'm under attack, or I've been compromised. I hope you're okay.
Patrick Wheeler: So I just found that that's such a compelling discussion about how the human brain reacts under crisis. We're humans. And when this happens that this is just normal. Um, so the person did her third, perfect thing that day -- she picked up the phone, and she called me. And I was in charge of the cybersecurity for that team. And that turned our dwell time, the amount of time the attacker existed on our network, down from the months or weeks that it might have been down to about five minutes. And so the fact that she a) opened the link, b) called the partner and c) called me, was actually quite perfect. And so many of our business processes depend on our employees doing things that we tell them not to do. And then we try to blame them. And indeed, our head of operations wanted to blame this lady for opening that file. Because indeed, he had received the message through all of the standard awareness trainings, tell people not to click on the links. And so he wanted to immediately kick off a phishing campaign, get human resources all over anyone who clicked on the phishing campaign, and if there was a person who clicked on it three times, my God, they were going to be fired. And I looked at this as a complete horror of a way in which we could damage our cyber culture such that someone would not call me.
Patrick Wheeler: And so when we look at how can we transpose this discussion, first off, we need to change our narrative around how do we work with our employees, and we need to engage them so very much more. And we need to have our narrative not about don't click on the link, but about being responsive. And when people do respond appropriately, we need to reward them. One of the things that I was most proud of in this incident is I actually gave this lady a very public award for having done those three perfect things that day. And having cut my dwell time down. This took the rumor mill, which said, hey, this person clicked on a link, and changed that narrative entirely to say, hey, this person called Security immediately after doing her job, when something went wrong, she saw it fast. And so this is one of the first things we need to do.
Patrick Wheeler: The other one is that actually, after an incident occurs, we do need to deal with this thing internally, we do need to communicate. And this needs to be an honest communication. We all know the kind of BS communication, the announcement that comes out on Friday, the fact that you know that we underplay it. One of the things that I really appreciated a few years back was the story about the RSA hack. This was written in Wired in mid 2021, the full story of the RSA tech attack can finally be told. This was when China broke into RSA, which handles a lot of the two factor authentication. And 10 years later, as they're quoting people, the language that the people were still using was the language of trauma. This is an extinction event, RSA is over. I made sure that all members of the team, I don't care who they were, what reputation, they were investigated, because you had to be sure that it wasn't an internal attack. And the way RSA handled the attack in dribs and drabs dissembling to their customers, and I was one of their customers. And I received the message from RSA saying, Oh, we're certain that the seeds have not been compromised. And we're all sitting on the other end of this telephone long going BS. We all know this type of corporate BS when we hear it, we knew it when we heard it. It was a fig leaf at the very best, but the people inside who were forced to lie to their customers. That was a traumatic event to them. They were put in a compromising situation. And you could see in this Wired article 10 years later, they were still struggling with it.
Patrick Wheeler: So number one, in dealing with an incident, we need to not place our employees in impossible situations, we need to communicate like Maersk communicated about their incident. But also, I don't want to say that Maersk couldn't have done better. I mean, we can all do better. The thing that I think is really critical for us is that post incident communication, and to have that be authentic and genuine. Not just from the executives, we expect to hear from the executives, but actually bring in external people. And do this not just directly after the incident, but bring people in a little while afterwards, after things have settled down a little bit. And we can talk about it and have some discussions and some sharing sessions around these. This is something again, not seeing happening. But this
Dr. Dave Chatterjee: Yeah, if I can chime in here, you've been sharing some very interesting and useful perspectives. One of the things that's coming through in your narrative is the importance of honest communication. There's a lot of best practices out there about or recommendations about customized communication, targeted communication. But I think we need to emphasize the importance of honest communication. And also the need to create an environment, a friendly environment, where people can speak up and just admit and say, Hey, I did click on the link, but I'm at least informing you right away, so you can take necessary action. That's better than just going silent, recognizing that I made a mistake, and now if I fess up to it, there are consequences. So I really like this approach and this syncs well, with the mindset out there. You know, I've been speaking to many companies about their cybersecurity training approaches. And the good news is, the mindset is not about firing people. It's all about nurturing, encouraging, to ensure the desired behavior. So that's very, very, that's a very healthy sign. But going back to once again to start dealing with cyber trauma, and you mentioned about the post mortem exercises, what should you be doing after the event? It begs the other question that when we engage in cybersecurity training, though, the word training these days is associated with very technical traditional controls based training, the emphasis on soft skills dealing with like you give an example about this boss, the belligerent boss, and the employee who had clicked on the link, was scared of the boss. And that led her to behave a certain way. She wasn't trained to deal with the situation appropriately. So Patrick, speak to the importance of developing appropriate soft skills as part of cybersecurity training.
Patrick Wheeler:Well, this is something that we've been
Patrick Wheeler:working on a lot. And there's a couple of different ways to
Patrick Wheeler:approach this. And one of the things that I've worked very
Patrick Wheeler:hard on is to surround the cyber team with a fair amount of soft
Patrick Wheeler:skills as well, but also to engage our business partners, so
Patrick Wheeler:that they're closer to our cyber activities. One of the things
Patrick Wheeler:that I found most impactful was to spin up a cyber master class.
Patrick Wheeler:And this was a really interesting exercise where I
Patrick Wheeler:would take my executives for two days in Paris, we would go into
Patrick Wheeler:a locked room, and basically spend two days doing a deep dive
Patrick Wheeler:on cybersecurity. Not in a in the type of attack room
Patrick Wheeler:scenario. But really, you know, what does it mean for corporate
Patrick Wheeler:entities? What are the incidents like? How are we supposed to
Patrick Wheeler:deal with them? The goal here was to give our executives the
Patrick Wheeler:ability to calmly control a cybersecurity discussion,
Patrick Wheeler:whether it's during an incident or not during an incident. So
Patrick Wheeler:this is one example of training that I found really, really
Patrick Wheeler:impactful. And indeed, I do like the this, the switch that a lot
Patrick Wheeler:of our people have been doing is away from awareness, and away
Patrick Wheeler:from training and into awareness and engagement. And this
Patrick Wheeler:masterclass was one of my first examples in really trying to
Patrick Wheeler:engage quite at a deeper level. The other thing, of course, is
Patrick Wheeler:to bring your cybersecurity practitioners in as trainers for
Patrick Wheeler:this engagement as well. So you're, you're building a better
Patrick Wheeler:rapport between between your people. Um, one of the other
Patrick Wheeler:things that I've been working a lot on recently is, is how to
Patrick Wheeler:attract and retain new types of skills. So there's a huge lack
Patrick Wheeler:of diversity. We have a very a shortage of skills, and a lack
Patrick Wheeler:of new entrants into cybersecurity. I work in some of
Patrick Wheeler:the more traditional industries, and we suffer from recruitment
Patrick Wheeler:problems. So we're not as hip and trendy and sexy as some of
Patrick Wheeler:the fintechs or some of the other types of companies. And so
Patrick Wheeler:we are challenged trying to find new people. And this was one of
Patrick Wheeler:the things that started the other profile of mine, if you
Patrick Wheeler:will, which is the Cyber Wayfinder program. And this is a
Patrick Wheeler:program that is designed to take practitioners in other
Patrick Wheeler:industries, whether they're in law, whether they are in IT
Patrick Wheeler:administration, whether they're in governance, and basically
Patrick Wheeler:pivot them into full time careers in cybersecurity. And
Patrick Wheeler:this effort came through initially, in an effort, I was
Patrick Wheeler:asked to present cybersecurity as a career to a group of young
Patrick Wheeler:professionals who were working on gender and tech in
Patrick Wheeler:Luxembourg. And I gave what I now characterize as one of the
Patrick Wheeler:worst presentations of my professional career, and I've
Patrick Wheeler:been asked to do a lot of presentations. So this is a
Patrick Wheeler:really standout failure on my part. After the presentation, I
Patrick Wheeler:got a lot of feedback saying thank you, sir, for taking time
Patrick Wheeler:from your very important job to tell us about these very
Patrick Wheeler:important topics. And then everyone ran away to talk to the
Patrick Wheeler:person who had presented on WordPress that night. And so I
Patrick Wheeler:really looked at this and said, What is it that we're doing in
Patrick Wheeler:cybersecurity that is actually making us look unattractive to
Patrick Wheeler:new entrants. And this is one of the things that the Cyber
Patrick Wheeler:Wayfinder program is designed to do, which is to give people
Patrick Wheeler:foundational knowledge to get them into cybersecurity careers.
Patrick Wheeler:And the one thing I really, really love about this is it's
Patrick Wheeler:exactly this. We're bringing people with different life
Patrick Wheeler:experiences. So they're not just people like me, I consider
Patrick Wheeler:myself someone who came through the wires. I was a sysadmin, I
Patrick Wheeler:was an engineer, I was kind of a traditional cybersecurity
Patrick Wheeler:profile, shall we say? And I absolutely love working with the
Patrick Wheeler:people who are non STEM graduates. And this was one of
Patrick Wheeler:the first discussions that I had around this. I said, Why is it
Patrick Wheeler:that everyone says you have to be a STEM graduate to work in
Patrick Wheeler:cybersecurity, some of my best colleagues and peers do not have
Patrick Wheeler:a STEM degree. One of the best cryptographers I know, practical
Patrick Wheeler:cryptography, has a degree in international business. You
Patrick Wheeler:know, so why did we create this artificial barrier to entry
Patrick Wheeler:for new people, but it didn't exist for us before?
Patrick Wheeler:So this is also one of the areas where I've been really,
Patrick Wheeler:really happy to see the level of engagement that can happen when
Patrick Wheeler:you bring in atypical profiles into cybersecurity. And then
Patrick Wheeler:these people also can often be champions of the business and
Patrick Wheeler:understand the business better. And one of the primary sponsors
Patrick Wheeler:of this effort was the chief security officer of Swift, which
Patrick Wheeler:is the large banking network. And his comment that we quote
Patrick Wheeler:regularly, and I've never found a better one is that, you know,
Patrick Wheeler:it's easier, it's often easier for me to train one of my
Patrick Wheeler:business people how to do cybersecurity, than it is to
Patrick Wheeler:train a cybersecurity professional how my business
Patrick Wheeler:works. And I looked at his challenges. And this is actually
Patrick Wheeler:very true, because they're a very important
Patrick Wheeler:organization. And they hire people from the cybersecurity
Patrick Wheeler:industry, but they're a very complex organization. And what
Patrick Wheeler:they do is quite unique. And then often the cybersecurity
Patrick Wheeler:professional, gains that experience and then leaves the
Patrick Wheeler:organization. The people that he sponsored through our program
Patrick Wheeler:have actually stayed with the organization much, much longer
Patrick Wheeler:than other people. And also, I argue has had a great impact
Patrick Wheeler:because they understood the business first, before they
Patrick Wheeler:layered on the cybersecurity discussion.
Dr. Dave Chatterjee:I'd like to add something to that that's so
Dr. Dave Chatterjee:true. Business first, awareness of the business is as important
Dr. Dave Chatterjee:as awareness of the cybersecurity skills. I'd like
Dr. Dave Chatterjee:to share a few things with the listeners, one of my guests, who
Dr. Dave Chatterjee:is a CISO in a major educational institution. When I asked him,
Dr. Dave Chatterjee:What's the success factor, he said, I have to keep reminding
Dr. Dave Chatterjee:myself, that my organization is not about cybersecurity. It's
Dr. Dave Chatterjee:about research, teaching, service. And I have to make sure
Dr. Dave Chatterjee:that they can continue with their mission, with their
Dr. Dave Chatterjee:activities in as secure a manner as possible. The second thing I
Dr. Dave Chatterjee:want to say Patrick, and I'm going to be sharing this podcast
Dr. Dave Chatterjee:with my students. Fortunately, in the program that I teach at
Dr. Dave Chatterjee:Duke University, we attract people from different
Dr. Dave Chatterjee:disciplines. And they would love to hear what you just said, that
Dr. Dave Chatterjee:you don't have to be from a very traditional technical program to
Dr. Dave Chatterjee:thrive in this field, you can come from different backgrounds,
Dr. Dave Chatterjee:like I have somebody in the program. Her you know, her one
Dr. Dave Chatterjee:of her majors is in philosophy. I think there is another person
Dr. Dave Chatterjee:who has a background in communications. The third
Dr. Dave Chatterjee:student I can think of has a background in law. And talking
Dr. Dave Chatterjee:about communications. Another of my guests recently, who was a
Dr. Dave Chatterjee:former journalist now is a Cybersecurity Communications
Dr. Dave Chatterjee:analyst at a major corporation, he made a very interesting
Dr. Dave Chatterjee:statement. He said, Dave, you know these cybersecurity
Dr. Dave Chatterjee:specialists, these technical people, often the technical
Dr. Dave Chatterjee:knowledge is a real curse to them, they have a hard time
Dr. Dave Chatterjee:relating to what or to how the non-technical people perceive or
Dr. Dave Chatterjee:understand them. So for them to be able to communicate in a
Dr. Dave Chatterjee:manner and fashion that is intelligible across the
Dr. Dave Chatterjee:organization can be quite the challenge. So bringing in
Dr. Dave Chatterjee:somebody who has expertise in communication, and then teaching
Dr. Dave Chatterjee:that person, you know, the relevant cybersecurity subject
Dr. Dave Chatterjee:areas, issues, and of course, the overall business context. That
Dr. Dave Chatterjee:might be a better way of preparing a person for a certain
Dr. Dave Chatterjee:type of cybersecurity job that doesn't involve being in the
Dr. Dave Chatterjee:trenches, and thwarting attacks, which is very important. Don't
Dr. Dave Chatterjee:get me wrong. I just want to emphasize that. But then there
Dr. Dave Chatterjee:are different roles, which require different skill sets. So
Dr. Dave Chatterjee:the thinking out there often is that cybersecurity belongs in
Dr. Dave Chatterjee:the technology domain, belongs to the technical people. That's not
Dr. Dave Chatterjee:quite true. We have to approach cybersecurity from a holistic
Dr. Dave Chatterjee:perspective, we have to broaden the skill sets that they bring
Dr. Dave Chatterjee:in to deal with this challenge. So what you're saying is just so
Dr. Dave Chatterjee:good to hear. So please continue. I had to jump in to
Dr. Dave Chatterjee:share a few things.
Patrick Wheeler:Yeah, no, thank you for that. And indeed, that's
Patrick Wheeler:what we see in our program. And I love one of the discussions as
Patrick Wheeler:I was having this discussion inside the financial sector in
Patrick Wheeler:and one of my partners in Paris was a CISO over there. He said
Patrick Wheeler:to me, yeah, Patrick, that's really great. I mean, for
Patrick Wheeler:example, I have a PhD in opera. And I said, Oh, that's
Patrick Wheeler:wonderful. I'm going to share that with our students. So I
Patrick Wheeler:went up to his LinkedIn profile. And I called him back and I
Patrick Wheeler:said, Mark, your LinkedIn profile doesn't show that you
Patrick Wheeler:have a PhD in opera, he said, Yeah, I was embarrassed by that.
Patrick Wheeler:So I didn't put it in my professional profile. I'll fix
Patrick Wheeler:that for you. And I love this discussion, because he actually
Patrick Wheeler:went and fixed it. And I was able to share that with our
Patrick Wheeler:students. And if you look at the discipline that would take to
Patrick Wheeler:get a PhD in opera, the amount of work that goes into this type
Patrick Wheeler:of stuff, the amount of work that goes into passing the bar
Patrick Wheeler:exam, if you become a lawyer, and all of these types of
Patrick Wheeler:things. That very much is an academic preparation. But I also
Patrick Wheeler:love the success of people who don't have these academic
Patrick Wheeler:preparations. Oh, one of our students whom I'm terribly proud
Patrick Wheeler:of, she came out of the German educational system, where she
Patrick Wheeler:was sidelined very early in her life, and basically sent to
Patrick Wheeler:trade school and said, you'll never amount to anything. One of
Patrick Wheeler:our other success stories was a young lady of African descent in
Patrick Wheeler:Belgium, who there's a problem in our educational system, where
Patrick Wheeler:we like to sideline people like the US, and she was told to be a
Patrick Wheeler:hairdresser. And she absolutely refused and continued her
Patrick Wheeler:educational track. But at the end, was looking at possibly
Patrick Wheeler:working in a museum because that was about the only role that she
Patrick Wheeler:could actually find in the workforce. She now does identity
Patrick Wheeler:and access management for one of my major financial partners. And
Patrick Wheeler:time and time again, we see this type of success, irrespective of
Patrick Wheeler:early academic achievement. And we see this for people who
Patrick Wheeler:don't do well, early in academia, they can actually
Patrick Wheeler:change their lives significantly. And I especially
Patrick Wheeler:love working with people much later in their careers. But I
Patrick Wheeler:also really liked what you had to say about cybersecurity
Patrick Wheeler:practitioners, alienating the business or not communicating
Patrick Wheeler:well. And I have an analogy here where I like to say that we are
Patrick Wheeler:very much thingist, it's about the thing, it's about the
Patrick Wheeler:cyber thing. And it's all about right, and we have to do the
Patrick Wheeler:right thing. And as a technologist, we're very good at
Patrick Wheeler:doing things. And absolutely we desperately need our
Patrick Wheeler:technologists, when you're trying to make sure your
Patrick Wheeler:everything is patched, when you're trying to make sure your
Patrick Wheeler:network is running properly. When you're trying to
Patrick Wheeler:deal with an incident, we need these technical resources to do
Patrick Wheeler:things for us. But also when we look at our longer term
Patrick Wheeler:cybersecurity objectives, we need project managers and
Patrick Wheeler:program managers who understand cybersecurity, but also
Patrick Wheeler:understand how to get things done, hopefully, on time, on
Patrick Wheeler:budget, and in scope. It used to be if you get two out of three,
Patrick Wheeler:I think these days, it's one out of three. But you know, if
Patrick Wheeler:we're getting one of those three, then it's also not
Patrick Wheeler:too bad in some cyber teams. We also need architects or threat
Patrick Wheeler:hunters, you know, people who understand the external
Patrick Wheeler:perspective, because a lot of times when we look inside, we're
Patrick Wheeler:just patching. We're doing the rote activities that we're told
Patrick Wheeler:by the control framework to do. But we also need to have that
Patrick Wheeler:external threat perspective. So we need to get the right things
Patrick Wheeler:done. And then the other component we need to add into
Patrick Wheeler:that is business perspective. We need to get the right things
Patrick Wheeler:done for my business. And this is one of the things I've been
Patrick Wheeler:trying hard to keep expressing again and again to cybersecurity
Patrick Wheeler:practitioners. And I put it under the rubric of politics.
Patrick Wheeler:And people don't like office politics, they don't like to be
Patrick Wheeler:said you have to become a better politician. But the argument I
Patrick Wheeler:have instead of doing technical things, getting things done,
Patrick Wheeler:getting the right things done, actually don't matter if I
Patrick Wheeler:alienate my business at the same time. And I've seen this time
Patrick Wheeler:and time again with what we call strong CISOs. And I've talked to
Patrick Wheeler:some people who come out of the military and I try to
Patrick Wheeler:caution them on what I call the colonel syndrome, which is you
Patrick Wheeler:come in, you have an objective, you know what you have to do,
Patrick Wheeler:and you do a damn fine job of it. And then you totally
Patrick Wheeler:alienate your business and they fire you. And then you're
Patrick Wheeler:replacing a CFO every three years to three months. And a lot
Patrick Wheeler:of the
Dr. Dave Chatterjee:Patrick, I have to add something there, it
Dr. Dave Chatterjee:brings back a memory of when I was in corporate, a senior
Dr. Dave Chatterjee:executive gave me a great piece of advice. And you know how life
Dr. Dave Chatterjee:is, you hear things, and I'm becoming more and more convinced
Dr. Dave Chatterjee:that you hear things or you're told things for a reason.
Dr. Dave Chatterjee:Because ultimately, it comes back to you. And here we have an
Dr. Dave Chatterjee:opportunity to validate what was shared with me long time ago.
Dr. Dave Chatterjee:The gentleman said, "Dave when you join an organization, don't
Dr. Dave Chatterjee:give them the impression that here I come, I'm going to change
Dr. Dave Chatterjee:everything up, I know what's good, you all need to follow my
Dr. Dave Chatterjee:approach, that's going to be the worst thing that you can do,
Dr. Dave Chatterjee:because before you know it, you'll be kicked out or you'll
Dr. Dave Chatterjee:be sidelined. And you'll have no effect." And this is so
Dr. Dave Chatterjee:consistent with what you just shared about a CISO taking on
Dr. Dave Chatterjee:the role, making sure they connect well with the other C-level
Dr. Dave Chatterjee:executives, to connect well across functions. So they can
Dr. Dave Chatterjee:truly become an enabler, a strategic enabler, as opposed to
Dr. Dave Chatterjee:becoming known as a person who is always going to put up a
Dr. Dave Chatterjee:hurdle or will always say why a certain initiative cannot be
Dr. Dave Chatterjee:done because of these kinds of risks. So to develop that
Dr. Dave Chatterjee:persona, that friendly persona, that a person or somebody who
Dr. Dave Chatterjee:informs who educates, who tries to find pathways to the business
Dr. Dave Chatterjee:can do what they need to do without digging a huge hole.
Dr. Dave Chatterjee:That's the kind of savvy that happens with experience.
Dr. Dave Chatterjee:But that also requires training in the softer skill sets,
Dr. Dave Chatterjee:whether it's interpersonal skills, whether it's
Dr. Dave Chatterjee:communication skills, whether it's the ability to deal with
Dr. Dave Chatterjee:cyber trauma-like scenarios. So there are so many skills that
Dr. Dave Chatterjee:are at play here. And I'm so glad you touched upon these
Dr. Dave Chatterjee:many, many skills, because people who will be who are
Dr. Dave Chatterjee:listening to this podcast, and are wondering whether
Dr. Dave Chatterjee:cybersecurity is really a field for them, given their
Dr. Dave Chatterjee:background, given their experience. I'm sure you will
Dr. Dave Chatterjee:agree with me that, absolutely, if you have the passion, if you
Dr. Dave Chatterjee:have the interest, if you have the curiosity, there is no
Dr. Dave Chatterjee:reason why you shouldn't jump in and explore where you would be a
Dr. Dave Chatterjee:great fit. But anyhow, Patrick, we are running out of time. So
Dr. Dave Chatterjee:I'd like to give you the opportunity to wrap it up for us
Dr. Dave Chatterjee:here.
Patrick Wheeler:Okay, so exactly what you said, do jump
Patrick Wheeler:in and do explore this. The end. The other thing is you don't
Patrick Wheeler:have to be perfect from day zero. And this is the thing
Patrick Wheeler:advice I give to newcomers, but also to professionals. When
Patrick Wheeler:we're looking at dealing with the executives, I
Patrick Wheeler:say, let them see you sweat. Let them see you working. Let them
Patrick Wheeler:see your passion for what you're doing. Even if they disagree
Patrick Wheeler:with you, even if they shut you down, communicate honestly with
Patrick Wheeler:them that you're passionate about what you're doing that
Patrick Wheeler:you're passionate about learning, you're passionate
Patrick Wheeler:about protecting the organization. And I've seen this
Patrick Wheeler:work time and time again, where we really care to see our
Patrick Wheeler:colleagues care about what they're doing. And if you can
Patrick Wheeler:get this passion for yourself. Please join cybersecurity
Patrick Wheeler:because we need people who are passionate about it. If you're
Patrick Wheeler:losing your passion, try to find it again. Because we need people
Patrick Wheeler:not to leave. We've got far too many people leaving. And then
Patrick Wheeler:this thing about continually training ourselves
Patrick Wheeler:and working with empathizing with our partners is just so so
Patrick Wheeler:important. And this is something I had to work on myself, this
Patrick Wheeler:empathy didn't come naturally. And so we can indeed train
Patrick Wheeler:ourselves to be more empathetic. I'm a fan of the design thinking
Patrick Wheeler:methodology. I'm a fan of looking really deeply at the
Patrick Wheeler:people and try to put myself in their feet to understand why
Patrick Wheeler:they're making the decisions they are so I can be a better
Patrick Wheeler:influencer in this context. So please, Dave, keep up the good
Patrick Wheeler:work, bring new resources in, we desperately need them. And thank
Patrick Wheeler:you for this opportunity.
Dr. Dave Chatterjee:Thank you, Patrick. That was great. I look
Dr. Dave Chatterjee:forward to having such conversations with you in the
Dr. Dave Chatterjee:near future. Thank you.
Patrick Wheeler:Okay, until soon.
Dr. Dave Chatterjee:A special thanks to Patrick Wheeler for
Dr. Dave Chatterjee:his time and insights. If you like what you heard, please
Dr. Dave Chatterjee:leave the podcast a rating and share it with your network. Also
Dr. Dave Chatterjee:subscribe to the show, so you don't miss any new episodes.
Dr. Dave Chatterjee:Thank you for listening, and I'll see you in the next
Dr. Dave Chatterjee:episode.
Introducer:The information contained in this podcast is for
Introducer:general guidance only. The discussants assume no
Introducer:responsibility or liability for any errors or omissions in the
Introducer:content of this podcast. The information contained in this
Introducer:podcast is provided on an as-is basis with no guarantee of
Introducer:completeness, accuracy, usefulness, or timeliness. The
Introducer:opinions and recommendations expressed in this podcast are
Introducer:those of the discussants and not of any organization