Episode 21

Dealing with Cyber Trauma

The phenomenon of cyber trauma is very real and individuals and organizations are often not adequately prepared to deal with it. Patrick Wheeler, a Luxembourg-based cybersecurity practitioner and Director of the Cyber Wayfinder program, shares his experience in dealing with cyber trauma incidents. He also talks about the Cyber Wayfinder program that is designed to help people with diverse life experiences and skillsets pivot to cybersecurity careers. Patrick passionately argues for removing the artificial barriers to attract a diverse cybersecurity talent pool. To quote him, "why is it that everyone says you have to be a STEM graduate to work in cybersecurity, some of my best colleagues and peers do not have a STEM degree. One of the best cryptographers I know has a degree in international business."

To access and download the entire podcast summary with discussion highlights --

https://www.dchatte.com/episode-21-dealing-with-cyber-trauma/


Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Transcript
Introducer:

Welcome to the Cybersecurity Readiness Podcast

Introducer:

Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of

Cybersecurity Readiness:

A Holistic and High-Performance

Cybersecurity Readiness:

Approach. He has been studying cybersecurity for over a decade,

Cybersecurity Readiness:

authored and edited scholarly papers, delivered talks,

Cybersecurity Readiness:

conducted webinars, consulted with companies, and served on a

Cybersecurity Readiness:

cybersecurity SWAT team with Chief Information Security

Cybersecurity Readiness:

officers. Dr. Chatterjee is an Associate Professor of

Cybersecurity Readiness:

Management Information Systems at the Terry College of

Cybersecurity Readiness:

Business, the University of Georgia, and Visiting Professor

Cybersecurity Readiness:

at Duke University's Pratt School of Engineering.

Dr. Dave Chatterjee:

Hello, everyone, I'm delighted to

Dr. Dave Chatterjee:

welcome you to this episode of the Cybersecurity Readiness

Dr. Dave Chatterjee:

Podcast Series. Today, I'll be talking with Patrick Wheeler,

Dr. Dave Chatterjee:

who's joining us from Luxembourg. Patrick wears many

Dr. Dave Chatterjee:

hats in the field of cybersecurity. He's a

Dr. Dave Chatterjee:

cybersecurity innovator, educator, mentor, practitioner,

Dr. Dave Chatterjee:

and architect. A few of his professional highlights include

Dr. Dave Chatterjee:

executive leader of transformative security

Dr. Dave Chatterjee:

initiatives, building Next-Gen cyber solutions, driving

Dr. Dave Chatterjee:

professional development of cyber executives, and rethinking

Dr. Dave Chatterjee:

traditional cybersecurity approaches. So it's truly an

Dr. Dave Chatterjee:

honor and a pleasure to welcome Patrick to the show. Patrick,

Dr. Dave Chatterjee:

welcome.

Patrick Wheeler:

Thank you, Dave. It's a pleasure to be

Patrick Wheeler:

here.

Dr. Dave Chatterjee:

So when we were having our planning

Dr. Dave Chatterjee:

meeting, Patrick, I was intrigued to learn about the

Dr. Dave Chatterjee:

cyber trauma phenomenon. Over the last several years, I've

Dr. Dave Chatterjee:

been working in this area, nobody quite highlighted that

Dr. Dave Chatterjee:

challenge, that issue, quite like you did. So I'd like to

Dr. Dave Chatterjee:

start with that topic. And then we can move on to others. So

Dr. Dave Chatterjee:

please introduce the cyber trauma to the listeners. And

Dr. Dave Chatterjee:

let's take it from there.

Patrick Wheeler:

Okay, well, with pleasure. The the concept

Patrick Wheeler:

of cyber trauma is one that I'm still struggling with, as to how

Patrick Wheeler:

to best apply it. And there are people who are critical about

Patrick Wheeler:

using it in this context. But I think when we look at analogies,

Patrick Wheeler:

it's it's a very powerful and useful analogy. And it came to

Patrick Wheeler:

me in part because a few years ago, I started looking at why it

Patrick Wheeler:

was that so many of my large customers were paying ransomware

Patrick Wheeler:

ransoms to to recover their data, when all of the

Patrick Wheeler:

cybersecurity practitioners were screaming up and down, don't

Patrick Wheeler:

pay, don't pay, don't pay. And I had the opportunity to work with

Patrick Wheeler:

some of my corporate communications people. And I was

Patrick Wheeler:

giving a presentation in Copenhagen. And I wanted to talk

Patrick Wheeler:

about the situation that had occurred with Maersk. And we all

Patrick Wheeler:

know the Maersk situation, one of the early Russian cyber

Patrick Wheeler:

attacks against the Ukraine that had gotten out of control and

Patrick Wheeler:

had seized up one of the world's largest shipping company's

Patrick Wheeler:

computers. And initially, my people were very hesitant to

Patrick Wheeler:

allow me to talk about it because he said, Well, Maersk is

Patrick Wheeler:

one of our customers. You can't talk about that. You just we

Patrick Wheeler:

know. And I said no. Please listen, you have to understand

Patrick Wheeler:

what I'm going to say about Maersk. And they did allow me to

Patrick Wheeler:

get up there and speak in front of a bunch of financial

Patrick Wheeler:

professionals, not cybersecurity professionals. This is at a

Patrick Wheeler:

financial conference. And I said, Maersk did everything

Patrick Wheeler:

right. When this unexpected event happened to them, they

Patrick Wheeler:

didn't hide, they didn't obfuscate, they didn't lie about

Patrick Wheeler:

what was going on. They also didn't overshare, they said

Patrick Wheeler:

basically to the industry -- Listen, something really bad has

Patrick Wheeler:

happened. We're working like heck to try to recover from it.

Patrick Wheeler:

Please be patient with us while we go through this very

Patrick Wheeler:

traumatic time. They didn't use the word trauma at that time.

Patrick Wheeler:

But after this event, a lady came up to me. And she had a

Patrick Wheeler:

very interesting conversation with me. And the thing that she

Patrick Wheeler:

said that really struck and stayed with me. As she said,

Patrick Wheeler:

Patrick, it meant so much to me, to hear from you a respected

Patrick Wheeler:

person in the industry, my bank effectively that we didn't do

Patrick Wheeler:

anything wrong, because I cannot even describe to you the feeling

Patrick Wheeler:

of helplessness as I sat at my desk, and stared at the computer

Patrick Wheeler:

screen, and there was absolutely nothing I could do. And the

Patrick Wheeler:

reason this stuck with me quite so much just as I was

Patrick Wheeler:

empathizing with her and putting myself in her shoes. This is a

Patrick Wheeler:

person who is in charge of the financial Treasury Department of

Patrick Wheeler:

Maersk at that time. She since moved on. Oh, but she had

Patrick Wheeler:

responsibilities, tremendous responsibilities to ships at

Patrick Wheeler:

sea, to vendors, to partners, she knew that if she couldn't

Patrick Wheeler:

make her payments, that salaries wouldn't get paid, the ships

Patrick Wheeler:

couldn't get offloaded, that critical business functions

Patrick Wheeler:

weren't going to happen. And that was a very emotionally

Patrick Wheeler:

fraught incident for her. And it was also quite interesting when

Patrick Wheeler:

you read later on some of the best analyses that came out of

Patrick Wheeler:

the the Maersk incident, how well Maersk handled this. But

Patrick Wheeler:

then also the fact that we don't talk about it so much. And

Patrick Wheeler:

everyone is terribly afraid to talk about these types of

Patrick Wheeler:

events. And as I was listening to her, I was also quite struck

Patrick Wheeler:

with the the similarities to people talking to me about

Patrick Wheeler:

traumatic events in their lives that have happened in other

Patrick Wheeler:

contexts. There was another discussion that I had with some

Patrick Wheeler:

people that was perhaps a little bit more lighthearted, that also

Patrick Wheeler:

made me think about these. And it had to do with taking

Patrick Wheeler:

executives through cyber exercises, Cyber Range

Patrick Wheeler:

scenarios. So like the X Force truck that was running through

Patrick Wheeler:

Europe a couple years ago. And they would talk about taking a

Patrick Wheeler:

bunch of business executives, through a critically destructive

Patrick Wheeler:

cybersecurity incident, modeled one in this case, and basically

Patrick Wheeler:

them leaving the trailer being completely white, shaking, and,

Patrick Wheeler:

you know, completely destroyed emotionally. And I was really

Patrick Wheeler:

looking at the saying, what is it that we're doing that is

Patrick Wheeler:

causing people to have such an aversion to what we're doing?

Patrick Wheeler:

And to use terminology that sounds like this around trauma?

Patrick Wheeler:

So I started talking to some people around this, and I asked

Patrick Wheeler:

them, you know, what is it that is that around this idea that is

Patrick Wheeler:

so powerful, and it was actually a friend of mine who works out

Patrick Wheeler:

of Finland who gave me one of the best analogies that I can

Patrick Wheeler:

think of, and we were talking about EMDR, which is something

Patrick Wheeler:

Eye Movement Desensitization and Reprocessing therapy that's

Patrick Wheeler:

often used in military persons who have gone through quite

Patrick Wheeler:

significant amounts of physical trauma. And what she was

Patrick Wheeler:

describing was, you know, when a car almost runs you over, the

Patrick Wheeler:

traumatic event isn't necessarily the car running you

Patrick Wheeler:

over, it's the sense of, I'm not in control of the situation. Bad

Patrick Wheeler:

things have happened to me, because I'm unworthy. And the

Patrick Wheeler:

sense that we should be in control, and especially in

Patrick Wheeler:

critically destructive cyber incidents, we have an

Patrick Wheeler:

expectation that we're supposed to be in control. That's a lot

Patrick Wheeler:

of what we I mean, a lot of our languages in cybersecurity is

Patrick Wheeler:

all about control. And I kept exploring this analogy, and I

Patrick Wheeler:

was looking at our sense of corporate identity. And the fact

Patrick Wheeler:

that we have so much group adhesion that we do, we actually

Patrick Wheeler:

have people who are specialized in our human resources

Patrick Wheeler:

departments to make us connected to our corporations. And when

Patrick Wheeler:

our corporation suffers a critical cyber incident, that

Patrick Wheeler:

actually does have a psychological impact, not just

Patrick Wheeler:

on the cybersecurity practitioners, but actually on

Patrick Wheeler:

the staff themselves. And this is something that as I looked

Patrick Wheeler:

into it, I think there's been a not enough but a fair body of

Patrick Wheeler:

work done around the trauma that cyber incident responders go

Patrick Wheeler:

through. And if you look up to look this up, you see, this is

Patrick Wheeler:

indeed a part of a reason why we end up having a lot of people

Patrick Wheeler:

leaving our incident response teams. And I will personally

Patrick Wheeler:

attest to this, I used to sit right next to one of the most

Patrick Wheeler:

amazing Incident Response managers I've ever had the

Patrick Wheeler:

pleasure to work with. And sometimes he would come out of

Patrick Wheeler:

the room just, you know, the the incident room, just bone white

Patrick Wheeler:

and sweating. And then he would do this day after day, and you

Patrick Wheeler:

could see the type of psychological toll this was

Patrick Wheeler:

taking on him. And, and this is something we also need to do a

Patrick Wheeler:

better job of, but what I was really struck by is, you know,

Patrick Wheeler:

what is the impact on cybersecurity incidents that we

Patrick Wheeler:

keep hidden from our employees, even though we know they've

Patrick Wheeler:

happened. Um, and this was also one of the things when you look

Patrick Wheeler:

at trauma, where we talk about, we don't want to silence it to

Patrick Wheeler:

death. When you have personal trauma, everything that's pushed

Patrick Wheeler:

into into a closet just grows and tends to repeat itself. In a

Patrick Wheeler:

corporate cyber incident, we rush to recover from it, and

Patrick Wheeler:

then we tend to try very hard to forget about it. And indeed, we

Patrick Wheeler:

don't like to talk about it all that much, especially in certain

Patrick Wheeler:

sectors, sectors where I predominantly work in heavy

Patrick Wheeler:

infrastructure and financial services. We definitely don't

Patrick Wheeler:

want to talk about it because we're incredibly embarrassed by

Patrick Wheeler:

these types of things. I was doing some work with some

Patrick Wheeler:

hostage negotiators. These are people who work with the United

Patrick Wheeler:

Nations. They do critical incident handling for police

Patrick Wheeler:

forces nationwide. They do some some very interesting work in

Patrick Wheeler:

critical incidents to. And they provided me the the manual on

Patrick Wheeler:

countering kidnapping and extortion from the United

Patrick Wheeler:

Nations Office of Counterterrorism. And they

Patrick Wheeler:

talked about how, when you have people coming out of a critical

Patrick Wheeler:

incident like this, you want to be able to offer them

Patrick Wheeler:

specialized psychological support for hostages for the

Patrick Wheeler:

family that have gone through these types of critical

Patrick Wheeler:

incidents. But they had a critical mention in here, which

Patrick Wheeler:

is often people don't want this type of support initially.

Patrick Wheeler:

Initially, we refuse the label of traumatized or victim, we

Patrick Wheeler:

very quickly want to revert ourselves to norm, we want to

Patrick Wheeler:

get back to our regular lives. And this also, I think, is

Patrick Wheeler:

something that we do in cybersecurity as well. And so we

Patrick Wheeler:

tend to over overload and quickly brush under the rug this

Patrick Wheeler:

type of cybersecurity traumatic incident, we focus it as an IT

Patrick Wheeler:

problem, even though we all argue in cybersecurity, it's a

Patrick Wheeler:

it's a business problem. But then we actually don't talk to

Patrick Wheeler:

our business partners about what happened and how we can do

Patrick Wheeler:

better about it. So this is what I one of the things that I've

Patrick Wheeler:

really been working on trying to figure out how can we break this

Patrick Wheeler:

down?

Dr. Dave Chatterjee:

This is such an important topic. And I'm

Dr. Dave Chatterjee:

surprised that like you said, it's not talked about enough. I

Dr. Dave Chatterjee:

haven't heard anything about dealing with or providing people

Dr. Dave Chatterjee:

with training to deal with cyber trauma. What are some resources

Dr. Dave Chatterjee:

that listeners could leverage to get the right kind of training?

Dr. Dave Chatterjee:

Do you have any suggestions for the listeners?

Patrick Wheeler:

Well, there's not a lot out there right now,

Patrick Wheeler:

particularly around cyber trauma, or digital trauma, one

Patrick Wheeler:

of the things that we do see is, there's some very good work that

Patrick Wheeler:

is happening in intimate partner digital violence. Now, this is

Patrick Wheeler:

another form of cyber trauma, if you will, less of a corporate

Patrick Wheeler:

form and more of a personal form. But there's actually some

Patrick Wheeler:

really good PDFs if you if you look up intimate partner

Patrick Wheeler:

violence, digital, you'll you'll find some some really

Patrick Wheeler:

interesting discussions around this. The best things, the best

Patrick Wheeler:

materials I've found so far, are actually out of the trauma

Patrick Wheeler:

industry. And this is a psychological industry. So this

Patrick Wheeler:

is something like the Body Keeps the Score by Bessel Vander Kolk,

Patrick Wheeler:

which is a quite an interesting book around trauma. I personally

Patrick Wheeler:

find the EMDR, something that speaks to me a great deal,

Patrick Wheeler:

because it talks about how we can practically deal with some

Patrick Wheeler:

of these things. And what we have to do then is we have to

Patrick Wheeler:

transpose these into the corporate context. And the thing

Patrick Wheeler:

I would say is that when we're looking at cyberculture, there's

Patrick Wheeler:

a huge amount of blame gaming that goes on or victim blaming

Patrick Wheeler:

that happens. The first thing we tell people is don't click on

Patrick Wheeler:

that link. One of the analogies I like to use is that one of the

Patrick Wheeler:

worst cyber attacks I ever went through, started with someone

Patrick Wheeler:

clicking on an opening link. And she did everything perfect that

Patrick Wheeler:

day. Because the link that she opened was one that she was

Patrick Wheeler:

supposed to receive every single day from that business partner.

Patrick Wheeler:

She opened the link, it didn't behave properly. The first thing

Patrick Wheeler:

she did is she called her business partner at a at a

Patrick Wheeler:

fellow bank across town and said, Hey, that that file you

Patrick Wheeler:

sent me today didn't work. And he said, Oh, don't open that

Patrick Wheeler:

file. I've been compromised. My security people are here. I hope

Patrick Wheeler:

you're okay. Now, I loved the the psychological dissonance in

Patrick Wheeler:

what he just said in that. First off, she's calling to say that

Patrick Wheeler:

the file didn't behave properly. And he says don't open it. Well,

Patrick Wheeler:

of course, she tried to open it if it didn't behave properly.

Patrick Wheeler:

And then he says, you know, I'm under attack, or I've been

Patrick Wheeler:

compromised. I hope you're okay.

Patrick Wheeler:

So I just found that that's such a compelling discussion about

Patrick Wheeler:

how the human brain reacts under crisis. We're humans. And when

Patrick Wheeler:

this happens that this is just normal. Um, so the person did

Patrick Wheeler:

her third, perfect thing that day -- she picked up the phone,

Patrick Wheeler:

and she called me. And I was in charge of the cybersecurity for

Patrick Wheeler:

that team. And that turned our dwell time, the amount of time

Patrick Wheeler:

the attacker existed on our network, down from the months or

Patrick Wheeler:

weeks that it might have been down to about five minutes. And

Patrick Wheeler:

so the fact that she a) opened the link, b) called the partner

Patrick Wheeler:

and c) called me, was actually quite perfect. And so many of

Patrick Wheeler:

our business processes depend on our employees doing things that

Patrick Wheeler:

we tell them not to do. And then we try to blame them. And

Patrick Wheeler:

indeed, our head of operations wanted to blame this lady for

Patrick Wheeler:

opening that file. Because indeed, he had received the

Patrick Wheeler:

message through all of the standard awareness trainings,

Patrick Wheeler:

tell people not to click on the links. And so he wanted to

Patrick Wheeler:

immediately kick off a phishing campaign, get human resources

Patrick Wheeler:

all over anyone who clicked on the phishing campaign, and if

Patrick Wheeler:

there was a person who clicked on it three times, my God, they

Patrick Wheeler:

were going to be fired. And I looked at this as a complete

Patrick Wheeler:

horror of a way in which we could damage our cyber culture

Patrick Wheeler:

such that someone would not call me. And so when we look at how

Patrick Wheeler:

can we transpose this discussion, first off, we need

Patrick Wheeler:

to change our narrative around how do we work with our

Patrick Wheeler:

employees, and we need to engage them so very much more. And we

Patrick Wheeler:

need to have our narrative not about don't click on the link,

Patrick Wheeler:

but about being responsive. And when people do respond

Patrick Wheeler:

appropriately, we need to reward them. One of the things that I

Patrick Wheeler:

was most proud of in this incident is I actually gave this

Patrick Wheeler:

lady a very public award for having done those three perfect

Patrick Wheeler:

things that day. And having cut my dwell time down. This took

Patrick Wheeler:

the rumor mill, which said, hey, this person clicked on a link,

Patrick Wheeler:

and change that narrative entirely to say, hey, this

Patrick Wheeler:

person called Security immediately after doing her job,

Patrick Wheeler:

when something went wrong, she saw it fast. And so this is one

Patrick Wheeler:

of the first things we need to do. The other one is that

Patrick Wheeler:

actually, after an incident occurs, we do need to deal with

Patrick Wheeler:

this thing internally, we do need to communicate. And this

Patrick Wheeler:

needs to be an honest communication. We all know the

Patrick Wheeler:

kind of BS communication, the announcement that comes out on

Patrick Wheeler:

Friday, the fact that you know that we underplay it. One of the

Patrick Wheeler:

one of the things that I really appreciated a few years back was

Patrick Wheeler:

the story about the RSA hack. This was written in wired in mid

Patrick Wheeler:

2021, the full story of the RSA tech attack can finally be told

Patrick Wheeler:

this was when China broke into RSA, which handles a lot of the

Patrick Wheeler:

two factor authentication. And 10 years later, as they're

Patrick Wheeler:

quoting people, the language that the people were still using

Patrick Wheeler:

was the language of trauma. This is an extinction event, RSA is

Patrick Wheeler:

over. I made sure that all members of the team, I don't

Patrick Wheeler:

care who they were, what reputation, they were

Patrick Wheeler:

investigated, because you had to be sure that it wasn't an

Patrick Wheeler:

internal attack. And the way RSA handled the attack and dribs and

Patrick Wheeler:

drabs dissembling to their customers, and I was one of

Patrick Wheeler:

their customers. And I received the message from RSA saying, Oh,

Patrick Wheeler:

we're certain that the the seeds have not been compromised. And

Patrick Wheeler:

we're all sitting on the other end of this telephone long going

Patrick Wheeler:

BS. We all know this type of corporate BS when we hear it, we

Patrick Wheeler:

knew it when we heard it. It was a fig leaf at the very best, but

Patrick Wheeler:

the people inside who were forced to lie to their

Patrick Wheeler:

customers. That was a traumatic event to them. They were they

Patrick Wheeler:

were put in a compromising situation. And you could see in

Patrick Wheeler:

this Wired article 10 years later, they were still

Patrick Wheeler:

struggling with it. So number one, in dealing with an

Patrick Wheeler:

incident, we need to not place our employees in impossible

Patrick Wheeler:

situations, we need to communicate like Maersk

Patrick Wheeler:

communicated about their incident. But also, I don't want

Patrick Wheeler:

to say that that Maersk couldn't have done better. I mean, we can

Patrick Wheeler:

all do better. The thing that I think is really critical for us

Patrick Wheeler:

is that post incident communication, and to have that

Patrick Wheeler:

be authentic and genuine. Not just from the executives, we

Patrick Wheeler:

expect to hear from the executives, but actually bring

Patrick Wheeler:

in external people. And do this not just directly after the

Patrick Wheeler:

incident, but bring people in a little while afterwards, after

Patrick Wheeler:

things have settled down a little bit. And we can talk

Patrick Wheeler:

about it and have some discussions and some sharing

Patrick Wheeler:

sessions around these. This is something again, not seeing

Patrick Wheeler:

happening. But this

Dr. Dave Chatterjee:

Yeah, if I can chime in here, you've been

Dr. Dave Chatterjee:

sharing some very interesting and useful perspectives. One of

Dr. Dave Chatterjee:

the things that's that's coming through in your narrative is the

Dr. Dave Chatterjee:

importance of, of honest communication. There's a lot of

Dr. Dave Chatterjee:

best practices out there about or recommendations about

Dr. Dave Chatterjee:

customized communication, targeted communication. But I

Dr. Dave Chatterjee:

think we need to emphasize the importance of honest

Dr. Dave Chatterjee:

communication. And also the need to create an environment, a

Dr. Dave Chatterjee:

friendly environment, where people can speak up and just

Dr. Dave Chatterjee:

admit and say, Hey, I did click on the link, but I'm at least

Dr. Dave Chatterjee:

informing you right away, so you can take necessary action.

Dr. Dave Chatterjee:

That's better than just going silent, recognizing that I made

Dr. Dave Chatterjee:

a mistake, and now if I fess up to it, there are consequences.

Dr. Dave Chatterjee:

So I really like this approach and this syncs well, with the

Dr. Dave Chatterjee:

mindset out there. You know, I've been speaking to many

Dr. Dave Chatterjee:

companies. about their cybersecurity training

Dr. Dave Chatterjee:

approaches. And the good news is, the mindset is not about

Dr. Dave Chatterjee:

firing people. It's all about nurturing, encouraging, to

Dr. Dave Chatterjee:

ensure the desired behavior. So that's very, very, that's a very

Dr. Dave Chatterjee:

healthy sign. But going back to once again to start dealing with

Dr. Dave Chatterjee:

cyber trauma, and you mentioned about the post mortem exercises,

Dr. Dave Chatterjee:

what should you be doing after the event? It begs the other

Dr. Dave Chatterjee:

question that when we engage in cybersecurity training, though,

Dr. Dave Chatterjee:

the word training these days is associated with very technical

Dr. Dave Chatterjee:

traditional controls based training, the emphasis on soft

Dr. Dave Chatterjee:

skills dealing with like you give an example about this boss,

Dr. Dave Chatterjee:

the belligerent boss, and the employee who had clicked on the

Dr. Dave Chatterjee:

link, was scared of the boss. And that led her to behave a

Dr. Dave Chatterjee:

certain way. She wasn't trained to deal with the situation

Dr. Dave Chatterjee:

appropriately. So Patrick speak to the importance of developing

Dr. Dave Chatterjee:

appropriate soft skills as part of cybersecurity training.

Patrick Wheeler:

Well, this is something that we've been

Patrick Wheeler:

working on a lot. And there's a couple of different ways to

Patrick Wheeler:

approach this. And one of the things that I've worked very

Patrick Wheeler:

hard on is to surround the cyber team with a fair amount of soft

Patrick Wheeler:

skills as well, but also to engage our business partners, so

Patrick Wheeler:

that they're closer to our cyber activities. One of the things

Patrick Wheeler:

that I found most impactful was to spin up a cyber master class.

Patrick Wheeler:

And this was a really interesting exercise where I

Patrick Wheeler:

would take my executives for two days in Paris, we would go into

Patrick Wheeler:

a locked room, and basically spend two days doing a deep dive

Patrick Wheeler:

on cybersecurity. Not in a in the type of attack room

Patrick Wheeler:

scenario. But really, you know, what does it mean for corporate

Patrick Wheeler:

entities? What are the incidents like? How are we supposed to

Patrick Wheeler:

deal with them? The goal here was to give our executives the

Patrick Wheeler:

ability to calmly control a cybersecurity discussion,

Patrick Wheeler:

whether it's during an incident or not during an incident. So

Patrick Wheeler:

this is one example of training that I found really, really

Patrick Wheeler:

impactful. And indeed, I do like the this, the switch that a lot

Patrick Wheeler:

of our people have been doing is away from awareness, and away

Patrick Wheeler:

from training and into awareness and engagement. And this

Patrick Wheeler:

masterclass was one of my first examples in really trying to

Patrick Wheeler:

engage quite at a deeper level. The other thing, of course, is

Patrick Wheeler:

to bring your cybersecurity practitioners in as trainers for

Patrick Wheeler:

this engagement as well. So you're, you're building a better

Patrick Wheeler:

rapport between between your people. Um, one of the other

Patrick Wheeler:

things that I've been working a lot on recently is, is how to

Patrick Wheeler:

attract and retain new types of skills. So there's a huge lack

Patrick Wheeler:

of diversity. We have a very a shortage of skills, and a lack

Patrick Wheeler:

of new entrants into cybersecurity. I work in some of

Patrick Wheeler:

the more traditional industries, and we suffer from recruitment

Patrick Wheeler:

problems. So we're not as hip and trendy and sexy as some of

Patrick Wheeler:

the fintechs or some of the other types of companies. And so

Patrick Wheeler:

we are challenged trying to find new people. And this was one of

Patrick Wheeler:

the things that started the other profile of mine, if you

Patrick Wheeler:

will, which is the Cyber Wayfinder program. And this is a

Patrick Wheeler:

program that is designed to take practitioners in other

Patrick Wheeler:

industries, whether they're in law, whether they are in IT

Patrick Wheeler:

administration, whether they're in governance, and basically

Patrick Wheeler:

pivot them into full time careers in cybersecurity. And

Patrick Wheeler:

this effort came through initially, in an effort, I was

Patrick Wheeler:

asked to present cybersecurity as a career to a group of young

Patrick Wheeler:

professionals who were working on gender and tech in

Patrick Wheeler:

Luxembourg. And I gave what I now characterize as one of the

Patrick Wheeler:

worst presentations of my professional career, and I've

Patrick Wheeler:

been asked to do a lot of presentations. So this is a

Patrick Wheeler:

really standout failure on my part. After the presentation, I

Patrick Wheeler:

got a lot of feedback saying thank you, sir, for taking time

Patrick Wheeler:

from your very important job to tell us about these very

Patrick Wheeler:

important topics. And then everyone ran away to talk to the

Patrick Wheeler:

person who had presented on WordPress that night. And so I

Patrick Wheeler:

really looked at this and said, What is it that we're doing in

Patrick Wheeler:

cybersecurity that is actually making us look unattractive to

Patrick Wheeler:

new entrants. And this is one of the things that the Cyber

Patrick Wheeler:

Wayfinder program is designed to do, which is to give people

Patrick Wheeler:

foundational knowledge to get them into cybersecurity careers.

Patrick Wheeler:

And the one thing I really, really love about this is it's

Patrick Wheeler:

exactly this. We're bringing people with different life

Patrick Wheeler:

experiences. So they're not just people like me, I consider

Patrick Wheeler:

myself someone who came through the wires. I was a sysadmin, I

Patrick Wheeler:

was an engineer, I was kind of a traditional cybersecurity

Patrick Wheeler:

profile, shall we say? And I absolutely love working with the

Patrick Wheeler:

people who are non STEM graduates. And this was one of

Patrick Wheeler:

the first discussions that I had around this. I said, Why is it

Patrick Wheeler:

that everyone says you have to be a STEM graduate to work in

Patrick Wheeler:

cybersecurity, some of my best colleagues and peers do not have

Patrick Wheeler:

a STEM degree. One of the best cryptographers I know, practical

Patrick Wheeler:

cryptography, has a degree in international business. You

Patrick Wheeler:

know, so why did we create this, this artificial barrier to entry

Patrick Wheeler:

for new people, but it didn't exist for us before.

Patrick Wheeler:

So so this is also one of the areas where I've been really,

Patrick Wheeler:

really happy to see the level of engagement that can happen when

Patrick Wheeler:

you bring in atypical profiles into cybersecurity. And then

Patrick Wheeler:

these people also can often be champions of the business and

Patrick Wheeler:

understand the business better. And one of the primary sponsors

Patrick Wheeler:

of this effort was the chief security officer of Swift, which

Patrick Wheeler:

is the large banking network. And his comment that we quote

Patrick Wheeler:

regularly, and I've never found a better one is that, you know,

Patrick Wheeler:

it's easier, it's often easier for me to train one of my

Patrick Wheeler:

business people how to do cybersecurity, than it is to

Patrick Wheeler:

train a cybersecurity professional how my business

Patrick Wheeler:

works. And I looked at his challenges. And this is actually

Patrick Wheeler:

very true, because they're, they're a very important

Patrick Wheeler:

organization. And they they hire people from the cybersecurity

Patrick Wheeler:

industry, but they're a very complex organization. And what

Patrick Wheeler:

they do is quite unique. And then often the cybersecurity

Patrick Wheeler:

professional, gains that experience and then leaves the

Patrick Wheeler:

organization. The people that he sponsored through our program

Patrick Wheeler:

have actually stayed with the organization much, much longer

Patrick Wheeler:

than other people. And also, I argue has had a great impact

Patrick Wheeler:

because they understood the business first, before they

Patrick Wheeler:

layered on the cybersecurity discussion.

Dr. Dave Chatterjee:

I'd like to add something to that that's so

Dr. Dave Chatterjee:

true. Business first, awareness of the business is as important

Dr. Dave Chatterjee:

as awareness of the cybersecurity skills. I'd like

Dr. Dave Chatterjee:

to share a few things with the listeners, one of my guests, who

Dr. Dave Chatterjee:

is a CISO in a major educational institution. When I asked him,

Dr. Dave Chatterjee:

What's the success factor, he said, I have to keep reminding

Dr. Dave Chatterjee:

myself, that my organization is not about cybersecurity. It's

Dr. Dave Chatterjee:

about research, teaching, service. And I have to make sure

Dr. Dave Chatterjee:

that they can continue with their mission, with their

Dr. Dave Chatterjee:

activities in as secure a manner as possible. The second thing I

Dr. Dave Chatterjee:

want to say Patrick, and I'm going to be sharing this podcast

Dr. Dave Chatterjee:

with my students. Fortunately, in the program that I teach at

Dr. Dave Chatterjee:

Duke University, we attract people from different

Dr. Dave Chatterjee:

disciplines. And they would love to hear what you just said, that

Dr. Dave Chatterjee:

you don't have to be from a very traditional technical program to

Dr. Dave Chatterjee:

thrive in this field, you can come from different backgrounds,

Dr. Dave Chatterjee:

like I have somebody in the program. Her you know, her one

Dr. Dave Chatterjee:

of her majors is in philosophy. I think there is another person

Dr. Dave Chatterjee:

who has a background in communications. The third

Dr. Dave Chatterjee:

student I can think of has a background in law. And talking

Dr. Dave Chatterjee:

about communications. Another of my guests recently, who was a

Dr. Dave Chatterjee:

former journalist now is a Cybersecurity Communications

Dr. Dave Chatterjee:

analyst at a major corporation, he made a very interesting

Dr. Dave Chatterjee:

statement. He said, Dave, you know these cybersecurity

Dr. Dave Chatterjee:

specialists, these technical people, often the technical

Dr. Dave Chatterjee:

knowledge is a real curse to them, they have a hard time

Dr. Dave Chatterjee:

relating to what or to how the non-technical people perceive or

Dr. Dave Chatterjee:

understand them. So for them to be able to communicate in a

Dr. Dave Chatterjee:

manner and fashion that is intelligible across the

Dr. Dave Chatterjee:

organization can be quite the challenge. So bringing in

Dr. Dave Chatterjee:

somebody who has expertise in communication, and then teaching

Dr. Dave Chatterjee:

that person, you know, the relevant cybersecurity, subject

Dr. Dave Chatterjee:

areas issues, and of course, the overall business context. That

Dr. Dave Chatterjee:

might be a better way of preparing a person for a certain

Dr. Dave Chatterjee:

type of cybersecurity job that doesn't involve being in the

Dr. Dave Chatterjee:

trenches, and thwarting attacks, which is very important. Don't

Dr. Dave Chatterjee:

get me wrong. I just want to emphasize that. But then there

Dr. Dave Chatterjee:

are different roles, which require different skill sets. So

Dr. Dave Chatterjee:

the thinking out there often is that cybersecurity is belongs in

Dr. Dave Chatterjee:

the technology domain belongs to the technical people, that's not

Dr. Dave Chatterjee:

quite true. We have to approach cybersecurity from a holistic

Dr. Dave Chatterjee:

perspective, we have to broaden the skill sets that they bring

Dr. Dave Chatterjee:

in to deal with this challenge. So what you're saying is just so

Dr. Dave Chatterjee:

good to hear. So please continue. I had to jump in to

Dr. Dave Chatterjee:

share a few things.

Patrick Wheeler:

Yeah, no, thank you for that. And indeed, that's

Patrick Wheeler:

what we see in our program. And I love one of the discussions as

Patrick Wheeler:

I was having this discussion inside the financial sector in

Patrick Wheeler:

and one of my partners in Paris was a CISO over there. He said

Patrick Wheeler:

to me, yeah, Patrick, that's, that's really great. I mean, for

Patrick Wheeler:

example, I have a I have a PhD in opera. And I said, Oh, that's

Patrick Wheeler:

wonderful. I'm going to share that with our students. So I

Patrick Wheeler:

went up to his LinkedIn profile. And I called him back and I

Patrick Wheeler:

said, Mark, your LinkedIn profile doesn't show that you

Patrick Wheeler:

have a PhD in opera, he said, Yeah, I was embarrassed by that.

Patrick Wheeler:

So I didn't put it in my professional profile. I'll fix

Patrick Wheeler:

that for you. And I love this discussion, because he actually

Patrick Wheeler:

went and fixed it. And I was able to share that with our

Patrick Wheeler:

students. And if you look at the discipline that would take to

Patrick Wheeler:

get a PhD in opera, the amount of work that goes into this type

Patrick Wheeler:

of stuff, the amount of work that goes into pass the bar

Patrick Wheeler:

exam, if you become a lawyer, and all of these types of

Patrick Wheeler:

things. That very much is an academic preparation. But I also

Patrick Wheeler:

love the success of people who don't have these academic

Patrick Wheeler:

preparations. Oh, one of our students whom I'm terribly proud

Patrick Wheeler:

of, she came out of the German educational system, where she

Patrick Wheeler:

was sidelined very early in her life, and basically sent to

Patrick Wheeler:

trade school and said, you'll never amount to anything. One of

Patrick Wheeler:

our other success stories was a young lady of African descent in

Patrick Wheeler:

Belgium, who there's a problem in our educational system, where

Patrick Wheeler:

we like to sideline people like the US, and she was told to be a

Patrick Wheeler:

hairdresser. And she absolutely refused and continue to her

Patrick Wheeler:

educational track. But at the end, was looking at possibly

Patrick Wheeler:

working in a museum because that was about the only role that she

Patrick Wheeler:

could actually find in the workforce. She now does identity

Patrick Wheeler:

and access management for one of my major financial partners. And

Patrick Wheeler:

time and time again, we see this type of success, irrespective of

Patrick Wheeler:

early academic achievement. And we see this for people who who

Patrick Wheeler:

don't do well, early in academia, they can actually

Patrick Wheeler:

change their lives significantly. And I especially

Patrick Wheeler:

love working with people much later in their careers. But I

Patrick Wheeler:

also really liked what you had to say about cybersecurity

Patrick Wheeler:

practitioners, alienating the business or not communicating

Patrick Wheeler:

well. And I have an analogy here where I like to say that we are

Patrick Wheeler:

very much thingist, it's, it's about the thing, it's about the

Patrick Wheeler:

cyber thing. And it's all about right, and we have to do the

Patrick Wheeler:

right thing. And as a technologist, we're very good at

Patrick Wheeler:

doing things. And absolutely we we desperately need our

Patrick Wheeler:

technologists, when you're when you're trying to make sure your

Patrick Wheeler:

everything is patched when you're trying to make sure your

Patrick Wheeler:

your network is running properly. When you're trying to

Patrick Wheeler:

deal with an incident, we need these technical resources to do

Patrick Wheeler:

things for us. But also when we look at our longer term

Patrick Wheeler:

cybersecurity objectives, we need project managers and

Patrick Wheeler:

program managers who understand cybersecurity, but also

Patrick Wheeler:

understand how to get things done, hopefully, on time on

Patrick Wheeler:

budget, and in scope. It used to be if you get two out of three,

Patrick Wheeler:

I think these days, it's one out of three. But but you know, if

Patrick Wheeler:

we're getting one of those three, then it's it's also not

Patrick Wheeler:

too bad in some cyber teams. We also need architects or threat

Patrick Wheeler:

hunters, you know, people who understand the external

Patrick Wheeler:

perspective, because a lot of times when we look inside, we're

Patrick Wheeler:

just patching. We're doing the rote activities that were told

Patrick Wheeler:

by the control framework to do. But we also need to have that

Patrick Wheeler:

external threat perspective. So we need to get the right things

Patrick Wheeler:

done. And then the other component we need to add into

Patrick Wheeler:

that is business perspective. We need to get the right things

Patrick Wheeler:

done for my business. And this is one of the things I've been

Patrick Wheeler:

trying hard to keep expressing again and again to cybersecurity

Patrick Wheeler:

practitioners. And I put it under the rubric of politics.

Patrick Wheeler:

And people don't like office politics, they don't like to be

Patrick Wheeler:

said you have to become a better politician. But the argument I

Patrick Wheeler:

have instead of doing technical things, getting things done,

Patrick Wheeler:

getting the right things done, actually don't matter if I

Patrick Wheeler:

alienate my business at the same time. And I've seen this time

Patrick Wheeler:

and time again with what we call strong CISOs. And I've talked to

Patrick Wheeler:

some people who come out of the military and and I try to

Patrick Wheeler:

caution them on what I call the colonel syndrome, which is you

Patrick Wheeler:

come in, you have an objective, you know what you have to do,

Patrick Wheeler:

and you do a damn fine job of it. And then you totally

Patrick Wheeler:

alienate your business and they fire you. And then you're

Patrick Wheeler:

replacing a CFO every three years to three months. And a lot

Patrick Wheeler:

of the

Dr. Dave Chatterjee:

metric, I have to add something there, it

Dr. Dave Chatterjee:

brings back a memory of when I was in corporate, a senior

Dr. Dave Chatterjee:

executive gave me a great piece of advice. And you know how life

Dr. Dave Chatterjee:

is, you hear things, and I'm becoming more and more convinced

Dr. Dave Chatterjee:

that you hear things or you're told things for a reason.

Dr. Dave Chatterjee:

Because ultimately, it comes back to you. And here we have an

Dr. Dave Chatterjee:

opportunity to validate what was shared with me long time ago.

Dr. Dave Chatterjee:

The gentleman said, "Dave when you join an organization, don't

Dr. Dave Chatterjee:

give them the impression that here I come, I'm going to change

Dr. Dave Chatterjee:

everything up, I know what's good, you all need to follow my

Dr. Dave Chatterjee:

approach, that's going to be the worst thing that you can do,

Dr. Dave Chatterjee:

because before you know it, you'll be kicked out or you'll

Dr. Dave Chatterjee:

be sidelined. And you'll have no effect. And this is so

Dr. Dave Chatterjee:

consistent with what you just shared about a CISO. Taking on

Dr. Dave Chatterjee:

the role, making sure they connect well with the other C

Dr. Dave Chatterjee:

level executives to connect well across functions. So they can

Dr. Dave Chatterjee:

truly become an enabler, a strategic enabler, as opposed to

Dr. Dave Chatterjee:

becoming known as a person who is always going to put up a

Dr. Dave Chatterjee:

hurdle or will always say why a certain initiative cannot be

Dr. Dave Chatterjee:

done because of these kinds of risks. So to develop that

Dr. Dave Chatterjee:

persona, that friendly persona, that a person or somebody who

Dr. Dave Chatterjee:

informs who educates, who tries to find pathways to the business

Dr. Dave Chatterjee:

can do what they need to do without digging a huge hole.

Dr. Dave Chatterjee:

That that's the kind of savvy that happens with experience.

Dr. Dave Chatterjee:

But that also requires training in the softer skill sets,

Dr. Dave Chatterjee:

whether it's interpersonal skills, whether it's

Dr. Dave Chatterjee:

communication skills, whether it's the ability to deal with

Dr. Dave Chatterjee:

cyber trauma like scenarios. So there are so many skills that

Dr. Dave Chatterjee:

are at play here. And I'm so glad you touched upon these

Dr. Dave Chatterjee:

many, many skills, because people who will be who are

Dr. Dave Chatterjee:

listening to this podcast, and are wondering whether

Dr. Dave Chatterjee:

cybersecurity is really a field for them, given their

Dr. Dave Chatterjee:

background, given their experience. I'm sure you will

Dr. Dave Chatterjee:

agree with me that, absolutely, if you have the passion, if you

Dr. Dave Chatterjee:

have the interest, if you have the curiosity, there is no

Dr. Dave Chatterjee:

reason why you shouldn't jump in and explore where you would be a

Dr. Dave Chatterjee:

great fit. But anyhow, Patrick, we are running out of time. So

Dr. Dave Chatterjee:

I'd like to give you the opportunity to wrap it up for us

Dr. Dave Chatterjee:

here.

Patrick Wheeler:

Okay, so exactly what you said, do jump

Patrick Wheeler:

in and do explore this. The end. The other thing is you don't

Patrick Wheeler:

have to be perfect from day zero. And this is the thing

Patrick Wheeler:

advice I give to newcomers, but also to professionals. When

Patrick Wheeler:

we're when we're looking at dealing with the executives, I

Patrick Wheeler:

say, let them see you sweat. Let them see you working. Let them

Patrick Wheeler:

see your passion for what you're doing. Even if they disagree

Patrick Wheeler:

with you, even if they shut you down, communicate honestly with

Patrick Wheeler:

them that you're passionate about what you're doing that

Patrick Wheeler:

you're passionate about learning, you're passionate

Patrick Wheeler:

about protecting the organization. And I've seen this

Patrick Wheeler:

work time and time again, where we really care to see our

Patrick Wheeler:

colleagues care about what they're doing. And if you can

Patrick Wheeler:

get this passion for yourself. Please join cybersecurity

Patrick Wheeler:

because we need people who are passionate about it. If you're

Patrick Wheeler:

losing your passion, try to find it again. Because we need people

Patrick Wheeler:

not to leave. We've got far too many people leaving. And then

Patrick Wheeler:

this this thing about continually training ourselves

Patrick Wheeler:

and working with empathizing with our partners is just so so

Patrick Wheeler:

important. And this is something I had to work on myself, this

Patrick Wheeler:

empathy didn't come naturally. And so we can indeed train

Patrick Wheeler:

ourselves to be more empathetic. I'm a fan of the design thinking

Patrick Wheeler:

methodology. I'm a fan of looking really deeply at the

Patrick Wheeler:

people and try to put myself in their feet to understand why

Patrick Wheeler:

they're making the decisions they are so I can be a better

Patrick Wheeler:

influencer in this context. So please, Dave, keep up the good

Patrick Wheeler:

work, bring new resources in we desperately need them. And thank

Patrick Wheeler:

you for this opportunity.

Dr. Dave Chatterjee:

Thank you, Patrick. That was great. I look

Dr. Dave Chatterjee:

forward to having such conversations with you in the

Dr. Dave Chatterjee:

near future. Thank you.

Patrick Wheeler:

Okay, until soon.

Dr. Dave Chatterjee:

A special thanks to Patrick Wheeler for

Dr. Dave Chatterjee:

his time and insights. If you like what you heard, please

Dr. Dave Chatterjee:

leave the podcast a rating and share it with your network. Also

Dr. Dave Chatterjee:

subscribe to the show, so you don't miss any new episodes.

Dr. Dave Chatterjee:

Thank you for listening, and I'll see you in the next

Dr. Dave Chatterjee:

episode.

Introducer:

The information contained in this podcast is for

Introducer:

general guidance only. The discussants assume no

Introducer:

responsibility or liability for any errors or omissions in the

Introducer:

content of this podcast. The information contained in this

Introducer:

podcast is provided on an as-is basis with no guarantee of

Introducer:

completeness, accuracy, usefulness, or timeliness. The

Introducer:

opinions and recommendations expressed in this podcast are

Introducer:

those of the discussants and not of any organization

About the Podcast

Show artwork for The Cybersecurity Readiness Podcast Series
The Cybersecurity Readiness Podcast Series
with Dr. Dave Chatterjee

About your host

Profile picture for Dave Chatterjee

Dave Chatterjee

Dr. Debabroto 'Dave' Chatterjee is tenured professor in the Management Information Systems (MIS) department, at the Terry College of Business, The University of Georgia (UGA). He is also a Visiting Scholar at Duke University, affiliated with the Master of Engineering in Cybersecurity program in the Pratt School of Engineering. An accomplished scholar and technology thought leader, Dr. Chatterjee’s interest and expertise lie in the various facets of information technology management – from technology sense-making to implementation and change management, data governance, internal controls, information security, and performance measurement. His work has been accepted and published in prestigious outlets such as The Wall Street Journal, MIT Sloan Management Review, California Management Review, Business Horizons, MIS Quarterly, and Journal of Management Information Systems. Dr. Chatterjee’s research has been sponsored by industry and cited over two thousand times. His book Cybersecurity Readiness: A Holistic and High-Performance Approach was published by SAGE Publishing in March 2021.