Episode 14

Enhancing Organizational Readiness by Simulating Cyber Attacks

Robert Austin, Professor, Ivey Business School, discusses the value of cyber-attack simulation by drawing upon the learning tool (IT Management Simulation: Cyber Attack!, Harvard Business School Publishing) that he has developed. Using powerful metaphors such as "it's better to have a smaller portion of an expanding pie than to have an expanding portion of a shrinking pie," Rob highlights the need for an unselfish and collaborative approach (among competitors) to dealing with cyber threats. He also emphasizes the importance of top management engagement, judicious technology spending to reduce operational dependencies and threats, and leveraging the power of the human resource.


Time Stamps

00:45

I'd like you to talk to our listeners about the cyber attack simulation that you have authored. And this engaging simulation is available from the Harvard Business Publishing website.

05:15

As I reflect on this simulation tool that you have available for executives and students, it does offer an opportunity to assess organizational readiness from a cybersecurity standpoint. What else does it accomplish based on your experience of using it out there?

08:02

How would you compare this particular simulation exercise with the tabletop exercises that organizations are known to conduct?

10:25

I wanted to mention to my listeners that Professor Austin was one of the authors of a case called iPremier, and to the best of my knowledge, it's one of the few graphically written cases where essentially you're seeing a whole bunch of cartoons that describe the scenario, and then walk you through the next steps as you use the case. And you can use that case for simulation as well. Rob, if I remember correctly, that case was authored as early as 2002, or 2003. Give the listeners a bit of a background of the iPremier case.

13:41

As you look at the big picture, as you reflect on how things are evolving over a period of time, what has changed, what are your concerns? What is your assessment of where things are going? What can we do better?

21:34

What are you seeing in terms of best practices of actively engaging top management in cybersecurity planning, execution, monitoring? Anything that stands out?

38:38

What structures or mechanisms should be in place so that business leaders, technology leaders, security leaders, work together, they're incentivized to work together as opposed to taking the approach, it's your problem, not mine?


Memorable Rob Austin Quotes

"It's one thing to plan, it's another thing to be able to actually walk the talk. And that's one of the things the simulation shows us."

"You learn something from a simulation, but you learn even more from discussing the experience that you had in the simulation."

"It's unlikely you're going to be able to execute everything exactly according to plan."

"We're working very hard to add nodes to the network, but often every node is a potential attack point, as well."

"The dilemma of IT security is that if you do everything that you're supposed to do, and as a result, your company does well, and does not suffer IT security events, the result is, nothing happens. And, it's hard to get credit for nothing happens."

"We used to be able to assume that we could just pursue our own interests, and everything would be fine. But now we discover that our interests interact with other people's interests. And I think that's true in business ecosystems as well. But it is definitely true in cybersecurity. If you've got really great cyber defenses, but one of your business partners has really bad cyber defenses, that's an entry point into your company as well. That's a risk factor for your company."

"It's better to have a smaller portion of an expanding pie than to have an expanding portion of a shrinking pie."


Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Transcript
Introducer:

Welcome to the Cybersecurity Readiness Podcast series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of Cybersecurity Readiness: A Holistic and High-Performance Approach by SAGE Publishing. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars, consulted with companies, and served on a cybersecurity SWAT team with Chief Information Security Officers. Dr. Chatterjee is an Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia, and Visiting Professor at Duke University's Pratt School of Engineering.

Dr. Dave Chatterjee:

Hello, everyone, I'm delighted to welcome you to this episode of the Cybersecurity Readiness Podcast series, where I will be talking with Professor Robert Austin of Ivey Business School, located in London, Ontario, Canada. Professor Austin is a highly distinguished educator with extensive experience and accomplishments in academia and industry. He has worked at major multinational corporations in the automotive and technology sector. He has also been the dean of a business school, and the CEO of an Executive Education Foundation. Rob is also an experienced C-level consultant to multinational companies. He has been a faculty chair and member in executive education programs at Harvard Business School, Harvard Medical School, Ivey Business School and elsewhere. He's also the author of several books, and more than 100 articles and cases. Rob, welcome. Thank you for making time to share your expertise with my listeners. To get the ball rolling, I'd like you to talk to our listeners about the cyber attack simulation that you have authored. And for the benefit of the listeners, this simulation is accessible from the Harvard Business Publishing website.

Rob Austin:

Sure, it's, it's great to be here, thank you for inviting me. So this simulation, it, it basically engages participants in a real time cyber attack. So it's, you experience it as a flow of events that unfold in real time, you were asked to make decisions that are, as much as we could make them, modeled on the kinds of decisions that you would face in a situation like this. You have to, during the attack, you have to coordinate with team members, with the people who you work for, as well as with, you know, partners, partners at hosting facilities and various other people, not all of whom are people that you necessarily want involved in the problem solving. Sometimes people inject themselves into situations like this in ways that are not entirely helpful. Also, another feature of the simulation is that not everything unfolds as you expect it to. And you have to process that. The scenario in this simulation is that they're experiencing a DDoS attack, distributed denial of service attack, but they begin to suspect that there might also be an intrusion that has occurred. And of course, a DDoS attack doesn't necessarily imply an intrusion. But some things start to look suspicious as they start to investigate what's going on with the DDoS attack. The DDoS attack seems to have defeated some of their defenses, and they can't figure out why that would be the case, right away. Another feature of the simulation is that the information that you have is not sufficient to fully understand what's happening. But you're still being called on to make decisions, which I think is another realistic feature. That's kind of the first part of the simulation, the second part, in so that goes on, you know, with a timer, with a clock counting down. The second part of the simulation, though, it has to do with, I think, an important problem in the aftermath of a cyber attack. And that's, what do I say about what has happened? And what's very difficult about those situations frequently, as you know, Dave, is that often you're called on to say something about it before you have a fully confident assessment of what has actually happened. And so, so that, that can be very difficult. One of the reasons I like simulations like this is it's possible, when you sit down to plan, to imagine that you have a plan and you know what you would do, but it can be quite difficult to actually execute your plan. So it's one thing to plan, it's another thing to be able to actually walk the talk, if you like. And that's one of the things I think the simulation shows us.

Dr. Dave Chatterjee:

Yeah, you know, I've had the pleasure of reviewing the simulation, I plan to use it in my upcoming class. I find it fascinating the way you have it set up. And I feel it'll, it will definitely achieve some of the learning objectives that you spelt out, such as discovering human biases that lead to ineffective behavior while responding to a crisis in real time, recognising the importance of crisis preparedness, learning to ascertain and manage priorities during a crisis, practice collaboration and decision making, to structure effective diagnosis and response, and more. So, kind of backing up a little bit, as I reflect on this simulation tool that you have available for executives, for students, it does offer an opportunity to assess organizational readiness from a cybersecurity standpoint. What else does it accomplish based on your experience of using it out there?

Rob Austin:

Yeah, so I think one of the things that happens in the aftermath of the experience of the simulation itself is it often provokes a very useful discussion. We, one of my, one of the principles that I like to put forth when, when we talk about simulations is that, you know it, you learn something from a simulation, but you learn even more from discussing the experience that you had in the simulation. So the debrief after the simulation is, is, you know, probably the most important part. And what you discover, I mentioned this kind of before, right, that what you discover when you go through a simulation is it, it's harder to do things that you assume that you would do than you expected. And, you know, one of the things about events unfolding in real time is that, you know, you have that the information comes to you in the wrong order, and incomplete. And so you have to do sense making, despite this, the situation not being very ideal for that. And these are some of the things that you realize after the experience, and that you can talk about it, it leads you to realize that there may be holes in your preparedness plan, there may be things that you've assumed you could do that you can't actually pull off in the heat of the crisis. And so I'd say that's, that's one of the big things, is the quality of the conversation that you have about your preparedness plans after a simulation, I think, is really quite high, that it causes you to realize some things that can cause you to make material improvements in your plans.

Dr. Dave Chatterjee:

Okay. And how would you compare this particular simulation exercise with, you know, the tabletop exercises that organizations are known to conduct?

Rob Austin:

Yeah, I think those can be really good to write in, in fact, that, to be perfectly honest, the genesis of this online simulation was a tabletop simulation, right? It's, it's sort of a, it's an automated version of something that we used to run in, in a lot of different situations in a lot less animated fashion. But, but I do think there's something to it, one of the things that's, that people say, as a striking feeling, after having gone through the simulation is, is that clock just keeps ticking. And things come at you in an order, and at a time, when you know, that you, you basically don't have any control over the clock, and in how the things are unfolding in time. And while that can be part of a tabletop simulation, I think it's, it's especially impressive, I think, when you're, when you're experiencing it in, in the, in the online setting, but you know, I'm a fan of those too, I'm a fan of the, the tabletop settings, and they're also kind of, they have flexibility advantages, right? You can, you can quickly redesign them, you can add things to them, and so forth. So I kind of like the idea of using tools like this one, this automated simulation tool, in conjunction with other, other kinds of activities like planning, like less automated simulations, like case discussions, right. So one of the things that we have sometimes done is, we'll have a case discussion about a company being attacked, and the situation parallels fairly closely the situation in the simulation, and people decide what they think they would do. And then in the next session, we have them run the simulation and they discover, you know, kind of how unfolding real events make shambles of their plans, in some cases, so that's a very useful thing to, to realize, is that it's unlikely you're going to be able to execute everything exactly according to plan.

Dr. Dave Chatterjee:

Absolutely, you can plan as much as you want. But when it comes to execution, it can be a very different experience. And I think such simulation exercises can be very helpful for management. Talking about case studies, case discussions, I wanted to mention to my listeners that Professor Austin was one of the authors of a case called iPremier, and to the best of my knowledge, it's one of the few graphically written cases where essentially you're seeing a whole bunch of cartoons that describe the scenario, and then walk you through the next steps as you use the case. And you can use that case for simulation as well. Rob, if I remember correctly, that case was authored as early as 2002, or 2003? What was the, give the listeners a little bit of a background of the iPremier case?

Rob Austin:

Yeah, you're right about that, that it's actually by now quite an old case. And we usually think that old cases get out of date. But one of the things, I think you and I've talked about this before, one of the things that's remarkable about that case is the issues are still with us. And so we've actually updated it a bit over the years to, to take into account things like, you know, now people are better at defending against denial-of-service attacks, things like that. But, but the truth is this case, I think, was 2001, actually, when we wrote the first version of it, and the world really was different then. A guy named Chris Darby and I wrote the very first Harvard Business Review article about cybersecurity. It was called The Myth of IT Security. And that was published in 2003. And, you know, part of the lead up to that was writing this iPremier case, and believe it or not, I mean, it's hard to imagine this now, but we had to work hard to convince them that cybersecurity was something that CEOs should think about. Right? In, in the, in those, in that timeframe, late 90s, early 2000, it probably took us two or three years to convince them that this is something that should be, you know, on the table when the senior team discusses the important issues for the firm. But yet, it is also the case you're describing, in 2009 we turned it into what we call a graphic novel version. That worked with a Professor, Jeremy Short, who has done a lot of interesting research around whether that might be a good mode to get information across to people in. And, you know, we, there's a little bit of resistance to that idea, too. Because I remember somebody saying to me, tell me again why we need a comic book with the Harvard Business School logo at the top of it. But, but in the end, we prevailed, it was the first graphic novel business school case at Harvard. Since then, there have been more, because there, there are people who, who quite like to use those.

Dr. Dave Chatterjee:

And I happen to be one of them. I found that approach to writing cases to be extremely interesting, dramatic, and it gets students' attention. Moving along, Rob, you have such a lot of experience in the technology space, of course in the cybersecurity space; as you look at the big picture, as you reflect on how things are evolving over a period of time, you mentioned about your writing the first article in 2001, the Harvard Business Review, what has changed? What are your concerns? What are your, what is your assessment of where things are going, what can we do better?

Rob Austin:

Yeah, I'm probably, you know, I, there are other people who I would go to for the authoritative version on where things are going. For years in my Executive Program at Harvard that was targeted at Chief Information Officers, I used to go to a guy named Dan Geer, and he, I would still recommend going out on the web and finding out what he's talking about lately. Dan was trained as a, trained as a healthcare statistician, an epidemiologist, basically. And he has always approached cybersecurity from a similar sort of a standpoint. And so he's always come up with interesting conclusions. But of course, you know, he was one of the very first people who said that we're losing, right, that the, the threats, the threats are getting more sophisticated much faster than we can advance the defenses. And I guess that, I mean, yeah, I guess I'd ask you too, Dave, but, you know, that seems to be true still, that the nation states are involved in the threats now. There's a lot of very sophisticated attacks, we're working on some cases now about companies that, you know, have had very dire problems with ransomware attacks. And so, you know, and people are still not, still not prepared. Despite hearing these stories about companies that blink out of existence, I mean, one of the cases we're working on right now, one of the serious options on the table was just declare bankruptcy for this company and start another one. Because they couldn't, you know, they couldn't fix it. Now, they did eventually fix it. But it was for a funny reason. They'd worked with a vendor who thought their network was too slow. And the vendor took a whole copy of an instance of their systems to a different environment to work on improvements and enhancements to the system. And it turned out to be very lucky that he had a recent version of the system, because everything was messed up, the backups were messed up. And if this guy hadn't taken, basically took the, the company systems off site, and wasn't quite a thumb drive, but it was like that. Right. And they were, they've never been more relieved than to discover that somebody else had taken their systems off site, their software.

Dr. Dave Chatterjee:

Yeah, it's, it's hard to believe that organizations can be so underprepared. And again, it's not fair to generalize. But as you mentioned, the reality of it is the attack surfaces are expanding, thanks to increasing digitization. And that's not going to stop. The hackers are getting increasingly sophisticated. It's a pretty mature industry now. So that's not going to stop. So organizations don't have a choice but to put on their best game and be as prepared as they can be, and planning is important. But you know, testing the planning is equally important. And that's where every possible help, including using simulations, should be leveraged to enhance their extent of readiness.

Rob Austin:

Now, I agree, the, the other thing I would point out there is the human side is super important, right? That, I mean, you talked about the, the attack surfaces growing and, you know, one of the things I also teach my students these days is, you know, we talk about platform economics and the power of network effects. And a lot of business models now are powered by network effects, you know, the idea that we want to add as many people as possible or as many nodes as possible to a network, because the value of the network is increasing faster than the rate at which we're increasing the size of the network. And yeah, this is the power of companies like Google and Facebook and all these platforms. But one of the things that this also implies is that, you know, we're working very hard to add nodes to the network, but often every node is a potential attack point, as well. So we have these business models that are driving us, you know, I guess what I'd say is the, the increasing attack surface is being driven by business models. And I don't know where that ends, you know.

Dr. Dave Chatterjee:

Yeah, you know, it's like, we are trying to get better. We are engaging in, as we call it, the, the digital transformation of businesses. And while we engage in that we create more problems for ourselves. The other day, I was talking in the classroom about highly integrated systems and I was sharing with students how important it is for information to flow seamlessly from one point to the other without any disruption. And I was sharing with them the history of, you know, siloed organizations, siloed systems, and why and how that happens. And then I told them, I said, you know what, as I think about it, maybe there are some benefits of systems not being well integrated, systems being disconnected, maybe there are some advantages from a cybersecurity standpoint.

Rob Austin:

I think that's true. I mean, you, you've probably used this material too, but the Charles Perrow's book on normal accidents is interesting here, because he points out that one of the, you know, one of the characteristics of systems that experience what he calls normal accidents, these, these situations where low probabilities line up to disastrous effect; one of the characteristics of systems that have this is what he calls tight coupling. And another, another way of saying tight coupling, I think, is exactly what you were just talking about, right? How integrated information flow is across the system. So, you know, it's another situation where we're actually doing our very best to create what, you know, in one context is a really good thing, right, integration of information flow. But, you know, taken from another perspective, like an information security perspective, that's tight coupling, and we probably are going to see more normal accidents as a result. And that's, that's actually not even, normal accidents are accidents, right. There's not even, even any bad guys in those stories. So you add bad guys, and it all starts to get even more complicated. But I like to think it's not hopeless. But, but it does look pretty formidable.

Dr. Dave Chatterjee:

It is formidable, it's keeping everyone on their toes. And organizations can no longer afford to consider cybersecurity as something that can be outsourced. I'm, I'm a huge proponent of considering cybersecurity as an, as an integral part of business objectives. In fact, cybersecurity is a strategic competency that's going to determine the long term success of organizations. So the mindset has to really change. There was a time when I was impressing upon executives about investing in very robust technology infrastructure, and I was using the word strategic investments. And I was told that, Dave, if you're not investing in things that's going to generate sales, we don't really call them strategic. And I said, I said, I agree. But I think we have to change that mindset a little bit. Because if your business doesn't exist, you wouldn't have anything to sell. So you have to first understand what keeps your engine running. And you have to secure that before you can do anything else. So cybersecurity is one of those things, a core component of business operations today that cannot be ignored. And that needs to get front and center attention of top management. And that brings up a question that I'd like to put out there and get your perspective. What are you seeing in terms of best practices of actively engaging top management in cybersecurity planning, execution, monitoring? Anything that stands out?

Rob Austin:

Yeah, I don't know if I know, of, I don't know if I have sort of a methodology for best practice for dealing with execs, I know examples of senior execs that do a good job. And, you know, they take an interest and, you know, probably more impressive or memorable are the situations that you see where that's not happening, right, where people go to their corners, basically. We worked with a company one time where the CEO invited us in to assess their IT capability. And I think when, what we discovered after we'd been there for a while, is that what he was really kind of looking for was a reason to get rid of his current IT leadership, right. He, he didn't like them. He, they made his head hurt. He wanted them to just take care of things. And so when he was, also he was kind of a, it was a business leader. He's a big, big guy physically, he was kind of belligerent. And what we discovered was the biggest dysfunction in the organization is, when he got belligerent and started, you know, sort of throwing his weight around or yelling, or it wasn't always actual yelling, but the IT management, the CIO, he dove for cover, right, understandably, I think. And so, ultimately, what we ended up recommending is that, that this company hire an IT leader, a senior digital leader, who would not dive for cover? Who would? Who would go head to head with, with the executive. But to be perfectly honest, that didn't work very well, either. And so I think, you know, I think the ultimate difficulties in a situation like that have to do with the senior leadership, like the non, the business leadership. The companies that do well at this are the ones where the senior executives take this seriously, and where they're willing to engage on it. A lot of times, I see executives who, I mean, you don't have to become a digital expert, right, as a CEO, but you do have to engage with it, I think, and you have to ask questions, and you have to not just want it to go away. And you know, there are boards that can help with this. One of my frequent colleagues, you know, our co-authors, Dick Nolan, he and Warren MacFarlan wrote, I think, was an HBR (Harvard Business Review) or Sloan Management Review article on how boards can help with this, how boards can be involved. But that's, you know, that's pretty hit or miss, I think, from company to company, how well that works. So

Dr. Dave Chatterjee:

Yes, that's kind of even what I have been noticing, based on my work, based on my field work, that there are organizations where the leadership is extremely committed. In fact, the first podcast that I did in this series, I had the president of a major insurance provider, who made a very strong statement of how committed their organization is and how every C-level executive in that organization, you know, takes advantage of cybersecurity training opportunities to up their skills, up their level of awareness, and to your point, we're not talking about creating a cybersecurity expert of everybody in the organization. And that connects to the human factor that you mentioned a little while ago. And the way I look at it is organizations with resources will have a cyber team. And they are definitely part of the solution. But for a solution to be truly effective, the organization has to engage every member. And that extends even to their partners. So in other words, cybersecurity readiness needs to become everybody's business. And that's the way it needs to be pitched, not as something that is technical and that remains in the domain of the highly specialized operators. And I absolutely believe in them, they are of great value. But they have to be complemented by folks who are doing regular work, and who have to do their part in ensuring that they are taking every step so that the vulnerability is reduced there, at their level.

Rob Austin:

Yeah, no, I agree. And you know, the thing you said earlier about the company that told you, if it doesn't contribute to sales, it can't be strategic. You know, I think one of the things that I find helpful along these lines is, there is a framework that Warren McFarlan, professor at Harvard Business School, many years ago, early 1970s, I think, created, something that people now call the McFarlan grid, right. It's a two by two, we love two-by-twos in our business schools, right. Yeah. And on the one axis is sort of the strategic importance of IT. And that has to do with things like, does it generate additional sales, right, does it generate differences from our competitors that they have a hard time matching? So that's on one axis. The other axis, though, is operational dependence on IT. And that has to do with, you know, if my IT systems fail, how soon do I have a problem? Is it a day? Is it a minute? Is it a microsecond? And when I try to get across to, you know, I teach a lot of general managers, I'm sure you do too, MBA students and executives and so forth, who, you know, they're trying to understand, or I'm trying to help them understand, how IT actually functions as a value creation activity within their organization. And what I do with the McFarlan grid is I say, look, these are the two reasons to spend money or to invest money in digital technology, the two axes to the McFarlan grid. One of them is, you know, what you think it would be, it's to create sales, to generate sales, to generate competitive advantage over your rivals. That's the one axis. But the other one that gets less press and gets less attention is the operational dependence. And you invest on that axis to insure yourself against that operational dependence, because as much value as we get on the one axis out of IT, it also, you know, causes companies to become operationally dependent on IT; this is one of the points McFarlan made way back then, companies don't tend to become strategically reliant on IT without also becoming operationally reliant on it. And so, you know, on the one hand, the two reasons, as I said to my MBA students, there's two reasons to spend money on IT. One is to achieve some kind of strategic advantage, some business advantage that we can all relate to. But the other is to avoid some sort of operational threat, to insure against it, to remediate it, or to reduce its severity when it happens. And those are equally legitimate reasons to spend money on technology. The second one, it has the problem you described, though, right? I mean, another way I used to say it, in my CIO Executive Program at Harvard, is, you know, the dilemma of IT security is that if you do everything that you're supposed to do, and as a result, your company does well, and does not suffer IT security events, the result is, nothing happens, right? And it's hard to get credit for nothing happens.

Dr. Dave Chatterjee:

You know, I think we think very alike, because that's one of the things I emphasize, or I highlight in my talks. I approach it a little differently, but the same thing, I say, you know, the job of a CISO can be considered a thankless job in many ways. Because you don't hear much about the effectiveness of the CISO function, as long as things are going well. But when things go in the wrong direction, then some of the first heads to roll come from that unit. And I don't think that's a fair, or that's a substantive approach, it's more of a symbolic approach to react: we are reacting, we are reacting promptly, we mean business. But there could be much more to the reason why the organization was compromised, and it could go beyond individuals, it could be somewhere deep down in the processes and other areas. So it's really important to take a holistic approach. You talked about spending in technology, similarly spending in cyber, and you will agree that it's not just about spending a certain amount of money or spending in comparison to the industry average, it's about how and where you're spending, what's the thinking behind it. And that's precisely why cybersecurity strategy formulation, cybersecurity strategic investments require senior level involvement, cross-functional involvement. It's not something that you should outsource, let a group of people deal with it. And like you said earlier, that you just don't want to think about it, it's something that comes in the way of your organizational goals, and you'd rather have somebody else... you just have to accept the reality and face it. I think that's probably the best approach under the circumstances. Sorry. Yeah, sorry. No, I

Rob Austin:

just agree. Yeah.

Dr. Dave Chatterjee:

Yeah, it's one of those ongoing challenges, ongoing battles, that's gonna continuously keep organizations, for lack of a better word, distracted, but that's where they have to find a balance where they keep the war or the fight against cybersecurity going while they continue their operations as effectively as possible. You were saying something, I didn't mean to interrupt.

Rob Austin:

No, no. I just, when you were talking about how there are differences, right, between companies, it's not a matter of how much you spend as a percentage of your sales or profits or whatever. One of the things that reminds me of is Erik Brynjolfsson at MIT, whose work, I'm sure, you know, he's done a lot of work showing that IT does actually create value, that adds productivity and other forms of value to the company. And there's a graph: he did a study where they kind of normalized for the size of the company how much companies were spending on IT, and then they plotted it against productivity increases, and you do get an upward sloping line. But the data, of course, if you plot the data as a scatter graph against the two axes, it's of course not a perfect line, it's more like a football, right? It's like an upwardly sloping football. And one of the things that has always seemed important to me is if you draw a straight line vertically through that football, there are some people who are well above the average line, and some people who are well below the average line, in terms of the value they're extracting, but they're both spending the same amount of money, you know, normalized for size of company. So, you know, for any amount of money you might spend, there are some companies that are putting it together in a very effective way. And there are other companies that are underperforming, given the amount that they're spending. So it kind of goes to the point of what you were just saying. It matters how, right; it doesn't matter how much you're spending, if you're not also thinking about how you're spending it.

Dr. Dave Chatterjee:

You know, recently I was speaking with a legal expert. And she made a very telling point. She said, Dave, when cybersecurity breaches go to a court of law, and the judge or the jury are evaluating whether an organization had done their due diligence, had made the necessary investments, they take into consideration the organization size, and the expectations are very reasonable. So there is no expectation that a company that is, say, half the size of GE, or has half the resources of GE, should have the same level of investments in cybersecurity as GE. I'm just using a hypothetical example here. And that's kind of the way to approach it, as a very realistic, very practical approach as to who we are, what's our context? What can we afford? And, most importantly, how well are we doing these things? Whether it's training, whether it's simulation, whether it's enhancing awareness, you know, there is a method to all of this. You mentioned a couple of frameworks, there is lots of guidance out there. One thing is to have the guidance, the other thing is to follow them well, assess the effectiveness of the implementation, make adjustments, and it's a continuous process. And that's where I think the difference lies with companies who are more likely to be resilient and recover a lot faster than others. So that's kind of the way I see it.

Rob Austin:

Yeah. Well, and as you said before, we see things a lot the same way.

Dr. Dave Chatterjee:

So moving along, Rob, from that standpoint, do you have any thoughts on shared ownership and responsibility? You mentioned this vendor helping out a company that almost went under, and was able to get their operations started up again, because they had a copy of their instance of their technology instance. In that spirit, and especially in a highly networked economy, you talked about network effects, platform economics, you'll agree that in today's day and age, it's not company A competing against company B, it's the network of Company A versus the network of Company B. So in that kind of a highly networked, distributed kind of an environment, what structures or mechanisms could be in place so that business leaders, technology leaders, security leaders work together, they're incentivized to work together, as opposed to taking the approach that it is your problem, not mine?

Rob Austin:

Yeah, I don't, again, I don't really think I have the silver bullet for this. But I do think one of the things that can help with this is what I might call an ecosystem mindset. And, you know, I'm encouraged a bit, because people are talking a lot more about ecosystems, it seems to me, these days, business ecosystems, and, you know, the idea that our ability to do well with business models and with a lot of other things are interdependent, right. One of the things that reminds me of is Marco Iansiti, who is a professor at Harvard Business School, wrote a book, I can't tell you, off the top of my head, the name or the year. But it was about this before everybody was talking about ecosystems. And it was comparing a lot of business systems to biological systems. And one of the points that I remember coming out, or, you know, leaping out at me about that, is that we don't see biological ecosystems flourish when one party within the ecosystem, you know, succeeds at the expense of the others, right. If a powerful member of an ecosystem succeeds in gaining most of the advantage that's available in the ecosystem, then the ecosystem becomes unhealthy. So this attitude that, you know, to do well ourselves, we must all do well, is, I think, a general principle that is worth thinking about in our, you know, kind of increasingly interconnected world. That seems to be one of the themes of recent events, and I'm talking now about things like the pandemic, is that we're all more connected than we thought we were. And so there are these, you know, collective social good problems where, you know, we used to be able to assume that we could just pursue our own interests, and everything would be fine. But now we discover that our interests interact with other people's interests. And I think that's true in business ecosystems as well. But it is definitely true in cybersecurity, right. I mean, I think you'll have probably a lot of experience with this. But if you've got really great cyber defenses, but one of your business partners has really bad cyber defenses, that's an entry point into your company as well, right, that's a risk factor for your company.

Dr. Dave Chatterjee:

Well, that's spot on. I mean, I think this pandemic has shown us clearly how connected we are, whether we like it or don't like it, globally. Cybersecurity is also showing us the same reality, and to your point, we can still compete. But we need to leverage each other's competencies to deal with problems of this magnitude, that could consume us all, for lack of a better word. You know, it reminds me of an initiative that Cisco runs, and I'm sure many other companies do as well. If I remember correctly, it's called the CHILL initiative, Cisco's HyperInnovation Living Lab. And the whole idea is to bring together some of the best minds from competing companies to a location for a week, let's say, and have them brainstorm ideas about pressing issues. But the important thing is, at the end of the week, at the end of the retreat, they have to come up with something that is, you know, that is converted to a product that is marketable. So in other words, come up with a solution which is supported by that team of representatives from different companies. So it's like creating a collaborative solution to deal with a larger problem than what they could handle by themselves. And I think that kind of a collaborative partnership mindset has to prevail, if we want to succeed against these kinds of problems, which are, you know, engulfing everybody, every possible network, every possible node. So that's so spot on.

Rob Austin:

Yeah, no, I agree. You know, the way I like to think about it sometimes, and the way I put it to people sometimes, is it's better, going forward as you move into the future, it's better to have a smaller portion of an expanding pie than to have an expanding portion of a shrinking pie. And I think if we don't watch out, if we continue to behave in many of the ways that have worked well for us in the past, you know, these very independent ways, then we're in the future going to find ourselves, yeah, we're gonna have a bigger, bigger portion of that pie, but the pie is going to be shrinking. And so, as you know, I think we need to adopt different mindsets. I worked in the auto industry for a long time. And one of the things the auto industry's not so good at, in my view, is, and I discovered this in one of my jobs there, I had a job there where I had to interact a lot with our suppliers. And I discovered we weren't very popular with them. Because we were much bigger. And we were, you know, we were pounding the crap out of them, right. I mean, anytime they figured out a new way to get some more margin, we took the biggest part of it from them. And so I think that kind of, you know, behavior is not going to be healthy for ecosystems. And I mean, we're getting a bit far afield of cybersecurity here, but I think the principles are the same.

Dr. Dave Chatterjee:

Absolutely, the principles are very much the same. You know, as you may have seen in my book on cybersecurity readiness, the commitment, preparedness and discipline framework that I came up with, that identifies 17 cybersecurity success factors, when I look at these factors, at a very high level, we are talking about people, process and technology issues. When you take a deeper dive, then you get more specific about what these factors entail, and how you address them. But at a higher level, it's still, for lack of a better word, a game of finding the right set, the right balance between the people element, the process element and the technology element, and how we find the balance, and how we sustain it, that's what's gonna make the difference. It is one thing to come up with a solution and implement it, it is another thing to be able to sustain it. And that's why I am big on creating and sustaining a high-performance information security culture, because unless you create that kind of an environment, you kind of etch it in the DNA of the organization, you're unlikely to sustain the good work that got started because of, say, X, Y, and Z, who may have moved on; the good work has to go on. So how are you going to embed that fabric of the blueprint of robust cybersecurity practices? How do you do that? And that's where you have to work on the cultural aspects. And these are tough challenges. So they often get ignored. And we try to get away by focusing on, you know, specific controls, and making sure those controls are in place, especially the technical ones. And I'm all for controls, but do recognize that controls are also on the people side of things, on the governance side of things. So the human factor plays a huge role. Just a little while ago, I was talking with a human factors expert from NATO. She advises NATO on how to manage the human involvement in cybersecurity strategies. And she made a very interesting point, she says, Dave, just imagine somebody holding a key position in cybersecurity, but gets intimidated. And so it's like the example you shared about this belligerent CEO. So the cybersecurity guy had to deal with a boss who was kind of overly dominating. And as a result, even when they were receiving good intelligence that should have been passed on to the right channels, they were scared of the repercussions and went silent on some of these alerts, that could hurt the company. And I'm not going to take the name of some of these companies, but that's precisely what has happened with some of the major breaches. I'm not saying it has happened because of the human personality trait, but it is because someone dropped the ball even after receiving the intelligence. So yeah, that's kind of... Yeah, please.

Rob Austin:

Let me just say that, again, we're agreeing, but, you know, one of my jobs somewhat early in my career was, I was in an automaker. And I was managing a group of really talented software developers that were responsible for a lot of the systems that were inside the assembly plant. So these are the production critical systems. And, you know, this is back to your point about controls, right. So, yeah, we had controls in place, but, you know, we'd have people come around from time to time, at regular intervals, who were certifying that the controls were in place. But, you know, the guys who worked for me at the time, we would sit around at lunch sometimes and chuckle, right. Every single one of them, with their knowledge of the production critical systems, used to talk about, if we put together a list of the 20 top ways to take down an assembly plant, none of those would be, you know, would be addressed by any of the controls that the auditors were basically spending a lot of time thinking about, which is not to say those aren't important, too. But I guess what I'm saying, and I think I'm agreeing with something you said a few minutes ago, which is the people side is super important. And this isn't just the people side is important because there's weaknesses there; you need the very resourceful people like the ones that I'm talking about, who knew everything about, you know, the code and the software that was running this company's assembly plants. And you needed those guys, because just doing a formal analysis of controls and what controls were in place left huge gaping holes without the deep knowledge of these talented individuals who were, you know, really close to the systems, what they could do and where they might get in trouble. So yeah, I couldn't agree more that it's not just a technical problem, right.

Dr. Dave Chatterjee:

Well, Rob, I think we can end on that note. Once again, thank you very much for your time. It's truly a pleasure to have you come on board and share your wisdom with me and my listeners. It's been a pleasure.

Rob Austin:

Yeah, I've enjoyed it a lot, too. So thank you for inviting me. Best, best to you going forward.

Dr. Dave Chatterjee:

Thank you very much,

Rob Austin:

and your listeners. Yeah.

Dr. Dave Chatterjee:

A special thanks to Professor Robert Austin for his time and insights. If you liked what you heard, please leave the podcast a rating and share it with your network. Also subscribe to the show, so you don't miss any new episodes. Thank you for listening, and I'll see you in the next episode.

Introducer:

The information contained in this podcast is for general guidance only. The discussants assume no responsibility or liability for any errors or omissions in the content of this podcast. The information contained in this podcast is provided on an as-is basis with no guarantee of completeness, accuracy, usefulness, or timeliness. The opinions and recommendations expressed in this podcast are those of the discussants and not of any organization.

About the Podcast

The Cybersecurity Readiness Podcast Series
with Dr. Dave Chatterjee

About your host

Dave Chatterjee

Dr. Debabroto 'Dave' Chatterjee is tenured professor in the Management Information Systems (MIS) department, at the Terry College of Business, The University of Georgia (UGA). He is also a Visiting Scholar at Duke University, affiliated with the Master of Engineering in Cybersecurity program in the Pratt School of Engineering. An accomplished scholar and technology thought leader, Dr. Chatterjee’s interest and expertise lie in the various facets of information technology management – from technology sense-making to implementation and change management, data governance, internal controls, information security, and performance measurement. His work has been accepted and published in prestigious outlets such as The Wall Street Journal, MIT Sloan Management Review, California Management Review, Business Horizons, MIS Quarterly, and Journal of Management Information Systems. Dr. Chatterjee’s research has been sponsored by industry and cited over two thousand times. His book Cybersecurity Readiness: A Holistic and High-Performance Approach was published by SAGE Publishing in March 2021.