Episode 44

From Law Enforcement Officer to Chief Information Security Officer

In this episode, Brian Penders, Chief Information Security Officer, at the University of North Carolina Chapel Hill Medical School, shares his exciting but challenging journey from working as an engineering lab technician in the US nuclear submarine to being a law enforcement officer with the Vermont State Police and then gravitating to his current role of Chief Information Security Officer at a major academic institution. He sheds light on the principles driving the high-reliability organizational culture in the US Nuclear Navy Propulsion Program and how those experiences influenced and shaped his growth as a cybersecurity leader.


Time Stamps

02:24 — Take us behind the scenes and share some highlights. What were the drivers? What were the motivators? What can listeners take away from your experience?

09:02 -- Let me first focus on that high-reliability, organizational culture that was established in the US nuclear Navy, and you have lived in that culture. Share a bit about what it is like and what could be some takeaways that are relatable or applicable in the world of cybersecurity governance?

16:08 — Are there any unique challenges that a medical school faces compared to the other units? And if so, how do you go about dealing with them?

19:34 — Research finds that in general, organizations don't do a very good job of rehearsing their incident response plan, sometimes they don't even have a good plan in place. Brian, as a practitioner, what's feasible and what's ideal?

21:36 — Is it fair to assume that institutions are rehearsing how to recover from a ransomware attack?

22:20 -- Is this rehearsal of proactively or reactively, responding to ransomware attacks, taking place at only certain levels, and not at all organizational levels?

23:48 -- So moving on to cybersecurity governance, best practices, there are several out there, would you like to highlight a few that you are really big on?

27:03 -- What's the reality around passwordless authentication?

28:58 -- I'd like to give you the opportunity to share some final thoughts with the listeners.


Memorable Brian Penders Quotes/Statements

"The Navy taught me how to learn, and that was more valuable to me at the time than anything I learned about nuclear engineering."

"Incident response is really a great way to learn the environment and build partnerships across an organization."

"The Navy taught me how to learn. The way admiral Rickover thought through individuals gaining technical knowledge was really amazing. It was based on if you could not draw and explain something to a group of experts sufficiently, then you are not going to move forward."

"If I had 30 seconds with a group, I would tell them to keep their software updated."

"We need to get out of the business of the shared secret. Passwordless authentication is the new and up-and-coming defense to credential theft."

"We have found that folks from liberal arts and humanities can be extremely valuable to supplement and sometimes lead our cybersecurity teams. I'm generalizing, but they're good problem-solvers. They're able to see the big picture, and they're excellent communicators, all amazing skills."


Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712

Latest Publication: https://www.imd.org/ibyimd/magazine/preventing-security-breaches-must-start-at-the-top/

Transcript
Introducer:

Welcome to the Cybersecurity Readiness Podcast

Introducer:

Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of

Introducer:

the book Cybersecurity Readiness: A Holistic and

Introducer:

High-Performance Approach, a SAGE publication. He has been

Introducer:

studying cybersecurity for over a decade, authored and edited

Introducer:

scholarly papers, delivered talks, conducted webinars and

Introducer:

workshops, consulted with companies, and served on a

Introducer:

cybersecurity SWAT team with Chief Information Security

Introducer:

officers. Dr. Chatterjee is Associate Professor of

Introducer:

Management Information Systems at the Terry College of

Introducer:

Business, the University of Georgia. As a Duke University

Introducer:

Visiting Scholar, Dr. Chatterjee has taught in the Master of

Introducer:

Engineering in Cybersecurity program at the Pratt School of

Introducer:

Engineering.

Dr. Dave Chatterjee:

Hello, everyone, I'm delighted to

Dr. Dave Chatterjee:

welcome you to this episode of the Cybersecurity Readiness

Dr. Dave Chatterjee:

Podcast series. Today, I have as my guest, Brian Penders, Chief

Dr. Dave Chatterjee:

Information Security Officer of the School of Medicine at the

Dr. Dave Chatterjee:

University of North Carolina, Chapel Hill. I had the pleasure

Dr. Dave Chatterjee:

of meeting Brian at a cybersecurity conference hosted

Dr. Dave Chatterjee:

by UNC's World View program. And I really enjoyed his

Dr. Dave Chatterjee:

presentation. So I felt that all of you would enjoy hearing what

Dr. Dave Chatterjee:

Brian has to share by way of his experiences and perspectives in

Dr. Dave Chatterjee:

cybersecurity. While I was learning about Brian, the

Dr. Dave Chatterjee:

professional, I was super intrigued by his background, he

Dr. Dave Chatterjee:

has a very interesting journey that began in law enforcement.

Dr. Dave Chatterjee:

In fact, it began in the US Nuclear Navy. And today, he is a

Dr. Dave Chatterjee:

senior information security governance officer, a leader.

Dr. Dave Chatterjee:

It's a fascinating story, a story that he needs to share

Dr. Dave Chatterjee:

himself, not me on his behalf. But bottom line, it's a great

Dr. Dave Chatterjee:

honor and a privilege to have Brian on the show today. Brian,

Dr. Dave Chatterjee:

welcome!

Brian Penders:

Thank you, Dave. It's great to be here. I really

Brian Penders:

appreciate the invite. And yes, it was. It was great meeting you

Brian Penders:

at the conference and having lunch and getting to know each

Brian Penders:

other.

Dr. Dave Chatterjee:

It really was. So Brian, as I just

Dr. Dave Chatterjee:

mentioned in my intro, you have a very interesting professional

Dr. Dave Chatterjee:

background, you worked as a lab technician in the US Navy

Dr. Dave Chatterjee:

Nuclear Submarine for six years, then you were a law enforcement

Dr. Dave Chatterjee:

officer for 15 years before transitioning to incident

Dr. Dave Chatterjee:

response and digital forensics. And now you are the chief

Dr. Dave Chatterjee:

information security officer at UNC School of Medicine. Wow,

Dr. Dave Chatterjee:

what a journey! Take us behind the scenes and share with us

Dr. Dave Chatterjee:

some highlights. What were the drivers? What were the

Dr. Dave Chatterjee:

motivators? What can listeners take away from your experience?

Brian Penders:

Yes, happy to do so. I know, you know many people

Brian Penders:

in the cybersecurity field as I do, I've been amazed at the

Brian Penders:

different backgrounds of these professionals, particularly

Brian Penders:

security leaders, I'm not sure if it's true in other fields,

Brian Penders:

but vast differences, no two are the same. And I love reading

Brian Penders:

about about background of these folks. And mine was like many

Brian Penders:

people in this field, I didn't think about getting into

Brian Penders:

cybersecurity way back. It was something where I wanted to I

Brian Penders:

when I was in college, I took liberal arts and humanities

Brian Penders:

courses. And I was interested in science, but I more read about

Brian Penders:

science on my own. I you know, didn't really do well in science

Brian Penders:

courses in universities, because it seemed a bit more a bit

Brian Penders:

abstract to me. And so after college, my father and my few

Brian Penders:

uncles were veterans, so that influence may. And so I went

Brian Penders:

into this program, I did some research, and I wanted to do

Brian Penders:

some traveling and really get into something that was

Brian Penders:

challenging academically and to serve served my country. And so

Brian Penders:

I looked into this program and went into the six year tour for

Brian Penders:

this naval nuclear propulsion. The first two years is in

Brian Penders:

schools, engineering schools, very challenging curriculums and

Brian Penders:

then went to my duty station, which was a fast attack

Brian Penders:

submarine out of Pearl Harbor. Hawaii. Wow. Very difficult

Brian Penders:

duty. Yeah, a gorgeous place to live no doubt but very difficult

Brian Penders:

duty, was at sea quite a bit. And the work life balance was

Brian Penders:

tough. That's why I can't really recommend this path, I should

Brian Penders:

say because some of these positions were very tough on on

Brian Penders:

the home life, as you can understand. So after the

Brian Penders:

military, I had an interest in law enforcement and you know,

Brian Penders:

people were scratching their heads. Why didn't you use this

Brian Penders:

training? Why didn't you get into civilian nuclear power. And

Brian Penders:

you know, I didn't really have an interest. And for me, and we

Brian Penders:

will talk about this a bit more later, for me, it was about the

Brian Penders:

Navy taught me how to learn. And that was more valuable to me at

Brian Penders:

the time than anything I learned about nuclear engineering. And

Brian Penders:

so that's really threaded through a lot of this journey.

Brian Penders:

And so I went and applied for and got a position with the

Brian Penders:

Vermont State Police after that, and like, like most like every

Brian Penders:

other person, you do patrol work for several years. And then I

Brian Penders:

did some executive protection with the governor's security

Brian Penders:

unit. And then I started to get the itch for technology and

Brian Penders:

something a little more intense and some training. And at first,

Brian Penders:

I looked at a polygraph examiner position, because that had

Brian Penders:

significant training, and was pretty complex and difficult job

Brian Penders:

that didn't work out. And then a Computer Crimes Unit position

Brian Penders:

opened up a very small unit. And keep in mind, this is in 2007,

Brian Penders:

which is when the iPhone came out. So this is when everybody

Brian Penders:

had computers at home. Everybody's got cell phones with

Brian Penders:

them. And as you can imagine, every crime just about had a had

Brian Penders:

a digital component to it. Huge demand for for expertise in this

Brian Penders:

area. So I was fortunate. And you and I talked about this

Brian Penders:

school last time we spoke to be able to go to this amazing

Brian Penders:

facility down in Hoover, Alabama, that's called the

Brian Penders:

National Computer forensics Institute, NCFI. It's literally

Brian Penders:

for state and local law enforcement to learn digital

Brian Penders:

forensics and prosecutors. It's run by the Department of

Brian Penders:

Homeland Security. The first course I was there for a total

Brian Penders:

of 11 weeks. The first course is five weeks where you learn from

Brian Penders:

the ground up about how computers work, how networks

Brian Penders:

operate, and then you get into forensic software and doing

Brian Penders:

forensic exams and writing reports. And then the great

Brian Penders:

thing about it is you go back to your department, with the

Brian Penders:

equipment and the software to get going from day one. And so

Brian Penders:

anyway, those first few years were were I can't say enough

Brian Penders:

about how steep learning curve was. And my biggest takeaway

Brian Penders:

from this position that I brought to North Carolina was

Brian Penders:

there's nothing more terrifying preparing for a trial where the

Brian Penders:

stakes are high. These are many of our victims were children,

Brian Penders:

heinous crimes, you need to get this right. And so it was a lot

Brian Penders:

of, you know, checking and double checking in reaching out

Brian Penders:

to anybody I could. To make sure I got this right, I needed to be

Brian Penders:

able to present data to an older jury, because I think keeping my

Brian Penders:

Vermont as an older state juries are older, a lot of them were

Brian Penders:

not familiar with technology, and then also be technical

Brian Penders:

enough so that the defense examiner, the defense attorney,

Brian Penders:

who also has a defense forensic examiner, you can survive that

Brian Penders:

cross examination. So it was really a way to not only learn

Brian Penders:

the material, but how do I document it? How do I present

Brian Penders:

this to different audiences. That was a really great takeaway

Brian Penders:

from me, when I moved on from Vermont to down here in North

Brian Penders:

Carolina, we had, we had wanted to move south for a couple of

Brian Penders:

years. And I wanted to stay in the field. But I didn't put the

Brian Penders:

work cases were pretty heavy and stressful. And so my wife had

Brian Penders:

always worked in higher education. So I had an interest

Brian Penders:

in trying to work at a university and this worked out

Brian Penders:

at Chapel Hill, like you said, I came down into a digital

Brian Penders:

forensics incident response team lead role, and I really found a

Brian Penders:

home here and it, there's, you know, I was, you know, one

Brian Penders:

flight of stairs away from experts in storage, and servers

Brian Penders:

and emails, Splunk pretty much everything. And incident

Brian Penders:

response is a really great way to learn and environment and

Brian Penders:

build partnerships across an organization. And then after

Brian Penders:

five years there, this position opened up in School of Medicine,

Brian Penders:

where I could do security more across across the board. And

Brian Penders:

it's been great. I've been here almost four years. So that's

Brian Penders:

kind of the journey in a nutshell.

Dr. Dave Chatterjee:

Fascinating. Thank you for your service. I

Dr. Dave Chatterjee:

have many former students who have been in the nuclear navy

Dr. Dave Chatterjee:

vessels, and I've heard a lot of stories. So hats off to you

Dr. Dave Chatterjee:

guys. I believe the training, the expectations are quite

Dr. Dave Chatterjee:

steep. And it really gets everything out of you. So So

Dr. Dave Chatterjee:

yes, you know, we all have our journeys. They're almost meant

Dr. Dave Chatterjee:

to be and we learn. So this is fabulous that I'm able to talk

Dr. Dave Chatterjee:

to you. The US Nuclear Navy Propulsion Program, which

Dr. Dave Chatterjee:

Admiral Hyman Rickover launched, he's considered the founding

Dr. Dave Chatterjee:

father. There was an article written about the culture that

Dr. Dave Chatterjee:

he established, which enabled the program to avoid

Dr. Dave Chatterjee:

catastrophic losses for a long period of time. And this culture

Dr. Dave Chatterjee:

that Admiral Rickover established is characterized by

Dr. Dave Chatterjee:

five or six principles. such as integrity, depth of knowledge,

Dr. Dave Chatterjee:

procedural compliance, forceful backup, questioning attitude,

Dr. Dave Chatterjee:

and formality in communications. So when I was reading this

Dr. Dave Chatterjee:

article about the culture that he had established, and I was

Dr. Dave Chatterjee:

learning about these principles, it dawned on me that why don't

Dr. Dave Chatterjee:

we apply those principles in the private sector in the context of

Dr. Dave Chatterjee:

cybersecurity governance, and try to execute them as best as

Dr. Dave Chatterjee:

we can, as they did, or as they do in the nuclear Navy world.

Dr. Dave Chatterjee:

And we in the private sector will do a lot better. So that

Dr. Dave Chatterjee:

was almost the start of my journey into cybersecurity

Dr. Dave Chatterjee:

research. And in fact that that framework helped me develop my

Dr. Dave Chatterjee:

cybersecurity, holistic governance framework, which is

Dr. Dave Chatterjee:

in my book. So I'm so glad that you are here, Brian, to talk to

Dr. Dave Chatterjee:

us about your variety of experiences. But let me first

Dr. Dave Chatterjee:

focus on that high-reliability, organizational culture that was

Dr. Dave Chatterjee:

established in the US nuclear Navy, and you have lived in that

Dr. Dave Chatterjee:

culture. Share a bit about what it is like and what could be

Dr. Dave Chatterjee:

some takeaways that are relatable or applicable in the

Dr. Dave Chatterjee:

world of cybersecurity governance?

Brian Penders:

Yes, I'll be honest, I had not really thought

Brian Penders:

about tying these principles to my current role until we spoke

Brian Penders:

about this. And you're right, these. First of all, it's

Brian Penders:

probably the least talked about success story. As you know,

Brian Penders:

this, the Nuclear Propulsion Program that was that began with

Brian Penders:

Admiral Rickover. And we're talking about this is now 40

Brian Penders:

years after he retired, and this program is still going strong,

Brian Penders:

as you said, accident free. It's really incredible. But you're

Brian Penders:

right, these principles could probably apply to many

Brian Penders:

industries, but they certainly can for this field. And I would

Brian Penders:

like to touch on a couple things that were a part of Admiral

Brian Penders:

Rickover principles and, and that I saw in my experience

Brian Penders:

there that I've that have stayed with me. One of them is depth of

Brian Penders:

knowledge. That is one thing that I mentioned, the Navy

Brian Penders:

taught me how to learn the way that Admiral Rickover thought

Brian Penders:

through individuals gaining technical knowledge was really

Brian Penders:

amazing it was it was based on if you could not draw and

Brian Penders:

explain something to a group of experts sufficiently, then you

Brian Penders:

are not going to move forward. And this is everything from the

Brian Penders:

micro to the macro, this is this could be drawn explain a

Brian Penders:

particular valve and up to a system, and then how systems

Brian Penders:

work together or an evolution like an engine room startup,

Brian Penders:

talk us through that. And that stays the same not just in the

Brian Penders:

two years of school. But when you get to your duty station,

Brian Penders:

you really are just beginning your training, it doesn't end

Brian Penders:

fact, I think I thought through all of the oral boards that I

Brian Penders:

went through before I was fully qualified as a essentially a

Brian Penders:

junior person in the engineering department and it was around 10.

Brian Penders:

Those are formal ones. That is something that I think he

Brian Penders:

doesn't want, he wanted you to move away from memorization to

Brian Penders:

understand, once you understand there was no need to memorize.

Brian Penders:

But that was a big one. And the other was his focus generally

Brian Penders:

just on people, I think he was the first military person to

Brian Penders:

this is post-WW II. So he's trying to move away from the

Brian Penders:

brawny warrior type to the thoughtful engineer type. I

Brian Penders:

don't think anyone had done that before. And how rank actually

Brian Penders:

took a backseat to knowledge. Many people may not know this,

Brian Penders:

when you stand a watch on a submarine, you may outrank

Brian Penders:

administratively people on that watch, and it seemed to work.

Brian Penders:

When you got off watch you were back in your administrative

Brian Penders:

rank. You didn't have as many privileges as that person but on

Brian Penders:

watch if, if you proved your superior knowledge and qualify

Brian Penders:

that watch station, you were over them operationally. So that

Brian Penders:

was that's fascinating. And then, lastly, another thing he

Brian Penders:

talked about was a preoccupation with failure, thinking about

Brian Penders:

failure, and this is where in cybersecurity, you get to this

Brian Penders:

idea of assume breach, and really zero-Trust is based on

Brian Penders:

having a failure already. So and then, you know, he stressed

Brian Penders:

people before the idea of people, process, and technology,

Brian Penders:

which we know today is very important in that order. And he

Brian Penders:

really stressed that early on.

Dr. Dave Chatterjee:

Sure, sure. I'd like to share something that

Dr. Dave Chatterjee:

was shared by one of my former students, and he said Dr.

Dr. Dave Chatterjee:

Chatterjee in the nuclear Navy vessel when we were given a

Dr. Dave Chatterjee:

command to do something we were required to repeat the command

Dr. Dave Chatterjee:

verbatim, before we executed. And he said, it kind of felt

Dr. Dave Chatterjee:

really awkward. We felt like we are really dumb people, as if we

Dr. Dave Chatterjee:

don't follow, but you realized how much importance and emphasis

Dr. Dave Chatterjee:

was given to communication accuracy, communication

Dr. Dave Chatterjee:

integrity, and that stayed with me as well. When you talk about

Dr. Dave Chatterjee:

cybersecurity governance, and you know it better than anybody

Dr. Dave Chatterjee:

else, because you do it for a living, a lot of it is

Dr. Dave Chatterjee:

communication, but effective communication. And one of the

Dr. Dave Chatterjee:

hallmarks of effective communication is when if you are

Dr. Dave Chatterjee:

communicating something, there has to be a mechanism whereby

Dr. Dave Chatterjee:

you know, that your communication is being received

Dr. Dave Chatterjee:

appropriately. And how do you do that? So that was one way of

Dr. Dave Chatterjee:

doing it is just tell me what I told you. And now that you've

Dr. Dave Chatterjee:

told me what I've told you, and I believe you get it, now go

Dr. Dave Chatterjee:

ahead and execute it. I think that's fabulous.

Brian Penders:

I agree. 100%, it takes out of the equation, one

Brian Penders:

error that could be costly, for sure. Yeah,

Dr. Dave Chatterjee:

exactly. Let's switch gears a little bit,

Dr. Dave Chatterjee:

you are managing the security environment in a medical school

Dr. Dave Chatterjee:

at a large institution, a very reputed medical school. That's

Dr. Dave Chatterjee:

quite the responsibility. I've had CISOs on my podcast, who've

Dr. Dave Chatterjee:

talked about the various challenges that academic

Dr. Dave Chatterjee:

institutions face, and they have shared solutions, best

Dr. Dave Chatterjee:

practices. There are many units within an academic institution,

Dr. Dave Chatterjee:

and you focus on a particular unit, the medical school, are

Dr. Dave Chatterjee:

there any unique challenges that medical school faces compared to

Dr. Dave Chatterjee:

the other units? And if so, how do you go about dealing with

Dr. Dave Chatterjee:

them?

Brian Penders:

Yes, there are. And there's a couple I'd like to

Brian Penders:

talk about. One is really true for all Health Affairs schools.

Brian Penders:

And it's something that a lot of people don't think about. And it

Brian Penders:

has to do with something simple that there are high earners in

Brian Penders:

Health Affairs. And what this means is, we're targeted for a

Brian Penders:

lot of these, what I'll call money grab type scams and

Brian Penders:

attacks. So specifically, years ago, there was a phishing

Brian Penders:

campaign around stealing W2s for tax fraud purposes, and a large

Brian Penders:

percentage of those accounts were from the School of

Brian Penders:

Medicine. Other attacks involving social engineering to

Brian Penders:

get into retirement accounts, we get, I think, we get a large

Brian Penders:

portion of the tech support scams, which really try to get a

Brian Penders:

credit card number, get a credit card number from a

Brian Penders:

doctor, it's different from others, and also just

Brian Penders:

credentials, or medical email credentials are more valuable,

Brian Penders:

frankly, on the dark web to sell. So that's something that

Brian Penders:

we talk to right from when students get here all the way

Brian Penders:

through is be careful, you may be caught up in this. And

Brian Penders:

honestly, those are really have really been the root cause for

Brian Penders:

our incidents that involve regulated data PHI, because

Brian Penders:

there really isn't an interest in the PHI. But because these

Brian Penders:

attacks happen, there may be an email, an exposure of email that

Brian Penders:

contains regulated data. So it's a real headache. It's very risky

Brian Penders:

for us. So we try to talk to our users, our faculty, staff and

Brian Penders:

students about that. The second big category is really around

Brian Penders:

governance risk. There's, if you can imagine the Venn diagram,

Brian Penders:

the School of Medicine is one of the HIPAA covered components of

Brian Penders:

the university. But we are also tied to UNC Health, our partners

Brian Penders:

there, and that's by statute, the Dean of the School of

Brian Penders:

Medicine is also the CEO of UNC Health. We are separate legal

Brian Penders:

organizations, but we share our clinical faculty. You're a

Brian Penders:

faculty members. Well, Dr. Chatterjee. So you know, as a

Brian Penders:

faculty member, you want to be available to people, you want

Brian Penders:

your work to be known. You want people to be able to get in

Brian Penders:

touch with you. And it's particularly easy in that

Brian Penders:

regard, because we're a public university. And when you add the

Brian Penders:

fact that these are also our clinicians who are working with

Brian Penders:

regulated data, they're doing research that involves health

Brian Penders:

information. It's very challenging when you get that

Brian Penders:

mix together. It takes a lot of communication with our faculty

Brian Penders:

to understand the differences and to be able to work with our

Brian Penders:

partners and UNC Health to make sure that there aren't any gaps

Brian Penders:

there that could expose data. So those are the two two big

Brian Penders:

differences here in School of Medicine.

Dr. Dave Chatterjee:

Yeah, thanks for sharing. I'll take

Dr. Dave Chatterjee:

this opportunity to share with the listeners some common

Dr. Dave Chatterjee:

cybersecurity challenges that plague educational institutions.

Dr. Dave Chatterjee:

I talked about these in my talk at UNC where I met Brian. One of

Dr. Dave Chatterjee:

the challenges is dealing with legacy systems, numerous remote

Dr. Dave Chatterjee:

endpoint devices is another challenge, securing students

Dr. Dave Chatterjee:

student body lack of incident response plans, no budget line

Dr. Dave Chatterjee:

item for cybersecurity. yhat's more true for the community

Dr. Dave Chatterjee:

colleges difficulty keeping up with emerging threats. And

Dr. Dave Chatterjee:

finally, the ability to hire and retain staff because

Dr. Dave Chatterjee:

cybersecurity jobs can be exciting, but they can also

Dr. Dave Chatterjee:

cause burnouts. So there can be a high turnover. You emphasize

Dr. Dave Chatterjee:

incident response plans, and research finds that in general,

Dr. Dave Chatterjee:

organizations don't do a very good job of rehearsing their

Dr. Dave Chatterjee:

incident response plan, sometimes they don't even have a

Dr. Dave Chatterjee:

good plan in place. I'm not going to ask you to speak

Dr. Dave Chatterjee:

specifically to your organization. But generically,

Dr. Dave Chatterjee:

Brian, as a practitioner, what's feasible and what's ideal? Yeah,

Brian Penders:

it's a good question. And you're right,

Brian Penders:

these things can slip away as everyone gets busy. But but

Brian Penders:

they're very important. I think the trick is to not think you

Brian Penders:

have to go to the nth degree with this, you know, ideally, we

Brian Penders:

would have something that involve the entire university,

Brian Penders:

UNC Health School of Medicine, and we would get all get

Brian Penders:

together, you don't have to go right there, you could just do

Brian Penders:

something as simple as when you actually have an incident, you

Brian Penders:

can actually use that as an example of checking it against

Brian Penders:

your plans. And when we work with third parties, that's their

Brian Penders:

recommendation to you know, take advantage when things come in to

Brian Penders:

run through your plan. And then honestly, working with third

Brian Penders:

parties to help with tabletops. And reviewing Incident Response

Brian Penders:

Plans, I think is is a great way to go that, you know, they can

Brian Penders:

provide some great expertise, they can sort of sit from the

Brian Penders:

outside and tell you what how you're doing and the direction

Brian Penders:

you need to go.

Dr. Dave Chatterjee:

Okay, good to know ransomware attacks are a

Dr. Dave Chatterjee:

threat to all organizations, academic institutions are no

Dr. Dave Chatterjee:

exception. In fact, they are being hit very heavily. So is it

Dr. Dave Chatterjee:

fair to assume that institutions engage in rehearsing how to

Dr. Dave Chatterjee:

recover from a ransomware attack?

Brian Penders:

Yes, I think it's done under the umbrella of

Brian Penders:

disaster recovery generally, which isn't really specific to

Brian Penders:

ransomware, you usually your infrastructure teams are in

Brian Penders:

charge of developing your business continuity and disaster

Brian Penders:

recovery plans. And they periodically do test restores of

Brian Penders:

systems that would help with ransomware incident or after it.

Dr. Dave Chatterjee:

Okay, that's good to know as well. So

Dr. Dave Chatterjee:

as a faculty member, we get communication from the

Dr. Dave Chatterjee:

Technology Office, the Security Office, from time to time, I

Dr. Dave Chatterjee:

don't recollect any communication or guidance, where

Dr. Dave Chatterjee:

they are proactively preparing us from a ransomware attack that

Dr. Dave Chatterjee:

could freeze our systems, compromise our data. So what I'm

Dr. Dave Chatterjee:

trying to understand is this rehearsal of proactively or

Dr. Dave Chatterjee:

reactively, responding to ransomware attacks, is this

Dr. Dave Chatterjee:

rehearsal taking place at a certain level, and not at all

Dr. Dave Chatterjee:

levels. What would be, I'm just trying to get a better sense,

Dr. Dave Chatterjee:

from your perspective,

Brian Penders:

right? It wouldn't be something that would

Brian Penders:

rise to the user level, it could certainly be an attack and

Brian Penders:

certainly start there. But it'd be more about when a ransomware

Brian Penders:

actors are looking at a large organization, they're not as

Brian Penders:

focused on doing a whole lot with individual users

Brian Penders:

workstations, they're going to use that as possibly an entry

Brian Penders:

point. But it would be taking some time using different

Brian Penders:

malware to move across an organization to get to something

Brian Penders:

that they want could be domain controllers, or could be bigger

Brian Penders:

servers and storage arrays, something that can really hamper

Brian Penders:

the organization such that a payment would be feasible, it

Brian Penders:

wouldn't be something that a user would really get involved

Brian Penders:

with in terms of testing those programs.

Dr. Dave Chatterjee:

So moving on to cybersecurity governance,

Dr. Dave Chatterjee:

best practices, there are several out there, would you

Dr. Dave Chatterjee:

like to highlight a few that you are really big on?

Brian Penders:

Yes, I mean, considering I mentioned, we've,

Brian Penders:

we've had some incidents with phishing and social engineering,

Brian Penders:

our best practices, the last couple of years have focused in

Brian Penders:

those areas in what I'll call a good better best type scenario,

Brian Penders:

where in terms of, let's say passwords, we talked to our

Brian Penders:

users about strong and unique passwords. Now, some of their

Brian Penders:

university accounts are automatically done, but their

Brian Penders:

own accounts. And we focus on things like think about your

Brian Penders:

primary personal email account, and how important that is. You

Brian Penders:

need a strong and unique password. And you need multi

Brian Penders:

factor authentication, because that could be the key to all of

Brian Penders:

your other accounts, least the ones that don't have multi

Brian Penders:

factor authentication. And beyond that, we say now look at

Brian Penders:

your finance, banking, retirement, and then look at

Brian Penders:

your social media. And then if you can, make sure you do that

Brian Penders:

for all them, use passphrases and a lot of those general

Brian Penders:

password guidance but lay lately because of the nuances of the

Brian Penders:

attacks, especially in terms of multifactor workarounds, our

Brian Penders:

exact playbooks of guidance don't really work with our

Brian Penders:

users. So we've been talking to them about this idea of having

Brian Penders:

situational awareness in terms of are you already logged in,

Brian Penders:

you are going to you may get an email, you should look to see if

Brian Penders:

is an external from an external source. And if there is a link

Brian Penders:

there, and if there is you should have, you should be very

Brian Penders:

careful about that link. And if you do, click the link, and

Brian Penders:

you're asked to log in, why would you need to login. And so

Brian Penders:

we use two different MFA solutions here, but the one we

Brian Penders:

use for Microsoft, they should not have to log in as you know,

Brian Penders:

when you log in, you get a session token, it should last a

Brian Penders:

while. So you should really think through why you're being

Brian Penders:

asked to put your credentials in here. Because some of the ones

Brian Penders:

we've seen have been this attack where there's a credential turn

Brian Penders:

around where attackers take the credentials in real time log in,

Brian Penders:

and that will generate a push. So the advice to our users to

Brian Penders:

only accept push notifications that they expect, doesn't work,

Brian Penders:

because they did expect one. So that's when we have had to back

Brian Penders:

up and talk to them about situational awareness. So those

Brian Penders:

are some of the big ones around passwords and MFA, and the other

Brian Penders:

one is updating software, I'll say if I had 30 seconds with a

Brian Penders:

group, I would tell them to keep their software updated. And what

Brian Penders:

we're talking to our users about is they don't really know a lot

Brian Penders:

about the software release cycles and how the software is

Brian Penders:

likely a combination of security updates and new features. Our

Brian Penders:

users get lulled into thinking that it's only new features. And

Brian Penders:

they, you know, hit remind me tomorrow, and they don't quite

Brian Penders:

understand that the updates are security patches for the

Brian Penders:

previous update. And so again, it's a good better best, we

Brian Penders:

don't expect everyone to stop what they're doing. People are

Brian Penders:

busy, but we say as soon as possible. But if you can, within

Brian Penders:

a couple of weeks, get that new software installed, you're going

Brian Penders:

to have the security updates that you need. So those are just

Brian Penders:

a few of the big ones we've been talking about.

Dr. Dave Chatterjee:

Absolutely makes sense. I'd like to react

Dr. Dave Chatterjee:

to a couple of things. When you mentioned multifactor

Dr. Dave Chatterjee:

authentication. Recently, I did an episode on multifactor

Dr. Dave Chatterjee:

authentication fatigue, and that the guest was talking about how

Dr. Dave Chatterjee:

developers detest having to authenticate time and again,

Dr. Dave Chatterjee:

when they're working on 50 different applications that

Dr. Dave Chatterjee:

they're having to go back and forth. And then there are human

Dr. Dave Chatterjee:

beings who are also at times unwilling to have it have to

Dr. Dave Chatterjee:

authenticate every time they are having to log into a system. I

Dr. Dave Chatterjee:

will I will admit that initially, I belonged to that

Dr. Dave Chatterjee:

camp. But I've changed since because I now recognize how

Dr. Dave Chatterjee:

important that security feature is. I also wonder about these

Dr. Dave Chatterjee:

passwords, you know, we're tired of remembering passwords, tired,

Dr. Dave Chatterjee:

tired of trying to save passwords, password protection

Dr. Dave Chatterjee:

managers don't work, they get hacked. We hear about them all

Dr. Dave Chatterjee:

the time. So there's a huge push towards passwordless

Dr. Dave Chatterjee:

authentication, I guess curious, what are your thoughts? What's

Dr. Dave Chatterjee:

the reality around password less authentication?

Brian Penders:

when I think about the big defenses that have

Brian Penders:

come out around identity, certainly MFA years ago was one

Brian Penders:

and I think we're on the cusp of another with web auth. And and

Brian Penders:

using biometrics on your system to prevent this idea of a shared

Brian Penders:

secret, right, we need to get out of the business of the

Brian Penders:

shared secret. And so UNC is moving to offering passwordless

Brian Penders:

authentication this year, we have a strategy to roll it out.

Brian Penders:

And I think it's going to be well received. And we'll see how

Brian Penders:

it goes. But this is going to be attackers will pivot it'll be

Brian Penders:

they may go back to malware, or they may, you know, use malware

Brian Penders:

to grab session tokens. And so there might be a new thing. But

Brian Penders:

this I think is a big new defense to credential theft.

Dr. Dave Chatterjee:

Excellent. Wonderful. So Brian, we are kind

Dr. Dave Chatterjee:

of coming towards the end of our episode here. I wish we could

Dr. Dave Chatterjee:

continue the conversation, but we will have to wrap it up. So

Dr. Dave Chatterjee:

I'd like to give you the opportunity to share some final

Dr. Dave Chatterjee:

thoughts with the listeners.

Brian Penders:

Yeah, I just wanted to spend a few minutes

Brian Penders:

talking a little bit about building teams. You and I

Brian Penders:

discussed this a bit. Last time we talked some of the things

Brian Penders:

that we look for in terms of when we're looking at someone

Brian Penders:

from IT, who's interested in coming to cyber security. We

Brian Penders:

look at Service Desk experience system and server administrators

Brian Penders:

and developers. But it's also important we have found in

Brian Penders:

addition to traditional diversity, diversity of

Brian Penders:

background, we have found that our folks from liberal arts and

Brian Penders:

humanities hat can be extremely valuable to supplement and

Brian Penders:

sometimes lead our cybersecurity teams. I'm generalizing but

Brian Penders:

they're good problem solvers. They're able to see the big

Brian Penders:

picture and they're excellent communicators, all amazing

Brian Penders:

skills. And if they have a propensity and an interest in

Brian Penders:

being technical, that just makes it all the better. And then the

Brian Penders:

other thing is for any folks who are trying to, to get into

Brian Penders:

cybersecurity, it can be really hard. It's easy for us to say,

Brian Penders:

well, you know, just take an entry level IT job and move from

Brian Penders:

there. But that's not feasible for some people. And so the only

Brian Penders:

advice I have is to bug your IT teams wherever you are. And if

Brian Penders:

you're in IT, bug, your security team, I'm, I'm surprised more

Brian Penders:

people don't come and talk to us just knock on our door and say,

Brian Penders:

can you tell us what you do? Show me, show me some of the

Brian Penders:

things that you all do. So I know a lot of my colleagues

Brian Penders:

would welcome would welcome that. So just a few tips for

Brian Penders:

anyone looking to get into cyber

Dr. Dave Chatterjee:

fantastic. In fact, I'd like to reiterate

Dr. Dave Chatterjee:

what you just said that even if you coming from a non technical

Dr. Dave Chatterjee:

background, and there is no reason to shy away from a field

Dr. Dave Chatterjee:

like cybersecurity because the field could benefit from people

Dr. Dave Chatterjee:

bringing in different perspectives, different

Dr. Dave Chatterjee:

expertise. And there are numerous instances of people

Dr. Dave Chatterjee:

with liberal arts degrees. I had a subject matter expert on

Dr. Dave Chatterjee:

another episode, she has a PhD in philosophy, phenomenology was

Dr. Dave Chatterjee:

was the focus of her dissertation. She's a real

Dr. Dave Chatterjee:

techie, she assessed cybersecurity technologies for

Dr. Dave Chatterjee:

the government. So there's nothing that you can't learn,

Dr. Dave Chatterjee:

even if you didn't have the traditional technical training

Dr. Dave Chatterjee:

or technical foundation, it's all a matter of interest and

Dr. Dave Chatterjee:

willing to be curious and being willing to adapt. So I think

Dr. Dave Chatterjee:

there are several other skill sets that come into play,

Dr. Dave Chatterjee:

Brian's own journey, where he himself mentioned coming from a

Dr. Dave Chatterjee:

liberal arts background and how he literally stumbled into these

Dr. Dave Chatterjee:

roles, and then he grew with them. I'm sure he'll be the

Dr. Dave Chatterjee:

first person to agree that he didn't envision himself doing

Dr. Dave Chatterjee:

what he is doing today, when he got out of college with a

Dr. Dave Chatterjee:

liberal arts degree. So do keep that in mind. For those of you

Dr. Dave Chatterjee:

who are aspiring to pursue a career in cybersecurity and

Dr. Dave Chatterjee:

you're sitting on the sidelines, wondering if that would be a

Dr. Dave Chatterjee:

good career move or not, I think it'll be a great career move.

Dr. Dave Chatterjee:

More importantly, there is also the opportunity to secure the

Dr. Dave Chatterjee:

enterprise secure the nation, there is the other aspect to

Dr. Dave Chatterjee:

this job. That makes it very noble. I want to take this

Dr. Dave Chatterjee:

opportunity to thank all the cybersecurity professionals out

Dr. Dave Chatterjee:

there who do this job and they often are never recognized. They

Dr. Dave Chatterjee:

do it behind the scenes. The purpose of podcasts like mine,

Dr. Dave Chatterjee:

is to try to bring them out of their cubicles and share with

Dr. Dave Chatterjee:

the world the realities behind cybersecurity governance, and

Dr. Dave Chatterjee:

all the great things they do. So, Brian, thank you again for

Dr. Dave Chatterjee:

your time. It has been a real pleasure.

Brian Penders:

Thank you very much. I enjoyed the

Brian Penders:

conversation.

Dr. Dave Chatterjee:

A special thanks to Brian Penders for his

Dr. Dave Chatterjee:

time and insights. If you liked what you heard, please leave the

Dr. Dave Chatterjee:

podcast a rating and share it with your network. Also

Dr. Dave Chatterjee:

subscribe to the show, so you don't miss any new episodes.

Dr. Dave Chatterjee:

Thank you for listening, and I'll see you in the next

Dr. Dave Chatterjee:

episode.

Introducer:

The information contained in this podcast is for

Introducer:

general guidance only. The discussants assume no

Introducer:

responsibility or liability for any errors or omissions in the

Introducer:

content of this podcast. The information contained in this

Introducer:

podcast is provided on an as-is basis with no guarantee of

Introducer:

completeness, accuracy, usefulness, or timeliness. The

Introducer:

opinions and recommendations expressed in this podcast are

Introducer:

those of the discussants and not of any organization.

About the Podcast

Show artwork for The Cybersecurity Readiness Podcast Series
The Cybersecurity Readiness Podcast Series
with Dr. Dave Chatterjee

About your host

Profile picture for Dave Chatterjee

Dave Chatterjee

Dr. Debabroto 'Dave' Chatterjee is tenured professor in the Management Information Systems (MIS) department, at the Terry College of Business, The University of Georgia (UGA). He is also a Visiting Scholar at Duke University, affiliated with the Master of Engineering in Cybersecurity program in the Pratt School of Engineering. An accomplished scholar and technology thought leader, Dr. Chatterjee’s interest and expertise lie in the various facets of information technology management – from technology sense-making to implementation and change management, data governance, internal controls, information security, and performance measurement. His work has been accepted and published in prestigious outlets such as The Wall Street Journal, MIT Sloan Management Review, California Management Review, Business Horizons, MIS Quarterly, and Journal of Management Information Systems. Dr. Chatterjee’s research has been sponsored by industry and cited over two thousand times. His book Cybersecurity Readiness: A Holistic and High-Performance Approach was published by SAGE Publishing in March 2021.