Episode 12
Ignorance is not bliss: A Whole-of-Enterprise Approach to Threat Management
The incredibly articulate Anne Leslie, Threat Management Consultant, IBM Security, shares some powerful messages and recommendations on threat management. One such message is to nurture a Whole-of-Enterprise approach where "leaders believe that the people who work for them are not just as important as the systems and the data, they're more important." Anne also emphasizes the importance of "looking within and knowing what it is that we have, why people might want that, and how they might go about getting it."
Time Stamps
00:42 -- So, let's begin by talking about the major information security threats out there and you being in Europe, we'd love to get that perspective.
05:49 -- Anything that you see out there by way of best practices, in terms of staying on top of the latest attack vectors and methods.
10:43 -- I'd love to hear your perspective on a human-centered cyber defense strategy.
19:20 -- I read in the media reports that organizations are often slow, and for lack of a better word, negligent in promptly and effectively responding to cyber intelligence. This is definitely a weakness that no organization can afford. What are your thoughts?
29:38 -- I'd love to get your thoughts on joint ownership and accountability, or shared ownership and accountability?
38:44 -- Any final thoughts?
Memorable Anne Leslie Quotes
"So one of the things that I notice in our industry, across businesses, is that we have a tendency to look outwards before we look inwards. And in practical terms, what that means is, we're not very clear collectively about what it is in our organizations and our businesses that adversaries might want."
"Let's start with looking within and knowing what it is that we have, why people might want that, and how they might go about getting it. If we already have answers to those questions, we're on a good footing."
"I believe that people come to work every day with an often unarticulated aspiration to be useful. And it just seems to me that we're totally missing out on capitalizing on people's best intentions and their creativity and their motivation - when we label them weak when we label them as a vulnerability against which we need to defend."
"People want to contribute, people want to be helpful, they want to be united in something that's a little bit bigger than themselves. And security practitioners, in particular, maybe not all of them, but the majority that I've interacted with, are driven by a desire to protect, they're driven by a cause. To them, security is more than a job, it's a cause they want to defend."
"It's not just about buying more technology, It's about doing more with what we have, where we are. And making the most of the capability that we can get from our people is a key factor in that."
"I loved what you just said about the impact of security being positively correlated with the health of the culture in the organization. Yes, a million times, yes! Because when you have a healthy organization - which is built up consistently, with consistent behaviors, consistent attitudes, consistent interventions on the part of leadership - what it instills, in people at every level of the organization, is a sense of accountability, a sense of responsibility, a sense of pride. And most importantly, it instills a desire to protect, because people have an emotional connection to their organization and an emotional connection to the leadership, even if they've never spoken to them."
----------------------------------------------
Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.
Connect with Dr. Chatterjee on these platforms:
LinkedIn: https://www.linkedin.com/in/dchatte/
Website: https://dchatte.com/
Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338
Transcript
Welcome to the Cybersecurity Readiness Podcast
Introducer:series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of
Cybersecurity Readiness:A Holistic and High-Performance
Cybersecurity Readiness:Approach by SAGE publishing. He has been studying cybersecurity
Cybersecurity Readiness:for over a decade, authored and edited scholarly papers,
Cybersecurity Readiness:delivered talks, conducted webinars, consulted with
Cybersecurity Readiness:companies, and served on a cybersecurity SWAT team with
Cybersecurity Readiness:chief information security officers. Dr. Chatterjee is an
Cybersecurity Readiness:Associate Professor of Management Information Systems
Cybersecurity Readiness:at the Terry College of Business, the University of
Cybersecurity Readiness:Georgia, and Visiting Professor at Duke University's Pratt
Cybersecurity Readiness:School of Engineering.
Dr. Dave Chatterjee:Hello, folks, I'm delighted to welcome
Dr. Dave Chatterjee:you to this episode of the Cybersecurity Readiness Podcast
Dr. Dave Chatterjee:Series. Today, I will be talking with Anne Leslie of IBM, about
Dr. Dave Chatterjee:threat management and security, intelligence and operations best
Dr. Dave Chatterjee:practices. It's going to be a very exciting conversation, Anne
Dr. Dave Chatterjee:is a terrific speaker. I've heard her many times. And I know
Dr. Dave Chatterjee:you'll enjoy listening to what she has to offer. A little bit
Dr. Dave Chatterjee:about Anne. She is a Senior Managing Consultant for Threat
Dr. Dave Chatterjee:Management in the IBM Security Center of Competency. Within the
Dr. Dave Chatterjee:center of competency, Anne leads the application of Garage and
Dr. Dave Chatterjee:Design Thinking to some of the most wicked problems facing
Dr. Dave Chatterjee:security practitioners. And she is a fervent champion of human
Dr. Dave Chatterjee:centered approaches to improving security outcomes. Prior to
Dr. Dave Chatterjee:joining IBM, Anne's career spanned the intersection of
Dr. Dave Chatterjee:financial services, European regulatory policy, blockchain
Dr. Dave Chatterjee:and IT in leadership roles in both sales and advisory.
Dr. Dave Chatterjee:Bilingual in French and English, she holds an executive MBA from
Dr. Dave Chatterjee:the HEC Business School in Paris, and also has several
Dr. Dave Chatterjee:technology and cybersecurity certifications. Anne was born
Dr. Dave Chatterjee:and raised in the Republic of Ireland, and currently resides
Dr. Dave Chatterjee:in Paris, France, which has been her home now for over 20 years.
Dr. Dave Chatterjee:Anne welcome! thanks for making time to share your expertise
Dr. Dave Chatterjee:with our listeners here. So, let's begin by talking about the
Dr. Dave Chatterjee:major information security threats out there and you being
Dr. Dave Chatterjee:in Europe, we'd love to get that perspective.
Anne Leslie:Thanks, Dave, I'm absolutely delighted to be with
Anne Leslie:you. And I really appreciate the invitation. So the threats that
Anne Leslie:are, you know, prevalent. It's very easy in cybersecurity, to
Anne Leslie:feel constantly overwhelmed. There are threats everywhere,
Anne Leslie:affecting every industry. And they just you know that the
Anne Leslie:headlines just seem to give us this impression that it's an
Anne Leslie:unfightable wave, you know, that almost sort of resistance is
Anne Leslie:futile that there are threats coming at us from every
Anne Leslie:direction. And it's just all terrible. Now, that's not a
Anne Leslie:helpful state of affairs. And I'm not here to tell you that
Anne Leslie:there aren't threats. I'm not here to tell you that, you know,
Anne Leslie:we're not facing things that are serious, we are. But we're not
Anne Leslie:all facing the same threats. And that's one of the things that I
Anne Leslie:think is really important to emphasize is that all of the
Anne Leslie:headlines that are coming out and the bulletins and the
Anne Leslie:warnings, they don't apply to everybody. And it's knowing how
Anne Leslie:to sift through that mass of information, and to not get
Anne Leslie:lulled by fear into inertia, that that's that's really where
Anne Leslie:the secret sauce is in all of this. It's knowing how to
Anne Leslie:distill out of all of that, what is the intelligence that matters
Anne Leslie:to me, my team, my organization, what are the threats that
Anne Leslie:matter? And, one of the things that I've noticed in my time in
Anne Leslie:security is that the people who have real expertise in this the
Anne Leslie:people who have real mastery, and I'm not putting myself in
Anne Leslie:that category, right? I'm looking at sort of, you know,
Anne Leslie:Katie Nickels, for example, who's now at Red Canary and used
Anne Leslie:to be at MITRE, now an instructor at SANS. I'd look to
Anne Leslie:her often right, as a teacher in this space, and I've noticed
Anne Leslie:that the people in in cybersecurity who do have
Anne Leslie:mastery of their domain, they have no problem simplifying it.
Anne Leslie:They have no problem asking simple questions as a way of
Anne Leslie:getting started. And having that ability to ask simple but
Anne Leslie:targeted questions, it seems to come with confidence. I think
Anne Leslie:that's one of the things that we really need to help each other
Anne Leslie:do better in security is as practitioners, we need to help
Anne Leslie:each other, build the confidence to ask better questions, simpler
Anne Leslie:questions, more targeted questions as a way of starting,
Anne Leslie:and then getting incrementally better at identifying and then
Anne Leslie:defending against the threats that matter.
Dr. Dave Chatterjee:Excellent. Yes, that's precisely the way to
Dr. Dave Chatterjee:go about staying up on things. Talking about staying abreast of
Dr. Dave Chatterjee:the latest attack vectors and methods, like you said, every
Dr. Dave Chatterjee:organization needs to be able to filter through all the messaging
Dr. Dave Chatterjee:out there, all the information out there, all the intelligence
Dr. Dave Chatterjee:out there, and taking what is most relevant to their context
Dr. Dave Chatterjee:to their organizational needs. You know, anything that you see
Dr. Dave Chatterjee:out there by way of best practices, in terms of staying
Dr. Dave Chatterjee:on top of the latest attack vectors and methods?
Anne Leslie:So a personal life hack that I use, as a way of
Anne Leslie:filtering through, just there's too much information out there
Anne Leslie:right now on every single topic. And as a way for me, to manage
Anne Leslie:that information, what I have a tendency to do is go back to
Anne Leslie:timeless pieces of writing. And what I mean by that, I go back
Anne Leslie:to writings of stoic philosophers, I go back to the
Anne Leslie:Art of War by Sun Tzu. And the reason I do that is because
Anne Leslie:there is wisdom in there, that is applicable everywhere, in our
Anne Leslie:personal lives, and in our professional lives, and two
Anne Leslie:particular aspects of those writings stick with me. So from
Anne Leslie:the art of war, I would look for example, at the wisdom about
Anne Leslie:knowing yourself and knowing your enemy. And from the stoic
Anne Leslie:philosophers, this idea that we can't choose our circumstances,
Anne Leslie:but we always have a choice in response. So one of the things,
Anne Leslie:again, that I noticed in our industry, across businesses, is
Anne Leslie:that we have a tendency to look outwards before we look inwards.
Anne Leslie:And in practical terms, what that means is, we're not very
Anne Leslie:clear collectively about what it is in our organizations and our
Anne Leslie:businesses that adversaries might want. What do we have
Anne Leslie:that's valuable? Have we catalogued it? Have we
Anne Leslie:inventoried it? Do we know precisely what it is that
Anne Leslie:adversaries might want to steal from us? Do we know precisely
Anne Leslie:what are the systems, information assets, the
Anne Leslie:infrastructure that if it was attacked, or if it was subject
Anne Leslie:to some kind of harm, what parts of our business would cripple us
Anne Leslie:if they were attacked? And it's a simple question, getting the
Anne Leslie:answer isn't always easy. But it does blew my mind a little bit
Anne Leslie:that we are so bad in some ways as having an answer to it. And
Anne Leslie:not knowing is not a crime, right? I'm not trying to
Anne Leslie:castigate anybody here for not knowing but skirting around it
Anne Leslie:is negligence. You know, not asking that question is
Anne Leslie:negligence. So I always encourage, when I get the
Anne Leslie:opportunity, starts by looking within, start by talking to the
Anne Leslie:people, if you've got experienced people who've been
Anne Leslie:in your organization, system administrators, for example, go
Anne Leslie:talk to them. They're going to know, for example, what your
Anne Leslie:network looks like, they'll probably have a pretty good idea
Anne Leslie:of where you're vulnerable. Start there. Start by collecting
Anne Leslie:the intelligence that the people in your organization already
Anne Leslie:have about you. And once you've exhausted what you can get from
Anne Leslie:within your organization, then start looking out. But it's a
Anne Leslie:question of knowing what to look for. And you know, when we talk
Anne Leslie:about intelligence, there's the the framework of the
Anne Leslie:intelligence cycle, the first and the last stages of that are
Anne Leslie:the ones where I sort of see the most most problems. So we'd be
Anne Leslie:talking about to the planning and direction. You know, what,
Anne Leslie:what intelligence are we trying to gather for what purpose. And
Anne Leslie:that requires making choices. And as humans, we're not great
Anne Leslie:at making choices because choices imply risk, that always
Anne Leslie:the risk that we might get it wrong. But starting with looking
Anne Leslie:within and knowing what it is that we have, why people might
Anne Leslie:want that, and how they might go about getting it. If we already
Anne Leslie:have answers to those questions, we're on a good footing.
Dr. Dave Chatterjee:I love it, I'd like to re emphasize what
Dr. Dave Chatterjee:you just said. The two things that came to mind, first is,
Dr. Dave Chatterjee:ignorance is not bliss, when it comes to cybersecurity
Dr. Dave Chatterjee:management. I like the way you framed it, you have to look
Dr. Dave Chatterjee:inside first, you have to know what your vulnerabilities are as
Dr. Dave Chatterjee:an organization. And who's you? I guess it starts all at the
Dr. Dave Chatterjee:top, the senior management, the top management. Now, are we
Dr. Dave Chatterjee:expecting top management to know everything about security?
Dr. Dave Chatterjee:Absolutely not. But are we expecting them to be on top of
Dr. Dave Chatterjee:it to make every effort, like you said that it's not
Dr. Dave Chatterjee:acceptable to not know or make no effort to know. I think
Dr. Dave Chatterjee:that's probably the more appropriate word that and again,
Dr. Dave Chatterjee:negligence is a very powerful word, we'll talk about that as
Dr. Dave Chatterjee:we go along in this conversation. But at the onset,
Dr. Dave Chatterjee:as a senior executive, I would make every effort to know as
Dr. Dave Chatterjee:much as I can about the security threats that plague my
Dr. Dave Chatterjee:organization, or that could potentially affect my
Dr. Dave Chatterjee:organization, and how best I could organize to defend against
Dr. Dave Chatterjee:those threats. I would make every effort, so later on, if
Dr. Dave Chatterjee:something were to go wrong, and there's no guarantee that an
Dr. Dave Chatterjee:organization won't be hacked, so that is a possibility. If that
Dr. Dave Chatterjee:were to happen, I have a much stronger case, I can at least
Dr. Dave Chatterjee:emphatically state that I did everything I possibly could.
Dr. Dave Chatterjee:There are no dearth of resources, there are no dearth
Dr. Dave Chatterjee:of expertise out there. You have to make the effort to plug into
Dr. Dave Chatterjee:those resources, plug into those expertise. You're not, you know,
Dr. Dave Chatterjee:likely to have everyone that you would like, who are experts in
Dr. Dave Chatterjee:the field, but there are many who are really good. And there
Dr. Dave Chatterjee:is a lot of advice that is out there that you could benefit
Dr. Dave Chatterjee:from. So ultimately, it comes down to the will, the desire to
Dr. Dave Chatterjee:want to be on top of things. Fantastic. The next thing I want
Dr. Dave Chatterjee:to talk about, I loved reading this in your bio, you state that
Dr. Dave Chatterjee:you are a fervent champion of human centered approaches to
Dr. Dave Chatterjee:improving security outcomes. And you know, human element is such
Dr. Dave Chatterjee:an important element. You can't overemphasize the significance
Dr. Dave Chatterjee:of the human factor. I'd love to hear your perspective on a
Dr. Dave Chatterjee:human-centered cyber defense strategy.
Anne Leslie:Thank you so much for asking that question. So I,
Anne Leslie:I noticed when I first started working in security, that
Anne Leslie:frequently, we'd hear about how the human element was the
Anne Leslie:weakest element, how people are the achilles heel of the best
Anne Leslie:laid plans in security, how people make mistakes, how people
Anne Leslie:click on links, how people are what makes our organizations
Anne Leslie:vulnerable. Now, that grinds my gears on so many levels, because
Anne Leslie:I do believe that organizations depend on people, no! We live in
Anne Leslie:a world where organizations are fueled by human endeavor. And I
Anne Leslie:believe that people come to work every day with sometimes an
Anne Leslie:unarticulated aspiration but to be useful. And it just seems to
Anne Leslie:me that we're totally missing out on capitalizing on people's
Anne Leslie:best intentions and their creativity and their motivation,
Anne Leslie:when we label them weak when we label them as a vulnerability
Anne Leslie:against which we need to defend. So there are a few layers on
Anne Leslie:this. The first is that I am always positively blown away
Anne Leslie:when I get the chance to go and speak to security practitioners
Anne Leslie:in different organizations, and even not just security
Anne Leslie:practitioners, just people in general. People want to
Anne Leslie:contribute, people want to be helpful, they want to be united
Anne Leslie:in something that's a little bit bigger than themselves. And
Anne Leslie:security people in particular, maybe not all of them, but the
Anne Leslie:majority that I've interacted with, are driven by a desire to
Anne Leslie:protect, they're driven by a cause security is more than a
Anne Leslie:job, it's a cause they want to defend. And when I talk about
Anne Leslie:utilizing human centered methods, it's going and actually
Anne Leslie:interacting with these people and saying to them, how could we
Anne Leslie:go about making your day go better? How could we go about
Anne Leslie:allowing you to have more impact? What might we be able to
Anne Leslie:do to take obstacles out of your way? And those are simple
Anne Leslie:questions, but they don't get asked very often. And one of the
Anne Leslie:the experiences that I had earlier this year was talking to
Anne Leslie:a Level II SOC (security and operations center) analyst. And
Anne Leslie:I was interviewing him asking him, you know about process and
Anne Leslie:you know, how his day is structured. And we're talking
Anne Leslie:about systems he uses. And he was very suspicious initially in
Anne Leslie:the interview, a bit cagey and I, you know, I really had to
Anne Leslie:work hard to try and build up a bit of a rapport, put him at
Anne Leslie:ease. And eventually I just said it to myself, you seem to be,
Anne Leslie:you know, very wary of me. I'm not trying to catch you out. He
Anne Leslie:looked at me and said, well, okay, it's just nobody's ever
Anne Leslie:asked me before. Nobody's ever really seem to care. You know,
Anne Leslie:as I used to be a level one analyst and I got promoted to
Anne Leslie:level two. But, you know, we're kind of looked as though we're
Anne Leslie:grunts. We're kind of looked at as though, well, we can't
Anne Leslie:replace you yet with bots. But if we could, we would. And it
Anne Leslie:made me sad. It made me sad that there is so much potential
Anne Leslie:there. There are so many great people being thwarted for the
Anne Leslie:impact that they would be able to have for their organizations'
Anne Leslie:because we don't try to help them enough to actually do the
Anne Leslie:jobs, but deep down, they really want to do, they want to defend,
Anne Leslie:they want to protect, they want to feel that they're doing
Anne Leslie:something positive and constructive. And yet, too
Anne Leslie:often, they feel that it's futile, that the work they're
Anne Leslie:doing is a) unnoticed, b) unremarkable, and c) just
Anne Leslie:thankless.
Anne Leslie:And it shouldn't be that way. What we're up against
Anne Leslie:individually in organizations and collectively is too
Anne Leslie:important for us to miss out on leveraging all of that human
Anne Leslie:potential. So where I get the opportunity, I try to do
Anne Leslie:discovery around what's really going on for these
Anne Leslie:practitioners. And I do my utmost to then communicate it to
Anne Leslie:the leaders in those organizations, to translate it
Anne Leslie:into business terms, risk impact, and say, if we did this,
Anne Leslie:it will allow you from an executive perspective, to have
Anne Leslie:these, this impact and these outcomes which matter to you
Anne Leslie:from an executive perspective. But it's not just about buying
Anne Leslie:more technology. It's about doing more with what we have,
Anne Leslie:where we are. And instrumentalizing capability
Anne Leslie:that we can get from our people is a key key factor in that.
Dr. Dave Chatterjee:Wonderful, very well articulated, in fact,
Dr. Dave Chatterjee:several thoughts come to mind, as I hear your take on
Dr. Dave Chatterjee:involving, engaging humans; as you've heard me mentioned
Dr. Dave Chatterjee:several times and in my talks, I'm a huge fan of theme or
Dr. Dave Chatterjee:statement that cybersecurity or cybersecurity readiness is
Dr. Dave Chatterjee:everyone's business. This is not just a domain for technology
Dr. Dave Chatterjee:experts. This is not just a domain for information security
Dr. Dave Chatterjee:experts. Everyone needs to get involved. And I couldn't agree
Dr. Dave Chatterjee:with you more when you said that people come to work with great
Dr. Dave Chatterjee:intentions, they want to do great things. The exact same
Dr. Dave Chatterjee:view was articulated in my first podcast, with the president of
Dr. Dave Chatterjee:an insurance company, he said exactly the same thing. We must
Dr. Dave Chatterjee:trust in the people in our organization, they can do great
Dr. Dave Chatterjee:things, we are not asking them to all become cybersecurity
Dr. Dave Chatterjee:experts, we should not frighten them away by making them think
Dr. Dave Chatterjee:that they have to learn all these technical details. But we
Dr. Dave Chatterjee:can definitely equip them with the necessary knowledge that
Dr. Dave Chatterjee:could help us deal with one of the key threats in cyber
Dr. Dave Chatterjee:security, which is hacking, and as you know, 99% of the hacks
Dr. Dave Chatterjee:are focused on the vulnerable humans. Along those lines,
Dr. Dave Chatterjee:there's one more thing I'd like to share with our listeners, I
Dr. Dave Chatterjee:talked about it in my book. And that relates to how do you
Dr. Dave Chatterjee:create a cohesive culture, a human-centered
Dr. Dave Chatterjee:We-Are-In-It-Together culture? Whenever we use the word
Dr. Dave Chatterjee:culture, you know, it's kind of abstract. People like to stay
Dr. Dave Chatterjee:away from it, because it's easier said than done. But as
Dr. Dave Chatterjee:you know, there's a lot of research, backed by great
Dr. Dave Chatterjee:evidence, case studies, that the more high-performing the
Dr. Dave Chatterjee:culture, the more effective the firm performance. So what how do
Dr. Dave Chatterjee:you create this high-performance information security culture, I
Dr. Dave Chatterjee:won't get into all the details of it. But one thing I'm going
Dr. Dave Chatterjee:to mention, and that is striving to build emotional capital, over
Dr. Dave Chatterjee:a period of time, where employees feel valued, and
Dr. Dave Chatterjee:develop a sense of belonging, they take pride in their work.
Dr. Dave Chatterjee:They're having fun. And last, but not the least, they perceive
Dr. Dave Chatterjee:leadership to be genuine and authentic. We've touched upon
Dr. Dave Chatterjee:this earlier, we will touch upon it again. At the end of the day,
Dr. Dave Chatterjee:I'm convinced that it really boils down to how committed, how
Dr. Dave Chatterjee:involved, how engaged, top management is, because then
Dr. Dave Chatterjee:that's the spirit that spreads throughout the organization that
Dr. Dave Chatterjee:infuses people to do great things. And the result is
Dr. Dave Chatterjee:generally great. Fabulous, you really got me going here Anne.
Dr. Dave Chatterjee:I'm not the guest, but I'm going to switch it back to you
Dr. Dave Chatterjee:shortly. So let's talk about what you do at IBM, in the area
Dr. Dave Chatterjee:of security, intelligence and operations. By way of a prompt,
Dr. Dave Chatterjee:and again, feel free to deviate from it. One of the things that,
Dr. Dave Chatterjee:once again, strikes me as extremely important is, I read
Dr. Dave Chatterjee:in the media reports that organizations are often slow,
Dr. Dave Chatterjee:and for lack of a better word, negligent in promptly and
Dr. Dave Chatterjee:effectively responding to cyber intelligence. This is definitely
Dr. Dave Chatterjee:a weakness that no organization can afford. What are your
Dr. Dave Chatterjee:thoughts?
Anne Leslie:So there are a few aspects to that. The first one
Anne Leslie:is that we have, and I mean that in the broader sense that we as
Anne Leslie:a society, we love to, we love to blame. We love victim
Anne Leslie:blaming. Yeah. And yes, there's always they're always
Anne Leslie:contributing factors. We need to look at root causes, we need to
Anne Leslie:find out what happened. But the tendency that we have to try and
Anne Leslie:pin blame frequently on an individual in my view is
Anne Leslie:unhelpful and we do it way too often. There are some been some
Anne Leslie:very, very high profile breaches where responsibility was
Anne Leslie:assigned to the chief information security officer.
Anne Leslie:Generally that person gets dismissed in disgrace. Okay. Is
Anne Leslie:it an appropriate response? That's probably a conversation
Anne Leslie:for another time, but the thing that really bothers me about
Anne Leslie:that approach is that, were any real changes made to the
Anne Leslie:fundamental systemic problems that exists in those
Anne Leslie:organizations. Was there any organizational cultural change?
Anne Leslie:Were there any leadership changes? Did we really exercise
Anne Leslie:due diligence in being disciplined? And looking at why,
Anne Leslie:from a systemic perspective, that breach happened? And I
Anne Leslie:would hazard a guess, and say, No. That's the problem. That's
Anne Leslie:where leadership is absolutely essential. Because it doesn't
Anne Leslie:matter how great we have, how great the people we have lower
Anne Leslie:down the organization, if the culture is one of blame, if the
Anne Leslie:culture is one of making individuals responsible for
Anne Leslie:organizational failure, then security will never be able to
Anne Leslie:deliver. So I loved what you just said about the the impact
Anne Leslie:of security being positively correlated with the health of
Anne Leslie:the culture in the organization. Yes, a million times, yes.
Anne Leslie:Because when you have a healthy organization, which is built up
Anne Leslie:consistently, with consistent behaviors, consistent attitudes,
Anne Leslie:consistent interventions on the part of leadership, what it
Anne Leslie:instills, in people at every level of the organization, is a
Anne Leslie:sense of accountability, a sense of responsibility, a sense of
Anne Leslie:pride, and most importantly, a desire to protect, because they
Anne Leslie:have an emotional connection to their organization, an emotional
Anne Leslie:connection to the leadership, even if they've never spoken to
Anne Leslie:them. There's an emotional connection, which says, I feel
Anne Leslie:responsible for the person to the left of me, the person to
Anne Leslie:the right of me, I feel responsible for the things that
Anne Leslie:we work on, the data, the systems, I'm going to make an
Anne Leslie:effort that if I see something that's a bit odd, a bit of
Anne Leslie:scans, I could just walk on by. But if I care, if I feel that
Anne Leslie:emotional connection, I won't walk on by, I'll find a way of
Anne Leslie:alerting somebody who can do something about it. And people
Anne Leslie:who are disengaged from the organization, don't care. They
Anne Leslie:don't have that emotional connection. So they won't make
Anne Leslie:the effort. And in the worst cases, that's where you get your
Anne Leslie:insider threats is where people are so, so resentful, so bitter,
Anne Leslie:so disenchanted. That they want to hurt the organization that
Anne Leslie:they work for. So security, yes, we have systems, we have
Anne Leslie:technology, we have processes, we have security operation
Anne Leslie:centers, we have all of the component parts of security as a
Anne Leslie:domain, but for security to really infuse the fabric of an
Anne Leslie:organization.
Anne Leslie:It will never have the impact it needs to have unless the
Anne Leslie:organization as a whole is already functioning well as a
Anne Leslie:collective body, with leaders who care leaders who connect
Anne Leslie:leaders who believe that the people who work for them are not
Anne Leslie:just as important as the systems and the data, they're more
Anne Leslie:important. And we try them to enable them. We try to protect
Anne Leslie:those people. And there is a real difference in in the the
Anne Leslie:outcomes that you will see in companies where the leadership
Anne Leslie:embodies this belief that people matter. That's an organization
Anne Leslie:where you can do amazing things with security, because it will
Anne Leslie:be a whole of enterprise initiative. And like you say, We
Anne Leslie:don't need everybody in the organization to know all the
Anne Leslie:specifics of what happens on the back -end of security. We have
Anne Leslie:experts to do that. But we need to have a whole of enterprise
Anne Leslie:approach so that people care.
Dr. Dave Chatterjee:Love it, love it. The whole of enterprise
Dr. Dave Chatterjee:approach. That makes so much sense. In fact, I'd like to
Dr. Dave Chatterjee:again, highlight a few things that you talked about. I
Dr. Dave Chatterjee:believe, you emphasized the importance of getting away from
Dr. Dave Chatterjee:the scapegoating culture. We don't need that. I think as you
Dr. Dave Chatterjee:said, brilliantly, when a problem happens, when there's a
Dr. Dave Chatterjee:major breach, the easy part is to point to an individual, blame
Dr. Dave Chatterjee:that person person, fire him or her. And often the organization
Dr. Dave Chatterjee:comes across as very responsive, acting promptly and often the
Dr. Dave Chatterjee:organization is rewarded by the financial markets. But even I am
Dr. Dave Chatterjee:of the opinion as you that that may not be the right approach,
Dr. Dave Chatterjee:the organization has to look deeper. Root cause analysis is
Dr. Dave Chatterjee:an approach or method that is widely touted whatever the name
Dr. Dave Chatterjee:whatever the acronym bottom line is, you've got to look deeper
Dr. Dave Chatterjee:into your systems and processes to see what went wrong. As
Dr. Dave Chatterjee:compared to just blaming one person, by replacing that person
Dr. Dave Chatterjee:really would you have solved the problem that caused the breach,
Dr. Dave Chatterjee:let's say; that may not be the case, there might be a need for
Dr. Dave Chatterjee:bringing about more systemic changes in structure, in
Dr. Dave Chatterjee:processes, in training. So it has to be an organization- wide
Dr. Dave Chatterjee:effort. So we've got to be much more substantive in our
Dr. Dave Chatterjee:approach, and not being very superficial. So that's kind of,
Dr. Dave Chatterjee:it is important to remind folks, that, at the end of the day, we
Dr. Dave Chatterjee:want an organization, like you said, where everyone comes
Dr. Dave Chatterjee:together as a team, and wants to do their best to protect. In
Dr. Dave Chatterjee:return, there is an expectation that while I do my best to
Dr. Dave Chatterjee:protect the organization from getting breached, the
Dr. Dave Chatterjee:organization also has a responsibility to give me the
Dr. Dave Chatterjee:benefit of the doubt and protect me. And I know that we might be
Dr. Dave Chatterjee:entering a territory that has its pros and cons. So not trying
Dr. Dave Chatterjee:to suggest that there is this one right approach, but at least
Dr. Dave Chatterjee:trying to alert the leadership that you've got to look at it
Dr. Dave Chatterjee:more holistically. Along those lines, and the next thing I
Dr. Dave Chatterjee:wanted to discuss with you and you touched upon it, which is
Dr. Dave Chatterjee:about joint ownership and accountability, or shared
Dr. Dave Chatterjee:ownership and accountability. Easier said than done. But if
Dr. Dave Chatterjee:there are structures and mechanisms through which this
Dr. Dave Chatterjee:can be accomplished, that's another way of bringing the
Dr. Dave Chatterjee:business people, the operations people, together with the
Dr. Dave Chatterjee:security people. And I also include the vendors, the service
Dr. Dave Chatterjee:providers, because organizations are often leveraging their
Dr. Dave Chatterjee:services, it's very important to create a true partnership, where
Dr. Dave Chatterjee:everyone has a stake in the game, as opposed to, here are my
Dr. Dave Chatterjee:services you've paid for it. So you have access to these
Dr. Dave Chatterjee:servers. Here is how you set the security for the servers. Now,
Dr. Dave Chatterjee:now that I have trained you, I've given you some tutorial,
Dr. Dave Chatterjee:it's your problem, nnd not mine. Instead of taking that approach,
Dr. Dave Chatterjee:being there and saying, yes, we will support you as you manage.
Dr. Dave Chatterjee:That is how I look at it. I'd love to get your perspective,
Dr. Dave Chatterjee:your thoughts?
Anne Leslie:Great question. One of the real obstacles to
Anne Leslie:security delivering outcomes that are positive for the
Anne Leslie:business, visible to the business, is that security in a
Anne Leslie:lot of organizations is still very much siloed. The security
Anne Leslie:team does security. And you'll have the ops team and the
Anne Leslie:infrastructure team doing their thing, separately. And, it gets
Anne Leslie:even more complicated, if for example, in the mix, you have a
Anne Leslie:managed security provider from an external organization and an
Anne Leslie:external infrastructure provider. And one of the things
Anne Leslie:that I've seen again and again and again is massive, massive
Anne Leslie:frustration in security teams saying we know where the
Anne Leslie:vulnerabilities are. We keep flagging them. Can't do anything
Anne Leslie:about them. Because we don't have access to the
Anne Leslie:infrastructure. We don't have access to those assets. So what
Anne Leslie:frequently happens is that they alert and it kind of, for want
Anne Leslie:of a better expression, gets thrown over the fence to the
Anne Leslie:infrastructure team. But the thing is, is that the security
Anne Leslie:team is measured on a certain set of metrics and KPIs, the
Anne Leslie:infrastructure team is managed on something completely
Anne Leslie:different. And if the infrastructure team took
Anne Leslie:instruction already, that's one of the things they don't want to
Anne Leslie:take instruction from the security team, who are you to
Anne Leslie:tell me how I should be doing my work. So you have that problem,
Anne Leslie:there's an interpersonal issue there. And they frequently
Anne Leslie:fight, they hate each other. But the the impact in terms of
Anne Leslie:security is that the infrastructure team gets
Anne Leslie:measured on uptime, and they have their own set of
Anne Leslie:performance metrics and implementing the best advice
Anne Leslie:coming from the security team would actually adversely affect
Anne Leslie:their performance metrics.
Anne Leslie:So what happens is that you end up having a false view from an
Anne Leslie:executive level, because both teams are probably doing vanity
Anne Leslie:reporting, because they don't want to look bad, you know,
Anne Leslie:their metrics, and their dashboards are probably green.
Anne Leslie:And yet, the enterprise is probably pretty vulnerable.
Anne Leslie:Because alerts are coming in, there are known vulnerabilities,
Anne Leslie:but they're not being fixed, because there's no incentive to
Anne Leslie:actually go fix them because it will actually adversely affect
Anne Leslie:the metrics against which people are measured and incentivized.
Anne Leslie:So again, leadership problem, we're not measuring the right
Anne Leslie:things. And we're not incentivizing the right types of
Anne Leslie:behaviors, to get the teams who have dependencies on each other,
Anne Leslie:to deliver an outcome that matters for the business. We're
Anne Leslie:not enabling them to do that we're actually setting them up
Anne Leslie:for conflict and failure, because they have antagonistic
Anne Leslie:incentives, they have antagonistic performance
Anne Leslie:metrics. So what would need to happen and again, you know, sort
Anne Leslie:of human centered approaches, but it's like design thinking is
Anne Leslie:bringing those people together, allow them to actually build a
Anne Leslie:relationship, get them talking, allow them to express what it
Anne Leslie:is, that frustrates them about the people on the other side of
Anne Leslie:the fence, and then explain much you probably don't even need to
Anne Leslie:explain to them right, people aren't stupid. They know,
Anne Leslie:intuitively what needs to be done. But it's let's find a way
Anne Leslie:again, you know, your analogy of we're all in it together a team
Anne Leslie:sport. Nobody comes to work. I really don't believe this, that
Anne Leslie:people come to work wanting to fight, right. And yet we do in
Anne Leslie:companies, we spend a lot of time with turf wars and
Anne Leslie:politics; wouldn't it be great if we could actually focus on
Anne Leslie:something that was much more positive, much more
Anne Leslie:constructive. So trying to get the security teams with the
Anne Leslie:infrastructure teams and with leadership, so that the
Anne Leslie:leadership actually realizes how badly aligned incentives cause
Anne Leslie:people's days to be full of hostility and aggression,
Anne Leslie:friction, and bad outcomes. How might we go about actually
Anne Leslie:instilling something much more productive, where there are
Anne Leslie:aligned incentives towards a shared objective, which is one
Anne Leslie:of risk reduction and better defense?
Dr. Dave Chatterjee:Well, wow! Totally agree, in fact, what a
Dr. Dave Chatterjee:great segue way to the next topic, and probably the final
Dr. Dave Chatterjee:topic of our discussion, we can go on and on. But in the
Dr. Dave Chatterjee:interest of time, we'll probably have to draw a line somewhere.
Dr. Dave Chatterjee:But I wanted to touch upon performance measures before we
Dr. Dave Chatterjee:ended this episode. And you already talked about it, and
Dr. Dave Chatterjee:you're such a great articulator of these very important trends
Dr. Dave Chatterjee:principles. I'd like to say a few things about performance
Dr. Dave Chatterjee:measures, what I have found in my research and work with
Dr. Dave Chatterjee:organizations, unfortunately, often what gets measured is what
Dr. Dave Chatterjee:is convenient to measure measure, not what needs to be
Dr. Dave Chatterjee:measured. And I have seen that problem with e-business
Dr. Dave Chatterjee:initiatives. And I wouldn't be surprised if that problem
Dr. Dave Chatterjee:transcends and also exists in the cybersecurity governance
Dr. Dave Chatterjee:space. Once again, referring to my book in the appendix, I share
Dr. Dave Chatterjee:some examples of cybersecurity KPIs and I come at it
Dr. Dave Chatterjee:holistically, because as you know, when you are assessing or
Dr. Dave Chatterjee:evaluating performance, it cannot be unit dimensional, it
Dr. Dave Chatterjee:has to be multi dimensional. So from the standpoint of cyber,
Dr. Dave Chatterjee:you have to look at the business value impact, you have to look
Dr. Dave Chatterjee:at the productivity impact. You also have to assess extent of
Dr. Dave Chatterjee:preparedness, nature of incidents frequency of
Dr. Dave Chatterjee:occurrence, compliance. So there are various aspects that needs
Dr. Dave Chatterjee:to be monitored, and you need good measures to monitor. And
Dr. Dave Chatterjee:you put it so well when you said your call to align these
Dr. Dave Chatterjee:incentives. Because if I'm doing these things, if I'm attending
Dr. Dave Chatterjee:Cybersecurity Awareness classes, and if I'm being able to apply
Dr. Dave Chatterjee:some of the training in practice, who's watching, who's
Dr. Dave Chatterjee:recognizing, so at the end of the year, or whenever the
Dr. Dave Chatterjee:performance review happens, are my efforts in becoming a better
Dr. Dave Chatterjee:cybersecurity citizen are my efforts being recognized. And at
Dr. Dave Chatterjee:the end of the day, like you said, when people come to the
Dr. Dave Chatterjee:organization, they all want to do great things. But it is also
Dr. Dave Chatterjee:human nature, to want to be recognized to want to be
Dr. Dave Chatterjee:appreciated, and there's nothing wrong with that. And often, I'll
Dr. Dave Chatterjee:hear somebody say, well, they get paid. And I don't think
Dr. Dave Chatterjee:that's good enough, we all get paid to do what we do. But
Dr. Dave Chatterjee:there's something to be said for the other forms of recognition.
Dr. Dave Chatterjee:And that comes through some of these measures, and you're
Dr. Dave Chatterjee:tapping into the findings. And then accordingly, making
Dr. Dave Chatterjee:adjustments where you need to praise the person, please do so
Dr. Dave Chatterjee:praise a function, please do so. There, you need to change
Dr. Dave Chatterjee:tactics, you somebody needs more counseling, more help make those
Dr. Dave Chatterjee:efforts. And along those lines, there's something else that I
Dr. Dave Chatterjee:have often preached shared with whoever wishes to listen. And
Dr. Dave Chatterjee:that is, we have our annual reports, where the key aspects
Dr. Dave Chatterjee:of performance are highlighted for the shareholders. And I feel
Dr. Dave Chatterjee:that there should be a line in there are a couple of lines in
Dr. Dave Chatterjee:there, where the cyber performance should be talked
Dr. Dave Chatterjee:about. Especially when there are no breaches to report, it has
Dr. Dave Chatterjee:been an uneventful year, doesn't mean you go silent. let's
Dr. Dave Chatterjee:recognize the people who are behind the scenes, doing the
Dr. Dave Chatterjee:good good work. And for all, you know, that's the reason why
Dr. Dave Chatterjee:there has been no incidents. So as organizational leaders, we
Dr. Dave Chatterjee:have to be very mindful of these things. And once again, take a
Dr. Dave Chatterjee:very holistic approach to readiness to preparedness,
Dr. Dave Chatterjee:because that's how we are going to bring the best out of of
Dr. Dave Chatterjee:people. So and as we are coming to the end of this discussion,
Dr. Dave Chatterjee:share with the audience any final words, any final thoughts,
Dr. Dave Chatterjee:reflections?
Anne Leslie:Absolutely. So I'd love to just to jump on what you
Anne Leslie:just said, which is reflecting as well, in the context of
Anne Leslie:Mental Health Awareness Day, right? So mental health is an
Anne Leslie:issue in cyber, and it's linked to the stress. And there's also
Anne Leslie:an aspect of the futility, there can be a sometimes feeling that
Anne Leslie:resistance is futile, that what we're doing is futile. We only
Anne Leslie:ever get noticed when things go wrong. We never get acknowledged
Anne Leslie:for all of the things we're doing to reverse the breaches to
Anne Leslie:avert the terrible headlines. So I love what you just said, it's
Anne Leslie:super important to acknowledge what didn't go wrong. If things
Anne Leslie:have been quiet, fantastic, well done. And I think it's really
Anne Leslie:important to bring the cyber security teams the information
Anne Leslie:security teams, into things like reporting on customer
Anne Leslie:satisfaction. So for example, you know, I've been doing some
Anne Leslie:work in the banking industry, we'd be looking at Net Promoter
Anne Leslie:scores, okay, that's an imperfect measure, but for the
Anne Leslie:volume that it does where customers are satisfied? Well,
Anne Leslie:it's because they feel secure doing their banking. It's
Anne Leslie:because they've been able to access their bank accounts, it's
Anne Leslie:because they trust that the balance that they're seeing in
Anne Leslie:their mobile app is actually the money that they have. Security
Anne Leslie:is instrumental in that. So when a business is reporting the fact
Anne Leslie:that customers are happy, we need to also acknowledge that
Anne Leslie:security paid played a role in that, where business continuity
Anne Leslie:hasn't been impacted, adversely impacted adversely. Again, same
Anne Leslie:thing. So anytime we're reporting on things that are
Anne Leslie:going well, let's emphasize them, let's accentuate them. And
Anne Leslie:let's acknowledge all of the contributors to that, including
Anne Leslie:security, we tend to only talk about security when things have
Anne Leslie:gone wrong. But no, you know, this whole of enterprise
Anne Leslie:approach that I mentioned earlier, customer satisfaction
Anne Leslie:in a digital enterprise, which is increasingly every enterprise
Anne Leslie:these days, security is a key player in that. So where things
Anne Leslie:are going wrong, let's fix them. Let's be curious about them.
Anne Leslie:Let's be disciplined and intellectually honest, when
Anne Leslie:we're looking for root causes, and how we can better address
Anne Leslie:them. But let's not just focus on the negative, let's celebrate
Anne Leslie:small wins. And it's super important for operational teams
Anne Leslie:who often feel overwhelmed, unloved, and thanked. Let's find
Anne Leslie:metrics for executive level reporting. It's important for
Anne Leslie:securing it's important for investment. But let's also have
Anne Leslie:metrics that allow the people who are turning up every day to
Anne Leslie:do security, to provide defense, let's find some way of taking
Anne Leslie:the futility out of their day to day, let's take away some of the
Anne Leslie:frustration. Let's find a way of celebrating the things that are
Anne Leslie:going well, the things that we've managed to achieve.
Anne Leslie:Because it's really important from a mental health
Anne Leslie:perspective, from a motivational perspective, from an engagement
Anne Leslie:perspective, people are the core of security. So let's celebrate
Anne Leslie:them. Let's celebrate us. And let's find a way of
Anne Leslie:communicating the value that we bring individually and
Anne Leslie:collectively at our level, and then amplify it and defuse it
Anne Leslie:and give it to our leadership in a way that helps them secure the
Anne Leslie:business. But let's not underestimate how important
Anne Leslie:small wins are, we can find something to celebrate every
Anne Leslie:day.
Dr. Dave Chatterjee:Well, thank you. And thank you very much for
Dr. Dave Chatterjee:your time, your insights or perspectives. It is much
Dr. Dave Chatterjee:appreciated, and I hope you will come back again to share your
Dr. Dave Chatterjee:thoughts and perspective. Thanks again.
Anne Leslie:Thank you so much Dave.
Dr. Dave Chatterjee:A special thanks to Anne Leslie, for her
Dr. Dave Chatterjee:time and insights. If you liked what you heard, please leave the
Dr. Dave Chatterjee:podcast a rating and share it with your network. Also
Dr. Dave Chatterjee:subscribe to the show, so you don't miss any new episodes.
Dr. Dave Chatterjee:Thank you for listening, and I'll see you in the next
Dr. Dave Chatterjee:episode.
Introducer:The information contained in this podcast is for
Introducer:general guidance only. The discussants assume no
Introducer:responsibility or liability for any errors or omissions in the
Introducer:content of this podcast. The information contained in this
Introducer:podcast is provided on an AS IS BASIS with no guarantee of
Introducer:completeness, accuracy, usefulness, or timeliness. The
Introducer:opinions and recommendations expressed in this podcast are
Introducer:those of the discussants and not of any organization.
