Episode 18

Securing the Smart Supply Chain

In episode 18, Alan Mihalic, President IoT Security Institute, speaks to the challenges and success factors associated with securing Internet-of-Things (IoT) devices in smart supply chains. He draws upon the IoT Security Framework to share some guiding principles and practices to help supply chain participants specify, procure, install, integrate, operate, and maintain IoT securely for smart cities and critical infrastructure.

To access and download the entire podcast summary with discussion highlights --

https://www.dchatte.com/episode-18-securing-the-smart-supply-chain/


Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Transcript
Introducer:

Welcome to the Cybersecurity Readiness Podcast Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of Cybersecurity Readiness: A Holistic and High-Performance Approach. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars, consulted with companies, and served on a cybersecurity SWAT team with Chief Information Security officers. Dr. Chatterjee is an Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia, and Visiting Professor at Duke University's Pratt School of Engineering.

Dr. Dave Chatterjee:

Hello, everyone. I'm delighted to welcome you to this episode of the Cybersecurity Readiness Podcast Series. Today, I will be talking with Alan Mihalic, Founder and President IoT Security Institute. Alan, welcome. It's great to have you as a guest. Thanks for making time to share your thoughts and perspectives with our listeners. So let's get started with you sharing with the listeners a bit about your cybersecurity journey.

Alan Mihalic:

Well, firstly, thank you, Dave, for inviting me, it's a pleasure to be here. My journey is a long one. It started off very much in a technical realm, working with security, security services that evolved over time into architecture, governance, risk management, subsequently, it moved into advisory services. And that's spanned a period of over 20 years now. Of late, relatively, I suppose, the emergence of smart technologies and smart cyber has drawn me into that area, because it's at firstly, it's a particular interest. And secondly, it is certainly the challenges of the future and as many cyber professionals will state that the future is far more interesting than the past.

Dr. Dave Chatterjee:

True, very true. And in fact, when we were discussing about this podcast, and we are talking about securing the smart supply chain, and you are talking about your IoT Security Institute, the Internet of Things Security Institute, it kind of brought to mind the reality that we face today, where the more digitized we get, the more smarter we get, so to speak, the more vulnerable we are. While these smart devices offer many benefits and capabilities, they are known to have weaker security protections. They're often not easily patchable, or updatable. So there are lots of challenges in front of us. You know, how would you define or describe the challenges of smart supply chains?

Alan Mihalic:

Well, I think firstly, we can we just look at IoT and devices at first, as part of that overall picture, I think that it's not just a technological change, but it's societal change. And the emergence of IoT has affected urban planning, engineering as much as it's impacted network computing services and traditional services delivery. I mean, effectively, IoT is at the core of our smart cities we live in, the smart buildings we occupy, and even the smart bodies we inhabit. And as a result of the sheer number of these devices, and the increasing dependency upon these devices to function in an expected manner, especially in critical environments, bring forward a scenario where the ramifications of failure or compromise are incredibly significant. We cannot afford to be complacent when it comes to this type of security, particularly IoT security.

So the interesting thing that that could effectively be looked upon as somewhat technology restraint. But this shift has also caused a great deal of change in the way we just view security and national security in a way that perhaps we never had before. And I just like to extrapolate, like, extrapolate upon that a little bit. The notion of protecting a nation or protecting our critical assets is generally being thought of as a government responsibility. Now from a military perspective, if our nation is at threat, we have an army we have an air force, we have a navy. And the government is tasked with making sure that that meets the challenges ahead and the potential adversaries that may threaten our existence. To put it that way. This technology, it needs to be understood and many are coming to it now is that it is defined security and national security, not simply can no longer be a government responsibility. And you're seeing that in the changes in the way that legislation is produced the way we approach the whole notion of being a secure society.

Now, let me give you an example. Governments have been briefed, and are well aware now that they cannot, as previously mentioned, secure us they need to rely on both the public and the private sector. So cybersecurity is as has been given a responsibility now on corporations and institutions got a responsibility. And governments are driving this down very strongly to ensure that they meet, as you mentioned, those security challenges that are emerging out of the IoT or, you know, bigger picture smart technologies. So to protect a smart grid or water supply or things of that nature, the government can't just do it, the government relies on the community and corporations to ensure they do their part. Now that ostensibly may seem a very logical thing and it certainly is, but from a practical from the deployment from an accountability perspective, it is a seismic shift in the way we look at security. So, we may come in and say IoT devices, but when we look at how they are deployed, and the sheer number of them, and the omnipresent nature, it becomes quite a challenge. So we can say that the conversation can be had at multiple tiers, with similar considerations.

Dr. Dave Chatterjee:

Absolutely. In fact, you know, it is really, you need to take a holistic approach, a people, process and technology approach, you need to involve the various stakeholders, like you said, government alone is incapable of securing the critical infrastructure, the partnership with the private sector is essential. I have to mention, in the context of this discussion, in March of 2018, my city of Atlanta suffered one of the largest and most expensive ransomware attacks, costing upwards of $17 million. The city and its services came literally to a standstill. You know, all the automated operations were kind of crippled, everything had to be handled by paper, in-person payment of water bills, renewals of business lines, licenses, payment of parking tickets, you know, everything got affected. And that's just a, well, I don't want to use the word "just". But that's an example of a city getting breached.

Now, think about our nuclear infrastructure. Think about, like you mentioned, the water systems, the natural gas resources, we are deploying smart technologies everywhere, to enhance efficiency, enhance effectiveness. But along, you know, while we do that, unless we are extremely security conscious, it's going to be it is a huge challenge. It's not easy to handle. In fact, you mentioned during our prior discussion about the security by design approach, and that really appeals to me, I'd love for you to expand on that for our listeners.

Alan Mihalic:

Okay, well, security by design is effectively ensuring that cyber security and principles of privacy are included in all stages of the design build run process. Now. We that means that security is not factored in, after a building or a city solution has been implemented, but it's very much part of the entire process. And because urban planning and engineering is such a complicated area, because both in the physical and virtual aspects, it's paramount that these checks and balances are maintained through the process. And we can take that as simply as saying that, again, coming back to the idea of IoT devices, ensuring that they're appropriately sourced for their purpose, not simply as a case of the beneficial price points and equally, the standards need to ensure that the privacy of the community and of the individual is protected. Now you can take that out from a device to the philosophy of the city, you can take that out to the risk appetite of the community. And so security by design means to factor in, the considerations that you would, when assessing the risk profile, the security controls required to protect a given asset.

Now, I'd like to sort of take a little bit further than that. Now, we often you know, for those of us that have been around long enough and have always defined security as securing an asset, and that asset is often taken a physical form, but just on the previous point that security by design can be taken to the investment can be taken to a community say the state of self. Now, let me give you an example. Um, you know, we look at the stock market, and we look at the stability of institutions to be able to provide a service step that has a return on investment. Now, if we look at that, in this context, communities, cities, have a responsibility to ensure that they can provide all of the services required for a day to day operation. Now, from a business perspective, you were talking about bringing down the services in Atlanta now, look at the investment. If we look at that meeting followed with the investment implement, implement implications, and the associated risks associated with doing business as we evolve into a smarter and smarter world. I mean, would you invest into an organization or a city that has such a potential bad record, you would have to consider that you would have to say, well, what's their infrastructure like? What? What happens if it all falls over? And when we speak about the energy sector, we know that minutes is millions, we're not talking about small sums of money.

Additionally, from a society point of view from the welfare or mental health of their citizens, as we ask them more and more to be participants into this smart world, we have to understand that people by the nature requires stability and security to function properly. Now, if we live in a society that has these disruptions that there is also a follow-on effect to the community. And just may I finish off that point by saying that often these concerns are difficult to communicate across the table, especially at this time in the story. In the future, obviously, it will become easier as it becomes more prevalent. But the argument for smart technology, we know the benefits, we know what can be done, and we know the potential that it has. But from a business, if I might just wear a business hat for a moment, as cyber professionals, we need to ensure that it's not the technology alone that needs to be positioned, but we have to understand the core of what makes a successful implementation. And one of those, of course is return on investment. Now businesses, communities, government, all look at return on investment, we provide a service as we get a return on investment. And we decide whether there is positive or negative nature. No more is that applicable to the smart technology sector.

In other words, the underpinning success story of any smart technology implementation is to trust more. We can stand up a server if it gets knocked out, we can stand up a power plant if it gets knocked down, but when the trust of the community is knocked over, and because of its by its very nature, smart technologies require the participation and engagement of a broad number of people across an array of areas, if trust is lost, that somewhat comes back to my original point about the psychology of communities, then that's a very hard thing to get back Dave. It's very hard to ask someone to provide all the privacy information, all of the access to things that can be aggregated and circulated, when that's abused. And that's becoming another very critical area. So once again, a point for consideration.

Dr. Dave Chatterjee:

Absolutely. In fact, your point is your points are very well made. Security has to be etched not only in the organizational DNA, but also in the human mindset. It might sound a little odd, but that's the environment we live in. Because every step we take, whether in the capacity of a professional or in our personal capacity, the security implications have to be considered and I'm trying to keep it at a level that everybody can relate to. I can get a little more technical if I wanted to but I don't want to at this time. But yes, at a high level, literally every aspect of our life, professional, personal are getting affected. And it's a very, very difficult, formidable challenge to get everyone to do their part. You know, I've been saying this for a long time that cybersecurity is everybody's business, we can have the best of cybersecurity professionals, we can have a great design in place, we can even implement as per plan, but to be able to sustain it to achieve almost like a high level of precision, and, you know, to make it as fail proof as possible, many, many things have to come together. And that makes it a formidable challenge.

While I think of challenges, one thing that comes to mind is vendor selection, vendor management, I've learned that the IoT vendors don't have a great reputation of providing very robust devices, once they have sold something, they kind of would like to walk away from it. Given the proliferation of the devices, the fact that we will be using such devices more and more, what are your thoughts and recommendations on vendor selection and vendor management in the context of IoT devices?

Alan Mihalic:

Yes, of course. Well, I mean, from the outset, it's effectively a case of buyer beware. And as the evolution of these devices has moved forward, people are becoming more aware. And some of the key areas, of course, as I touched on previously was to understand that it's not about price point. You know, we are talking to naturally it's a consideration, we were talking about 1000s of devices here, millions of devices. And it's not difficult to understand that the procurement department when it sees the orders, and sees what the associated costs may be, they certainly there's a push that, you know, let's buy cheap, it's effective, let's buy cheap. But we've quickly understood that the first thing we need to understand is, as I mentioned, is that IoT device has to fit be fit for purpose, it needs to be able to maintain a baseline security that is in accordance with the data that it's collecting, aggregating, filtering, analyzing, etc. It cannot simply be a, let's call it a dumb device for want of a better word that has no inherent security controls. Because, you know, there's that old, you could spend an awful lot of money on security controls, but be undermined and undone by a $10 IoT device. Yeah, there's the old you know, this the old story about the goldfish bowl, you know, what a temperature sensor in the casino where they brought down the casino through that, and that's it's been overly used and, obviously, overly referenced. But it's applicable.

And so I think that to your question, what needs to be done is that organizations, government, need to provide assessments and checklists to ensure that the purchasing process is aligned to what the product will be exposed to, and the risk associated to that, to that product. And that can be driven by a, as I said, buyer beware, we have better educated people that can make those decisions, get the can put in the appropriate standards and checklists that ensure that this is what we need. And that step one will have to be a compliance governance model against these devices, you cannot simply go out and procure something because you think it's the best product, we need to take that GRC component into effect. Equally, governments are now around the world starting to look at actually mandating that you know, that it has to, for a particular organization to procure a particular device for a particular purpose needs to adhere to this mandated standard. So that's that they are the positive things that need to be done.

And I was on a few weeks back on a bit of a bit of a panel and even looking at the potential of labeling requirements for products both in the let's say business sector and but also in the privacy sector. I'm sorry, in the public community sector, whereby and it's a challenge, we won't go into that detail because the time isn't necessarily here to have that break that down. But effectively, it's a communication education tool that enables people to make informed decisions on what they are buying. Now if we take that into the home for a moment, you go off Dave in to the local store and you want to buy a device you can read on the side of the box. This has been rated ABC and it cost 2995. The other one hasn't been rated ABC and it costs 1095. You are then put in a position to say, Well, what does that mean, to my family to myself to my privacy? What does it to us? What does it mean to us? So that's another aspect of potential labeling could be a way and that labeling could be interpreted within a business context in another way. But to round off your question, it's effectively self knowledge, corporate knowledge, standards and legislation that ensure that we aren't always buy cheap, because it's some, it's an easier decision to make.

Dr. Dave Chatterjee:

To add to that, we have to have a rigorous selection and evaluation process. In my book, I talk about the commitment, preparedness and discipline framework of creating a high-performance information security culture, and one of the themes of that framework or the framework speaks to creating this culture where every step that an organization takes, and in this context, the one that comes to mind is developing the business case for buying anything. And business case, as you know, has several evaluation criteria. And security has to feature very prominently, whoever is sponsoring a particular purchase needs to clearly articulate and know which devices are being bought from whom, why, what steps have been taken to review, to validate. So it has to be a very comprehensive process, it has to be institutionalized, so it's as fail-proof as possible. Well, yes,

Alan Mihalic:

Sorry. And I think to take a point further, that that is the business case, that needs to consider, as I said, that the trust models underpinning the return on investment, it's pointless being a medical clinic, that can, having enormous service benefit health service benefits in adopting this technology. And equally, it reduce it will be more cost efficient, but at the cost of losing the trust and breaching the law, then the business case for the selection process of vendors, etc, takes a different turn, equally, equally. And I think this is one point that I tend to really focus on is that there is a community expectation in all of this. When you work for company A, and you sign your paperwork saying I adhere to employment policies and so forth, there's an HR department there, you know, there are aspects that protect you as an individual, not just as an employee, equally, these technologies that are out there in the community, to be absorbed and utilized by the community has an underlying community expectation as to what they do and how they do it.

And we need to assume, well, I don't have given us yet, like most of us, we don't really know how the traffic system works. You know, red lights come tell us to stop and green lights tell us to go but behind all of that there is a great deal of due diligence around that particular service, there's, you know, we have a community expectation that when one light turns red, the other one turns green. And you know, and as I said previously, the assumption is, well, the most people don't know how all of that works. And equally, what we're proposing here with smart technologies, we have to appreciate that the majority of people have stuck know how it all works. Not all same way, I don't know the trend, how the transmission works in my car, I just assume that somebody does. And I think that that's part of our business case, and that's part of our community obligations as we move forward. And, you know, this is a heady time, there's a lot of money to be made, there's a lot of benefits to be had. And it's a bit like a new frontier, you know, we want to rush out there and get a plot of land, you know, and put a stake in it, you know, and I think that we need to be very mindful of that.

Dr. Dave Chatterjee:

Absolutely. Just imagine we go out there and buy these smart devices to install at our homes, we get excited about the product, we get excited about the benefits. But are we also thinking about the security aspects, the security implications, that level of awareness, I don't believe is there and you know, it's not even a fair expectation that it should be there. And that's where the education has to be more widespread. You know, I'm big on making cybersecurity part of the core curriculum. So you know, anybody who's graduating from college with an undergraduate degree, at least has had one course on security because you want to change the mindset. You want to ensure people are constantly thinking about the security implications because if that's not happening, and if people still are a very important part of the process, they're unlikely to achieve the due diligence that you talk about. Because it has to feature not only in the mindset of the senior leadership, but across all levels of the organizational hierarchy.

Alan Mihalic:

And may I, just quickly on that point, which is extremely relevant, I would extend that education out to the executives, to board executives, you and I have grown up in a time when we both heard the words well, you know, that's the chief executive for this, and they don't know anything about technology, or that's not their problem. Well, I don't think that it's no longer a sustainable argument. They certainly understand how e-commerce works. They certainly how their supply chain works, how transport and logistics work, or they may not be truck drivers. I think it's a poor excuse. And I think it's imperative that cybersecurity courses at the appropriate level, be at business risk be assigned, risk exposures conducted in a way that's applicable to the audience, of course, but it needs to be brought to the board level to the executive level. That argument of well, I don't know much about security, that's not my area. I don't think that floats anymore. I mean, that they aren't you know, executives need to understand price to market ratios, they need to understand the share market, they need to understand, you know, the aspects of business administration. I think cybersecurity and its obviously its financial and regulatory and other requirements, it again puts it clearly a module on the curriculum, I would say, albeit a small one, but it certainly I think has a place.

Dr. Dave Chatterjee:

I couldn't agree with you more, in fact, many years ago, and I was having this discussion with the senior executive of a large organization who said, Dave I don't have time for cybersecurity, I have to run billion dollar operation, that security has to be handled by the Department. And so I told him, I said, you know, I get it, that it's you don't have to be that doesn't have to be your focus. But you have to provide the support, provide the commitment, because at the end of the day, if that security fails, the implications can be severe. Now, if I were to have the same conversation with him today, I promise you, he would be saying something different. But it's taken a while for even the leadership to recognize how significant and how critical information security competency is, it often takes, unfortunately, takes government mandates it takes legislation to get the organizational commitment, that is necessary. And whichever way it is, the sooner it happens, the better. And as you and I know, the tone has to be set at the top, if there's Yes.

Alan Mihalic:

And if we take that, logically, back and forward, as we've been conducting this conversation, governments are legislating to the point where they're requiring that critical infrastructure executives to do something about situational awareness they need it's part of a defense strategy now. And governments are clearly saying if you're not educating yourself, and if you're not doing that, which is required, we will come in through some sort of regulatory means and do it for you. Now that sets off the bells in the beltway in the boardroom, because nobody wants to regulate it coming around and talking about what you're doing, or you're not doing. So to your point, the initial conversation was it's not my business. That's the security department. The follow-up conversation is, I am being made accountable. And these are intelligent people we're talking about, they do what they do very well. And when they understand that accountability is associated with their actions, then the mind shift changes. But until we start through education, legislation, to apportion responsibility, there'll be a slow trend coming.

Dr. Dave Chatterjee:

Very true. And you know what, what worries me is, unfortunately, we have a proven track record of being reactive, catastrophes have to happen before we get all serious about it and do things. We are right now going through this pandemic, without trying to put blame on any organization, it is still my conjecture that we should have been better prepared, given the investments we had in place, the resources we had in place, but we were unfortunately caught napping. And we were reactive. And I worry that through breaches, we could have even more severe catastrophe. And I hope that never happens. So we can't afford to be reactive, I hope, whether it's the government, whether it's the private sector, they truly form this partnership, this global network, and they approach cybersecurity as one global team, as opposed to taking an isolated, regional, national approach. I think cybersecurity is such a challenge that has to be addressed holistically with all the key players coming together, banding together. And that leads to the next discussion I want to have with you is about the IoT Security Institute that you run. And it comes to mind because of the global nature of the organization and how it encourages partnerships. And I believe that we need more of that. Can you speak to the Institute, its offerings, its benefits?

Alan Mihalic:

Yes. And it's, it moves nicely from it, we move nicely into it from your previous statement in that part of the smart technology sector is that we work with so many different people. Cyber professionals originally, and to generalize somewhat, worked within the IT groups, they had a perimeter. And they ensured that the outside was out and the inside was in. With smart technologies, IoT, critical infrastructure, we see more and more cybersecurity professionals working with urban planners, engineers, industry leaders and then an array of transport and other essential services sectors. So the IoT really came about because we did research and we looked at there was no shortage of documentation or white papers that said, Oh, look at these are all the issues you need to be mindful of. So we, as an institute, we started looking at a means by which that we could come up with a framework or effectively a guideline that would provide a cyber and privacy principles to professionals that could be implemented from a base build through to build completion. So in other words, it's a way of establishing a comprehensive set of guidelines to help each of the supply chain participants to specify, procure, install, integrate, and maintain IoT security within smart technology ecosystems.

Now, that's a big statement. But what it's saying is, there's a lot that happens in a Smart Security IoT environment. So we wrote a framework through global contributions. And we utilize aspects of NIST and Carnegie Mellon. And we put together a workflow methodology with that allowed for cyber professionals to step through a series of domains. Now all of this is available freely to download by the IoT Security Institute website. And I encourage people who are interested to do so. And it has a series of, let's call them domains or actors with associated activities that ensure all of those aspects of security by design are factored into the process and considered. Now, it's not a standard that stipulates you will do it this way. It is very much consultative in nature, because we're mindful that a white paper is a white paper. But a person tasked with doing a job within an organization needs to have a methodology by which to work through and engage. So the framework is very much that, it identifies areas of concern, it qualifies them, it provides action plans. It's all done by a facilitation guide, which ultimately ends up in a final report. So what does that all mean? It says at the end of the process, this is where we are; there, this is what we want to be. And these are all of the security and privacy aspects that we've had to take onboard.

Now, I won't go into elaboration, as I said, it's freely downloadable. But two of the components that are there might be privacy, that might be one looking at the privacy experts on it. We also have a domain that covers Building Information Modeling. Building Information Modeling takes into account the relationships that organizations have with third parties and providers. So if you are looking at a particularly critical infrastructure that relies on a third party, what are the security controls, information flows, all the security components in that; it is pointless you having a moat and a 50 foot wall around your organization, when you're buying blueprints for an HVAC system, or some other aspect or some sort of design principle from a third party that's working out of a shared office. I mean, we know where the criminals are going to go first, right. So that's, I mean, a little bit off track there. But what I'm saying is that that's an example of the process. So it may not be applicable in your instance. But that may be applicable in someone else's. And finally, it even works with other standards. So it's not exclusive. If you wish to utilize the framework and incorporate other aspects of standards that may be applicable to your organization, you're certainly capable to do so. But I think finally, that the whole point is to provide a guideline, a methodology workflow, that allows cyber professionals to work through a series of challenges, let's say.

Dr. Dave Chatterjee:

Appreciate that, thanks. But as I think about frameworks, and there are several of them out there, I think you put it rather well, that frameworks are not meant to be followed blindly. They are meant to be contextualized. They are meant to be looked at, from the perspective of the organization, the organization culture, they need to be compared with other frameworks. But it definitely offers an excellent starting point, a checklist, a baseline to help organizations kind of shore up their defenses. You know, you mentioned about vendors, buying HVAC devices from vendors, one of the breaches that comes to mind is the Target breach. And the hackers were able to get in by compromising one of Target's business partners. And that's what's making our environment so difficult to secure. Because you're no longer talking about an individual organization, we're talking about the organization and its network of partners, the supply chain. And so therefore, unless every organization has the right security posture, it's going to be a challenge, because there's always going to be vulnerabilities, you know, this. Today we're talking about vulnerabilities associated with IoT devices. I've had several conversations about vulnerabilities where people are the focus, but people are also part of this buying process of IoT devices, people are part of the implementation process of the IoT devices. So just like you said earlier, you just can't focus on the technology, you have to focus on the other aspects, the governance aspects, the people, the process.

Alan Mihalic:

Exactly right. And you make a very good point here. Numerous examples come to mind, a transport company moving refrigerated content around the country is escaping, temperatures are being commuted, routes are being committed, communicated and beyond the company's control. I mean, that's the solution. That's the how they operate. But third parties who potentially support those IoT devices, who manage and so forth, how secure are they, because if they're compromised, and it's unknown for a period of time, it's a direct impact upon the company. I mean, if things are not going right, in that context, if you look at sustainability within buildings, lighting is a very costly aspect of doing business. That is a very critical area that touches the bottom line, again, dependency against third parties potentially, who are supporting that in some shape or form. So when conducting, if we were to look at the framework, we would say, there's a very strong, you know, there's an IoT device checklist incorporated within that, that comes to points we spoke earlier. But there's also a whole lot of other security practices, there might be IP involved.

And I just like to touch on this if I have a minute. I see that, you know, as we have buildings that are certified for fire and water damage, I envisage that in the near future, we will have buildings that are certified for cybersecurity. And people say, Well, why is that? Because remember, IP is one of the greatest things you're going to have. And if that's stolen from you, then you potentially lose your business, your organization goes down. So you could spend millions of millions of dollars in R&D to come up with something which is innovative and progressive, have it stolen, rebadged and sold at 1/5 of the cost because that organization that stole it, or perhaps the organizational crime unit that stole it and moved it on, didn't have any of the R&D costs. So when we are talking about this, we're not, we're talking about so many levels of interaction. So when I say the cyber safe building, if you were to take an office, in some building in downtown, today, you probably wouldn't think about, you think, Oh, I've got, you know, good encryption or good HTTP. But there are all the aspects of a smart building that play into that into interconnected world that needs to be factored into your decision. And how are you going to factor that into your decision? Organizations or corporation buildings or precincts are going to smart certify their building to a certain rating, so that certain companies will feel comfortable doing business within that building. So this thing just keeps unfolding, Dave, it depends how you want to look at it, but again, it's another consideration of cybersecurity, as you said, as everyone's concern, but it impacts us on so many levels, that, potentially, we're not considering as much as we should.

Dr. Dave Chatterjee:

And, you know, that's precisely why I'm also very big on cybersecurity drills. We have fire drills, that's very popular. But I'm not sure we have information security drills at that level or at that scale. And I think, whether it's implementing smart devices, whether it's expanding your smart supply chain, you have to constantly test to assess where the vulnerabilities are, again, easier said than done. Many organizations do tabletop exercises, I'd say something is better than nothing. But it has to be part of the organizational consciousness, it has to be part of the organizational governance, infrastructure governance design, where there has to be constant testing, you know, you cannot again, leave things to chance, like you said, we will be adopting these smart devices, there's no going back, we will enable our supply chains, there's no going back. But we have to have that security layer in place. And we have to constantly test to assure we have the level of robustness that we desire. So this has been a fabulous discussion, I'd like to give you the opportunity to close it out with some key messages for our listeners, as you know, our listeners range from business leaders, cybersecurity professionals, students, teachers, so you have a lot of people to potentially influence here.

Alan Mihalic:

Well, I'd like to sort of break it down on a couple of things that we're involved with, obviously, the first is the free download of the IoT OSI framework. Now that can be, as I said, freely downloaded and applied and dissected as individuals or organizations see fit. Part of what we did though, was you know very much with an understanding of how the real world works, is that part of the IoT OSI is also a Education Lab or the educational initiative, then, which is the SSP campus. Now, the SSP campus provides cyber certification for the next generation of cyber professional covering a lot of what we discussed, you know, talking about all of that involvement and industrial control systems and the convergence of it, you know, to things we haven't touched on today, but they don't assure a well known by your audience. So what we do there, we have a series of certification programs that provide, yes, the future cyber professional the opportunity to take all of this onboard and take this much sought after skill set now as obviously, as we progress and receive some very real world training as well as good academic uplift as to how to apply that. So that's the aspect of the educational arm of that.

And we also have the opportunity for people to join the IoT cyber network, and be part of that. So if they wish to sort of bump heads and exchange ideas, it's certainly worth it. We're also very much a believer in supporting up and coming cyber professionals and we also have scholarships through the SS campus. We've recently entered into a scholarship with wom see a Latin America, which is an organization that facilitates inclusion of more women into cyber and to make it much more of an inclusive industry and that we're very proud to be part of that. We've also launched a scholarship program for African women and we're trying to work that through the campus as well.

And finally, without too much going on about things. We also had, you know, part about involvement. As you know, what you were talking about is we were working with companies, organizations that are involved in the very nature of cybersecurity services and so forth. Our SSP campus provides authorized training partnerships with these organizations, which you know, if I give you an example, you know, one of ours is wellness tech group, which is a leading smart technology service provider in the public lighting infrastructure and other services and their brand. Iris Sentinel is their cybersecurity unit. And then one of the assists campus authorized training partners. So the objective there is they take their cybersecurity suite of services, but they also provide training and certification, where required or wanted by the clients so that they leave something behind, so that the people within the organization have the smart technology, smart cyber skills. So that's a bit of a round up. But, you know, welcome everybody to go to the website and get a lot more information about all of that. And if you have any questions, of course, you can always reach out through the various traps.

Dr. Dave Chatterjee:

Fantastic, Alan, that was great. I'd like to commend you for running this nonprofit organization, we can do with all the help the cybersecurity community I mean, and why the cybersecurity the global community, we could do up with all the help. And I would encourage the listeners in their respective capacities to become, but to be more security conscious, never to leave anything to chance, explore and leverage the best possible resources out there, constantly reflect, examine, analyze possibilities, because these efforts are all well worth it. Because if we don't do that, the consequences can be very, very undesirable. So once again, thanks for talking to my listeners, talking to me. It's been a pleasure, Alan, and hope to bring you back again sometime.

Alan Mihalic:

Thank you very much, Dave. It's been a pleasure. I thoroughly enjoyed it.

Dr. Dave Chatterjee:

A special thanks to Alan Mihalic for his time and insights. If you like what you heard, please leave the podcast a rating and share it with your network. Also subscribe to the show, so you don't miss any new episodes. Thank you for listening, and I'll see you in the next episode.

Introducer:

The information contained in this podcast is for general guidance only. The discussants assume no responsibility or liability for any errors or omissions in the content of this podcast. The information contained in this podcast is provided on an as is basis with no guarantee of completeness, accuracy, usefulness, or timeliness. The opinions and recommendations expressed in this podcast are those of the discussants and not of any organization.

About the Podcast

The Cybersecurity Readiness Podcast Series
with Dr. Dave Chatterjee

About your host

Dave Chatterjee

Dr. Debabroto 'Dave' Chatterjee is a tenured professor in the Management Information Systems (MIS) department at the Terry College of Business, The University of Georgia (UGA). He is also a Visiting Scholar at Duke University, affiliated with the Master of Engineering in Cybersecurity program in the Pratt School of Engineering. An accomplished scholar and technology thought leader, Dr. Chatterjee’s interest and expertise lie in the various facets of information technology management – from technology sense-making to implementation and change management, data governance, internal controls, information security, and performance measurement. His work has been accepted and published in prestigious outlets such as The Wall Street Journal, MIT Sloan Management Review, California Management Review, Business Horizons, MIS Quarterly, and Journal of Management Information Systems. Dr. Chatterjee’s research has been sponsored by industry and cited over two thousand times. His book Cybersecurity Readiness: A Holistic and High-Performance Approach was published by SAGE Publishing in March 2021.