Episode 24

Thinking Like A Hacker

Using compelling stories and metaphors, Ted Harrington, author of Hackable: How To Do Application Security Right, and Executive Partner at Independent Security Evaluators, explains the process of hacking and the importance of being able to think like a hacker. He encourages leaders to get excited about information security investments and look for ways of gaining a competitive edge from those investments.


Time Stamps

01:59 -- So let's talk about hacking. For the benefit of the listeners, provide an overview of hacking like hacking 101, what is it? What are the many consequences?

04:30 -- Shed some light on why hackers might be interested in breaching the systems of certain types of organizations over others. And related to that, are any organization types more vulnerable than others?

08:18 -- We hear the phrase 'thinking like a hacker' a lot. The ability to think like a hacker is considered a best practice in cybersecurity governance. I'd like to probe a little deeper into it. Can you shed some light on that?

11:32 -- What are your thoughts and perspectives on the other group, the folks who are not very security savvy and generally get compromised. You would not recommend or expect them to think like a hacker. What advice do you have for them?

15:55 -- Maybe we need the media to help popularize thinking like a hacker, so literally everyone on the street has some sense of what these guys are up to, how they are thinking, how they try to attack. Not to suggest that this exposure would make everyone an expert. But at least it whets the appetite, it gives them a basic understanding. And that would help mobilize organization-wide support. Thoughts, reactions?

22:09 -- Let's talk about security assessments. It's reasonable to assume that most organizations are engaging in security assessments. But the more nuanced question is, are they engaging in the right kinds of security assessments, with methodologies that best align with their desired outcomes? What are your thoughts?

32:40 -- What are you seeing out there in terms of top management commitment to information security?

37:37 -- What is so difficult or challenging about patch management, vulnerability management?

42:10 -- What lessons do organizations refuse to learn?


Memorable Ted Harrington Quotes

"The term hacker is neutral. It's neither good nor bad.

"A hacker is someone who is a problem solver. They're creative. They're someone who looks at the way a system works and says, you know, can it behave differently than what it was intended to do?"

"To defend against an attacker, we need to think like an attacker."

"Most people think about security as avoiding a bad thing. Let's not get hacked. That is a good way to think about security, but it's incomplete. We need to think about not just how do we avoid a bad thing, but also how do we get a good thing? Not just how we do not get hacked, but how can we gain an advantage?"


Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Transcript
Introducer:

Welcome to the Cybersecurity Readiness Podcast

Introducer:

Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of

Cybersecurity Readiness:

A Holistic and High-Performance

Cybersecurity Readiness:

Approach. He has been studying cybersecurity for over a decade,

Cybersecurity Readiness:

authored and edited scholarly papers, delivered talks,

Cybersecurity Readiness:

conducted webinars, consulted with companies, and served on a

Cybersecurity Readiness:

cybersecurity SWAT team with Chief Information Security

Cybersecurity Readiness:

Officers. Dr. Chatterjee is an Associate Professor of

Cybersecurity Readiness:

Management Information Systems at the Terry College of

Cybersecurity Readiness:

Business, the University of Georgia, and Visiting Professor

Cybersecurity Readiness:

at Duke University's Pratt School of Engineering.

Dr. Dave Chatterjee:

Hello, everyone, I'm delighted to

Dr. Dave Chatterjee:

welcome you to this episode of the Cybersecurity Readiness

Dr. Dave Chatterjee:

Podcast Series. Today, I have the pleasure of talking with Ted

Dr. Dave Chatterjee:

Harrington, Executive Partner at Independent Security Evaluators

Dr. Dave Chatterjee:

and he's also the author of Hackable: How To Do Application

Dr. Dave Chatterjee:

Security Right. His company, made up of ethical hackers was

Dr. Dave Chatterjee:

born out of the Ph. D. Program at the Johns Hopkins University.

Dr. Dave Chatterjee:

They have been doing security assessments and security

Dr. Dave Chatterjee:

consulting for a long time for both large enterprises and

Dr. Dave Chatterjee:

funded startups and everyone in between. Since 2005, they have

Dr. Dave Chatterjee:

been hired by hundreds of companies, and they have helped

Dr. Dave Chatterjee:

discover 10s of 1000s of security vulnerabilities. Their

Dr. Dave Chatterjee:

work has appeared in The New York Times, Wall Street Journal,

Dr. Dave Chatterjee:

Washington Post, USA Today, Financial Times, Wired, and CBS

Dr. Dave Chatterjee:

News on Assignment. Hey, Ted, welcome.

Ted Harrington:

Thanks for having me. Excited to be here.

Dr. Dave Chatterjee:

So let's talk about hacking. For the

Dr. Dave Chatterjee:

benefit of the listeners, provide an overview of hacking

Dr. Dave Chatterjee:

like hacking 101, what is it? What are the many consequences?

Ted Harrington:

Sure, so I like this question a lot, because the

Ted Harrington:

concept of hacking and the concept of hackers is pretty

Ted Harrington:

misunderstood. So maybe we start there, like what is what is

Ted Harrington:

hacking? What is a hacker and a lot of times people talk about

Ted Harrington:

this idea, you know, hackers as if they're bad, right? That the

Ted Harrington:

hackers are malicious, or associated with wrongdoing or

Ted Harrington:

evil or whatever. And that's only partly true, because that's

Ted Harrington:

a certain that is certainly a type of hacker. But hackers, the

Ted Harrington:

term hacker is neutral. It's neither good nor bad. It's a

Ted Harrington:

hacker is someone who is a problem solver. They're

Ted Harrington:

creative. They're someone who looks at the way a system works

Ted Harrington:

and says, you know, can it behave differently than what was

Ted Harrington:

intended to do? Can I create something. So that's really what

Ted Harrington:

hackers are, and then the fork in the road comes to motivation,

Ted Harrington:

right? So if someone is doing this, because they want to

Ted Harrington:

obtain some sort of personal gain, they want to harm others.

Ted Harrington:

That's what attackers would be certainly. But the other forks

Ted Harrington:

of the road are ethical hackers, people who do the same things

Ted Harrington:

use the same tools, the same techniques, still want to find

Ted Harrington:

those issues with how a system works. But they do it because

Ted Harrington:

they want to fix the system, they want to make it better,

Ted Harrington:

they want to improve it. And that's the corner of the world

Ted Harrington:

that I come from, that our people all come from. And both

Ted Harrington:

are hackers. So really fundamentally, that's what

Ted Harrington:

hacking is hacking is looking at something and saying, you know,

Ted Harrington:

can it be differently, and there's this classic TV series

Ted Harrington:

called MacGyver that, you know, maybe younger generations might

Ted Harrington:

not be familiar with. I've never even actually really seen

Ted Harrington:

MacGyver myself. But I'm very familiar with the concept of

Ted Harrington:

MacGyver. And he's, you know, this dude, who would just he

Ted Harrington:

create things out of, he'd take things that were supposed to do

Ted Harrington:

one thing and make it do something else. Like if there

Ted Harrington:

was one episode where he, I think he needed to start a car

Ted Harrington:

or something and he took a paperclip, which the purpose of

Ted Harrington:

a paperclip is to clip together paper. And he used this to like

Ted Harrington:

somehow, you know, ignite the engine in a vehicle. That's a

Ted Harrington:

hacker that's someone who says, you know, things supposed to

Ted Harrington:

work in a certain way, can I make it behave differently, and

Ted Harrington:

then motivation determines whether that's a good thing or a

Ted Harrington:

bad thing.

Dr. Dave Chatterjee:

That's interesting. That's an

Dr. Dave Chatterjee:

interesting way of looking at hacking. I never thought about

Dr. Dave Chatterjee:

it as hackers as problem solvers. But I see from where

Dr. Dave Chatterjee:

you're coming. With the growing expansion of attack surfaces and

Dr. Dave Chatterjee:

evolution of attack vectors. It's hard for organizations to

Dr. Dave Chatterjee:

keep up with the latest hacking methods and techniques. And

Dr. Dave Chatterjee:

that's why companies often hire organizations that are made up

Dr. Dave Chatterjee:

of ethical hackers to help them stay on top of information

Dr. Dave Chatterjee:

security management to the extent possible. So shed some

Dr. Dave Chatterjee:

light on why hackers might be interested in breaching systems

Dr. Dave Chatterjee:

of certain types of organizations over others, if

Dr. Dave Chatterjee:

that's the case, that may not be the case. And related to that,

Dr. Dave Chatterjee:

are any organization types more vulnerable than others? Yeah,

Ted Harrington:

let's tackle those separately, because they

Ted Harrington:

let's

Ted Harrington:

are two slightly different questions. But that can be

Ted Harrington:

conflated. So why would an attacker attack a specific

Ted Harrington:

organization? I think this is a wonderful question. And it goes

Ted Harrington:

to the heart of one of the very common misunderstandings that

Ted Harrington:

people have about attackers. Most people think that this idea

Ted Harrington:

of we've already broken down that there's, you know, hackers

Ted Harrington:

can be good, or hackers can be bad. But even amongst the bad

Ted Harrington:

hackers, they're not all the same thing. But we often talk

Ted Harrington:

about them as if they're all the same thing. And that's actually

Ted Harrington:

not true. So different attacker groups, they're motivated to

Ted Harrington:

achieve different outcomes. So the most common one, almost

Ted Harrington:

everybody talks about hackers as being profit motivated. And that

Ted Harrington:

is indeed a very compelling motivation for many types of

Ted Harrington:

attackers. I mean, basically, anyone who engages in ransomware

Ted Harrington:

profit is the motive. Almost everyone, there's, there's cases

Ted Harrington:

where maybe you use that to hide your other motive, but so

Ted Harrington:

someone who wants to make money that's like organized crime as

Ted Harrington:

an example, they are attacking because they want to make money.

Ted Harrington:

But then you've got groups that are more interested in

Ted Harrington:

notoriety, right. So maybe it's someone who just they want to

Ted Harrington:

prove they can do it, or they want to go to brag about it, or

Ted Harrington:

they want to, yeah, they just want the notoriety associated

Ted Harrington:

with it. That's a different motivation from someone who may

Ted Harrington:

be like anonymous, the hacker collective that fits in the

Ted Harrington:

group of what are called hacktivists, which they attack

Ted Harrington:

organizations in order to make a statement. And then there's

Ted Harrington:

nation states that attack organizations in order to pursue

Ted Harrington:

their geopolitical objectives. And so when we think about

Ted Harrington:

different attackers having different motivations that comes

Ted Harrington:

into play, in terms of how we now think about how we defend,

Ted Harrington:

because we think about, well, what are we trying to protect,

Ted Harrington:

and is what we have something that an attacker could pursue

Ted Harrington:

their specific motivation for. So they want to feel like a lot

Ted Harrington:

of companies, they'll say, Well, I don't have anything valuable,

Ted Harrington:

I don't protect any valuable data. So no one's going to

Ted Harrington:

attack me because I don't have valuable data and no one's gonna

Ted Harrington:

make money off of attacking me. And hopefully, what I just

Ted Harrington:

illustrated makes it clear that that's actually not the case.

Ted Harrington:

You know, you might not have valuable data, but maybe you

Ted Harrington:

have, maybe your organization can be swept up in a botnet.

Ted Harrington:

Your computational power can be used in a broader DDoS type

Ted Harrington:

attack. Maybe your organization has some sort of influential

Ted Harrington:

information on maybe population trends or things that are

Ted Harrington:

happening on a national level that another nation might want

Ted Harrington:

to understand. So we have to understand the attacker, why

Ted Harrington:

they're motivated in order to help ourselves think about what

Ted Harrington:

do we need? Why would someone attack us?

Dr. Dave Chatterjee:

Very true, very true. We hear this phrase

Dr. Dave Chatterjee:

'thinking like a hacker' a lot. The ability to think like a

Dr. Dave Chatterjee:

hacker is considered a best practice in cybersecurity

Dr. Dave Chatterjee:

governance. I'd like to probe a little deeper into it. Can you

Dr. Dave Chatterjee:

shed some light on that?

Ted Harrington:

Yeah, I'm, I'm definitely one of those people

Ted Harrington:

who's out there banging this drum. I say this to anyone who

Ted Harrington:

will listen that Yeah, to defend against an attacker, we need to

Ted Harrington:

think like an attacker. Um, and this this idea of more

Ted Harrington:

generally, you know, think like a hacker, whether that's a you

Ted Harrington:

know, good type of hacker or a bad type Agere. This is

Ted Harrington:

absolutely mission critical for organizations to be able to

Ted Harrington:

secure their what it is, whatever it is, they're trying

Ted Harrington:

to protect the most, they really need to think like, someone who

Ted Harrington:

would attack a system. And that's not very easy actually to

Ted Harrington:

do. And most people aren't wired that way. I often think of this,

Ted Harrington:

like the movie, The Matrix. Maybe this is a little bit of a

Ted Harrington:

spoiler, but the movie has been out for, like 25 years. So if

Ted Harrington:

you haven't seen it yet, that's on you. And then I'm spoiling

Ted Harrington:

it. You know, you find out partway through this movie, that

Ted Harrington:

you know, everyone who's living normal life, like we live normal

Ted Harrington:

life, you know, here on Earth, all of a sudden, you're actually

Ted Harrington:

in a simulation. And when you unplug from the matrix, you

Ted Harrington:

realize you're, you're now living reality, but the reality

Ted Harrington:

is really ugly. You're in this like post apocalyptic world and

Ted Harrington:

it's like everything cold your food is basically like eating

Ted Harrington:

dust. It's, it's a terrible life, but you have freedom. And

Ted Harrington:

I often think of that's what it's like, once you can think

Ted Harrington:

like a hacker is like once you unplug from the matrix, and you

Ted Harrington:

see kind of all the darkness in the world. Hold, there's no

Ted Harrington:

going back. And so it's not for everybody, not everybody should

Ted Harrington:

not think that everybody doesn't have the capability to see the

Ted Harrington:

world that way. And most people probably don't want to see the

Ted Harrington:

world that way. But those of us who are engaged in this as a

Ted Harrington:

profession, or even as a hobby, this is the way that we see it.

Ted Harrington:

And the reason that this is important is, I guess, think of

Ted Harrington:

it like, what's any metaphor, I don't know, think of a sports

Ted Harrington:

metaphor, right? If you're, if you're playing against an

Ted Harrington:

opponent coming up this weekend, how are they going to think

Ted Harrington:

about their plan to try to win the game against you, right, you

Ted Harrington:

have to put yourself in the shoes of your opponent, in order

Ted Harrington:

to be able to understand how will you like what's, what's the

Ted Harrington:

lens through which they see you, and how will you be attacked.

Ted Harrington:

And that's why this idea of thinking like a hacker is

Ted Harrington:

really, really important. Because, again, to use a sports

Ted Harrington:

metaphor, like when when we think as defenders, that sort of

Ted Harrington:

like someone who's, you know, playing basketball, and they're,

Ted Harrington:

they're playing defense on their heels, right. And so anyone

Ted Harrington:

who's played really any ball sports, any team sports knows

Ted Harrington:

that if your weight is on your heels, it's really, really hard

Ted Harrington:

to react to the ball coming at you. And so the advice is, you

Ted Harrington:

always have to be on your toes, you have to be leaning forward,

Ted Harrington:

not leaning backwards. And so when we think like defenders,

Ted Harrington:

we're leaning backwards, we're sort of like waiting for the

Ted Harrington:

world to come to us. But that makes it really hard to react.

Ted Harrington:

Instead, we should be leaning forward, we should be on our

Ted Harrington:

toes. And we should be thinking like, Hey, we're actually on the

Ted Harrington:

offense, not on the defense. And that's what think like a hacker

Ted Harrington:

helps you do.

Dr. Dave Chatterjee:

And so, you know, as you said, that you

Dr. Dave Chatterjee:

don't expect everyone to think like a hacker. Now, maybe the

Dr. Dave Chatterjee:

cybersecurity professionals in the organization, who are paid

Dr. Dave Chatterjee:

to, you know, be proactive, make recommendations on how to secure

Dr. Dave Chatterjee:

the organization, from new attack types, maybe they are the

Dr. Dave Chatterjee:

ones who should be thinking like a hacker. But I'm just curious

Dr. Dave Chatterjee:

to know, your thoughts and perspectives on the other group,

Dr. Dave Chatterjee:

the folks who generally get compromised, they are not very

Dr. Dave Chatterjee:

security savvy, they learn as best they can, what they're told

Dr. Dave Chatterjee:

by the organization. For those folks, obviously, they are not

Dr. Dave Chatterjee:

the type that you'd recommend, think like a hacker. But what

Dr. Dave Chatterjee:

advice do you have for them?

Ted Harrington:

Yeah, so as you can, as you're gonna see,

Ted Harrington:

throughout the crowd, I'm big on metaphors. So let's, let's use

Ted Harrington:

the metaphor of someone who builds skyscrapers, right? So

Ted Harrington:

that particular type of contractor that takes a specific

Ted Harrington:

skill set, developed over a long period of time, you know, how to

Ted Harrington:

build a skyscraper. Now, if someone comes to you and says,

Ted Harrington:

Hey, we've got this other skyscraper over here, and we

Ted Harrington:

need to demo it, we need to demolish it. You know how these

Ted Harrington:

things, you build these things all day? Can you demolish this

Ted Harrington:

one? They'd be like, maybe like, I guess I know the fundamentals

Ted Harrington:

of how it's built. But like, that's not what I do. That's not

Ted Harrington:

my profession. That's not my chosen craft. So what do they

Ted Harrington:

do? They say, Well, why don't we get a demo expert in here to do

Ted Harrington:

the demo, and I'll work with them. And I'll say, you know,

Ted Harrington:

we'll, we'll talk through the mechanics of this building. And,

Ted Harrington:

and that's how we'll have a successful demolition. But

Ted Harrington:

they're two completely different crafts. So the first piece of

Ted Harrington:

advice is, you need to work with somebody, like you're the

Ted Harrington:

builder, you need to work with a breaker, right? So companies who

Ted Harrington:

are out there building, whatever system that you're building, you

Ted Harrington:

definitely want to work with ethical hackers, because they

Ted Harrington:

help you because they bring that expertise, that, as you

Ted Harrington:

correctly noted, isn't necessarily the core part of

Ted Harrington:

what it is that you're doing. It's similar to like any

Ted Harrington:

expertise that you would partner with externally, so companies

Ted Harrington:

all the time will partner with, you know, outside counsel,

Ted Harrington:

outside accountants outside, you know, pick your expertise,

Ted Harrington:

they'll, they'll say, Hey, you're gonna come and sort of be

Ted Harrington:

the surgical strike that does this specific thing that we

Ted Harrington:

don't actually fully staffing out. So that's the first thing

Ted Harrington:

is, you know, work with outside organizations. Second thing is

Ted Harrington:

to, even though that that's what has to happen is you have to

Ted Harrington:

work with outside organizations who specialize in this thing.

Ted Harrington:

You want to also make sure that you understand the principles.

Ted Harrington:

So if we use that, the skyscraper metaphor, the guy who

Ted Harrington:

or the guy or the gal who builds a skyscraper should also know

Ted Harrington:

where the weaknesses are and know and know how it might

Ted Harrington:

crumble if it's not built correctly. Now, that doesn't

Ted Harrington:

mean they're gonna go out and do demo, but they're going to know

Ted Harrington:

like, Hey, this is a, you know, this type of joint stresses in a

Ted Harrington:

in a bad way, we should make sure we don't use that type of

Ted Harrington:

joint. And I'm way oversimplifying the practice of

Ted Harrington:

building a skyscraper for sure. But you know, it's for

Ted Harrington:

illustrative purposes. And so that's the second piece of

Ted Harrington:

advice is make sure you understand the principles so

Ted Harrington:

your work with someone else, but still, you have to make sure

Ted Harrington:

that they understand the principles yourself. And then

Ted Harrington:

the third is this. It's abstract, but it's keep asking

Ted Harrington:

these questions, right? It's your whatever it is that you do

Ted Harrington:

in any profession, your core expertise, you're going to, you

Ted Harrington:

know, that's where the focus of your develop effort developing

Ted Harrington:

yourself is going to be. But there's always going to be these

Ted Harrington:

things on the periphery that like, oh, I should probably know

Ted Harrington:

about that. But maybe I'm not the expert in that. But by

Ted Harrington:

asking the questions of what do I need to know about x? So the

Ted Harrington:

person who's listening to this right now, who builds systems

Ted Harrington:

and says, What do I need to know about security? That question is

Ted Harrington:

so important, it's so powerful, because just by asking it, it

Ted Harrington:

leads you to the type of growth that is necessary, in order to

Ted Harrington:

make sure you understand the principles even though the, the

Ted Harrington:

entity or the person who's going to be responsible for this is

Ted Harrington:

going to be someone else, you can't completely delegate it to

Ted Harrington:

someone else.

Dr. Dave Chatterjee:

I agree. I wholeheartedly agree. In fact,

Dr. Dave Chatterjee:

as you were talking, a thought came to mind. I wish you know,

Dr. Dave Chatterjee:

that. There are more demonstrations, visual

Dr. Dave Chatterjee:

demonstrations, graphical illustrations, and various forms

Dr. Dave Chatterjee:

of presentations made available to the masses, where people get

Dr. Dave Chatterjee:

to see how hackers think, how hackers act. And I realized that

Dr. Dave Chatterjee:

can get very technical, but that's where the skill lies. Can

Dr. Dave Chatterjee:

we present the technical stuff in a non technical way you, you

Dr. Dave Chatterjee:

use metaphors and you, you know, kind of talked about several

Dr. Dave Chatterjee:

movies. So maybe we need more media help here to popularize

Dr. Dave Chatterjee:

thinking like a hacker. So everyone on the street literally

Dr. Dave Chatterjee:

has some sense of what these guys are up to how they are

Dr. Dave Chatterjee:

thinking how they try to attack, not to suggest that this would

Dr. Dave Chatterjee:

make everyone an expert, but at least it whets the appetite, it

Dr. Dave Chatterjee:

gives them a basic understanding. And that would

Dr. Dave Chatterjee:

help the organization to mobilize support from from all

Dr. Dave Chatterjee:

parts of the organization. Thoughts, reactions?

Ted Harrington:

Yeah, well, let me try to illustrate with maybe

Ted Harrington:

a metaphor that most people can relate to. Most people don't

Ted Harrington:

like waiting in line. Right? I think that's just, even though

Ted Harrington:

everyone does wait in line, like people literally spend money and

Ted Harrington:

vacation time to go to places like Disneyland, because they

Ted Harrington:

want to wait in line all day. So they can, you know, wait in line

Ted Harrington:

for an hour to take a three minute ride. Not for me, but

Ted Harrington:

hey, you know, whatever floats your boat, but I think but, but

Ted Harrington:

most people, even though they wait in those lines, they pay to

Ted Harrington:

wait in those lines, they take time off their job to wait in

Ted Harrington:

those lines, people would still say they don't like waiting in

Ted Harrington:

the line. I think that's sort of a universal human condition. No

Ted Harrington:

one, no one is enjoying the line. So let me tell you about a

Ted Harrington:

story that I had involving a line and this is this story

Ted Harrington:

actually is a form of social engineering. But the components

Ted Harrington:

to it describe exactly the process that an attacker would

Ted Harrington:

go through. So if we can imagine a bar, and the bar is going to

Ted Harrington:

be you know, a bar, like a nightclub. This bar represents

Ted Harrington:

our, it represents a, a system that someone is building. So I

Ted Harrington:

this was a few years ago, I wound up going to this, this

Ted Harrington:

bar, and I was meeting up with some friends. And I can't

Ted Harrington:

remember why I needed to go to this specific bar. But I mean,

Ted Harrington:

it was like someone's birthday, but I had to go to this. It

Ted Harrington:

wasn't like, we'll just go to another bar, and there was this

Ted Harrington:

huge line. And then when you you get through this whole long line

Ted Harrington:

takes a half an hour or whatever, then you pay a cover

Ted Harrington:

charge to get in. And I didn't want anything to do with either

Ted Harrington:

of those. I was like I don't want to wait in line and then

Ted Harrington:

pay you know, whatever. 20 bucks just just for the right to now

Ted Harrington:

go in and I'll spend more money. So I did what you know, really

Ted Harrington:

any hacker minded person does the first thing I did was I

Ted Harrington:

assessed the system I looked at how does the system work? Okay,

Ted Harrington:

well, there's a line that gets you in and, and then you pay a

Ted Harrington:

cover when you're in and that grants you access. But I noticed

Ted Harrington:

there's also this other area for a VIP entrance. And that VIP

Ted Harrington:

entrance, you can only there's no line, there's no cover, but

Ted Harrington:

you can only go in if you're on the list. So that's the second

Ted Harrington:

thing I did was I said alright, well, how could the challenge

Ted Harrington:

question was how can I make them believe I'm on the list? I'm not

Ted Harrington:

on the list, but how can I make them believe it? So that's the

Ted Harrington:

second thing that attackers will do, though. They'll essentially

Ted Harrington:

set out a challenge statement for themselves. Like what's the

Ted Harrington:

goal? What am I trying to do? And in this case, I was trying

Ted Harrington:

to get the privileges of someone on the VIP list when I didn't

Ted Harrington:

have those privileges. That's called privilege escalation. So

Ted Harrington:

then the next thing I did was what any attacker Do I, I probed

Ted Harrington:

some I established some assumptions about how the system

Ted Harrington:

worked. And my assumption was, if I can produce the name of

Ted Harrington:

someone on that list, they will assume I'm on the list. So that

Ted Harrington:

was my goal, I needed to produce a name on the list. I did not

Ted Harrington:

know any names. So here's what I did. So I walk right up to the

Ted Harrington:

VIP hostess, and I say, Hi, I'm on the list. Now, again, I just

Ted Harrington:

told you I'm not I'm not listed. She doesn't know this, but I'm

Ted Harrington:

not on the list. So I said, Hi, I'm on the list. So when she

Ted Harrington:

asks me, What My name is telling her my name wasn't going to

Ted Harrington:

help, because I'm not on the list. And guessing is like,

Ted Harrington:

what's the chances? I guess somebody's name, right? Like,

Ted Harrington:

it's so like, why even bother? So I'm not gonna guess. So

Ted Harrington:

instead, I issue what's called a specially crafted input. Now,

Ted Harrington:

this is when an attacker is probing a system to see how it's

Ted Harrington:

going to react. And in this case, a specially crafted input

Ted Harrington:

was I said, Well, I'm with the group, I made an assumption that

Ted Harrington:

the there was going to be a group, and the group would be on

Ted Harrington:

the VIP list. And so when she said which group again, I

Ted Harrington:

didn't, you know, same problems, I didn't know the names of any

Ted Harrington:

group guessing wasn't going to help. So again, I asked, I

Ted Harrington:

issued another specially crafted input, and I said, I'm with the

Ted Harrington:

big group. And I was making an assumption that that would be

Ted Harrington:

something that would be on the list, there would be one group

Ted Harrington:

larger than others. And with that, she looks down at her

Ted Harrington:

clipboard, she flips a couple pages, and she says, Oh, the

Ted Harrington:

Smith party. And I said, Yes, I am with the Smith party. And

Ted Harrington:

with that, I had achieved the goal, I associated myself with a

Ted Harrington:

name on the list, she opens the velvet rope escorts, we passed

Ted Harrington:

the law and pass the cover charge. And, you know, I went

Ted Harrington:

into the bar, I should say, as a sidebar, I am an ethical hacker.

Ted Harrington:

So even though I did not pay the cover charge, I'm more than made

Ted Harrington:

up for it with over tipping my bar staff, everyone, the only

Ted Harrington:

person who lost money that night was probably me, like everyone

Ted Harrington:

made out. But I didn't have to wait in line, which is what I

Ted Harrington:

didn't want to do. But the point of that story, whether you like

Ted Harrington:

going to bars or not, or you've never even been to a bar, we've

Ted Harrington:

all been in situations we don't like waiting in line. And that

Ted Harrington:

story can illustrate in a way that I think everyone can relate

Ted Harrington:

to the process that attackers go through.

Dr. Dave Chatterjee:

Excellent. That's a very, very interesting

Dr. Dave Chatterjee:

and telling story. In fact, that reminds me, this is not so much

Dr. Dave Chatterjee:

about how hackers hack, but how to be on your guard to be on

Dr. Dave Chatterjee:

your defense. And I wasn't that night, where I went to a

Dr. Dave Chatterjee:

restaurant at great city, I won't name it here. And it was a

Dr. Dave Chatterjee:

Halloween, I think, and it was a haunted restaurant. So we were

Dr. Dave Chatterjee:

having dinner there. And the lights were very dim. And you

Dr. Dave Chatterjee:

know, they were trying to create that atmosphere I was in my

Dr. Dave Chatterjee:

family. So we had dinner. And then when the waitress came up

Dr. Dave Chatterjee:

asking for the credit card, I gave it to her without thinking

Dr. Dave Chatterjee:

twice that I should be scanning the card right there. And then I

Dr. Dave Chatterjee:

shouldn't be giving it to somebody. And next moment. Well,

Dr. Dave Chatterjee:

you know, that night, everything went off. Well, we checked out

Dr. Dave Chatterjee:

and we had a good night's rest. Next morning, I was driving my

Dr. Dave Chatterjee:

son for his tennis match. And then I got a call. I was not

Dr. Dave Chatterjee:

planning to take the call. It was an 800 number call. But then

Dr. Dave Chatterjee:

I did. I'm glad I did. It was a Bank of America representatives

Dr. Dave Chatterjee:

asking where I was the previous night. And then he was able to

Dr. Dave Chatterjee:

share some data and facts that told me that my card got hacked.

Dr. Dave Chatterjee:

And it was already being used in the state of California. And I

Dr. Dave Chatterjee:

was on the eastern part of the country. So I knew that somebody

Dr. Dave Chatterjee:

had gotten access to it. So this is an example where even those

Dr. Dave Chatterjee:

of us who are conscious about this phenomenon will play a

Dr. Dave Chatterjee:

role. Even they can get caught napping and they can get

Dr. Dave Chatterjee:

compromised, and which has happened to me not once but

Dr. Dave Chatterjee:

several times. And that's all the more I believe the need for

Dr. Dave Chatterjee:

reiterating reinforcing some fundamental principles, some

Dr. Dave Chatterjee:

guidelines and recommendations. Because I believe that the very

Dr. Dave Chatterjee:

best of people have been, can be or will be breached in the

Dr. Dave Chatterjee:

future. So that is great. Good discussion on that topic.

Dr. Dave Chatterjee:

Switching gears a little bit. Let's talk about security

Dr. Dave Chatterjee:

assessments. It's reasonable to assume that most organizations

Dr. Dave Chatterjee:

are engaging in security assessments. But the more

Dr. Dave Chatterjee:

nuanced question is, are they engaging in the right kinds of

Dr. Dave Chatterjee:

security assessments with methodologies that best align

Dr. Dave Chatterjee:

with their desired outcomes? What are your thoughts?

Ted Harrington:

You are preaching to the choir right

Ted Harrington:

now? That is that is the question in that matter that

Ted Harrington:

absolutely is the question that matters. Wow. So the way you

Ted Harrington:

actually framed the question first was, you know, we're

Ted Harrington:

assuming that most organizations are getting security

Ted Harrington:

assessments. I hope that is true. I guess it should be

Ted Harrington:

stated that that's assuming an organization is something worth

Ted Harrington:

protecting, that is actually an important item to note. So if

Ted Harrington:

you don't have something worth protecting, then like, why would

Ted Harrington:

you invest in protecting it doesn't matter. But assuming you

Ted Harrington:

do, I mean, someone who's listening to a show like this,

Ted Harrington:

you probably do. Right? You wouldn't be investing your time,

Ted Harrington:

in listening to Ted ramble until random metaphors, if you didn't

Ted Harrington:

have something to protect, so we're assuming have something to

Ted Harrington:

protect, you're getting these security assessments done. And

Ted Harrington:

the real problem that I see, I mean, one of the motivations to

Ted Harrington:

want to write a book was because I saw this rampant problem all

Ted Harrington:

over the place, which is that the way that we talk about

Ted Harrington:

security testing, and we I'm talking about collectively, the

Ted Harrington:

security community, but also those who engage with security

Ted Harrington:

community who hire security professionals to do security

Ted Harrington:

testing, we talk about it in very imprecise ways. And it

Ted Harrington:

winds up leading to some really bad outcomes. So what most

Ted Harrington:

people want when they're hiring, security testing? Well, there

Ted Harrington:

are different motivations for why someone would go hire one.

Ted Harrington:

But they're usually something like, well, I need to prove it

Ted Harrington:

to someone else. And I need to actually secure the thing. So

Ted Harrington:

those are, sometimes hopefully, it's both sometimes it's just

Ted Harrington:

one, like, I need to prove this, I don't care what it is, I need

Ted Harrington:

to prove it to someone else that I did a security test. But In

Ted Harrington:

but in the case of, you know, the more progressive companies

Ted Harrington:

definitely, they're actually trying to improve the security

Ted Harrington:

of the system. They're not just going through the motions. But

Ted Harrington:

the problem is, the way we talk about security testing is we use

Ted Harrington:

terms incorrectly all the time. So people often will ask for

Ted Harrington:

penetration testing. That's sort of the term that's become the

Ted Harrington:

catch all. But penetration testing is a very specific type

Ted Harrington:

of thing. But complicating that problem, they're asking for

Ted Harrington:

penetration testing, they're usually sold something else.

Ted Harrington:

Like if you Google that term, right now, almost all the

Ted Harrington:

results you're gonna get, not all of them, but at least three

Ted Harrington:

quarters of them are something else, they're going to be

Ted Harrington:

vulnerability scanning, they're not penetration testing. But

Ted Harrington:

then what makes it even more complicated is that what people

Ted Harrington:

actually need usually isn't actually penetration testing at

Ted Harrington:

all. What they usually need is what's called vulnerability

Ted Harrington:

assessments. And I can definitely I've, of course, I've

Ted Harrington:

metaphors, I can explain the difference between these these

Ted Harrington:

three types. But the point that I want to leave on answering

Ted Harrington:

your question here is that those are three really different

Ted Harrington:

things. They entail different investments of time, and money

Ted Harrington:

and person power, and they deliver different things. So

Ted Harrington:

when people are asking for something, they're getting

Ted Harrington:

something else, and yet they actually needed a third thing

Ted Harrington:

altogether, have we actually achieved the mission? Right?

Ted Harrington:

Have we actually accomplished what we set out to accomplish,

Ted Harrington:

and that is a really big problem.

Dr. Dave Chatterjee:

There are a few things that you've mentioned

Dr. Dave Chatterjee:

more than once now, and I believe it, it's worth

Dr. Dave Chatterjee:

reiterating, re emphasizing, and that is, an organization needs

Dr. Dave Chatterjee:

to know, or needs to have a good understanding of what it wants

Dr. Dave Chatterjee:

to secure. And what are the tools, the methodologies, the

Dr. Dave Chatterjee:

techniques that are out there? Now, one is not expecting an

Dr. Dave Chatterjee:

organization, especially smaller organizations resource

Dr. Dave Chatterjee:

constrained to have the kinds of expertise to make those calls,

Dr. Dave Chatterjee:

but they need to reach out and get help. Again, you know,

Dr. Dave Chatterjee:

trying to follow your example of using a metaphor. It's like,

Dr. Dave Chatterjee:

when you go to a doctor, and or you're, you're thinking of going

Dr. Dave Chatterjee:

to a doctor, because you feel there is an issue. And so you're

Dr. Dave Chatterjee:

doing your best due diligence possible, doing your searches,

Dr. Dave Chatterjee:

you know, talking to people getting advice. So you have a

Dr. Dave Chatterjee:

planning process in place. And it's important, why is it

Dr. Dave Chatterjee:

important because it's your health. And I like to use the

Dr. Dave Chatterjee:

health metaphor, because when it comes to security, that's the

Dr. Dave Chatterjee:

security is the health of the organization. It is I believe

Dr. Dave Chatterjee:

that there is not far where we'll be ranking organizations

Dr. Dave Chatterjee:

on their security health rating. So therefore, developing an

Dr. Dave Chatterjee:

understanding of what the security needs are, and who is

Dr. Dave Chatterjee:

the right person who can provide the help or who are the right

Dr. Dave Chatterjee:

people who can deliver the goods is absolutely mission critical.

Dr. Dave Chatterjee:

So therefore, your points are very well made that to recognize

Dr. Dave Chatterjee:

what kind of help you need from a security standpoint. And that

Dr. Dave Chatterjee:

will immediately help align what you get by way of security

Dr. Dave Chatterjee:

mechanisms, along with your overall organizational goals and

Dr. Dave Chatterjee:

strategies. So I just wanted to re emphasize there anything else

Dr. Dave Chatterjee:

you'd like to add to that?

Ted Harrington:

Well, just that the doctor patient metaphor for

Ted Harrington:

security is so good. And there's so many aspects of that

Ted Harrington:

relationship that we can, you know, tie back to security, and

Ted Harrington:

I'm just deciding whether or not to go down all those different

Ted Harrington:

rabbit holes right now. But I'll definitely tie back to one or

Ted Harrington:

more of them as as we go. But, um, if we want to use the doctor

Ted Harrington:

metaphor, and the context of the question that you're asking

Ted Harrington:

about, like, how do we make sure we're getting the right thing? I

Ted Harrington:

think it's, that's actually, maybe that's a good metaphor for

Ted Harrington:

us to use, because it's like when people go into the doctor's

Ted Harrington:

office, and they're like, Oh, I checked on WebMD, my, you know,

Ted Harrington:

my symptoms or whatever. And so they, they've self diagnosed, so

Ted Harrington:

they go into the doctor, and they're like, I need a, I don't

Ted Harrington:

know, insert jargon, technical term right now. And the doctor

Ted Harrington:

is like, we'll get to that limit. Let me instead, evaluate

Ted Harrington:

your symptoms, see where we're at. And I'll tell you, then, you

Ted Harrington:

know, what we need. But the problem that happens in security

Ted Harrington:

would be like, so doctors, I guess I don't know what I'm

Ted Harrington:

about to say for 100% Certain, because I am not a doctor. But

Ted Harrington:

my understanding is that in medicine, a procedure has a

Ted Harrington:

name. And that's a universally understood procedure. The

Ted Harrington:

problem with what's happening with security. So let's say I

Ted Harrington:

don't know what the technical term would be, let's just say

Ted Harrington:

it's called knee replacement. You know, someone goes in, and

Ted Harrington:

they're like, I think I might, you know, my knees bother me, I

Ted Harrington:

need some help with my knee. And then a doctor is like, you need

Ted Harrington:

a knee replacement. The problem, insecurity would be like, when

Ted Harrington:

one doctor says knee replacement, he means I'm going

Ted Harrington:

to replace your knee, another doctor means I'm going to give

Ted Harrington:

you orange juice. And a third doctor means I'm going to give

Ted Harrington:

you a physical, and you're like, these are all using the same

Ted Harrington:

term to describe really, really different things. And the

Ted Harrington:

patient doesn't know any better to like, because the patient's

Ted Harrington:

going to the expert. That's why this is a real problem. Like if

Ted Harrington:

you went to the doctor, and three different doctors said the

Ted Harrington:

same term, but they meant three different things. You probably

Ted Harrington:

wouldn't go to the doctor anymore. And that's why is such

Ted Harrington:

a significant problem.

Dr. Dave Chatterjee:

Yep, very cool. You know, I, I authored a

Dr. Dave Chatterjee:

book, which, which was published by SAGE last year on

Cybersecurity Readiness:

A Holistic and High-Performance

Cybersecurity Readiness:

Approach. In that book, I, I presented a framework, it's

Cybersecurity Readiness:

called the Commitment, Preparedness and Discipline

Cybersecurity Readiness:

framework that is associated with 17 cybersecurity readiness

Cybersecurity Readiness:

success factors. And I'm not going to go down that list, but

Cybersecurity Readiness:

I wanted your thoughts on some of them, which I have found to

Cybersecurity Readiness:

be very important for an organization to secure

Cybersecurity Readiness:

themselves or get the resources they need to secure themselves.

Cybersecurity Readiness:

And one of those success factors happens to be hands-on top

Cybersecurity Readiness:

management. And it's a challenge out there. In terms of how to

Cybersecurity Readiness:

get top management attention, how to get top management

Cybersecurity Readiness:

actively engaged in cybersecurity planning,

Cybersecurity Readiness:

execution, monitoring. Just curious because you're in the

Cybersecurity Readiness:

field, and you are you and your company are engaging in engaging

Cybersecurity Readiness:

with numerous organizations. What are you seeing out there,

Cybersecurity Readiness:

in terms of top management commitment to information

Cybersecurity Readiness:

security?

Ted Harrington:

Well, it's it's definitely becoming more and

Ted Harrington:

more of a priority for executive leadership. I think you probably

Ted Harrington:

could have any number of security professionals on here

Ted Harrington:

to answer that question that would probably all say, some

Ted Harrington:

version of the same thing, right, which is like, security

Ted Harrington:

is a business problem, not a technical problem. We need to

Ted Harrington:

speak in the language of leaders, which is, you know, in

Ted Harrington:

terms of numbers and outcomes, and all that stuff. And we need

Ted Harrington:

to make sure that we, you know, don't make it technical and all

Ted Harrington:

that. So I would say all those things, too. But instead, what I

Ted Harrington:

want to share is something that I see the most progressive

Ted Harrington:

organizations doing that are the ones who are getting it right.

Ted Harrington:

And they're currently in the minority. They're on if we think

Ted Harrington:

about, you know, a bell curve. They're on the early early

Ted Harrington:

adopter side. And my hope is that eventually we're going to

Ted Harrington:

get the whole world thinking this way. And the way is this

Ted Harrington:

one Most people think about security as avoid a bad thing,

Ted Harrington:

right, let's not get hacked. That is, in fact, a good way to

Ted Harrington:

think about security. But it's incomplete. We also need to

Ted Harrington:

think about not just how do we avoid a bad thing? But how do we

Ted Harrington:

get a good thing? So not just how do we not get hacked? But

Ted Harrington:

how do we gain an advantage. And one of the things that is very,

Ted Harrington:

very obvious to me, as I look at the companies really across

Ted Harrington:

industries across sectors, the ones who do two things, first,

Ted Harrington:

actually secure their systems. And then secondly, in an

Ted Harrington:

authentic and credible way, prove it, they gain this

Ted Harrington:

incredible competitive advantage over their competitors. So if

Ted Harrington:

that's a company, they're competing the way a company

Ted Harrington:

will, you know, for customers and market share. But there's

Ted Harrington:

other ways you can compete, too, whether that's maybe you're a

Ted Harrington:

nonprofit, and you need donors, maybe you're a government, and

Ted Harrington:

you need your political influence, or whatever. people

Ted Harrington:

and companies and organizations, they want to do business with

Ted Harrington:

organizations that are secure, they want trust is the

Ted Harrington:

foundation of so they trust someone, they're going to want

Ted Harrington:

to work with them, or at least if they don't trust them,

Ted Harrington:

they're going to be hesitant to work with them. And so this is

Ted Harrington:

one of the things that I see executives at the more

Ted Harrington:

progressive organizations capturing, they see it, they

Ted Harrington:

look at it, and they're like, if we only think of security as a

Ted Harrington:

bad avoid a bad thing, what we're going to do is we're going

Ted Harrington:

to make some risk based decisions about, look, this is

Ted Harrington:

just a tax on the business. How do we reduce the tax to the

Ted Harrington:

right amount that's not so low that we expose ourselves to huge

Ted Harrington:

risk, but we're not overspending? That's the way

Ted Harrington:

that's the way most people actually think about security,

Ted Harrington:

when it's the idea of avoid a bad thing. But now when you

Ted Harrington:

change the frame, and you say, Well, how do we get a good

Ted Harrington:

thing? How do we get this competitive advantage? Now

Ted Harrington:

you're looking at it as an investment. And you're saying

Ted Harrington:

it's no longer a cost center to reduce? It's an advantage to

Ted Harrington:

optimize? How do we spend in a way that helps us beat the

Ted Harrington:

competition? How do we move faster? How do we get more

Ted Harrington:

enterprises using us than someone else? And I found that

Ted Harrington:

to be the thing that really gets leaders excited, because it's no

Ted Harrington:

longer this, like, this is annoying, I don't want to talk

Ted Harrington:

about this, make make this problem go away. That's the way

Ted Harrington:

most people think about security. Now it is, oh, wait a

Ted Harrington:

minute, there is an untapped opportunity to gain a

Ted Harrington:

competitive edge. No one else is doing it or not enough people

Ted Harrington:

are doing it. Talk to me about that. That's what progressive

Ted Harrington:

organizations are doing right now.

Dr. Dave Chatterjee:

brilliant, absolutely brilliant. I love the

Dr. Dave Chatterjee:

way you put it. One has to look at information security

Dr. Dave Chatterjee:

capability as a distinctive competency. And focusing on

Dr. Dave Chatterjee:

developing the competency, using that competency or leveraging

Dr. Dave Chatterjee:

that competency to achieve a competitive edge is the way to

Dr. Dave Chatterjee:

go. The moment you are thinking of security ah that's one more

Dr. Dave Chatterjee:

thing we have to do, we don't have a choice, that really

Dr. Dave Chatterjee:

doesn't cut it. Rather, taking a very optimistic approach, and

Dr. Dave Chatterjee:

saying -- yes, there is this is a problem. This is a constant

Dr. Dave Chatterjee:

issue that we have to deal with. So let's see, we can convert the

Dr. Dave Chatterjee:

so called problem into an opportunity and be the best we

Dr. Dave Chatterjee:

can be in managing this risk. I love that kind of a mindset,

Dr. Dave Chatterjee:

that kind of approach. And I'm sure people who are listening

Dr. Dave Chatterjee:

are making note of it. I'm sure many, many organizations, many

Dr. Dave Chatterjee:

senior executives approach it that way. So, Ted, a couple of

Dr. Dave Chatterjee:

months ago, probably in a podcast session, a renowned

Dr. Dave Chatterjee:

cybersecurity expert lamented that companies keep making the

Dr. Dave Chatterjee:

same mistakes over and over again. So I asked him, I said,

Dr. Dave Chatterjee:

What kind of mistakes are they making over and over again? And

Dr. Dave Chatterjee:

he talked about vulnerability management, patch management.

Dr. Dave Chatterjee:

And, you know, you being in the business, leading a team of

Dr. Dave Chatterjee:

ethical hackers, I'm sure you see that a lot. What are your

Dr. Dave Chatterjee:

thoughts about what is so difficult or challenging about

Dr. Dave Chatterjee:

patch management, vulnerability management, that to use his

Dr. Dave Chatterjee:

words again, that companies keep making the same mistakes?

Ted Harrington:

Well, I definitely agree with the

Ted Harrington:

problem that companies continue making the same mistakes over

Ted Harrington:

and over again, I would not limit it just to this particular

Ted Harrington:

issue of patch management. I'm a little befuddled myself as to

Ted Harrington:

why patch management continues to be such an issue. And that's

Ted Harrington:

not to diminish how hard it is. It's hard. Patch management is

Ted Harrington:

difficult. What I, for me personally, like if my job was

Ted Harrington:

to be In charge of patch management, I'd be terrible at

Ted Harrington:

it. Because what it requires for patch management are the kinds

Ted Harrington:

of things that like the your brain is wired in a certain way

Ted Harrington:

to excel at that I think the kind of person who's really good

Ted Harrington:

at like, maybe accounting, the kind of person who wants to make

Ted Harrington:

sure that the numbers perfectly zero out and everything's like

Ted Harrington:

exactly an order the way that should be. Patch management is

Ted Harrington:

kinda like that to like you have that absolute overriding drive

Ted Harrington:

for the perfection. But you can take that you combine it with

Ted Harrington:

the fact that patches, sometimes break systems and braking

Ted Harrington:

systems gets in the way of operational uptime, and

Ted Harrington:

operational uptime, and a lot of situations is non negotiable, or

Ted Harrington:

operational downtime is not allowable. So there's all these

Ted Harrington:

complexities to it. But really, I think that what's happening if

Ted Harrington:

we go broader than just patch management, and we say, well,

Ted Harrington:

why do we keep making the same problem, like making the same

Ted Harrington:

mistakes over and over and over again? And I think it's because

Ted Harrington:

we don't necessarily truly understand the problem. And we

Ted Harrington:

don't truly understand the solution. And the we I'm

Ted Harrington:

describing here is the people who have the problem, and

Ted Harrington:

certain corners of the security community who are willing to

Ted Harrington:

present the incorrect solution. We talked about penetration

Ted Harrington:

testing before. And that's a great example of where, you

Ted Harrington:

know, there are people willing to sell companies a penetration

Ted Harrington:

test, that isn't a penetration test, they're willing to do

Ted Harrington:

that. Now, maybe they don't know that there's a difference.

Ted Harrington:

That's negative, that's negligent. Or they do know

Ted Harrington:

there's a difference, and they're misrepresenting it

Ted Harrington:

anyway. That's irresponsible. So whichever it is, is not good.

Ted Harrington:

But the problem is, that's a two sided problem, right? That

Ted Harrington:

companies were building things like we talked about before,

Ted Harrington:

it's not there every moment of every day working on how do you

Ted Harrington:

break things, they're looking to their expert partners to help

Ted Harrington:

them and the expert partner isn't actually presenting the

Ted Harrington:

appropriate solution, those two issues combined become this

Ted Harrington:

like, kind of catastrophic problem.

Dr. Dave Chatterjee:

Yep. True. So here comes my final two

Dr. Dave Chatterjee:

questions. First one is, What lessons do organizations refuse

Dr. Dave Chatterjee:

to learn? Have you come across anything like that? Do you have

Dr. Dave Chatterjee:

any thoughts on that? And I don't mean to stump you. So feel

Dr. Dave Chatterjee:

free to say what's the next one? And I'm happy to throw out the

Dr. Dave Chatterjee:

next one.

Ted Harrington:

No, I like that question. Actually, a lot. I

Ted Harrington:

would the way I would answer that, though, is I don't think

Ted Harrington:

you could say there's a universal, there's not like one

Ted Harrington:

lesson that everybody refuses to learn. But within every

Ted Harrington:

organization, there is at least one lesson that everybody that

Ted Harrington:

that organization refuses to learn. The one that as an

Ted Harrington:

example, that it saddens me actually, I was gonna say it

Ted Harrington:

irritates me or angers me. I was like, what's the right word for

Ted Harrington:

this? But I think it saddens me is the way that sometimes

Ted Harrington:

politics work in large enterprises. I've seen it happen

Ted Harrington:

time and time again, where, you know, one executive will build a

Ted Harrington:

program in a certain way. And that program is succeeding in

Ted Harrington:

some way. And then the next, you know, that executive either gets

Ted Harrington:

promoted or gets poached go somewhere else. And then the

Ted Harrington:

next executive comes in, and the way that exec, that new

Ted Harrington:

executive is going to quote unquote, create their own thing,

Ted Harrington:

right, is going to create their opportunity to get promoted, or

Ted Harrington:

get poached to go somewhere else. They need to do something

Ted Harrington:

unique. They can't just do what's already been done. And so

Ted Harrington:

that, what do they have to do? They have to look at the this

Ted Harrington:

program that's already been built, and say, we're gonna do

Ted Harrington:

it totally differently, because I know a better way. But if it's

Ted Harrington:

already working, why are you tearing it down? And that is

Ted Harrington:

actually a pretty significant problem in corporate America

Ted Harrington:

today, that that sort of political need, which I

Ted Harrington:

actually, I have no problem with someone needing to say, I need

Ted Harrington:

to make my mark on this organization so that I can make

Ted Harrington:

more money and provide more for my family. And like, what's

Ted Harrington:

wrong with that? That's amazing. But unfortunately, the way that

Ted Harrington:

it typically has to play out is by dismantling some other thing

Ted Harrington:

that already worked. And so now you have in these, it's kind of

Ted Harrington:

amazing when you see large enterprises, how inefficient

Ted Harrington:

they can be. Because every few years as there's this turnover,

Ted Harrington:

and you know, executive positions. You You've, you're

Ted Harrington:

kind of starting things all over again. And I mean, how many

Ted Harrington:

people listening right now work in a large enterprise and go

Ted Harrington:

through a reorganization? Like every three or four years,

Ted Harrington:

you're like, I'll just wait this out, because by the time it

Ted Harrington:

actually is implemented, there's going to be a reorg you know.

Dr. Dave Chatterjee:

Yep. So let me give you my answer to the

Dr. Dave Chatterjee:

question I posed to you. So, you know, two things happen, as your

Dr. Dave Chatterjee:

probably aware, it is the medium sized organizations that

Dr. Dave Chatterjee:

generally capitulate after a major cyber attack, they go out

Dr. Dave Chatterjee:

of business, there is data to support that. 60 to 70%, of

Dr. Dave Chatterjee:

small and medium sized enterprises cease to exist,

Dr. Dave Chatterjee:

which is a very rough consequence, probably the most

Dr. Dave Chatterjee:

severe consequence. But then there are large organizations.

Dr. Dave Chatterjee:

And again, I won't take any names here, who, for lack of a

Dr. Dave Chatterjee:

better word, made some very reckless mistakes, that

Dr. Dave Chatterjee:

borderlines gross negligence, and breach has happened. There

Dr. Dave Chatterjee:

were severe consequences. But they get bailed out for a

Dr. Dave Chatterjee:

variety of reasons. And that's where my concern lies. Not that

Dr. Dave Chatterjee:

we're going to solve this problem here, and neither am I

Dr. Dave Chatterjee:

trying for you to suggest what the solution should be. But

Dr. Dave Chatterjee:

that's where my concern is that when these organizations get

Dr. Dave Chatterjee:

bailed out, do they learn the lessons and they or are they do

Dr. Dave Chatterjee:

they make the necessary changes. And these are not symbolic

Dr. Dave Chatterjee:

things that you put out there to impress the media and impress

Dr. Dave Chatterjee:

your investors. But it goes deeper into their processes into

Dr. Dave Chatterjee:

how security is approached by the organization, whether

Dr. Dave Chatterjee:

security is built into their organizational culture. In my

Dr. Dave Chatterjee:

book, I talk about creating and sustaining a high-performance

Dr. Dave Chatterjee:

information security culture, it's hard to do. But it is

Dr. Dave Chatterjee:

definitely something that organizations should, should

Dr. Dave Chatterjee:

strive towards. So that's from where I was coming, when I asked

Dr. Dave Chatterjee:

you that question.

Ted Harrington:

It's hard to say without being on the inside of

Ted Harrington:

every organization, right, whether they've learned their

Ted Harrington:

lesson or not, but you see plenty of cool success stories,

Ted Harrington:

you know, I'm in the aftermath of major breaches, including the

Ted Harrington:

industry around whoever the victim was, you know, the movie

Ted Harrington:

business is a great example. Sony, you know, went through

Ted Harrington:

that really very public. You know, that was a real bummer

Ted Harrington:

that that breach for everyone who not just the people at Sony,

Ted Harrington:

but the people who work with Sony in the movie business is a

Ted Harrington:

it's kind of a small world, everyone kind of knows everyone.

Ted Harrington:

And, you know, there was a lot of a lot of hearts went out for

Ted Harrington:

that. That was a really tough time for a lot of people. But

Ted Harrington:

it's really cool to see in the aftermath, how the security

Ted Harrington:

programs at different studios, got more funding got more

Ted Harrington:

people, they got more sophisticated. And that's a cool

Ted Harrington:

aftermath. I mean, yeah, you don't want a company to go

Ted Harrington:

through what Sony went through. That's, that's terrible. But if

Ted Harrington:

it has to happen, then let's make sure that some really

Ted Harrington:

positive result. And that's, that's definitely what's been

Ted Harrington:

happening. So that was pretty cool. That was pretty cool to

Ted Harrington:

see that.

Dr. Dave Chatterjee:

That's great to hear. I'm glad you

Dr. Dave Chatterjee:

shared that with us. There are I'm sure many, many positive

Dr. Dave Chatterjee:

stories of recovery, and, you know, coming back revitalized

Dr. Dave Chatterjee:

and in ways that has made the organization better. So that's

Dr. Dave Chatterjee:

good to hear. Hey, as much as I would like to keep talking with

Dr. Dave Chatterjee:

you, I've been enjoying this, you know, we are getting to the

Dr. Dave Chatterjee:

end of our time here. So let's try to wrap things up with you

Dr. Dave Chatterjee:

sharing any final takeaways for the audience. Any final thoughts

Dr. Dave Chatterjee:

for the audience?

Ted Harrington:

Yeah, I mean, I definitely always like to end on

Ted Harrington:

a high note. And I feel like the story I just told was, was a

Ted Harrington:

high note. So there we go, you already have your high note. You

Ted Harrington:

know, we're seeing industries react really well in the

Ted Harrington:

aftermath of, of breaches. But I think that I would just leave

Ted Harrington:

people with this fact that the security community is a

Ted Harrington:

passionate one that really is trying to improve things every

Ted Harrington:

day. Ethical hackers included amongst that, and that, to me is

Ted Harrington:

really exciting to live in it and to see it and to those of

Ted Harrington:

you who maybe are wanting to join security, or maybe you are

Ted Harrington:

not in security, but you work with security companies, just

Ted Harrington:

know that there's a really passionate group, let's move

Ted Harrington:

forward. And yeah, I mean, that just we can end on that note,

Ted Harrington:

and if anyone wants to know anything more about, you know,

Ted Harrington:

if any of the ideas we talked about you wanted to ask me

Ted Harrington:

about, personally, you want to follow me on social media, you

Ted Harrington:

want to know more about my book, you you want help with your

Ted Harrington:

security testing program. Just hit me up, I'm easy to find at

Ted Harrington:

Ted harrington.com. And everything you could need to

Ted Harrington:

know is right there.

Dr. Dave Chatterjee:

Fantastic Ted, thank you again for your

Dr. Dave Chatterjee:

time. It's been a pleasure.

Ted Harrington:

Thank you for having me.

Dr. Dave Chatterjee:

A special thanks to Ted Harrington for his

Dr. Dave Chatterjee:

time and insights. If you like what you heard, please leave the

Dr. Dave Chatterjee:

podcast a rating and share it with your network. Also,

Dr. Dave Chatterjee:

subscribe to the show, so you don't miss any new episodes.

Dr. Dave Chatterjee:

Thank you for listening, and I'll see you in the next

Dr. Dave Chatterjee:

episode.

Introducer:

The information contained in this podcast is for

Introducer:

general guidance only. The discussants assume no

Introducer:

responsibility or liability for any errors or omissions in the

Introducer:

content of this podcast. The information contained in this

Introducer:

podcast is provided on an as-is basis with no guarantee of

Introducer:

completeness, accuracy, usefulness, or timeliness. The

Introducer:

opinions and recommendations expressed in this podcast are

Introducer:

those of the discussants and not of any organization.

Next Episode All Episodes Previous Episode

About the Podcast

Show artwork for The Cybersecurity Readiness Podcast Series
The Cybersecurity Readiness Podcast Series
with Dr. Dave Chatterjee

Listen for free

About your host

Profile picture for Dave Chatterjee

Dave Chatterjee

Dr. Debabroto 'Dave' Chatterjee is tenured professor in the Management Information Systems (MIS) department, at the Terry College of Business, The University of Georgia (UGA). He is also a Visiting Scholar at Duke University, affiliated with the Master of Engineering in Cybersecurity program in the Pratt School of Engineering. An accomplished scholar and technology thought leader, Dr. Chatterjee’s interest and expertise lie in the various facets of information technology management – from technology sense-making to implementation and change management, data governance, internal controls, information security, and performance measurement. His work has been accepted and published in prestigious outlets such as The Wall Street Journal, MIT Sloan Management Review, California Management Review, Business Horizons, MIS Quarterly, and Journal of Management Information Systems. Dr. Chatterjee’s research has been sponsored by industry and cited over two thousand times. His book Cybersecurity Readiness: A Holistic and High-Performance Approach was published by SAGE Publishing in March 2021.