EPISODE 104

Easy Target due to Corporate Identity Crisis


About this episode

April 26, 2022

Can an identity crisis make organizations an easy target for cyber-criminals? Let’s find out with your hosts Kip Boyle, vCISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.

Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, Virtual Chief Information Security Officer at Cyber Risk Opportunities, and Jake Bernstein, partner at the law firm of K&L Gates. Visit them at cr-map.com and klgates.com.

Jake Bernstein: So Kip, what are we going to talk about today in episode 104 of the Cyber Risk Management Podcast?

Kip Boyle: You're getting good at that. You're really getting good at remembering which episode it is, and I'm glad we started numbering them.

Jake Bernstein: Well, it helps that it's in the script.

Kip Boyle: Yeah. Well, we started numbering them, right?

Jake Bernstein: Yeah.

Kip Boyle: We always numbered them, but we just never told anybody what the number was. So I'm glad we're doing that now. It's going to make everything easier. But to answer your question, today we're going to look at how a lot of organizations are having an identity crisis. You and I have seen this over and over again. And this is causing them to become an easy target for cyber criminals.

Jake Bernstein: So this is interesting. Can an organization have an identity crisis?

Kip Boyle: It can. And in fact, this happens a lot. There are many examples, and some of them are really amazing. So I figured in order to really make the point, I would pull the biggest example of a recent example of an identity crisis that I know of, and that's Kodak. So Kodak, that's the camera/film people, right? Well, a lot of people apparently don't know this, but they actually blew the chance to lead the digital photography revolution. And it was all because of an identity crisis. So let me ask you a question. Did you know that a Kodak engineer in the company's research and development labs actually invented the digital camera in 1975? Did you know that?

Jake Bernstein: No. 1975?

Kip Boyle: Yeah.

Jake Bernstein: I mean, when did the first digital camera really come out and start to become... I mean, it was way after that.

Kip Boyle: Yeah, it was commercialized about 10 years later. So about 1985, I think, is when they first started commercializing them. But it was really around like the early '90s, like 1995, 1994, 1996, kind of around there, is when the first consumer grade digital cameras started to make their appearance. So it took about 20 years for it to actually get into consumers' hands.

Jake Bernstein: So when we say a Kodak engineer invented the digital camera, we mean that they had a lab version. Yeah.

Kip Boyle: Yeah. And they had patents.

Jake Bernstein: Seriously? They had patents?

Kip Boyle: Yes.

Jake Bernstein: So what happened?

Kip Boyle: Yeah, yeah, yeah. Okay. So here's Kodak, right? They have patents, they have working prototypes. They've got everything figured out. But Kodak was founded in 1892 and they had spent almost a hundred years in the film business. Right? First they started with dry plate photography, right? Where like Ansel Adams would take a big glass plate that had some chemicals smeared on it, and that's what he used to make his amazing photographs. And then Kodak's... So they made those, and then they switched to film. But the company leaders just saw themselves as a film company. Right? Like, "We supply film."

They had like an 80% whatever market share. And they were dominating, making tons of money. But by 2012 they filed for bankruptcy because they just could not shake this identity. Right? Like, "We are film people." And really what they were is the snapshot picture company of the world. Right? Because people wanted snapshots. It was never about the film, but they got so hyper focused on the film that they just couldn't let go of it. Right? They just-

Jake Bernstein: Yeah. That's got to go down in-

Kip Boyle: And then everybody ate their lunch.

Jake Bernstein: That's got to go down in history as one of the biggest misses, corporate misses, of all time.

Kip Boyle: You know? It was one of the biggest ones. Absolutely it was. But this happens a lot. I mean, think about oil companies like Exxon. Well, Exxon and Chevron and all these oil companies, well, they're really not oil companies, is what they've been recently figuring out. They're energy companies. But they're so fixated on oil that they have a hard time seeing that there's other ways to generate electricity that they could get involved in and still make money. People just get hyper focused on something and they can't see the broader picture. And that's unfortunately what happened to Kodak. So, yeah, there's your example.

Jake Bernstein: Okay. So this... I mean, I think we've got your point there. The organizations definitely can have an identity crisis. But what does this have to do with cyber crime or cyber risk management?

Kip Boyle: Yeah. So every-

Jake Bernstein: You could almost see the slow pitch there. Right, folks?

Kip Boyle: Yeah.

Jake Bernstein: You almost just see it.

Kip Boyle: Here's the wind up. Every organization today is in fact a technology company. They are. And that's because they can't serve their customers either partially or at all without their computers. Right? They have computerized everything and they can't do anything without them. And what's shocking though is that most of their senior decision makers just persist in denying this. They just will not true up to the fact that they are technology companies that happen to know something about making consumer beverage cups or growing crops or whatever. But nothing really in the modern world can get done without computers. And because of that, they can't see themselves the way cyber criminals do. Cyber criminals see them as an organization that cannot perform its primary function without computers, and that is what makes them a prime target for things like ransomware attacks.

Jake Bernstein: Okay. So this is very interesting and I get what you're saying in concept. And I think we should look at some real world examples, but before we do that, I think it's worth pointing out to everyone that there's lots of different types of "technology companies." And I think we have to be... You know me, I like to define terms. Right?

Kip Boyle: Yeah.

Jake Bernstein: And I think what I would like to maybe slightly modify our statement is that every company is whatever they are and a technology company. Right? Kind of like it's both. Right? Because I think we want to be able to have a label for those companies that are truly just "technology companies." And they exist, right?

Kip Boyle: Mm-hmm (affirmative).

Jake Bernstein: But I think that... You know? And it's not just the operational component. Like data... You know? We've got two different sayings here. Data is the new oil and the new nuclear waste. It's really both.

Kip Boyle: Mm-hmm (affirmative). Yeah.

Jake Bernstein: And there's a lot of companies that are data companies in addition to being technology and whatever else company they are. So yeah, this is really fascinating. See? Yeah. Let's go ahead and let's look at some real world examples.

Kip Boyle: Yeah. And I affirm your point, which is they're not just technology companies, they're technology and. But I just really think that the order matters. Right? Because I think everybody recognizes that they use computers. I just don't think they recognize how dependent they are and-

Jake Bernstein: That I think is true.

Kip Boyle: ... and how much more competency they need in having resilient systems. But anyway-

Jake Bernstein: Yep.

Kip Boyle: Okay. So I have two real world examples that I want to cover with you and I want the audience to hear. And the first one was recently published. And this is kind of what got me going on this topic lately. Of course, I've been on this topic for a long time, but The Wall Street Journal on January 12th of this year published a story. And then I had a recent personal experience that I think would be helpful to cover as well. Which one you want to do first?

Jake Bernstein: All right. Let's start with the Journal.

Kip Boyle: Okay. So on December 1st, 2021, although it wasn't reported in the Journal till about six weeks later, but Nordic Choice Hotels... So this is a hotel chain in Europe. They have about 200 properties and they had a ransomware attack. And so at this point, it's pretty vanilla, right? So ransomware attack, they shut down and disconnect all their computers from the internet, and then they go into like a business continuity mode. And so what happens? You read the story here. And it's, again, it's very vanilla. Hotel staff shift over to pens and paper. And because the door locks to the rooms are computer controlled, they couldn't create digital key cards. And even if they could, they wouldn't work because the computers controlling the doors were down.

And so if you stayed in the hotel, the staff had to actually escort you to your room and let you in. Now, I don't know how in the world that was tenable over time because I would imagine guests could lock themselves out very easily. I don't even know-

Jake Bernstein: Probably routinely.

Kip Boyle: Yeah. I don't really know how they managed this, but suffice it to say that the critical systems that they needed to conduct business were unavailable and everything went back to manual efforts. And in the article, it talked about how the hotel management was really frustrated with this because here the pandemic lockdowns were kind of lifting. Right?

Jake Bernstein: Yep.

Kip Boyle: And they've been suffering as a business for months and months and months, and were probably just glad to still be in business. And here it was, five, six weeks later, and all of these computers that provided door locks, [inaudible], music. I mean, all these guest services, and they either weren't working or they were unreliable. And so just a typical ransomware story so far. Right?

Jake Bernstein: Yep. So far. So this is a... How did they actually get the ransomware, I guess, is the best question to start with because there's a lot of ways to get ransomware.

Kip Boyle: Yeah. Well, the story said that based on forensic analysis, it was a phishing email. So again, pretty vanilla, right? But we also know that people sometimes get ransomware attacked because they left some remote desktop protocols unsecured, or they have got a VPN with very weak credentialing, or a computer just might be missing a key patch for a well known vulnerability. Right? Those are all very common. In this case, it was phishing. And it came from a tour operator, which makes sense. Right? I mean, I'm a hotel, I talk to tour operators, and that's how they think it got in.

Jake Bernstein: Yeah. So you could call that spear phishing if you wanted to.

Kip Boyle: Yeah. Yeah, absolutely. Maybe it was, right?

Jake Bernstein: Yeah.

Kip Boyle: But the point is it was an email.

Jake Bernstein: And it's a super common way to get hit. So how much was the ransom and did they pay it?

Kip Boyle: So they wanted $5 million and they figured out that it was the-

Jake Bernstein: Yeah. Hold on. I'm going to stop you right there for just a second.

Kip Boyle: Okay.

Jake Bernstein: $5 million. I just want to... I mean, two or three years ago, you were seeing ransoms in the $10,000 to $50,000 range.

Kip Boyle: Yep.

Jake Bernstein: Just that the fact that... You know? This ain't just inflation, folks. And I know inflation's been a problem recently, but $50,000 to $5 million in really a handful of years, that really is something else going on. And we haven't talked about it recently, but I think a lot of it is it's because people pay, Kip.

Kip Boyle: Yeah.

Jake Bernstein: It's because people pay.

Kip Boyle: That's right. And insurance companies aid and abet that payment.

Jake Bernstein: They do. They do.

Kip Boyle: Not so much anymore though.

Jake Bernstein: No. No, not so much anymore. It has changed. Okay. So did Nordic Choice pay?

Kip Boyle: Well... So I want to make another comment about the $5 million and the fact that we have so much ransom inflation going on right now. Tremendous ransom inflation. Well, it's because it was Conti. C-O-N-T-I. They-

Jake Bernstein: Oh, they're Russian, aren't they?

Kip Boyle: Yeah, I think so. But-

Jake Bernstein: I'm pretty sure they are.

Kip Boyle: But the point about Conti being involved is the fact that they are known to be by far the most profitable ransomware gang of them all. They're not the most prolific. They're like the iPhone, right? They're the most profitable handset, but it's actually Android that's the most prolific. Right? And Conti [crosstalk]-

Jake Bernstein: Yeah. By a significant margin too.

Kip Boyle: ... in the same way. Yeah, yeah, yeah, exactly. Yeah. And Conti is the same way. They're wildly profitable because they do their homework and they make demands. So $5 million bucks. But I got to applaud Nordic Choice. They chose not to pay. And it wasn't easy.

Jake Bernstein: Surely there were consequences to not paying Conti?

Kip Boyle: Yeah. See, Conti is really good at extortion because it's not just about getting your data unencrypted. It's also about, they will threaten to release the data that they have on the open internet as a way of convincing you that you really do need to pay them. And that's exactly what happened. So they said, "Nope," and Conti said, "All right. We're going to leak personal data about your employees, and not just their personal information, but also their bank accounts and their government issued identification numbers and all this stuff." And they did. Conti let it all go. And Nordic Choice stood firm. And instead of giving in, they actually called their employees together and said, "Okay. This has happened. Now, what we want to do is train you to protect yourself from identity theft. We're sorry this happened. And oh, by the way, we're also going to do a GDPR notification to the Norwegian Data Protection Regulator, because, guess what, that's the law of the land." So yeah. They went the full distance.

Jake Bernstein: Yeah. Okay. So this is very fascinating, but where does the identity crisis come into play here?

Kip Boyle: Yeah, that's right. We are talking about identity crisis. All right. Here's the punchline. So if you go read the article, at the end... Right? And most people don't read all the way to the end, right? I'm one of the weirdo nerds that do. And the reporter is writing about how Nordic Choice is training its employees to prevent this kind of ransomware from happening again. And they had a quote from the vice president of technology of Nordic Choice. And the VP said, "Most people just can't keep up." Right? Because the VP was talking about the difficulty of training people, right? And then the VP continued to say, "It's just not what they know. We're hoteliers. We're not tech experts."

And the hair on the back of my neck went up as I read that. That was like the last line of this article. And I went, "Holy moly. That's ridiculous." You know? I mean, that is just... And I just thought, "Well, this is a fricking perfect example of what I see and you see all the time, Jake." And I'm sure plenty of people in our audience see this all the time. And whether it's just base cluelessness or willful ignorance, I don't know. You know? I don't think there's a common explanation, but this, I think, is the definition of an identity crisis. And it's causing organizations to assume way more cyber risk than they need to.

Jake Bernstein: Well, just for sake of discussion here, on the one hand, the vice president's statement is not necessarily factually incorrect. It's actually factually correct. Right?

Kip Boyle: Yeah.

Jake Bernstein: Most people just can't keep up. True. It's just not what they know. True.

Kip Boyle: Yeah.

Jake Bernstein: We're hoteliers and we're not tech experts. True and true. But the problem here is that you can't do business in today's world without having some tech experts within the business who can keep track of these things. I mean, I just don't think it's optional.

Kip Boyle: It's got to be more than that though.

Jake Bernstein: It does. Well, and-

Kip Boyle: It has to be, right? I mean, you have to have more than a silo of tech experts.

Jake Bernstein: You do. And I was going to say, where it starts is with the top end of the leadership pyramid.

Kip Boyle: Yeah.

Jake Bernstein: And there has to be... And as we've gone through this episode, I really like the idea of identity crisis, and just identity. How you see yourself matters a great deal, right?

Kip Boyle: It does.

Jake Bernstein: Whether you're an individual or a company.

Kip Boyle: Yeah.

Jake Bernstein: And I think that companies need to understand what we've been saying throughout this episode, which is that you might not consider yourself a tech company, but that doesn't mean you aren't one.

Kip Boyle: And it doesn't mean that the criminals will say, "Oh, they're just hotel people. They're not worth attacking."

Jake Bernstein: Yeah. And a theme that you and I have talked about many times and that has come up a lot is that, in fact... I mean, I think the two of us have worked more incidents and more ransomware attacks on "non-tech companies" than "tech companies."

Kip Boyle: Oh yeah.

Jake Bernstein: And this is why. I mean, quite simply, this is why. And when you treat the technology that underpins your company as, not window dressing, but as like furniture-

Kip Boyle: No. It's just a cost.

Jake Bernstein: Yeah.

Kip Boyle: It's just a cost.

Jake Bernstein: You treat it as... Yeah. It's like furniture, right?

Kip Boyle: Yeah.

Jake Bernstein: Just a cost, but you need it. Then you really open yourself up to this kind of thing.

Kip Boyle: Yeah.

Jake Bernstein: And it's really interesting because I think... You know? Let's think back a little ways. Let's just say 22 years ago. So turn of the millennium.

Kip Boyle: Yeah.

Jake Bernstein: You know? Almost universally, IT was a little siloed section. It was probably small. And I think probably most offices by that point were mostly computerized. At least email was very, very common. But it certainly wasn't to the level that it is today where-

Kip Boyle: No, we still had fax machines.

Jake Bernstein: You still had fax machines. There was still... I mean, look, man.

Kip Boyle: Zoom wasn't there yet.

Jake Bernstein: I worked even in 2004, right before I went to law school, I worked in an office setting. And one of my tasks was to get the mail and go through it and make sure that everything relevant was distributed properly. And I haven't worked in an office environment in that capacity for some time now, but there's a lot more paperless functionality these days.

Kip Boyle: Yeah. Yeah, yeah. In fact-

Jake Bernstein: And that's all because of tech.

Kip Boyle: Yeah. If you rewind the clock even more, let's go back to the mid 1960s. Well, okay. Companies... I think the whole reason why we see computers as chairs and as desks and as expense items is because they kind of were in the beginning. Right? The whole idea of having a computer in private industry was just to make certain things more efficient and more accurate. Payroll, for example. I can do my payroll in the 1960s by hand, but I can be more efficient and I can issue more accurate checks if I get one of those newfangled mainframes. And I think that's kind of where this comes from, right? It's like, I don't need a computer, but it creates efficiencies. And people don't care that their payroll is calculated using a computer. They just care that they get a pay stub and a check that they can cash. Right?

And I would say that back then companies didn't need to be tech companies because they still hadn't computerized everything that they did. Fast forward today, and you can't... You know? There's just so much you cannot do. Look at this example in Wall Street Journal. You can't just hand somebody a key and say, "Your room is 201. Have a pleasant stay." You've got to escort them to the room and open the door for them. And if they get locked out of their room, you got to send a person down, then you got to open it again. That's not tenable. Right?

Jake Bernstein: No, I'm trying to-

Kip Boyle: Even in the old days, you could hand somebody like a metallic key and they could get in and out of their room on their own.

Jake Bernstein: Hey, I'm trying to remember the last time I went to a hotel and I got a key, a physical key.

Kip Boyle: Like a metallic key?

Jake Bernstein: Like a metallic key.

Kip Boyle: Oh I can't remember.

Jake Bernstein: I think it's been a long time since that. But those credit card style swipe keys, I don't think they used to always be networked.

Kip Boyle: No.

Jake Bernstein: At some point, they became networked as they are now.

Kip Boyle: Yeah.

Jake Bernstein: But we definitely have had those that you just swiped and they were not-

Kip Boyle: Yeah. Yeah. That's common. And these days, now they got near field. Right?

Jake Bernstein: Yeah.

Kip Boyle: NFC based keys where you don't have to swipe them. You just hold it near-

Jake Bernstein: You just hold it near. Yeah.

Kip Boyle: ... the reader. And then of course, smartphones, right? Now you're getting keys on smartphones where you download an app.

Jake Bernstein: Yeah.

Kip Boyle: And they just put the key on your app, and then you just press a button on your app and your door opens. And that stuff's not going to work if the computer system's down. Right?

Jake Bernstein: No.

Kip Boyle: So anyway, so that's the point, is that I know we started with computers as expense items, but there's still a lot of people in the world who see it that way. And it's just not. And I think this Wall Street Journal article is a good example of, "We're hoteliers." Right? In other words, "That's our identity: we know hotels. We're not tech experts." Well, that's too bad because you can't have a hotel without tech. You know? Because it's not going to be profitable. You can't staff for it. You know? You don't even have the infrastructure for it. So anyway.

Jake Bernstein: Okay. So you mentioned at the top of the show that you had another real world example. So let's spill it. Let's hear it.

Kip Boyle: Okay. Yeah, that's right. I did. Okay. So at the risk of beating this thing totally to death, I did want to share one more story because the hotel, they were kind of limping along a little bit. Right? They sort of figured out how to limp along. But I've got a customer, right? And I have many customers like this. And it was a confidential conversation, so I'm not going to tell you who the customer was. I'll tell you they're in the agriculture industry. I'll say that. Right?

So I was talking to the chief financial officer about their top cyber risks, right? This is what we do, right? We tell our customers what their top cyber risks are, we make them a prioritized mitigation plan, and we make them an implementation roadmap. So I was going through all this with the CFO who had hired us. And I could see the CFO was just following the conversation. And then at some point, the CFO had this look on their face, and it was weird. And I stopped talking and I just waited a moment because it felt to me like the CFO wanted to say something, but they were just struggling for words. And then finally they looked at me and they said, "I can't believe I'm having this conversation." And that caused me to be really confused. I wasn't sure.

Jake Bernstein: Oh, I could see why.

Kip Boyle: I wasn't sure what I was about to hear.

Jake Bernstein: There's a lot of different ways to take that.

Kip Boyle: Yeah. Especially with the weird look. And I thought, "Well, maybe our work was just off base, like the mitigation plan, whatever." You know? Maybe we were just completely off base and the CFO just realized it and has to now say like, "No, this is schlock. You have to start over again." I don't know what. But I just kept being patient. And then the CFO said, "We're not tech experts. We're just farmers." And I was just like, "Oh, not again."

Jake Bernstein: No. I mean, that's fascinating, and really, I'm sure, incredibly common. You know? You get people out of their comfort zone, and for a lot of people, this feels like it's way out of their comfort zone.

Kip Boyle: Yeah.

Jake Bernstein: Okay. So-

Kip Boyle: And that's personal identity, right? This is a CFO who says to themselves, "I'm not a tech expert," and doesn't even create the possibility that they could be, that they could partially be. You know? It's an identity. So I think this is an identity crisis on an individual level, but it is affecting the entire organization.

Jake Bernstein: It is. And you know, it's interesting because I think we say something like tech experts, and I think maybe part of the problem is people misunderstand the level-

Kip Boyle: What it means?

Jake Bernstein: ... what it means. Because I mean, look. If I'm the CFO, it's probably true that I'm not going to go back to school and get a computer science degree and learn how to code and do that kind of stuff, whether it's writing a web app or learning how to set up rules for a firewall.

Kip Boyle: For sure.

Jake Bernstein: And I think when someone says that type of thing, "We're not tech experts. We're just farmers," they're probably thinking along they... Well, they might be thinking along those lines. And I think on that level, they're correct. Right?

Kip Boyle: Mm-hmm (affirmative). Mm-hmm (affirmative).

Jake Bernstein: They're not tech experts and they're not going to become tech experts, but I don't think that's what you mean when we're talking about this.

Kip Boyle: No. No.

Jake Bernstein: So maybe explain that.

Kip Boyle: Sure.

Jake Bernstein: What does this mean to you?

Kip Boyle: Yeah. What it means to me is when a CFO says, "We're not tech experts," what I interpret that to mean is, "I don't have to pay attention to tech because I've got a team of people who pay attention to tech. And I'm just going to assume that they're doing what they need to do. I'm not going to get involved." Not even to have good governance, right? Let alone good supervision. And I remember one time I was talking to another business leader about the ability to detect intruders on their network. And I remember they were like, "Well, why is that so important?"

And I was like, "Well, you have a warehouse full of stuff, right? You have a warehouse where people are assembling stuff that you're going to sell and so forth." I said, "Don't you have video surveillance cameras in your warehouse? Wouldn't you want to know if somebody is in there and they're not supposed to be? And isn't that important to you that only authorized people can be in that warehouse?" And they're like, "Well, yeah." And I was like, "Well, then why don't you feel the same way about your network? Shouldn't you? Because you have all these assets on your network, but you have no idea who's actually on it. And it seems to me, you should feel just as protective about your network as you do with your warehouse."

Jake Bernstein: Yeah. That's a blind spot for sure. And it's interesting. I was on The Shrimp Tank Podcast recently with our friend-

Kip Boyle: That's a good one.

Jake Bernstein: It is. With our friend Dan Weedin, who has also been a guest on this show.

Kip Boyle: Yeah.

Jake Bernstein: And they asked me an interesting question, which was, "What do you think the biggest blind spot for small medium-sized business is with respect to cyber security?" And what I said I think applies very much here, which is that I think a lot of people assume that their "IT guy"... Everybody has an IT guy.

Kip Boyle: Yeah.

Jake Bernstein: They assume that their IT guy is equivalent to a security guy.

Kip Boyle: Oh my gosh yeah.

Jake Bernstein: And the fact is that they're not. Right?

Kip Boyle: Mm-hmm (affirmative). That's another example of like they don't-

Jake Bernstein: It's an identity issue.

Kip Boyle: Yeah. Yeah. And they just won't even get familiar enough with the tech as a discipline to understand the difference.

Jake Bernstein: Right. Well, and I think, quite honestly, I think there's quite a few tech people who also have an identity crisis around this.

Kip Boyle: Yeah.

Jake Bernstein: Specifically IT guys who want to say they're security guys, but aren't.

Kip Boyle: Not yet.

Jake Bernstein: Not yet. But anyway, I just think that's an interesting kind of corollary to this, which is the identity crisis can extend to the people that you think are taking care of it and they're not. So given all this, how do you think an organization resolves an identity crisis like this?

Kip Boyle: This is tough.

Jake Bernstein: Tell us how to fix it, Kip. How to fix it.

Kip Boyle: Yeah. This is tough. I wish I had a magic wand. I need a bag of magic pixie dust that I can just sprinkle on the org and make this go away. But it doesn't. I mean, this is the same problem. I'll tell you how I got sensitized to this in the context of cyber security. I was reading about habits. I was reading about like why do people have bad habits, certain bad habits, whether it's smoking or drinking or whatever. Whatever it is, whatever bad habit. Right? Or maybe the lack of good habits like lack of exercise and eating correctly, whatever. And I was reading about this and the book said, the author asserted that a lot of it has to do with identity.

So for example, if you're a drinker and you want to quit drinking, you've got to first see yourself as not a drinker. Right? You've got to like have an identity that says "I don't have to drink to live my life." And if you overeat, you have to somehow reorient your identity to, "I'm a person who eats healthy." So I just thought that was really fascinating. You know? This idea that identity is such a foundational aspect to habits, to whether you can lose bad habits or gain good habits.

But I think the point that I want to make by exploring that is that it all has to come back to senior decision makers. They set the tone at the top. If they declare that, "We are not tech experts because I'm not a tech expert," then the entire organization is going to adopt that view, that worldview. And so I think in order to get out of this, senior decision makers have to become self-aware that it's possible for them to have some technical expertise, that they don't have to be a techie, but that they can associate themselves with technology, and that it's impossible for them to think about their network the same way they think about their warehouse. Right? That it's a space that's important to them, and that should be guarded, and you should know who's in there, and you should toss out the people who don't belong.

So I really do think it starts with senior decision makers. And I think that you and I can help ripen this idea in their minds. Right? We do it all the time. Right? We take calls from people and they say, "What about cyber security?" And we talk with them. And some people just persist on either saying that it's not a problem, but they have to ask the question anyway because their auditors are on their case or they just sort of cast it all as a technology issue. And you know, "Can you just come and make my tech people do what they're supposed to do?" And really, I can plant some seeds and encourage them to think bigger about it. But I know from hard experience that I can't just flick a switch. Right? It just doesn't work that way. And I think you and I agree on that, right?

Jake Bernstein: Yeah. We do agree on that. You know? These are oftentimes significant. Like any real identity crisis, change is going to be gradual.

Kip Boyle: Yeah.

Jake Bernstein: It's going to be... It's never going to feel fast enough if you're in the middle of a crisis, but it isn't going to be done quickly.

Kip Boyle: No.

Jake Bernstein: And it's going to take intentionality and mindfulness about these issues. And I think that there's no way to shift culture quickly.

Kip Boyle: No. And you can't shift it unless the senior most decision makers want it to shift.

Jake Bernstein: They have to want to.

Kip Boyle: And even that is hard. It's really hard, right?

Jake Bernstein: It is.

Kip Boyle: Like, I'm thinking about IBM in the 1990s. They realized. Senior leadership realized that their future was not going to be hardware. They had been a hardware company that also made software. And they needed to pivot and become services. And it was very difficult. Even though they knew it and they did it, they had to disappoint a lot of people in their workforce who really loved what they did in terms of hardware engineering. Microsoft went through it. Bill Gates finally got the memo that the internet was the thing, and he pivoted the entire company towards the internet with a memo and in short order. So it can be done, but the only way it's going to get done is by the senior most people.

Jake Bernstein: And that's unusual.

Kip Boyle: It is unusual.

Jake Bernstein: And it's unusual. Yeah.

Kip Boyle: It is. It is. But they had an identity crisis and they took action. So I share those examples because I want listeners to realize that while it's tough, it's doable. Right? In fact, there are organizational change management experts all over the world that know how to make culture shift happen once senior decision makers decide that they're going to take that challenge on head on. And there's a lot of disappointment. And one of the definitions of leadership that I really like that I think really nails it is you're disappointing people at a rate they can handle.

Jake Bernstein: Yeah. No, that's very true. Very true.

Kip Boyle: So you can't rush it. I agree with you. You cannot rush it. And you can't even start it without senior decision makers recognizing that it's a thing. But having said that, we have had people come to us and say, "We want to shift our culture." I've had senior decision makers come and say that, "We want to shift our culture towards reasonable cybersecurity," and we certainly can help. Right? We do organization change management in that context. Like, I can't help you pivot your company-

Jake Bernstein: Well, if somebody asked-

Kip Boyle: ... crosstalk-

Jake Bernstein: ... in other ways, yeah, we can help them do it for sure.

Kip Boyle: Yeah.

Jake Bernstein: I think what's going to be interesting is it'll be interesting to see if any boards start driving this kind of identity transformation.

Kip Boyle: I hope they do because I think that would be a great place to start it.

Jake Bernstein: I mean, it would certainly be listened to. I mean, that's the ultimate control mechanism.

Kip Boyle: Yeah. Or they'd have to change the executive directors or the CEOs. Right?

Jake Bernstein: Yep.

Kip Boyle: Because sometimes boards say, "Do this," and the senior people say, "No, I don't think that's right." And you got to change out the CEO because where you want to take the company just does not play to the strengths of that person or that person just could do it, but just chooses not to.

Jake Bernstein: Yep.

Kip Boyle: Anyway, that's a whole corporate governance conversation, but I think it's time to wrap up the episode. What do you think?

Jake Bernstein: I think we're good.

Kip Boyle: Okay. So I think that senior decision makers would make their organizations a lot less vulnerable to cyber attack if they would just acknowledge that they are very, very dependent on computers, and then level up their management of the business risks that that dependency brings. Did you have any final thoughts on all this, Jake?

Jake Bernstein: Yes, but they're probably whole episodes in and of themselves. So I think we'll call it there.

Kip Boyle: Put a pin in it and we'll pick it up later. All right. Well, then that really does wrap up this episode of the Cyber Risk Management Podcast. And today, we explored how a lot of organizations are having an identity crisis, they don't even always know it, and how that's making them an easy target for cyber criminals. Thanks everybody for being here. We'll see you next time.

Jake Bernstein: See you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cybersecurity hurdle that's keeping you from growing your business profitably, then please visit us at cr-map.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.