EPISODE 105
Your IT Person is Not Your Cybersecurity Person



About this episode

May 10, 2022

IT and cybersecurity actually have very little overlap. The people performing them have similar skills but they have very different goals and very different ways of thinking. Let’s find out how different with your hosts Kip Boyle, vCISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.


Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, virtual chief information security officer at Cyber Risk Opportunities, and Jake Bernstein, partner at the law firm of K&L Gates. Visit them at cr-map.com and klgates.com.

Jake Bernstein: So Kip, what are we going to talk about today in episode 105 of the Cyber Risk Management Podcast?

Kip Boyle: I just love how you kick it off. This is episode 105, which still is causing my head to spin a little bit at how cool that is. But let's get to it. Today we're going to explore something that maybe most of our listeners already understand, but I don't know that they all do, which is your IT person, your guy or your gal that's providing IT services to your company, isn't your cybersecurity person.

Jake Bernstein: Yeah, isn't that obvious? Maybe it is to us.

Kip Boyle: I thought it was obvious, but recently I've learned that it's not. It's not obvious to everybody. It's certainly not obvious to every senior decision maker that I've been encountering. So I thought we should probably just make this a very explicit conversation.

Jake Bernstein: Well, I think it's worthwhile, and for a number of reasons, one is I love it when I have a link to an episode that I can just send to someone to explain something rather than repeat myself. And hey, listeners, if you already know this, that's what you can do with this episode is send a link to someone who doesn't already understand, and hopefully we can try to make that clear. So anyway, how did you learn this this time, because this seems like it's something recent.

Kip Boyle: So it's an inflection point. I mean, this is something that I've known for a long time, so what's happening with me... And again, I'm a practitioner, I'm a virtual chief information security officer who also teaches. And my podcast is part of how I teach. So I practice and I teach. And recently I've been helping a lot of companies either apply for or submit an application to renew their cyber insurance policy.

Jake Bernstein: Oh boy, that's exciting these days. It's much harder than it was a year ago.

Kip Boyle: Oh man. Yeah, definitely. There's so many changes. The need to have help from somebody like me has really intensified because the market has hardened. That's a little twist of phrase that I've been learning lately, which means it's getting harder and harder to get approved for cyber insurance. And if you are approved, the amount that you're going to pay is going to go up, and in some cases substantially. The amount of coverage that you get is going to go down. And the amount of deductible that you're going to have to pay is going to go up. And then as part of that, what we're also seeing is that insurance carriers are being completely ruthless about who's in, who can get insurance, and who's out.

And I've definitely seen cases where the quote to get a policy was so absurd. I mean, it just wasn't economical to get a million dollars of coverage. And I'm just throwing out some figures here to illustrate the point, but to get a million dollars of coverage you'll spend $200,000 of premium, and this is just for a year, and you'll have a quarter million dollars of retention, which is the fancy word for deductible. So chief financial officers are looking at that going, "This doesn't make any sense."

Jake Bernstein: I mean, I don't want to go off on a tangent, but of course that's what we do here on the Cyber Risk Management Podcast.

Kip Boyle: Which is why we have a script.

Jake Bernstein: Which is why we have a script. And maybe this is just a teaser for another episode, but that is starting to... I mean even last year, we would say without any hesitation that cybersecurity liability insurance is a no brainer, automatic, almost minimum viable component of risk management. But what you just said starts to throw that into at least a little bit of doubt.

Kip Boyle: I think so. I think we were even getting to the point where we were saying that it's unreasonable not to have.

Jake Bernstein: Oh we did. We totally did.

Kip Boyle: Not to have it. Per se unreasonable. But now the economics of it are shifting because insurance companies have had their rear ends handed to them on a silver platter in the last couple of years, they're losing money left and right. A product that used to be highly profitable with large profit margins has suddenly turned sour and they've got to figure out how to deal with this. Some carriers are exiting the market because they're like, "Hey, this is too much for us. We don't have the stomach for this." And the ones that are staying are really rolling up their sleeves and getting super, super serious about this. So we had a billion dollar company ring us up the other day, it was a referral from an insurance broker, and they got one of these outrageous quotes for renewal. They'd had cyber insurance for 10 years and the CFO said, "This is ridiculous. We're going to self-insure for cyber. Go find somebody that'll help us do that."

And I thought that was absolutely fascinating when I started talking to them and I thought to myself I've never heard anybody call it self-insuring for cyber before, but then as I reflected on it, I thought, you know what, anybody who doesn't have cyber insurance going back 10, 20 years is self-insuring by definition, but I've just never looked... That's like looking at it through the wrong end of the telescope. It is.

Jake Bernstein: And this is really fascinating, too. I think we've mentioned it in, I'm sure a relatively recent episode or two, but I remember Kip, not that long ago, 2017-ish, maybe it was 2018, where you and I were doing a presentation with one of our broker friends, and we had planned to ask this question and it didn't go so well for us at the time. We said, "So, broker friend," name being protected to protect the... Withheld to protect the innocent. "What kind of questions is the insurance company going to ask you when you're trying to get into cyber insurance?" And he said, "Well, really not that many. They're not going to look too much at you back in 2018." And let's just say that things have changed.

Kip Boyle: It was a single page of questions. Most of the questions were silly and it seemed like almost anything you put down there you'd be approved. I mean, unless you egregiously said something that was just so awful.

Jake Bernstein: We have no firewalls. In fact, we let people come in and do whatever they like on our network. That might have gotten you.

Kip Boyle: Because we're a university.

Jake Bernstein: Yeah, yeah, yeah. Exactly.

Kip Boyle: But it was just super, super easy. With that context, I will now answer the question that you just raised, which is why is it so front of mind for me right now that your IT person isn't your cybersecurity person? Well, again, I've been helping with these insurance applications, and what I've noticed is that most of the people that are filling out the applications work in IT, but they're not dedicated to IT security. And some of them, in fact, are the owners or the senior technology people at an outsourced IT company that's actually filling out these applications. And I was kind of stunned by that.

Jake Bernstein: Oh man, that's a little distressing. There's a couple of issues there. The thing about... So let me ask you this. In the situations where you're seeing the outsourced IT company filling out these applications, are they the... what kind of networks do these companies have? I mean, do they have any, or are they, quote, modern cloud-first minded [inaudible].

Kip Boyle: No, these tend to be more well established companies with what I would call legacy networks, local area networks, extensive local area networks, hardware on-premise, in racks. Maybe they have a data center or they rent colo facilities, or maybe the outsourced IT provider actually has their hardware in racks in their controlled data space. So these are companies that have older architectures. They are not cloud first companies. They do use a lot of software as a service, but they have a lot of legacy IT, and that's why they need outsourced IT service providers, because they've got a lot to manage. Because what I've noticed is that our cloud first customers don't tend to have a managed service provider because they just don't need that much help.

Jake Bernstein: Fascinating. So I guess the other component is why does it matter if these IT folks aren't also the dedicated IT security. What is that going to do on the insurance applications?

Kip Boyle: I'm seeing all kinds of things. Let me just give you a couple of examples. So first of all, the questions, they don't understand all the questions. So the answers that they're putting down are the result of an incorrect interpretation of the question. So just to give you a silly example, the question might be... And by the way, the insurance carriers are their own worst enemy when it comes to this sort of thing. But the question might be, "Do you use multifactor authentication," question mark, blank line. That's it, that's all it asked. Well you and I both know that you need to enable multifactor authentication on a platform by platform basis. There's no one single switch that you can go to flick to enable MFA everywhere that an organization has sensitive data. It doesn't matter what your IT architecture is.

So IT people look at that and they have a couple of reactions. One reaction is that they know it's a silly question because there's no easy answer and they get frozen. They get a little analysis paralysis because that little teeny weeny line that's about four inches long on the application is not enough space to describe just how complicated the answer really is. So that's one problem is they get stuck because the answers can't be as simple as the questions.

Jake Bernstein: Yeah, that's very true.

Kip Boyle: And then you get other things like do you have DLP? Well, most IT people don't even know what DLP is, and I don't even know if anybody listening to this podcast even knows what DLP is. It's data loss prevention. And most people think that data loss prevention is a category of product that you have to purchase, blinky lights and rack it and that sort of thing. And that's one way to do it. But data loss prevention is a lot of things. It doesn't have to be a single product that you buy from a single vendor. It can be all kinds of things. But that's a nuance that most IT people, first of all, don't understand what the acronym is, but then beyond that, they don't understand that there's nuance. And I feel bad for them because nobody's really set them up for success.

Jake Bernstein: So there's this live session that you did called Cyber Security for Insurance Professionals.

Kip Boyle: I just did it. Last week.

Jake Bernstein: Last week, even. And tell me about how you started off that session. And let's talk about that.

Kip Boyle: So first of all, the way I prepped for that session, and this is what I try to do with all the sessions that I facilitate is I was talking to the conference organizer and I said for the people who are planning to attend, what is it that they're struggling with? What do they want to know? So the conference organizer did a wonderful job of prepping me. And as I was listening to the response, I realized, "Oh my gosh, these are insurance brokers. These are representatives from insurance carriers." And I thought, "Well, they're all struggling with this problem." Because they're having such a hard time, so if you're a broker, you've got to sell policies, you've got to place insureds with insurance carriers, you have to bind insurance policies, and then you get a commission. That's how brokers make money.

But they're having a really hard time right now because the questionnaires are getting longer and longer and longer from the insurance carriers. A lot of the questions are obtuse or oversimplified, and then they're trying to get these applications filled out, but they're having a really hard time getting them filled out because the people responding to them... See the previous five minutes of conversation you and I just had for why they're struggling. So it just became obvious to me that there's this mismatch. They're assuming that the IT people are the cybersecurity people and that they can answer all these questions.

So there are about a hundred people in the audience when I opened up my session and I just said, "Hi, it's great to be here. Hope you're doing well. I want to ask you a question to get everything started." And I said, "Raise your hand if you know that your IT guy or IT gal isn't your cybersecurity person." And about 40% of the people in the room raised their hand as saying, "Yeah, I know that." But 60% of the people didn't raise their hand and most of them had a very confused look on their face.

Jake Bernstein: So now it's very, very clear why we're talking about this. So just to be clear, your IT guy or gal isn't your cybersecurity person. Now Kip, that might sound... Even though we know that, that can still sound odd. So why is it that the two functions actually don't have that much overlap?

Kip Boyle: Well, it's funny because if you're a senior decision maker who... Let's say you're a CFO and you came up through the ranks in the finance department, you're a chief operating officer and you came up that way, or you're chief marketing officer, chief revenue officer, whatever. And you've never come up through systems right, through the IT department. You've never really had any substantive interaction with them. You think that all IT people know everything in equal measure. Because you just don't understand the nuances and why should you. You just haven't had that experience. So here I am to tell you that there's a lot of nuance. Just like a person who's really great at networking generally doesn't know anything about databases. You're going to take a networking problem to a network person and a database problem to a database person. And it's the same thing with cybersecurity.

Cybersecurity people know a lot about what network people know and database people know. They have a lot of similar skills and conceptually they understand how systems work and how tech works and that sort of thing. But what differentiates them is that they have very different goals and they have very different ways of thinking, which is... Once we unpack this, I think people will go, "Oh, that's why the cybersecurity people are so weird."

Jake Bernstein: Hey man. I guess we are guilty as charged there. I mean, you're right. The goal of IT is to keep systems running for customers and staff, whatever it takes. In other words, keep the lights on-

Kip Boyle: That's what they get beat up over.

Jake Bernstein: Yeah, exactly. And to bring this into the CIA triad, and I know that there are other ways of thinking about it, but IT is really focused on availability first and confidentiality and integrity are... Frankly, it's probably integrity as a second place, and then as a distant third would be confidentiality.

Kip Boyle: I would almost say they don't have a triad, they have a monopod.

Jake Bernstein: I think that is true of a lot of IT departments. In fact, if they even recognize the triad, then they are more of a hybrid department than we're talking about, but I think most aren't.

Kip Boyle: Or they work in the defense sector.

Jake Bernstein: Yes. So the default security posture is tilted towards openness because that's the easiest way to avoid support calls. Keep systems up and running and reduce support calls. And the thing is this isn't laziness. They're metrics. The IT departments are often measured on number of support calls, meantime to recovery, getting things back up. This is not an accident.

Kip Boyle: No, it's not. I mean, think about how many times you've heard somebody say... And for those of you in the audience that have never heard this, here you go, five nines of availability. 99.999% uptime. Or six nines or whatever. I mean, there is this fascination with how available can systems be, and vendors of IT services will talk about their high availability and how many nines of availability and so forth. So it's almost a fetish in a way at how focused we are in uptime, but it makes sense. Uptime is important, and I can tell you that security does sometimes work things up.

We just migrated to a new web server and we had some technicians build it out. And then I said, "Tell me about the security of this thing." And they went, "Oh, right, security." So then they went and did a whole bunch of security work. It annoyed me because I'm like, "Duh, you don't bolt on security later on. That's not the way to do it." So here's what happened is they went off and they did a whole bunch of vulnerability scans and so forth and ran a whole bunch of checklists, and they put the security layers on after they had the thing running. And guess what? They broke a piece of core functionality and we couldn't send emails for several days because when they applied the security blanket, they actually broke a core piece... It was a Linux server and they actually broke the cron function. These little behind the scenes pieces of code called daemons weren't running and weren't sending the email and receiving the email, and they had to do an extensive troubleshooting session in order to figure that out.

And how do you avoid that? Well, you avoid that by baking security in from the beginning, rather than trying to wrap a security blanket on it after it's running. But I can understand why IT people often see security controls as interfering with their work. So they want to keep everything open and default. Because if I had never asked them, "Hey, what have you done for security," they wouldn't have done anything more than they had done, which wasn't much, and they never would've broken the emailer and we never would've had a service interruption because of that. In fact, I was the one that opened up the ticket that said, "How come the emails aren't sending?" And then that's how they figured out the security blanket that they put on messed it up. So IT people want it to be open and they don't necessarily realize it, but they're taking on a lot of technical risk when they do that. And the data's clear that a lot of the vulnerabilities that are at the root of a lot of the digital crimes that we're seeing as a direct result of this openness.

Jake Bernstein: Well, in contrast, cybersecurity people want to keep systems from being violated and we want to keep digital assets from being destroyed or stolen, which really indicates the opposite of openness. We want to be locked down and closed.

Kip Boyle: Yeah, exactly. We're thinking like, "Let's not have ransomware on our network. It's super expensive when that happens. It's super disruptive to the business." And it's funny because it actually cuts against the availability objective that IT people have, but there's still a disconnect. They still think that the chance of getting ransomware is like super remote or will never happen. But I can tell you, I've spent a lot of time cleaning up after ransomware, so it absolutely happens and it completely destroys the uptime metrics.

Jake Bernstein: So that mini discussion right there really does indicate to me that when you dig deeper, IT and security really are on the same... They should be on the same... They could be on the same page.

Kip Boyle: Well that's why we have a triad and they have a monopod, but it turns out availability is a concern that we both have, but we're also trying to balance integrity and confidentiality as well. And then we end up getting twitchy and we want to say no a lot because we already... Because just looking around, we see all this risk because of all this openness. So when somebody comes to us and says, "Well, we want to do something else," I'm already getting twitchy because I know how open everything is already, and I'm feeling like our digital assets are probably overly at risk already. Go to a twitchy person and ask them to take more risk and see what kind of response you get.

Jake Bernstein: And let's be honest, at least currently there aren't that many consequences... There aren't a lot of external... I don't want to say that. That's not quite true. There are a lot more regulatory consequences for losing confidentiality, and mostly confidentiality over availability. Although it does depend on the situation. I want to be careful there.

Kip Boyle: Well I would say there's a lot of contractual consequences. You can't fulfill orders you've taken if you have no systems to enable you to fulfill orders. So that's not a regulatory consequence, but really just a contractual one where your customers will walk away from you because you can't deliver. And I want to share a story about what happened, an incident with the manufacturer, because I think this is illustrative of just how awful this can go. You want to talk about availability. It was in January that somebody passed to me a bankruptcy declaration that had been recently filed. And I want to read some quotes out of that. So are you ready?

Jake Bernstein: Let's do it.

Kip Boyle: All right, here we go. So a ransomware attack recently caused a Texas based steel structure manufacturer to file for bankruptcy. So a steel structure manufacturer. Think of those steel buildings that you see that are used as shops to repair cars or whatever. That's what we're talking about here. Now the company's name is United Structures of America, USA, or it was, and they got a piece of ransomware on their systems and they paid it, but guess what, they didn't get their data back. So in the chapter 11 bankruptcy declaration, here's what it said. And by the way, this was filed on January 11th, 2022. So this is very recent. "On or about May 25th, 2019 hackers remotely installed ransomware on the company's computer network and destroyed all the information on its servers, more than 400 computers, as well as its computerized numerical control equipment and machinery, CNC. Many of these devices were not only wiped out, but rendered unusable by the malware."

So a CNC is like... If you have a piece of raw material, like a piece of steel or something, and you want to change that into a part, like a screw or whatever, or you want it to be bent into a certain shape so that you can build a building with it, these computerized numeric controlled equipment, CNCs, will do that so that a person doesn't have to do it, but a computer will do it and it'll bend it and mill it and make it precise. It's a very important piece of machinery. These days you really can't build things without these CNC pieces of equipment.

So I'm almost done. Then it says, "The company alerted authorities and ultimately paid the attackers the requested ransom, but its data was not returned. The ransomware attack cost the company significant sums of money and it lost its data relating to accounts receivable, accounts payable, current orders, customer information, current CNC machinery configuration files, along with essentially all of its business data. After the ransomware attack the company has been methodically winding down its operations," and listen to this, "at the height of the company's business, it had over 450 employees and annual revenues of over $100 million."

Jake Bernstein: Gosh, that's tragic. I wonder how often this happens, and I'm guessing this is not an isolated story. We know it's not an isolated story and-

Kip Boyle: It's an extreme story.

Jake Bernstein: It is an extreme story.

Kip Boyle: [inaudible].

Jake Bernstein: But they're not the only one. Here's my guess, honestly, is that this thing happens a lot more often... Look at the dates. This happened originally on or about May 25th, 2019. The chapter 11 bankruptcy declaration wasn't filed until January 11th, 2022. You're talking, what is that, two and a half years later. And what's interesting to me about that is that a lot of this stuff... Maybe there's a news release about a breach, and for a week or less it's the talk of the security town. What I don't think we're very good at is following that story to the conclusion. And this is a really good example. You hear about a ransomware attack, I mean, they happen all the time. I mean just constantly.

Kip Boyle: Legion.

Jake Bernstein: Legion. And to give you some idea of the numbers, one of our newish associates used to work at basically an insurance defense firm that basically specialized in incident response. And at the height a couple years ago she was opening 6 to 10 ransomware matters per day. And that's just her, that's just one associate at one of these firms. And all of them are going to be this bad. This one, as you said, is an extreme situation.

Kip Boyle: It's illustrative, right?

Jake Bernstein: It is very illustrative.

Kip Boyle: How you don't want ransomware on your network.

Jake Bernstein: Oh, you really don't. And I think what's particularly interesting to me about this one is the CNC machines. I didn't even think about that as a risk, but there is a lot of industrial machinery out there that recovering it if it's wiped is probably extraordinarily difficult to impossible, and that kind of stuff isn't going to be... That's not going to be backed up on the cloud by default. You're going to have to have had a very intentional disaster recovery business continuity plan in place with careful backup strategies. I mean, this is really just sad.

Kip Boyle: It's very sad. 450 employees. That's 450 families who had somebody who lost their job.

Jake Bernstein: Well, it's really a lot more than that, because in a company like this, think of the economic follow on effects of all of those... This is a manufacturer. This is like the base of an economy. And that means that all the service industry folks... I mean hopefully a lot of these people were able to go get new jobs, but it's a hit for sure.

Kip Boyle: And how many of them were close to retirement and can't get another job?

Jake Bernstein: At any event. Why do we think this happened, or maybe a better question is how do you think this relates to what we're talking about today, about the IT people?

Kip Boyle: Well, there's a couple of things. So first of all, I want to harken back to episode 104, where we talked about identity crisis and how the fact that companies who are so dependent on computers to do the work of their company, but don't take it seriously enough. That was the whole episode that we did in 104 was about that. And I would say that's one of the things that is absolutely in play with this ransomware attack against United Structures of America, is they were 100% dependent on their computers, and when they lost control of them, their company failed. So I think that's something in play. But as far as what is it about your IT person is not your cyber security person? Well, I'd be shocked if United Structures of America, even that $100 million of annual revenue, had even one person whose full-time job was to focus on cybersecurity. I just don't see that. Especially in the manufacturing space.

I don't know how to find out for sure, but I'm pretty sure they don't, because I've talked with a lot of manufacturers over the years, big ones, and they tend to see it as a cost center, something that needs to be tightly controlled and minimized as much as possible. So I think it's a reasonable assumption that they made that same mistake here. So that's what I think. What do you think?

Jake Bernstein: I mean, I think that's probably correct, and I think, too, that until something like this happens to a non-security business executive, I don't think enough people understand what it feels like. Because let's be honest about something. If we could magically share the emotional experience of a ransomware attack with an executive, that person I promise you would sign off on nearly any expense to prevent them from having to go through that experience.

Kip Boyle: It's awful. Even if you don't go bankrupt.

Jake Bernstein: It's awful no matter what. I'm dealing with one right now, and one of the people involved was like, "I haven't slept the last three days." It's awful. But we can't do that. And we certainly try to get people to understand. But I think what happens is that... And this really goes to the way that we measure cybersecurity. We have a 0 to 10 scale when we do our assessments. And I think what's challenging is that it's not your typical 0 to 10 scale where it's just this linear-

Kip Boyle: Where 10 is great.

Jake Bernstein: Where 10 is great. 10 is actually bad. The 5 to 8 is good, 8 being the best. 9 and 10 though, and the reason we do... I mean, there's, I'm sure, a number of reasons we do it this way, but we do it this way because visually it makes a lot of sense to think about how you can get ideal security when it's... An ideal security is invisible. It's doing its thing, but it's not in your face. The second it starts to get in your face, that either means it's not optimized at all or things have gone too far. And we all know what this looks like. A 9 is when you're just like, "Oh, these security guys, it's so annoying. Why are we doing this?" And then 10 is like... You're so frustrated that you go off and engage in shadow IT behaviors.

Kip Boyle: Because the main systems are so hard to use and clunky, you can't even get home for dinner just to get your work done.

Jake Bernstein: And I think it's in this zone where IT and cybersecurity can really clash the most. Because IT wants people to be happy and to use the systems without making support ticket requests every 10 seconds. One of my colleagues put it so well in the not too distant past, which is that... Actually this may have been a client who said this, but IT and cybersecurity need to be able to disagree and talk things out. And when they're collapsed, either because they're collapsed into the same people, or they're collapsed into the same reporting structure, you lose that. And that tension is a lot of what can actually produce best outcomes.

Kip Boyle: When it's really healthy, and I agree with that, and by the way, clients can be colleagues. I like to think of them as colleagues. But when it's really good, I call it a creative tension. So good things come from it and nobody takes it personally and it's healthy. When it's unhealthy it devolves into disgust and contempt and people can't work with each other and it's awful. I've been in both situations. So I think that is a great example, Jake, of people on the outside looking in might see a cybersecurity person arguing with an IT person and they might be scratching their head going, "What the heck are they arguing about? They're both on the same team. They're both just doing all the IT work that needs to be done."

And that goes back to my opening comment that, yes, we often are on the same team. Yes, we do understand how all the systems work. But no, we don't have the same goals and we don't have the same ways of thinking. I'm always thinking about what could go wrong. My IT friends are always thinking about how great it's going to be when the system is up and running and is doing all these wonderful things that it was designed to do. Happy path. And I'm over here doing my Chicken Little impression, trying to think of how the sky's going to fall, and what are we going to do to protect these digital assets? So there's absolutely a different way of looking at it. So we just want people to have enough permissions to do their job and nothing more, and that takes a little extra effort rather than just handing out admin accounts to everybody.

Jake Bernstein: Okay, so what action should a senior decision maker take if they have suddenly realized that their IT guy or gal isn't their cybersecurity guy or gal?

Kip Boyle: That's my vision for senior decision makers is that they will have this recognition, but many of them... As we've talked about, many of them don't, and it's a very difficult thing for them to come around to. But one thing that I definitely see them doing that is not helpful is they're looking for an easy button. It's like, "Oh, okay, we've got some cybersecurity problems. Let's just buy Norton Antivirus, install it, and get on with our lives." Many of them are stuck in that paradigm.

Jake Bernstein: Those were the days.

Kip Boyle: It used to be the case that you could, in the late 1980s and early 1990s, even into the early 2000s, you could just buy a piece of software and install it and then walk away from it, and [inaudible]-

Jake Bernstein: It probably came in a box.

Kip Boyle: Sit there and do it. It did. Yeah, it absolutely did. And it was very well graphically designed, and if it was Norton Antivirus, it actually had a picture of Peter Norton on the cover with his little stethoscope around his neck, and it was very cool. But these days that's a fantasy. There is no easy button that anybody can use these days in reality. The only one I know of in fact is just don't use the internet, but that's not very practical, is it?

Jake Bernstein: It is not.

Kip Boyle: No, it's totally impractical. So that's a problem that I see with senior decision makers, even when they admit that they have a lot of cyber risk, and particularly for the ones that haven't admitted, that is that they just think there's an easy button, and there isn't. And the ones that haven't admitted that they have a lot of cyber risk, man, they just have this attitude that they're immortal and nothing bad will ever happen to them or their organizations. And when I talk to people like this, I very quickly get the feeling that I'm trying to sell life insurance to Zeus. When I get that feeling, I know that I can't do anything. There's nothing I can say.

And it goes back to what you said a moment ago, if I could only put them in a ransomware simulator. So they would know what it's like to lose control of all their equipment to a ransomware attack. That might help them turn the corner. But I can't do that. I don't know how to do that. So I just wish them well. And I excuse myself from the conversation and I just get on with my day.

Jake Bernstein: Okay, so what about the senior decision maker that does realize their IT guy or gal isn't their cybersecurity person? What should they do?

Kip Boyle: All right, so if you have this realization and you realize there's not an easy button, then this is going to sound familiar, because I've said this before, but they should treat cyber as the general business risk that it's become. It's not just a tech thing. It's actually a major risk to their organization's success, just like risks in sales, in order fulfillment, and accounts receivable. If you can't sell, you're not in business. If you can't fulfill, you're not in business. If you can't collect money that people owe, you're not in business.

Jake Bernstein: Not for very long, anyway.

Kip Boyle: Yeah, not for very long. So I know any senior decision maker who was having problems selling, fulfilling, or collecting money would be all over it, because they would realize what an existential problem that is. And I would say that that's where they have to get to with cyber. Now let's assume that they accept that. Yes, it's a general business risk and I should treat it with that sense of gravity. Well, the next goal for them, the next thing I want them to think about is that they shouldn't be looking for perfect security. Don't say to me, "Make us like Fort Knox." Or, "Make us as good as the NSA," or anything like that. Because if there's anything Edward Snowden taught us, there's no such thing as perfect security or world class security, because he worked for the NSA and look what he was able to do. He was an insider and he completely compromised the NSA.

So it's not reasonable. If the NSA with, for all practical purposes, infinite resources, can't get world class security going for themselves, we have no chance. The rest of us have no chance. So the goal is to make yourself a difficult target. So if you think about this product called The Club, I don't know if anybody remembers this, but it was a red bar, you put it on your steering wheel. I don't even know if you could buy these things anymore, but I used to see them everywhere.

Jake Bernstein: I bet you can still buy them.

Kip Boyle: Probably you can, but I haven't seen one in a long time. But the idea is you put this club on your steering wheel, and the idea was that if I stole your car, I wouldn't be able to drive it because this piece of steel would keep me from turning the steering wheel in full revolutions. So I would look through the window, I'm a car thief, I look through the window and I see this thing on your steering wheel, and I'm like, "I'm not going to steal this car. What a pain in the ass. It'll take me forever." I can defeat that club, but I can't stand here and try to defeat it in such an obvious way. I'm just going to move on to another car.

And that's what I encourage customers to do. Just become a difficult target. Just make it a little bit more difficult to attack you than it is to attack somebody else. This is really the only practical response to what's going on in the world right now. We're all badly outgunned by the cyber criminals. And this I think is reasonable. So there you go, that's what they should do.

Jake Bernstein: I think that is reasonable as well. And I think we could dig into the how to do that, but I think we need to wrap up because we are running to almost 42 minutes here.

Kip Boyle: Yeah, we really do need to wrap it up. For those of you who are sitting in your car because your commute has come to an end and you're like, "Come on, guys. Shut up already. I got to get into work." That's what we're going to do right now. So that wraps up this episode of The Cyber Risk Management Podcast, and today we explored why your IT guy or gal isn't your cybersecurity person and what you can and should do about it. Thanks everybody. We'll see you next time.

Jake Bernstein: See you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cybersecurity hurdle that's keeping you from growing your business profitably, then please visit us at cr-map.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.