Kip Boyle: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives become better cyber risk managers. We are your hosts. I'm Kip Boyle, CEO of Cyber Risk Opportunities.

Jake Bernstein: I'm Jake Bernstein, cyber security counsel at the law firm of Newman Du Wors.

Kip Boyle: This is the show where we help you become a better cyber risk manager.

Jake Bernstein: The show is sponsored by Cyber Risk Opportunities and Newman Du Wors LLP. If you have questions about your cyber security related legal responsibilities-

Kip Boyle: And if you want to manage your cyber risks just as thoughtfully as you manage risks in other areas of your business such as sales, accounts receivable and order fulfillment, then you should become a member of our cyber risk managed program which you can do for a fraction of the cost of hiring a single cybersecurity expert. You can find out more by visiting us at cyberriskopportunities.com and newmanlaw.com. Jake, what are we going to talk about today?

Jake Bernstein: Today Kip, we're going to talk about your new book and how it can help our listeners.

Kip Boyle: Oh yeah, that's right. This is great. I'm really excited because not only is this my new book, but it's actually my first published book so it's so cool. It's on my bucket list to be a published author so I'm really excited.

Jake Bernstein: I think the obvious first question is what is your first published book called?

Kip Boyle: Okay. It's called Fire Doesn't Innovate.

Jake Bernstein: Is this a book about cyber risk?

Kip Boyle: It is a book about cyber risk. There's so much about book publishing I don't understand that I've been learning about. And one of the things about book publishing is that you want to have a catchy distinctive title and the title should actually tell a story.

Jake Bernstein: Wow. That is a distinctive title. What's the story?

Kip Boyle: All right. One of the things that I've learned over the course of my career working in cyber is that the nature of cyber threats and therefore cyber risks is very different than what business leaders are used to facing.

By comparison, risk to sales, order fulfillment, accounts receivable, those risks are pretty well understood and there's standard mitigations that can be used to deal with and manage the risks in those areas. But cyber is very different and what I've noticed is that a lot of business leaders try to use a checklist approach to managing cyber risks as if they were managing other risks.

I really focused on fire as a static risks. In other words, the properties of fire are pretty much immutable on planet earth. We know what it takes for fire to start. It needs heat, it needs oxygen and it needs fuel.

Because we understand fire really well, we know how to disrupt fire. We know how to keep it from starting. We know how to stop it once it's started. And so fire can do lots of really great things for us but it really doesn't change. It's essence is really the same.

And so today it's really very rare if a building catches on fire whether it's a private house or commercial space. It really doesn't happen that much. But cyber is very, very different. Cyber innovates all the time. Why? It's because cyber criminals and to another extent cyber armies, cyber soldiers are regularly trying to figure out how to attack us. How to breach our defenses. How to steal from us.

That's really the idea here. Is that fire does not innovate and so cyber does. You can't really think of cyber as a problem that we're really going to get our arms around and that we're going to control in the way that we have managed to do with just fire. Risks of fire.

Jake Bernstein: It sounds to me what you're saying is that if you make the mistake, and I think it is a mistake of thinking about cyber risk in the same way you think about natural disasters, you're really fundamentally misunderstanding the nature of the cyber threat.

Kip Boyle: Yes.

Jake Bernstein: Because it's a human generated threat and it's... Maybe what's really interesting about it is that, it's a form of security that people particularly in Western countries aren't used to because they're not used to experiencing. What I mean by that is that people are generally pretty secure in their physical safety. Whether they're at home or at work.

People are the main threat to physical safety these days and in some countries, that's still an active threat. I think what's happening here with cyber is that we have this false sense of security because we are physically safe, but we have forgotten what it's like to have to basically protect ourselves against ourselves. Against other people.

Kip Boyle: Yeah. Against a pervasive accomplished threat.

Jake Bernstein: Exactly. With cyber it pierces all those physical security boxes that we have spent a few centuries creating for ourselves. I think a lot of people don't even know what to worry about. It probably seems like a faceless, oh, it's just like the flu.

You could draw an analogy between the cyber risks and the flu and you and I talk about cyber hygiene. But that would be a wrong metaphor. The better metaphor would be trying to defend yourself against intentional biological warfare, which I think is pretty horrifying and scary to most people.

Kip Boyle: Yeah. Actually, I think the reality is a mashup of both of those things because I think about... And I talk about this in my book. I think about how good of analogy, actually.

I think that the mutations of flu the influenza really is something that people do understand. Every year there's a flu shot that comes out and the caveats that are always put out there is that the flu shot is anywhere between 30% to 60% effective at preventing you from getting the flu because the flu is constantly mutating.

And so we make our best shot at coming up with a vaccine, but it's not always the... We're not always on target. I like that metaphor because people are used to it. Nobody's ever seen a flu virus with their naked eye. We only know that the flu is around when we see people sneezing or if we get it.

That's the same with cyber. You don't really understand how much you're being targeted for ransomware, for example, until you see somebody actually struggle with it or if you actually struggle with it. But it's very hard to perceive that it's coming after you.

Jake Bernstein: Yeah. No, it is. Okay. That's Fire Doesn't Innovate. But your book has a subtitle too, doesn't it?

Kip Boyle: Yeah, it does. Because you can have a really clever title, but to your point, it's like, okay. Fire Doesn't Innovate. That does not sound on the surface like it's a book about cyber risks. And so working with my publisher they said, "Yeah. You should probably have a subtitle."
The subtitle is the Executives Practical Guide to Thriving in the Face of Evolving Cyber Risks. That subtitle I think really puts a sharp point on why I think this book can help our listeners.

Jake Bernstein: I totally agree. I think that a... It's a good subtitle to help people see what the book is about. You sent me your manuscript and I looked it over and I noticed that it was divided into two parts. The first part was basics of cyber security and the second part was your cyber security game plan.

Kip Boyle: Yeah. That's right. Yeah. The book is divided into two basic parts. That's right.

Jake Bernstein: Can you just tell us about part one?

Kip Boyle: Absolutely. Part one as you said is about the basics of cyber hygiene. Really chapter one covers some of this ground that we've been talking about which is the idea that we as people who are being attacked by cyber criminals and can get in the way of cyber battles, that we've got to constantly evolve our defenses as the adversary evolves their ability to attack us.

Then I talk about that the best defense is to really study the NIST cybersecurity framework and to use it as a guide. Because as we've talked about before in this podcast, the framework is not a checklist of very specific things that you do. Rather, it's a framework which is, it tells you what outcomes you need to be able to achieve no matter what exactly is coming at you. It's useful-

Jake Bernstein: It's a-

Kip Boyle: ... because it-

Jake Bernstein: ... inaudible.

Kip Boyle: ... allows you to change with time.

Jake Bernstein: Yeah. I like to think of it as a skeleton upon which you get to build the muscles and skin of your own cyber security program.

Kip Boyle: Yeah. That's right. And your program's going to look different than other people's programs. Then the third and fourth chapter in the first part really covers this idea of cyber hygiene and germ theory.

We talked about the influenza virus and I think germ theory is a really great metaphor for people who are struggling to understand cyber as a very abstract thing. But to make it more tangible so that people can actually internalize what cyber... What's the nature? The very nature of cyber risk and how does it compare to something that we already understand?

Then when you travel, you're very vulnerable to cyber risks when you travel. If you're an executive and you have authority over money and data in your organization, you're going to be very vulnerable. Your organization's going to be vulnerable when you travel. And so we talk about that in part one and how to protect yourself.

Jake Bernstein: That sounds good. The interesting thing I like about the cyber hygiene influenza metaphor is that, I think we can learn a lot from public health and epidemiology type disciplines when you're looking at cyber hygiene and it's... Sure.

Yes. You've put antivirus on your computer to protect that computer, but you're also doing it to protect the network as a whole and this idea of hard immunity. It actually works with computer networks just as it works with people.

Kip Boyle: Yeah. Absolutely right. We hear about things called botnets. What is a botnet? Well, it's a bunch of computers or internet of things devices like a home router or a closed-circuit TV camera that's actually been connected to a data network and these devices all have vulnerabilities.

Somebody has figured out how to exploit those vulnerabilities and then hijacks those devices and assembles this army of internet connected devices that can then do the bidding of this attacker. By you making sure that your computers and internet of things devices are configured securely, you're actually stopping criminals and cyber armies from building these botnets which can mess up our online community.

Jake Bernstein: Yep.

Kip Boyle: It's funny because I've had people say to me, "Well, I just need to take care of myself and if I want to not configure things securely because it's too expensive then, now that should be something that I get to decide."

Jake Bernstein: inaudible.

Kip Boyle: To a degree I understand the point. But I also think that it can be shortsighted because if we don't protect the online community, then the ability to conduct business online will be diminished. Because your customers won't feel comfortable about going online and commerce just won't work as well. If there's a lot of disruptive activity online, if your machines are being taken down, if your servers are being taken down, you can't conduct commerce. It's-

Jake Bernstein: Well, it's exactly like trying to conduct commerce in a civil war torn country. You just can't do it.

Kip Boyle: Yeah. You're lacking infrastructure and basic protections. People aren't going to come out of their homes because they're afraid that they're going to get robbed or caught in the crossfire.

Jake Bernstein: Yeah.

Kip Boyle: I really liked your point a moment ago about biological warfare because I think that's another thing that we're seeing where you don't have to be a target to get hurt on the internet. We've talked in a previous episode about the NotPetya cryptoworm that caused over a billion dollars worth of damage in 2017 to companies like Merck pharmaceuticals, FedEx, Maersk Shipping and a whole bunch of others.

They were not directly targeted by this cryptoworm, but they ended up getting hurt pretty badly simply because they were connected to the internet at the wrong places and at the wrong times. It's absolutely the case I think that we have this global digital commons. This space where we all are coming to and doing things and we've got to protect it because really there's no governing body out there that is doing it for us. It's just not happening.

Jake Bernstein: There's not. There's not. Okay. What about part two then? What about your cybersecurity game plan? What's up with that?

Kip Boyle: Yeah. Whereas part one is really meant to orient the reader to the nature of the threat and how cyber can affect them in different ways and the usefulness, the utility of the NIST cybersecurity framework, part two is really oriented around, okay. If I'm an executive and I've got responsibility for my organization and my organization is facing cyber risks, then what can I do about that?

I'm really tickled by part two because we're doing something that I think is really cool. I love it when companies do this. I hope that our listeners and our readers will appreciate this.

We talk about cyber risk managed programs and the fact that we offer those. And when we partner with you Jake, then we can offer privileged cyber risk managed programs which means that all your risk records become protected under attorney-client privilege.

Well, it takes a lot of energy and effort to deliver a cyber risk managed program. But for the book, what we wanted to do was we wanted to find a way to allow our listeners and our readers to enjoy some of the aspects of how we deliver cyber risk managed programs. What we did is we worked really hard and we took the basic cyber risk managed program and we tried to very smartly turn it into more of a self-service opportunity for our listeners.
Part two it really takes the three phases of the cyber risk managed program and it puts it in your hands. If you are a reader, you can actually see how we do the work for our customers. Then you can do it for yourself. You can get a team together and you can follow along in part two and you can actually create your own cyber risk program and you can use all the things that we do. Practically, all the things that we do to do that.

We've got three phases in the program. Phase one is about identifying your top cyber risks and we tell you in chapter five how to do that. We also talk about the crucial... One of the crucial parts of doing cyber risk work is to get people's buy-in. If you don't have buy-in from people, then it just not only makes discovering what your risks are really hard, it can be impossible or next to impossible to do anything about your cyber risks once you discover them.

We take all of the things that we know about it. How to get buy-in and we've put it into part two. Some of the buy-in really comes in part one of the book. Some of the things that we share in part one, our readers can use those techniques and those insights to help their teams and their organizations begin to think about cyber in a more productive way.

Jake Bernstein: Well, that sounds great. A do it yourself version of the managed program and I think particularly great for small groups. Small teams.

Kip Boyle: Yeah.

Jake Bernstein: Small companies.

Kip Boyle: This really scales. That's one of the things that we found with the managed program is we can help organizations as small as a $2 million a year company or a nonprofit benefit, all the way up to $1 billion company and above.

It's very elastic and it's something that can be used by anybody really who's interested in doing this. I think it could even be potentially used to protect your family if you really wanted to.

Jake Bernstein: Yeah.

Kip Boyle: We help you figure out what your top risks are. Then we help you figure out what to do about that. We've taken many of the tools and techniques that we use and again, we've reshaped them so that our readers can take advantage of them.

So different ways of organizing yourself, different cost, estimating tools that we use, visualizations. We actually explain in there how to create some basic visualizations of what your cyber risks are and some basic visualizations for showing other people. Whether it's a member of the executive suite or maybe it's an investor or an important customer.

Heaven forbid if a regulator or if he ever asks you what's going on, if you ever end up standing in front of a judge and a jury, you're going to be able to show them these records and be able to explain to them, hey, you were not asleep at the switch. You actually were paying attention.

Jake Bernstein: You're articulating an argument for, as we are so fond of saying, reasonable cybersecurity.

Kip Boyle: That's right. Yeah. If you want to practice reasonable cybersecurity but you don't have the budget or there's some other reason why buying a managed cyber program doesn't make sense for you, this is really exciting. Now, once the book's published, you're going to be able to take advantage of these different techniques that we use and you can make your own. We're excited-

Jake Bernstein: Wow.

Kip Boyle: ... about that.

Jake Bernstein: I think the question now is when is your book going to be available to the readers?

Kip Boyle: Okay. The manuscript has just gone into a round of heavy technical editing and so it's nearly finished as far as the content is concerned. The target publication date is January 2019. But one of the reasons why I wanted to talk about this on the podcast is because I wanted people to know that the book's going to be available, of course, because I think it's going to help.

But also we're looking for people who might be willing to post an honest review on Amazon once our book does go on sale. Because we want to spread the word. We want to make sure that as many people are aware of the book as possible.

If any of our listeners out in the audience are interested and willing to review an advanced copy of the book in exchange for an honest review once it goes on sale, then send us an email and we'll figure that out. We'll get you an advanced copy of the manuscript. You can take a look at it.

What I want you to do is I want you to send an email to info, I-N-F-O @cyberriskopportunities.com. And in the subject line, if you would just to help us... We don't want to miss anything, but in the subject line put Fire Doesn't Innovate and then we'll respond and we'll make some arrangements. We'll get you that advanced copy so that you can take a look at it.

Jake Bernstein: Well, Kip, this is really exciting. I think it's great that we're going to have an accessible version of the managed program that's out there in addition to these really important thoughts on the nature of cyber risk and how people can protect themselves.

Kip Boyle: Yeah. It's so exciting for me. I'm really glad that I get the opportunity to share this not just with our listeners on the podcast here, but I really am looking forward to people all over the world potentially reading it and feedback.

I'm really interested in feedback because I want what we do to keep getting better for our customers and for our listeners and so to get some really thoughtful feedback on the book and our ideas and the way we do things I think is going to be just super useful. I'm really looking forward to that.

Well, that wraps up this episode of the Cyber Risk Management Podcast. Today we talked about how executives can put together their own game plan to mitigate their top cyber risks once they get a copy of Fire Doesn't Innovate. Thanks for listening and we'll see you later.

Jake Bernstein: See you next time.

Kip Boyle: Thanks everybody for joining us today on the Cyber Risk Management Podcast.

Jake Bernstein: Remember that Cyber Risk Management is a team sport and needs to incorporate management, your legal department, HR and IT for full effectiveness.

Kip Boyle: And management's goals should be to create an environment where practicing good cyber hygiene is supported and encouraged by every employee. If you want to manage your cyber risks and ensure that your company enjoys the benefits of good cyber hygiene, then please contact us and consider becoming a member of our cyber risk managed program.

Jake Bernstein: You can find out more by visiting us at cyberriskopportunities.com and newmanlaw.com. Thanks for tuning in. See you next time.