Security Economy Episode 4: Cyber Leadership and Embracing Risk with Thomas Koulopoulos


We are living in turbulent times.

The novel Coronavirus has upended our organizations and home life, and now more than ever, strong leadership is required.

I sat down with Tom Koulopoulos to discuss cyber leadership in particular.

How do you lead your organization in times of uncertainty? How do you prepare for a rapidly evolving technology landscape and secure your companies?

Tom is the founder and chairman of the Delphi Group, a 30-year-old Boston-based think tank, and he is a renowned digital futurist.

He shared with me his insights on becoming the cyber leader we need now. He describes how to future-proof your company for cyber security threats and think strategically about your own cyber leadership.

Let's hear from Tom.

Katelyn Ilkani

Hi, Tom, and welcome to Security Economy.

Thomas Koulopoulos

Hey, Katelyn, thank you for having me.

Katelyn Ilkani

I'm so excited to have you on the show today to talk about cyber leadership.

Thomas Koulopoulos

It's a cool topic. You know, I came up with this, believe it or not, as with most really good ideas, totally out of the blue a few years back - about four years or so ago. Boston University asked me to teach a course on cyber security.

And I looked at the syllabus and I thought, “This is so nuts and bolts.”

What do we do about the leaders of organizations that are threatened by cyber?

I decided to sort of change the nature of the course to one about how you lead an organization in an era of persistent cyber threats.

So, that's where cyber leadership came from.

I love the term. And oddly enough, most folks when they hear it, they sort of have to stop for a minute and ask you, “So what is that exactly?” Which is a bit scary, because every leader has to understand the risk of cyber threats and has to be involved in mitigating it.

Katelyn Ilkani

I agree with you. And there's a mind shift change that really has to happen here, where more of the leadership team starts thinking about protecting the organization.

Thomas Koulopoulos

Absolutely.

I mean, can you imagine a leader, a CEO, not knowing how to read a balance sheet or an income statement? Inconceivable, right?

Yet, when you get down to even sort of the first layer of detail of cyber, most of them are lost.

They think it's IT’s job, and it's not; it is a business responsibility.

Risk is a business issue. It's not an IT issue.

Not that IT shouldn't be involved. It is critically involved in this.

But the leader also has to play a very important role.

Katelyn Ilkani

Let's jump into how you think we got here.

You mentioned that a lot of business leaders are still really far behind in understanding this responsibility. What do you think has led to that?

Thomas Koulopoulos

Until you've experienced cyber security risks, you don't really appreciate the magnitude of the risk.

So, when I talk to organizations, they fall into two categories.

They've either already experienced and dealt with a cyber threat, or they haven't.

There are those that understand the importance of bringing it to the boardroom and of making it a leadership issue.

Those who haven't, unfortunately, see it as strictly an IT issue or something relegated to the boiler room operation, right?

It's not front and center. It all comes down to: have you seen it up close and personal?

Here's where it differs from other sorts of threats. Other threats are physical in their nature, so we see them or they're tactile. We understand them; we can see them, smell them, feel them.

We can hear them.

Or, there are threats that are pervasive. In other words, we understand the threat because it's been around for a long time. So, it could be a threat having to do with insider trading.

You know, we understand that, and we appreciate it.

With cyber security, a lot of leaders don't understand where the threat comes from.

They don't understand the employee, who can be an insider threat versus the outside threat.

They don't get the fact that there is a real perimeter when it comes to cyber threats.

So, you can't build a fortress with walls that are deep enough and tall enough. And not being able to see it and understand it in a very tactile way, I think, makes it an invisible topic.

And as a result, leaders who haven't experienced it don't really understand the magnitude of the threats.

The core issue with cyber leadership, in my mind, comes down to: have you experienced it yet?

If you have, I'm sure you're taking an active role. If you haven't, then you're probably not being active enough. It's that simple.

Katelyn Ilkani

We have to make this more personal, perhaps. If we could accelerate understanding just generally in the population, do you think that would start to address this issue?

Thomas Koulopoulos

I think we've started to do that. But we've done it in a way that I think is, unfortunately, quite sort of a mythology around the cyber threat.

Everyone believes that if I have a virus protection program on my laptop, then I'm good. Or, as long as my credit history is being monitored, and my laptop has some kind of virus detection, then I'm safe.

Look, I'm starting the semester for my cyber leadership class at Boston University. One of the first things I tell them is that everyone, every company, every individual will somehow not just be threatened, but will be breached.

You will be affected by cyber crime. None of us are immune to it. So, once you adopt an attitude that says, “Hey, this will happen to me,” now you start thinking about, “So what do I do? What does that scenario look like?”

“Am I backing up often enough? Have I tried to recover stuff?”

Because here's a really cool thing to talk about public understanding and awareness. At least half the people will say, “Yes, I backed up.”

Let's say 90% of them say they back up their data. Now, I ask them, “Have you tried to recover the data from a backup?”

What they don't get is that it'll take a month to recover a terabyte of information. Right?

Can you afford to be down for a month? So, public awareness isn't quite there yet.

We began the education process, but I think we're being very naive about it.

Look, I think it's gonna take some time. I mean, that's the bottom line. I think it will take time for us to understand how we not just protect ourselves, but how we deal with a constant, persistent threat that is just not going away.

Once you've gone through it, as I was saying earlier, you have a much better sense for what you need to do and what that scenario will look like. But what happens when folks haven't gone through it, is that they scurry. It provokes a lot of anxiety when it happens, and frankly, they don't know what to do. They haven't been there before.

The education has to go beyond, “How do we protect ourselves?” to “What do we do when we are breached?”

And that's the piece of it that we haven't really talked about yet. I think that's not part of social conversation.

We want to believe that we can protect ourselves. And the bottom line is you can't.

Everyone will be breached. Once you accept that, you know, now you suddenly start to look at the world differently.

Katelyn Ilkani

I agree with you. You start thinking about how do you manage your risk differently?

Thomas Koulopoulos

That's right, exactly.

You know, what's the biggest risk to an organization when it comes to cybercrime? It's not the data that's being stolen. It's not the crown jewels. It is the brand and the reputation that suffers that, ultimately, is the real damage.

And that's all about how you manage the crime once it's occurred.

It's not about how you prevent the crime.

And by the way, I'm not saying we shouldn't prevent; we should do everything we can to prevent.

But we need to accept that prevention isn't enough.

So, are you doing scenario-based planning? Have you gone through drills? Do you go through drills regularly? Do you know who's going to handle the PR and the legal? How about talk to the FBI, the Secret Service or law enforcement?

Unfortunately, most companies haven't done this level of planning yet.

Katelyn Ilkani

It seems to be that only the largest companies are really tackling this. And even then, sometimes not well.

Thomas Koulopoulos

Well, the largest companies have the most to lose from the standpoint of sort of a social canvas.

But, if you agree with any sort of popular numbers out there, 60 to 70% of small businesses that have a cyber crime committed against them, will be out of business within six months because of that cyber crime.

So, while a large company may have more to lose, from a social standpoint, that small business has everything to lose from the standpoint of the entirety of their business.

Katelyn Ilkani

Well, there seems to be a cyber security accessibility issue that's driven by many factors, including ones you've brought up.

Also, the education component is lacking, and many businesses feel like they don't have the budget to tackle the issue.

Then, there is the fact that there is a skills gap in security today, which is a pretty big problem.

Thomas Koulopoulos

Well, and it's getting bigger, Katelyn, because the sophistication of the criminals is increasing.

When folks think of hackers, they think of a teenager, you know, in a second bedroom or something on their laptop.

This is a criminal network. This is a multi, multi-billion dollar enterprise. It's global. And it's very sophisticated.

Frankly, even I myself, I think about this. I live it; I breathe it all the time. I find myself sometimes being lured into phishing emails that are incredibly sophisticated.

You’ll love this. I got one not too long ago. I do a lot of public speaking. And I got an invitation from Abu Dhabi. No big deal. I've spoken in the Emirates many times.

This was a very upfront invitation. It had a contract attached to it. It had a speaking fee attached to it. And my assistant began to go down the path of negotiating the contract.

So, we got two or three emails down the road with them, and they send us a rider to the contract. The rider said, “You will also get a $10,000 a day wardrobe allowance.” That's when the brakes went on.

I’m sure there are people who get $10,000 wardrobe allowances. I'm not one of them. I may need it. I don't get it, unfortunately.

But it was so sophisticated. My point was, there was so much effort that went into this. And we came to find out later that a lot of celebrities actually bought into this.

The scam was that you'd have to donate to a charity, but they would pay you the fee to donate back to the charity.

Of course, they would send you a certified check that looked official. You would deposit the check, and you'd send them back the donation. And that’s the last you'd ever hear of them.

The sophistication of that campaign just blew me away. I mean, it was a lot of effort. A lot of time and a lot of investment went into that.

The nature of the crime is increasing in terms of sophistication.

And we will all be fooled at some point, somehow. So again, it goes back to not just how do you protect yourself from the crime, but how do you protect yourself after the crime has occurred?

Katelyn Ilkani

To your point, the attacks are more sophisticated. And I don't think most business leaders think about what happens if a nation state actor is coming after them.

Thomas Koulopoulos

I hate to say this sometimes, because it can evoke a lot of fear. But I'm amazed, frankly, having lived in this space for as long as I have, and I haven't lived in it for as long as a lot of people have. But just in the, you know, five to six years that I've been studying, I've been amazed that there hasn't been more nuclear level attacks in cyberspace, because the weapons are there.

There's no doubt the weapons are there. The question in my mind now is not the nation state to nation state attacks, because I think there is this risk of mutually assured annihilation as there was with nuclear weapons, which prevents us from doing full scale all out warfare against another nation.

Today, what concerns me are nation states attacking businesses. You know, we've seen this with Sony, we've seen this with major corporations; I think we're going to start to see this with small businesses, and you have no chance of surviving an attack from a nation state.

This is not a single hacker. This is an extremely sophisticated operation.

I think that kind of terrorism will only accelerate, and this is where I hate to be fear mongering. I'm not trying to do that, I'm trying to be practical and realistic and set expectations accordingly.

I think this is where we have to be on our guard. And you have to go through scenario-based planning, and make sure that you have backups that will provide continuity of business.

You know, take Y2K. Y2K is a great example. For those of your listeners, and those who are watching this, who remember Y2K, that was when the year 2000 was supposed to destroy every computer program that couldn't deal with a four digit year, because every year field and every database had only two digits at that point in time.

So, what do we do? What about business continuity? People invested enormous amounts of money in Y2K, because they knew it was going to happen.

My suggestion to people is to assume the attack will happen. What are you going to do? How are you preparing for the attack?

I think that has to be the attitude and the mind shift that we make as a society, and as leaders, especially.

Katelyn Ilkani

What are your thoughts on how we go forward and what a cyber leader should be thinking about and investing in?

Thomas Koulopoulos

A cyber leader should be thinking about investing in what leadership always invests the most in, which is their people. You can never train enough. Training has to be consistent.

And it's not once. Training is not, you know, “We'll do this in January and we're good for the year.”

Training is, “We'll send out spoof emails periodically, randomly to employees and see who opens it up. And we won't punish the employee for opening up the email. By the way, we'll use it as a lesson.”

I think this is an important part of how you create a culture that's transparent.

You don't want to punish people. You want to acknowledge that we know this will happen.

We're not looking for blame. We want to prepare people for it and show you what to look for.

So, a leader should invest in his or her people. First and foremost, if I had $1 to spend, and I can only spend it on one thing, it would be on training.

The greatest source of vulnerability, whether it be error or malice, is insider vulnerability. The insider who was upset at the organization or the insider who was weak and made some mistake and clicks on an email.

They shouldn't have clicked on it, and we see this regularly. It happens to people.

Don’t look for the blame. Look for opportunities to train yourself. And do it regularly, do it consistently, and do it with an eye towards giving them an understanding of both the magnitude of the threat and the ways in which that threat will manifest.

The manifesting changes, right? The nature of these emails changes.

Social engineering is one of the most frightening things when it comes to cybercrime because I can find out so much about you or you about me online.

And then I get on the phone with you, you tell me you're my bank, or you know, your law enforcement official. And you tell me all these facts about myself and about my children, about my property, and I get scared.

You can socially engineer people. Teach your employees and your team members what that looks like, what it feels like, and actually put them through the scenario and do that with them so that they understand viscerally what that will look like and what it feels like.

That will give them a radar that will immediately be sensitized to the nature of the threat because the threat changes. You've got to change that training on an ongoing basis.

Katelyn Ilkani

There's definitely a persistent thought that personal information is safe online and that it should be safe to say things about themselves personally on Facebook or Instagram. People share everything from their physical location to details about their children.

This is all data that bad actors could be using against you.

Thomas Koulopoulos

They are using it, you know, as we speak. This is happening obviously right now; it's not a future tense. It's happening right now, today.

Look, there's another side of this that I always try to make a point to get out there. And I'm talking about cyber threat and cyber leadership.

No technology is without risk. Every technology has risk - personal risk, organizational risk, social risk, global risk. It's the nature of technology that you can't create benefit without also creating a risk.

Our objective here is to mitigate those risks so that the benefits are greater than the risks.

You know, I can't live without GPS. I don't know if you can. I have forgotten how to read a map.

GPS is a wonderful convenience. It provides safety to my children. There are so many good things about it.

And yet it does give a lot of information about me to people that could do nefarious things with it.

But the benefit outweighs that risk, right? Our job here is to mitigate and manage the risk, understanding that every new technology will create greater transparency with the sharing of information. There'll be benefits to that, but we also have to manage the downside.

Technology creates its own set of unique threats and risks. Hopefully, the benefits are greater than those.

Katelyn Ilkani

I agree. I think we're only now really starting to understand some of the risks, to your point, about GPS. Just recently, a report came out that GPS data is widely available and is being sold online.

You can literally track people in sensitive positions in the government, from publicly available GPS data.

Thomas Koulopoulos

Unfortunately, you come to the conclusion that everything you share online will potentially be shared with someone who has malice or bad intent behind them.

Just yesterday, I heard about a large breach of fingerprint data.

There's a provider of fingerprints that collects tens of millions of people's fingerprints, and these were obtained and are being used in all kinds of malicious ways.

Everything you give up will somehow be available to an individual or an organization that has malice and bad intent in how they're going to use that information.

What does this bring us back to? What will you do? How will you deal with that inevitability?

We don't want to accept that because we want to believe that we can build a fortress of a perimeter that somehow protects us.

I'm here to tell you that you can't; that's not possible. Understand how you will deal with the breach and how you'll deal with the cyber threat when it happens, not if it happens.

And I think that gives you the greatest opportunity to actually identify ways in which you can prepare yourself and your organization for that inevitability and frankly incur the least amount of risk in the process.

Katelyn Ilkani

What’s your response to some leaders who say that they'll just handle this with cyber insurance?

Thomas Koulopoulos

Cyber insurance is kind of like, you know, any other kind of insurance - home insurance, health insurance. If you're not very healthy, if your home has a fire hazard, you're not going to get anyone to write you a policy, or not an affordable policy.

So as an individual, if you want to have a life insurance policy, and you have all kinds of medical conditions, I'm sure there's an insurance company that will write your policy.

But it will be astronomically expensive. And the same thing goes for cyber insurance.

No one's going to write you a reasonable policy without doing an audit of your organization and seeing what you have in place to protect yourself.

And the degree to which you've done that will actually minimize the premium that you pay for the cyber insurance as well.

We get into these artificial conversations about insurance. I heard some people say, “Well, isn't insurance going to sort of encourage cyber threats now that an insurance company wants to make sure you're protected?”

I don't subscribe to that school of thought that says insurance is going to make this worse. I think insurance is necessary. It plays a role, but that doesn't mean you can't be prepared. That doesn't mean you can be negligent in any way.

And frankly, I think a leader who was not actively involved in protecting and in doing scenario-based planning around cyber threats is being negligent. I think that is negligence.

Katelyn Ilkani

How would you reshape things as we go forward? Tom, what do you think we should be doing to be more secure?

Thomas Koulopoulos

I'm going to start from the ground up.

I think we need to be teaching our kids how to be safe online. In schools, very few K through 12 curricula have anything that really talks about the specifics of cyber security.

We expect that they're going to learn it and that's as stupid as thinking that they're going to learn about reproductive health on their own.

We do that in classrooms for a reason, because it's an important part of life.

Unfortunately, cyber threats are an important part of life. So, we have to teach that in K through 12.

Begin to educate children on what that looks like and what that feels like.

Secondly, we have to do more education at the university level. Just teaching engineers how to protect organizations is wonderful, but it's woefully inadequate.

We have to teach leaders how to lead a cyber threatened organization.

What that means is that those who are mitigating risk and managing risk need more education.

I think we also have to do a much better job socially in creating transparency around these risks.

You can't see a cyber attack the same way you can see a nuclear weapon go off.

But people also don't want to talk about it. So as a society, we have to sort of let this out of the closet and talk about it much more openly than we have.

We need to talk about this as a very personal, individual threat, organizational threat, social threat, and not just the technological threat. All that takes time.

And unfortunately, it will happen because crises force us to have those conversations. That is the reality of virtually any risk until it happens on a large enough scale. We don't talk about it enough. We don't think it's going to potentially affect us as individuals.

I think we've got a ways to go.

None of that says as a leader, you shouldn't begin that process and start moving your organization more in that direction.

That's the definition of leadership - bring people to a place that they have not yet arrived and give them clarity of vision that will allow them to understand what that looks like.

Leaders here have to be the ones who create the cultural imperative to understand and to deal with cyber threats.

Katelyn Ilkani

How would you coach a leader that's just getting started in this process? What top pieces of advice would you have?

Thomas Koulopoulos

I have three pieces of advice for leaders.

Number one is educate yourself. You can never know enough about the space. You can never be as up to date as you need to be. So be relentless in your pursuit of knowledge, understand the threats, do what you can to at least create your own ability to talk about this in a knowledgeable way.

So that's first and foremost, and that's a responsibility that leadership has. You can't sidestep that. You have to have some baseline knowledge about what cyber threats look like and the toll that they can take.

Number two is to make sure that whoever is responsible for cyber security in the organization reports directly to you.

It's not a technology thing. It's not a legal thing. It's not an accounting thing. It's a leadership issue.

So, make sure that person, he or she, reports directly to you.

And number three, be vocal about this in the same way that leaders are accustomed to talking about those things that are most important.

Within your organization, when you give a speech, when you have a town hall meeting, whatever the case might be, as a leader, make this part of your vocabulary.

And what you talk about, what you put emphasis on is what your people will put emphasis on.

I think that those are the three things that I would first and foremost culturally do.

The other thing, and this isn't a top three, that I think any leader should be doing, no matter what, is make sure you are involved in regular scenario-based planning that looks at how your organization will respond to a threat once it occurs.

Because when that threat happens, I will tell you right now that you will be dragged into it kicking or screaming. You’ll be dragged into it; you won't be immune from it.

All those concerns and those risks will come back and reside on your doorstep.

So, make sure you've pulled together a team that really understands how to deal with that threat and that the policies and the procedures are clear.

That only happens through scenario-based planning, and you need to be part of that scenario-based plan. Don't leave that to someone else - be part of that to show how serious your intent is and how important it is.

Katelyn Ilkani

That's great advice, Tom. Thank you.

Thomas Koulopoulos

You're welcome. You know, I don't think we can do enough is the bottom line.

Unfortunately, I think we're at a period right now, where a lot of this is still taking shape.

From a leadership standpoint, there are enough examples of it. And as a leader, what I tell my students in my class, is that as a leader, the responsibility really falls on your shoulders.

You're the one who has to set the tone, the cultural tone, for the organization to help them better understand. With this threat, that's what leadership is all about.

Katelyn Ilkani

I completely agree. Thank you so much for being on the show today to share your perspective.

Thomas Koulopoulos

Hey, thanks for doing this. I think it's a cool thing that you're doing, Katelyn. It was a pleasure being here with you. Thank you.

Katelyn Ilkani

Thank you. And that's a wrap.

Thank you for joining us for this episode of Security Economy. Check out our episode lineup at https://battleshipsecurity.com/blog and don't forget to subscribe. See you next time.
