Cyber Crime Junkies

How to Measure Cyber Risk Today: Guidelines for Leaders

Cyber Crime Junkies-David Mauro Season 5 Episode 22

What can we learn from some of the largest breaches in the news? That is what we will cover today in one of the most practical inside looks at the cutting edge of cyber security today. Understanding Cyber Risk Today: Top Security Guidelines Every CISO Needs to Know

Ryan Leirvik joins us in the studio. Ryan is the CEO of Neuvik and author of Understand, Manage, and Measure Cyber Risk®: Practical Solutions for Creating a Sustainable Cyber Program.

Ryan has decades of experience as a Cyber Expert for McKinsey & Company and was formerly with the US Dept of Defense at the Pentagon where he served as Associate Director of Cyber and Chief of Staff.

Grab your copy of Ryan’s Book: https://link.springer.com/book/10.1007/978-1-4842-9319-5

Check out Neuvik Security: https://www.neuvik.com/

Topics: what cyber risk really means today, how to pick best security guidelines to follow today, top security guidelines to use today, top security guidelines are best to use today, which security controls are best, what cisos need know to reduce effects of cyber crime, what top standards cisos need know, best security guidelines to use today, how to best understand cyber risk, how to understand cyber risk today, how businesses should understand cyber risk today, how businesses should understand cyber risk, practical understanding of cyber risk today,




What Cyber Risk Really Means Today

 


[00:00:00] 

All right, well, welcome everybody to another episode of Cyber Crime Junkies. I am your host, David Mauro, and very excited today. We've got Ryan Leirvik, who joins us in the studio. He's the CEO of, of Neuvik and author of Understand, Manage, and Measure Cyber Risk: Practical Solutions for Creating a Sustainable Cyber Program.

Ryan's got decades of experience as a cyber expert, worked for McKinsey & Company, and was formerly with the U.S. Department of Defense at the Pentagon, where he served as associate director of cyber and chief of staff. Ryan, welcome to the studio. Very excited to have you, man. Thanks for having me, David.

I'm very happy to be here. Oh, that's great. And if you ever want me to attend all of your Zoom meetings and do that intro for you, I'm happy to do that. You do it so nicely. Thanks. It's, you know, and then I can just be like, and here's Ryan, and then I'll just drop off the studio. Oh, well, you have much more to contribute than that, but I appreciate the intro.

It's so eloquent. That's, that's great. So you've got a, you've got a [00:01:00] new book, and we're going to get to that in just a second, or you got an update for, for a book that is really interesting and right along the lines of everything that we talk about, in this platform. But, so we were talking backstage about, about musical theory and learning instruments and how learning the fundamentals and the.

You know, like learning music, it's so much easier when we learn how to read music, how to, how to play classical guitar, and then it makes it easier to do the fun things like blues and rock and things like that. And you were a drummer, your wife is a guitarist. Tell, tell the listeners a little bit about that.

Yeah, and for those that don't know, David plays, learned classical guitar early on and then made all the other derivatives, easy. And we were talking about this and the reality is like, it's very much like, like any practice, but not that different than cyber, right? The more that you know, the, the strict fundamentals.

It makes everything that sits on top of those fundamentals much easier to understand, right? Like, one way to look at it is, [00:02:00] like, from the cyber security space, we can come at it and look at it just from the threat side, right? And it's like, hey, let's look at all the threats in the world. Okay, well, you can go crazy trying to figure out all of...

It's a great rabbit hole to go down to. Like, it's just amazing. Yeah, super fun, right? It's like being able to play all of the solos that you want to play from all the great guitarists. That's a great analogy. That's a great analogy. That's exactly what it is. It's like, put the spotlight on, play the solo, everything else.

But if you don't know how to do rhythm, how to read the music, what the beat is, the cadence, how it's all mixed and engineered, you don't know where that fits in, right? Exactly. There's no context. Yeah. It's like, oh, that sounds great, but how does this fit into the broader, you know, song or, you know, theatrics of whatever is actually happening?

And that's kind of the way cyber is, right? If you lose the fundamentals of like, do we know, let's, let's even start with, do we know even what the risk is to know even does, does that threat even matter to us? Right. Do we have a way of managing that risk? [00:03:00] Yes or no, right? If yes, great. If no, well, we better get something.

And then of course, you know, do we have measures that tell us how are we actually managing that? And those are, you know, some of the fundamentals in cyber that very much, you know, apply to almost any practice, but also music, you know? Absolutely. So, I want to ask you kind of, how did you first, like, was there an event when you were younger that drove you to want to be in cyber, cyber defense, be in technology generally?

Is there something? I mean, everybody has a different... Some people have like a specific event. They remember when this happened or they started gaming as a child and then they started hacking, and then the Feds knocked on their door and they realized, I don't wanna be on the wrong side. I'm gonna go be on the right side.

Like, one of the two. Club Fed is not as nice as they make it seem in, in the movies. What is it, what, how did you get your inspiration for it? [00:04:00] Yeah, great. My story is sort of a combination of three things. Sort of a, you know, a naturally deviant, how-does-this-break mind with a love of technology for optimization and automation.

Right. Just leveraging the advances of it. Like Right. Exactly. Yeah. Yeah. And then layered on top of this, Oh, this is how individuals could use this for either, you know, unintended use or use it for malicious need. And that's a good point too, right? Like that, not to go down a rabbit hole here, but so many, a lot of these breaches that we read about or that we hear about, Sometimes it's, it's happened just from kind of negligence or just error as opposed to, something that has this long deviant kind of modus operandi behind it.

 I mean, maybe there's a modus operandi from the threat actor. But how it actually happens isn't necessarily always complete negligence on the, on behalf of the company or the [00:05:00] organization. Sometimes it's just pure kind of error. That's right. Yeah, it's really sort of a combination of pieces that come together that allow the attacker to take action on objectives.

I mean, that, that's, that's really it at its most fundamental level. But David, the interesting thing here is that usually there's a combination of those combination of pieces start with business decisions. Yeah. On what technology are we going to use? Okay, great. Two, have we thought through how we need to protect whatever we're connecting that technology to or using it for?

All right, and then three, okay, is it if we have we spend enough time or spend enough resources at a sufficient level to say, you know, effectively, we accept the risk that may go above or below that level. And that sounds wildly, you know, theoretical, right? But it's, it's completely practical in a sense that, you know, the medieval folks did this a long time ago with the tower structure, right?

Thinking through, hey, [00:06:00] we need to protect the towers. So let's think through what an attacker is going to do and build that while we're building the castle. So you have stairs that go along the wall counterclockwise because it's really hard for a right-handed person to swing a sword when there's a wall against you, right?

Right, and it's just that thinking up ahead starts at the business layer, which is, what technology are we going to put in place and what's its intended purpose? What are we connecting to it? Okay, do we have a sufficient level of security? And then we just layer all those technologies on top of those technologies.

And expecting them to work properly would be, you know, somewhat of a... Wishful thinking. That's right. Yeah, if we hadn't thought through some of the ways that it might be used in unintended ways. So, let me ask you this. Does, in your consulting with organizations, and does your, does your firm consult mostly with enterprise organizations, or is it also in the SMB space?

 Anybody with a computer and a network will help. Okay, yeah, that's, that's like our team. Yeah, it's just like, are you connected? Okay, [00:07:00] let's help. Yeah, exactly. Yeah, so what is your take then about how some of the decisions were originally made when they were purchasing a lot of these platforms, a lot of this technology?

Did they have those? Were they asking the questions back when they bought it, do you feel? Or are they trying to address it post sale, post integration, on how to shore it up? Yeah, David, great question. And I would love to paint every single organization and business decision with the same brush, but it's impossible.

Right. Yeah, it is, isn't it? And this is it. And this is where we see the effects of those decisions in maturity cyber, in organizational maturity, for a variety of different organizations, so take for example, we all use banks as sort of the, in the commercial space, some of the most mature, right?

Largely because they had to be, right? Like, you know, like if, if, and, and this gets into something you and, you and I have been talking about, and [00:08:00] that is, there's so many rules like if, if you're, if you're doing something and you're going to commit a crime, you know what the law is, right? The law is pretty clear.

You can't steal. You can't do this. You can't do that. But in the cyber realm, right? An organization doesn't have a crystal clear. Now, they're like the banking industry of all, right? The finance industry of all has the most sets of, you know, regulations and, and rules in which to have those guardrails are, but most organizations, at least here in the U.S., don't really have that.

We have a lot of guides. We have a lot of controls. We have a lot of ideas. And some organizations apply NIST. Some will apply CIS. Some will apply this one, that one. And it's confusing to a lot of leaders. A hundred percent. And, and directionless a lot of times, you know, so in the banking world, there's an easy side, which don't [00:09:00] kick me, everybody who's in the banking side, that you have those regulations and oversight to sort of keep, you know, the banking system working the way it is on the management side, that'll drive you completely insane because of all of the regulation you have to point to.

And if you spend all your resources there, guess what? The attackers know that you're paying attention to those and they'll just slip right past them, but it's easier in the sense that you have direction and guidance and at least a scaffolding. Then there's sort of what now it's changing, right? We see the SEC laws, we know New York Department of Financial Services and some California piece, like they've been changing, but for everyone else that isn't in a heavily regulated environment, right?

To include oil and gas and energy production, right? They were regulated on the, on different sides, but not necessarily on the IT or OT space. Right, right. And the challenge for that is, you know, as mind numbing as it is, as it can be in sort of the banking and over regulated space for IT, in the rest of the world, the rest of the industries, if you will, there's this challenge of like, well, what do I do?

And so, you know, if we look sort of [00:10:00] historically into the decision making that, that, you know, may have been going on, your question is, Well, who's making the decisions, right? And, and how informed are they and what the impact to the business is? Because you have these competing drivers for business, right?

One is, we need to maximize our mission, whatever that is, right? You know, revenue share, growth, market share, market cap, whatever it is. That's right, yeah. And even for, for non profits, you know, we want to advance our mission of whatever social piece you're doing. And you're not thinking about, oh... what do I need to do this business?

Well, what will impact my business? Should it not be available? Right. You know, or be disrupted in some way. And then what are the technologies I'm putting in place and how are they protecting? It's not really top of mind, right? Decision makers, right? And so you get this conflation of, you know, the IT person's like, Hey, we want to, we want this because I really like it.

It works well, whatever. Or as a business decision, what's like, well, what's [00:11:00] the cost? And how is it going to help me advance my mission? And somewhere in there, unless there's a security minded individual that says, Hey, we're going to put some really important information on this or connected to it, right?

Or connected to something that is actually important to the business. Then the security thinking sort of gets lost. Or is assumed, right? Like, Oh, I'm going to buy this IT product, right? From this IT vendor who's pretty well known, they must've thought through security, right? And, and we all know, like, you know, checking the assumptions is where the real power lives, right?

But, but the issue there is like the, the security thinking isn't really, you know, there in the beginning. So we, we've seen this maturity using various industries as examples. And then, you know, the fines and regulations have come helped with the guidance piece, and you've got this conflation of all those categories and.

You know, for one decision of what particular, you know, networking gear should we use or how should we set up our, our internal network in the first place, which [00:12:00] may or may not even been a business decision, but more of a tech decision, right? So it's, it's, it's challenging for a lot of organizations with, without any guidance, you know, to, to do, to understand what the fundamentals might be and what needs to be paid attention to.

Yeah. So, your book Understand, Manage, and Measure Cyber Risk, I will tell you that it is really practical. Like, it really is. Like, I'm reading it and I'm like, Yeah, it's like, it's like a book. Like if I was going to synthesize everything I've been learning and we, Mark and I have been learning in our team as we digest all these episodes, right?

Like, we could have your book up almost next to it. Like, I'm like, this is really good. Like it's, so congratulations on that. Oh man, David, thanks so much. Yeah, it's a great book. Tons of success on it. And we'll have links to it in the show notes. And I'll tell you this is a book that's really.

Interesting, like for if you're not super technical, or even if you are, [00:13:00] you really lay it out in very realistic terms like this is what this means. This is why we need to make this change. It was really good. I wanted to ask you, what drove you to, to write it? Other than being like, You have incredible background in history and I, I know there's some things you can't talk about from being in the Department of Defense, but I'm going to get into those because I've got to ask some things about it.

But what drove you to, to write a book in the first place? Like, what was it? It was the absence of this kind of practical thinking that was out there coming out of the department, right, which is highly regulated, very specific, right? And you have rules and regulations on all sides of you into the corporate space to, you know, the banking, we had it, but didn't have it a hundred percent.

And then to the rest of the community, like, wow, there's, there's really this missing, this very practical thinking of like, At whatever point of the problem I'm in as a [00:14:00] practitioner, I need a guidance. I need some sort of guidance to go to just to orient me in some direction or provide scaffolding of like, this is a way of thinking about it, you know, categorically to then bring it back to the business and start to put those things in.

I just, I noticed after three to.

I track it, but somewhere around 300 to 400 CISOs legitimately, individually, right? And, and practitioners, there was this budding question of like, how do I communicate to the business? What the impact is of the work that I'm doing. It's exactly right. That, that making of an internal business case. Right.

It's, it's, it's that, it's that explaining all this complex, right? All this complexity of systems and platforms and controls and guidance and the people and the staff and all of that into what it really means for the business. And, and, and I think that's one of the biggest struggles. [00:15:00] It's what it appears to me.

It is. And this is where, just like you've experienced, I was experiencing the same thing and I thought, you know, I started to write these pieces down and make the construct of like, all right, what's the risk? How are we managing it? How are we measuring it? In all of my conversations. So honestly I just started to write it all down and put it down in pieces and use it as a guide.

So when I was having conversations with those struggling with these problems, I could provide them with some guidance and then realized, You know, it was actually took a friend of mine was just like, Hey, you need to publish this book. I'm like, okay, great. Sounds, sounds good. A lot easier said than done, isn't it?

Oh my gosh. It's like, dude, you had no idea of recommending that. Like the rabbit hole I had to go down to make that happen. Wow. That is right. And thank you for the compliments like that. I hope every reader gets that out of it, because that was what the thinking that went into it. It's like, if I'm gonna spend this kind of time, like, producing something that, you know, somebody's gonna have to pick up and read, it better hit the [00:16:00] point fast. Right, and so, so I spent a lot of time synthesizing the points to say, okay, where in the problem are you, and here's some guidance to it.

So hopefully, you know, it's it's meant to be wildly fundamentally practical, right? and not a recipe for you know, this is the way to, you know, make this particular, bake this particular pie. It's like, Hey, you need ingredients. Ingredients might look like this, right? Pies, you know, the ingredients are going to react in these different ways.

Like here's how to actually put it all together, depending on who you're serving and what their tastes are, which is every business is different. Yeah, it is. Without a guide like that, though, without some synthesis of what is going on, I don't know how business leaders, right? Those are the, the captains of industry that are driving our economy.

I don't know how they would know where to start. Because if you pick up, if you get online or you pick up a magazine or whatever, there's like, well, [00:17:00] MFA is really important. And then this is really important. And do we have MOVEit? And do we have this? And like, there's so many different things. You don't know what is going to be, what you need to do next.

What do we do now? What do we plan for next year? And you break it up into a host of different sections. The three that I found really important was like, what is the problem? Why is it complicated? And then a great section was like questions boards should ask. I thought that was really practical, like kind of what should business.

Leaders, right? The ones that are actually ultimately decision makers or voting makers. What should they be asking their CISOs? Right. Tell us a little bit about that. What do you, how do you boil that down? Kind of like in questions boards should ask? Yeah, David, thanks for teasing that particular part out.

Cause that's a big question that almost everybody's asking, right? The board member, because think of, think of, I think of it this way, right? To your point, it's [00:18:00] almost like it's hard to understand this space as it's continuing to mature if you haven't been around it a long time, right? So in the absence of real information, like, okay, what's the reality of the problem I'm trying to solve?

Imagine this way, right? You have board members out there that are really smart people. That's why typically they're on the board. but may not have an understanding of this problem so well. So they're asking questions like, Hey, what do I really need to do to understand that the organization is.

understands the risk well and is mitigating it in a way that's sufficient because as a board member, I'm, you know, providing oversight, right, to the C suite, which is, Hey, we've got a business to run, right? And we got to make sure that we don't have a risk that takes us out, right? I mean, MOVEit is, you know, you've seen the, I've been following MOVEit from the beginning.

As soon as I saw, as soon as we saw it, we kind of got together and we're like, holy cow, this is, this has potential to be like another SolarWinds or worse because of where everybody [00:19:00] was using this. And MOVEit, for those that don't know, is that file transfer platform that sends highly confidential information encrypted on both ends.

The problem was, is it's been exploited. Vulnerability that occurred last spring got exploited by none other than Clop, the Russian-based ransomware gang. And they've been, they haven't really even been launching their ransomware through it. They've just been stealing it and extorting and then leaking.

The data and it's widespread. It's growing like a mushroom cloud. Yeah. Unbelievable. Yeah. Your coverage on this has been unbelievable. So for any of those that haven't seen it, like go back to previous episodes and listen to David's coverage on this has been great. And it's like, that's it. So, and that is a, was a widely used platform.

So you can think of business leaders were like, Hey, you know, other people are using it. Great. Let's, let's. Let's use this. So you have the decision makers at the executives trying to figure out, Hey, how my CISO or CIO or, you know, CTO or [00:20:00] whomever is actually making, you know, making the recommendations on IT infrastructure, right?

Coming to me that these thoughts. Okay, great. Like I'm going to do the economics right from the business side, but I may not be asking the security questions. Right? And then you've got the CISO, right? Or, or, sorry, I keep saying that as a general term, but like a Director of Information, you know, Security.

Yeah, it's, it's the, the, the security IT decision maker, right? Exactly. Who are the, that advisor, that consigliere for, for IT and security. And they're, imagine where they are like, what does the board need to hear? Cause I can bring him a whole bunch of data and I can put him to sleep for seven days straight, just, you know, telling him all of the different network and, you know, cloud infrastructure and you know, SOC data that I have, you know, and just that I really like, but they're going to be bored.

And so that particular part of, you know, the section of the book, it's just like, look, the boards, if they ask these questions from a top down point of view, right, give you an indication of probing into [00:21:00] the organization to say, are, is the organization thinking about security in a way that impacts the business so that they can mitigate it properly.

And there's a handful of questions in that particular tear sheet, really, to like, for any board member to say, Hey, this is, these are the questions I could ask. It's like an investigation, right? Yeah, it's really good because what I liked about it is kind of like a tear sheet. Like any board, even a SMB, ownership in an SMB could kind of take that.

And then when their IT advisor, whether it's an MSSP or an MSP or, or their IT guy or whatever, even at that, even at the SMB level, they can ask those same questions and then at least be able to make more I don't want to say educated, but more better advised business decisions. Mm hmm. That's exactly it.

Start somewhere. It's the, it's the starting sheet. And many organizations may say like, Oh yeah, we're way past this. Great. [00:22:00] Good. Right. Keep going. Right. Others, and especially in the SMB space, you know, they're not even, they don't know to ask some of these questions. Yeah. It hasn't filtered all the way down to those that are like very mature to, you know to those that can actually come together.

And those three pieces normally don't talk except at the board meetings. Right? And you get this filtered game of telephone sometimes of like, well, the board asked for this and the executives want to sort of say this and, you know, and the, you know, the engineers typically and the IT folks underneath want to present that.

And there's this immediate tussle between all three of them. And so, you know, that was simply meant to be. These are the categorical things to ask for. Probe deeply and especially if you're in the small medium business side of the house, it's like, Hey, start here. And all of a sudden you get everybody on the same page.

Now you can start to move forward. I mean, there's no sense to quote, like reinvent the wheel and do what everybody has been doing, just start there and then, you know, [00:23:00] and then refine it over time, right? It's, you know, it's not this list of like, these are the things you always ask, start there, you get going.

And then from there, as you say, you start to learn, Oh, these are the types of risks that the business should be paying attention to. Oh, these are the types of threats that actually can exploit certain types of vulnerabilities that we have that have impact on the business. Oh, that's what our risk is. Yes.

Yeah. That's the risk. Okay. Now we're on the same page. Yeah, that's exactly right. So let me ask you, let's, let's, before we jump back, I wanted to ask you about MOVEit. We were talking about MOVEit and it was, it was a zero-day kind of vulnerability that, that occurred. And then they came out and they patched it and then they were still getting exploited.

And it's just, it just keeps growing and it just keeps getting worse. And it's, it's really not good. It's affected every single industry, including three of the four biggest consulting firms, even the stocking [00:24:00] consulting firms like Deloitte, Ernst & Young, you name it. And then also the, there's a class action suit that got filed last week by a consumer rights firm, I think in New York or Boston, I think Boston.

And then the US government's got like a $10 million bounty on the heads of anybody that can lead to an arrest or, or indictment of somebody involved in Clop, which is great to hear, but we all know that's very rare to happen unless somebody actually travels to, makes a mistake, right? One of these guys gets on a plane, goes to Miami, Hey, we got you.

Lemme ask you this, what, in your section of the book where you talk about what is the problem and you point to some of these things, but, what, how could that have been avoided? How do we avoid a future MOVEit or SolarWinds event? What are your thoughts? Or Log4j. Yeah. Or Log4j. Yeah, exactly. And this is the challenge.

So I'm going to flip it, I'm [00:25:00] going to answer the question, I'm going to flip it through a different lens. Makes sense. Back to the fundamental pieces, right? These are really challenging because we rely heavily on our third parties, right, to provide, you know, either, either IT infrastructure, right, or services.

And we know from the Defense Industrial Base, you know, Lockheed sort of helped kick this off years ago in 2014, I think, of like, hey, okay, third party risk is a big deal. You know, when, when one of our fighters... I think that wasn't the Target breach. The Target breach occurred from the HVAC vendor, not from Target.

That's right. Yeah. And then, and then we had the Target one later on. So, so the, yes. So quickly on third party risk. Yeah. The first was sort of like the defense industrial base. Hey, you know, China just showed a fighter that looks a lot like one of ours. What happened? Oh, okay. That was found on, you know, somewhere.

And it's because of a third party to the DOD. Right. Then later that was sort of, that's a big one because it has to deal with national defense. That's second [00:26:00] big sort of monumental one was the Target breach, which was, you know, the black point of sale used, or BlackPOS, that had a couple different names, used on the, on the point of sale systems, right, that sort of leaked data low and slow, that's theoretically came from an HVAC vendor plugging into the system, right?

And what's interesting there though in that latter part is that now all of a sudden board members became I don't think liable is the right term, but like one or two people lost, I mean, we saw the CEOs got, so get, get, get fired and you know, be frazzled on TV, which is, you know, that, that taught us, hey, we need to be prepared for these type of things.

But two board members had fiduciary responsibilities, and that sort of put the board... on the map or in the target zone, no pun intended, of third party risk, right? Or of a cyber breach. So all of a sudden it spun off this whole third party risk management piece, like almost immediately where all, all the organizations, big organizations got together and said, all right, how do we look through our, you know, our third parties that includes supply chain?

[00:27:00] by the way, right? I nest them together. The community hasn't quite, you know, isn't, is divided on that. And my view of this, just for everybody listening, it's like, you know, third party risk includes supply chain, you know, risk management, because that's third parties and fourth parties and nth parties, right down the line.

And the issue then becomes, well, how do we have confidence in the systems and the technologies, or even the people and the services that we're bringing into the organization? Right? That they have a sufficient level of security. Now that's a really hard question because we haven't even at that point, you haven't even figured it out for the organization yet.

Now you're going to ask other organizations to do it. Right. Yeah. And is that through policy or is that through in the, in the vendor selection process? Like, how did they, how does, how does an organization do that? Great question. And, and not easily because you have to apply resources to it. But there's, there's three major things [00:28:00] that matter, right?

One is... What are we buying? Right? And, and why? Right. That's a business decision, right? We need to outsource this or we need to purchase that. I mean, effectively, those are the two big categories, right? Outsource services or, or, or products. Right. Build or buy, right? That's right. Exactly. It's either build or buy, right?

Precisely. Yeah. And then it's like, okay, well how do we know that they're doing. What they say they're doing when it comes to you know security, right? In the absence of real third party risk management problems, right? We started with sort of the questionnaires, right? And then some people wanted to ask 800 questions.

It's like, well, you're going to crush. your, your vendors, because they're going to be spending all this time answering questions. So we learned that's not working so well, right? We try footprinting a little bit like, hey, you know, if you can go out and footprint them and try to get an understanding of who they're talking to and see if there's any red flags there.

And so there's all these sort of techniques out there. The three major things that really matter are one, [00:29:00] What do they have access to, right? It all goes back to like knowing your critical assets, right? Or assets. Do you even know what you have? That's a whole different category. And that's a whole, yeah, that we've had some episodes where people like, you don't understand, people don't even know what they have on their network.

And I'm like, come on. And they're like, no, really, like really getting a real practical knowledge of not only what is that? have access to all that whole visibility. A lot of organizations simply don't have it. David, that's a spot on. It's really hard. I would say almost nobody, except for very small businesses who are just getting started, have a real understanding of what their asset inventory looks like, much less what's critical, like to the business, business processes, and also the data that are on it.

And so back to the main point, that's the problem. Alright, if we think about it through the lens of, like, the problem solving, right? Like, what's the problem? Problem is, we don't have a good grip on our assets, okay? Why is that [00:30:00] complicated? Well, if we don't know what we own and what's important, we don't know what to defend.

Right, which means we don't know what our third parties are connecting to. I mean, we may or we may not, right, but we don't know holistically. We may or may not know what we rely on as a business to keep the business going, right? And if we don't know that, there's no way to manage it. And that's why we That's exactly right.

Yeah, that's exactly right. And then layer number two is or layer number three is if we don't know how to manage it, we can't certainly can't measure it. So, I mean, that always creeps into the conversation at some point. It's like, well, if you don't know how to manage it, if you don't know what you're managing, then you certainly don't know how to measure it.

And now all of a sudden, there's no way of knowing whether what we're doing is good or not. Precisely. Right. Yeah. Or, or, or if it's enough, because, and that, and that, that's why it's complicated because when we think of Every organization has, you know, their security and it's almost like a set of dials for risk, right?

Some [00:31:00] organizations are like, we're in growth mode, dial that risk up. We're going to take the risk because we've got to grow, right? We're not going to invest here. We're going to invest here. But then at a certain point they have to protect it. And then they're their security will increase or they're going to dial down that risk.

They're going to invest, put layers, resources, et cetera. But they won't know what, how to do that or what to do if they don't know those things. If they don't know what they have, what their vendors have, what they have access to, how to measure it, how to, how to, how to manage it. They're, they're kind of flying blind, aren't they?

David, that's a hundred percent. And think of it just, and this applies everywhere. If we don't know what's critical to the business, Right? We don't know how to protect it, and we certainly don't know how to apply resources against it. Right? And we don't know what third parties are connecting to it. And, and this is the challenge, right?

And it's really hard, but it's, it's, I don't want to say you make a business case for like 100% great [00:32:00] asset inventory, which, you know, I'd love to make, right? But the reality is if we don't know what's important to the business, we don't know what we're protecting. And then we, we can't, we certainly can't provide insights on them.

And this is the same for all things. Cause we think about the threat, let's, let's run some quick scenarios. Like think about where everybody's sitting. right now in security. We all have a different lens. Let's say this this way. We're all looking at it from a slightly different lens, right? And we're all, we all have different responsibilities to manage our one area in that, right?

Be it the network, be it assets, be it the management side, be it third party risk, be it disaster recovery, like whatever, right? We haven't even talked compliance and GRC, right? But the issue is we all have, and we're all looking at it slightly differently. And what was missing is that view of like, okay, what problem?

Are we actually solving, we're solving a risk problem that has to do with impact to the organization. Will the organization be hurt, [00:33:00] right? By an activity, right, on, in cyber, right, an information technology issue, right, that is a security issue that will raise the, the level of cost to the business higher than, than, than the business is ready to afford.

Right. The ROI. Like, what is the ROI to solving the problem? And that is, that's where we end up, right? What is, how much are we willing to invest? Right? To get, to get a cost avoidance return on that investment so we can reduce the quote, you know, material impact to the business. And, and, and with that, we start to get into the conversation of risk thresholds, right?

How much is enough, but you need a calculus to get there. Right. Or not even calculus, just straight math. You know, this is, this is how much these type of, you know, incidents, these, these are assets that these go down, right? These, these [00:34:00] are the things that are going to impact the business in, in negative ways.

They're going to, they're going to increase the cost to the business, right? Which matters because in business, you want to keep your revenue high and your costs low. If you're going to drive up your costs more than revenue, right? You, you really get upset out, right? And then are we managing those properly?

And if we understand that, that's like the through line, right? If we understand that, no matter where we are in the business, whether we're in disaster recovery, whether we're in compliance, whether we're at, in the SOC, or we're at the executive level, right, or we're at the oversight board level, if we understand what's important to the business, guess what?

We know how to protect it, right? Well, at least we know what the problem looks like, and we know where we can go to try to protect it. Now, the wrinkle here that's really interesting, is this gets into the third party risk and the threat side that we talked about earlier. What the business thinks is important to, to individuals may not be.

What the attacker thinks is important. [00:35:00] Explain that. That's an interesting view of it. I don't hear a lot of people looking at it through that lens. Yeah. And the great example here is like, I've said this a number of times in other forums. Good point. When I think about it, you're right. Because... The business might think, well, these designs for a new product are really what matters to the hacker.

So we're going to lock these down. But our employee rosters and our employee HR stuff is just kind of protected. And the attacker is like, I can extort you really well just getting that. Is that kind of what you're talking about? That's precisely it. Understanding what the attacker finds valuable, right, is important.

Because do they want those designs? Well, I mean, maybe if they're a nation state, sure, right? Because that saves billions of dollars of R&D. But most attackers can't sell that. Yeah, exactly. But they can sell your information. They can sell the employee list to those that want [00:36:00] to, you know, do other things.

Customer lists, customer data, all that. That's the unintuitive part, right? It's what the attacker finds important. That they're going to then either monetize or use for whatever nefarious gain. And David, that's the key, right? And if we think about it through that lens, now all of a sudden, our problem becomes slightly smaller, right?

In that we start saying, are you protecting the right data or information systems or whatever? Yeah, we're right. Exactly. Exactly. Interesting. Yeah. And this is why, so we've seen this, we've seen this huge uptick in ransomware since like, I think Atlanta, right? And what's interesting is that was a dying art.

I know. It was kind of like trailing off there and now it's like they have like matching jackets and their names are, you know what I mean? They're all like high fiving themselves and like buying, you know, different Bugattis to match each other with like the ransomware name on the license plate. I'm like, what is going on [00:37:00] here?

Like, it's crazy. It's a business. Yeah. It's a huge business. Yeah. And when we boil it down, it's like, this is an interesting policy decision. that helped to create the business, right? Like, nobody throws, like, I'm gonna, I could see people wanting to throw stones at this, but the reality is, like, it was dying before all this because no one was, not no one, paying the ransom wasn't a thing.

Most advice, and most executives, let's say most, the growing thinking at the time was don't pay it because you don't know if they have the keys. Right. And so you may pay the ransom and it was happening, right? Because on the flip side of that, the attackers weren't buying the keys. They were like, we're going to lock it up, you know, get the cash and run away and meh, sorry, can't unlock your systems.

So that word got out and it's like, oh, don't pay it. Then all of a sudden. You know. They evolved. They, they went up, they moved up that maturity scale. They have these platforms where they give you proof of life if you don't believe that we have it. Here's a screenshot of [00:38:00] this. Here's a inbox. All that stuff.

That's right. And that's the supply side of the equation. They have your information and could possibly unencrypted and unlock it, right? So you can get it back if you pay the fine. That's the price point. But on the demand side, where the company's making the decision on whether or not to pay the ransom.

And if you pay it, chances are that business is going to go up. Prices will go up, right? If you continue to provide the demand for that service and pay for it, the price will go up. And guess what? More people will get into the game. And effectively, that's what's happened, right? And that's part of the reason why the FBI from the beginning was saying, Please don't pay this.

Yeah, that is one big piece of the reason. Absolutely. It's like, it's the same reason, you know, this is interesting in today's day and age, but like as in the United States of America, you know, there's a policy that says we don't negotiate with terrorists. Exactly. Right. [00:39:00] And the reason is this, this is an example of why, right.

Same way, right. You don't want to meet a SEAL team. You go hijack a ship off the coast of Somalia. Right. It's like, it's the same thing. It's like, you just don't negotiate. And that way you kill the business model, but if you do negotiate, you've now legitimized the business model. And guess what?

You've got supply demand and price points right in the center. The more the demand goes up for it, the higher the price goes. And that's effectively where we are. And now you see, David, your point, like, wow, are they sophisticated. Right. And even I think Clop, you brought up Clop with the MOVEit thing. Well, and LockBit and like some of their platforms are ridiculously advanced.

That's right. Although, although, we just, we recently had on John DiMaggio and he was explaining that LockBit, their system, their infrastructure might take some time. It's kind of cracking a little. Like they're, they're claiming they're going to leak data and it's not even leaked. Right. So it's, it's kind of interesting.

And [00:40:00] it is, and this is what's interesting, even Clop, I think, made, you know, over, there's, there's a lot of money out there. I think they made over half a billion dollars, right, at this point, and that's climbing, and the others, what happens is, if, you know, when you see is a criminal who may or may not have the laws behind you to say this is illegal, or even worse, you may have incentives to do it.

Right? If there's a half a billion dollars sitting out there across, you know, You're getting into that game. If where you live it's not, or it's decriminalized essentially, so long as you don't target, you know, the people that are making the laws, then you, then what is the disincentive? That's right. To have some of the brightest minds in that field.

And that's what we're kind of up against. And this is it. And then think about it from a social standpoint. Now you're sitting there and your friends are, you know, driving wicked expensive cars, buying all the expensive watches because there's a ton of money out there. Now you're even more incentivized to do it.

And do [00:41:00] you really care what the impact of the business is? Right. No. I mean, you brought up a little while ago, it's a great episode on, you know, the first recorded death of, of you know, of, of the baby at the hospital, right? Because of, because of ransomware attack, like, do they care? I mean, it's hard to say that cause I don't know the people, but like, well, they say they do.

They, from what I understand socially, they have to say they do because they want to attract more affiliates about, we're just doing. Good work here. We're pen testers. You know, we're really, this is just a financial play. Don't you worry. You're not going to get your hands dirty. But at the end of the day, various affiliates are out there and they don't care.

The assumption is that they don't, because you look at it from a system standpoint, like, Hey, I'm going to blast. I've got access to all these areas. I can see a flaw or a vulnerability in this. You know, if I burn a zero day or I SQL injection. Boom. Gone. Blast. You know, yeah. shoot the big blast and see [00:42:00] what comes back, right?

So I, who knows that the calculus is in there of like, Oh, there might be human on the other side of here. That's really going to be impacted. And, and honestly, that's less of the concern from us, from the threat side. And the way I think the business side can be thinking about this, right. Is more like, look, what do we need to protect?

So that whoever the threat is. Yeah. That comes at us. We're at least, we've got a sufficient level of security to defend on most of the attacks we're going to get. And if we get the one off, we're ready to respond. Yeah. And this is the thinking that it's so much fun. Look, I love this space, right? And like I can go down the rabbit hole and all these really fast and it's so much fun because it's, it's, it's inquisitive sort of, you know, What's the mystery and how do I solve it?

Right. But what's, what's really challenging for business leaders and especially those in the space is to pull back and say, okay, what does this have to do with my systems [00:43:00] and my networks and my business? Right. Right. What's my risk in light of all of this? Precisely. Yeah. And I know it's, it's, it's boring.

You know, it's not, it's, it's not super attractive. Like, Oh, this is cool. This is how, you know, this is how the market's moving. But the reality is. If we just have that fundamental through line sort of pulled through, it's like, okay, at the end of the day, we can come back and say, does this threat actually matter to us?

Like, is this type of ransomware group a problem for us? Are they targeting vulnerabilities in our systems that we rely on that we might have? If no, then cool. And you know, from a board perspective, David, or even a briefing perspective, that's actually a really strong argument for some to make. Hey, you know, MOVEit was a big deal.

Here's what happened. You know, educate, maybe even, I'm kind of thinking through a board discussion here, right? Right. Think through like, hey, educate the board on what's going on, because they're going to go out and propagate this information to the road, you know, to their... Yep. You can say, look, here's what's going on.

The good news is we don't [00:44:00] use MOVEit. We don't use that file transfer protocol. In fact, in fact, in, we only use axe for file transfer and here's how we encrypt it and all the things that we actually do. So it doesn't matter. So now that we've had that fun conversation, can we get to, you know, how we're managing our program and what we're doing?

And it's, it's a real easy way to pivot. Yeah, exactly. And well, and I don't know that a lot of, I think that's so important for CISOs or leaders of. of security teams to really make that case of Look at the silence that we've avoided. That's a success. That's a security success that we've had. Because we chose as a team not to select, not to take risk over here, or not to select this vulnerable product, or not to...

Some of it was luck, right? Oh, we chose a different vendor rather than MOVEit. So, hey, we're lucky. But some of it is also like we chose to buckle down and not take risk over here and look, [00:45:00] what's happening to maybe some of our competitors or others in the industry that took that risk, right? There's a business impact and that's a celebration for them, right?

So that can help them make a business case for investing in an initiative that, that CISO is trying to drive. Yeah, it's almost the, don't let a good incident go to waste. Yeah. But like everything else, bad incidents make, make news, right? Like it's, it's when it goes south, that's what makes news. And so. The board, if anything went wrong internally, they're going to want to talk about that.

But it's like, it started off with explaining all of the good things that have been avoided. Right? It's always a challenge, right? Because when they're doing their job great, nobody ever hears about them. Nobody hears from them. It's silence. And that's what you want. Right? You want to be out of the news for anything bad.

Right? You want to be out of the news. You want silence. Because that means it's working. I love the idea of celebrating the [00:46:00] wins. I mean, think of the construct there. You laid it out perfectly, which is this sort of, it gets to the ROI you were mentioning earlier. It's like, okay, this is what happened to, you know, and MOVEit.

Here's what we bought and here's what we're doing. And we didn't, you know, you know, We made a decision to go in this direction, largely because we were concerned about encryption or we were concerned about whatever, blah, blah, blah, right? And we made this direction. So we kind of avoided this huge mass, right?

Celebrate that win, right? That's, that's, that has a business impact to the board because. You didn't have an interruption, right? You didn't have an interruption. You chose the cloud vendor. You spent a little more, but the cloud vendor, let's say, right, has a really good SLA and doesn't have downtime. Look at what's happening over here.

They're down for two, three weeks a year, unexpected, right? We avoided that because of good, sound decisions. We spent a little more, but we [00:47:00] were able to stay profitable and stay productive during that time. Nobody ever brings that up, right? Like it's, or it's very rare that they do. And that's something that they need to capture, right?

Cause that can be measured. Yeah. Cost avoidance is a thing. Cost avoidance. Yeah. And it's a great example of why we exist in the world, right? Yeah. Keep the cost low, keep the impact costs low while spending resources, right? It's hard to make those business cases of ROI when you're, when you're talking, you know, like it's, it's hard because cyber security is expensive.

Like the, some of the, the practitioners are some of the brightest minds in technology. Right. And they're really good. And, and to, to have that you know, it costs a little more, but if you can make that ROI and point to it, I think it's so critical. Yeah, that's just amazing. So tell us a little bit before we go just in.

And again, I want to urge [00:48:00] everybody to check out Ryan's book, Understand, Manage and Measure Cyber Risk, because it's practical. It's even called a practical solutions for creating a sustainable cyber program. Forget the buzzwords there. Like, it's really good, Ryan. Like, you synthesize things and you give people practical kind of tear sheets that they can use today.

They can use it this week in, in, in their organization. Really good stuff. So link is in the show notes. I encourage you guys to, to check it out because it's, it's really good. Whether you're in technology, whether you're a business owner. Decision maker, a leader in a larger organization. Just check it out.

It's really good. I'm telling you. Share with us. You were in the Pentagon. How did you how did you start? How'd you get to the Pentagon? Yeah, kind of a cool gig man. I'm just saying like it's pretty cool. Yeah. Walk us through it. Perfect. Thanks for that. And tell us all of the secrets that there are no secrets. [00:49:00]

There's nothing to see here. Yeah, for me, it was actually you know, I don't think anybody in this space really sort of you know, I don't know. It's, it's hard when you get into the space. It's like, everybody comes at it from a different angle. Right. So for mine was like, I sort of had the deviant mind, right.

I was trying to break out of stuff when I was a kid in a, you know, in a boarding school, I realized like. Oh, you know, I can get what action on objectives I want if I just do X, Y, Z and try to go stealth, right? To then fell in love with technology. And so I was building databases. I was with IBM. I went to grad school.

I was in the middle of grad school and I grew up outside of New York and the towers came down 9/11. So for those that are listening, that's a long time ago. Yeah, I'm, I'm always shocked when I have to explain. Like, I mean, yeah, we read about it in a book. I'm like, you read about it in a book? Like, I know exactly where I was when I heard about it and then I watched the second plane go into the tower.

Like, I remember it like it was yesterday. Me too. And that was a pivotal point in my life because I decided, all right, [00:50:00] you know, I want to turn my attention to the, to the federal government and, and defend against that. Like, I'm a defender at the end of the day, right? You know, drummer in a band, goalie in soccer.

Like I was feel like the person's keeping the beat and the last line of defense. So when that happens, it's like, Oh, I'm going in. And then my buddies that were in uniform are like, Oh, now you're going to put the uniform on, like, okay, fair point. And so the Dean of my university approached me, because she'd heard me talking about this and said, Hey, I can put you on this list for the presidential mission fellow program.

You know, it's sort of a two year sponsorship out of the White House and OPM runs it to go to the federal government and I'm like, sure, so I applied thinking, I mean, I'm up against like some wicked smart policy people and all this and I'm an MBA, you know, in finance and systems thinking and I'm like, there's no way I'm getting this job and and I did.

So what happened was I went to the DOD to build a that was in systems development at the time to build a database. Yeah. It had a ton of really important [00:51:00] information in it. And I wound up, so this is the third piece, right, of how I got into cyber writ large. So I was building this and I got to the point where I was gonna put it on the systems and the remember cyber was information assurance.

Mm-hmm. And we were going through these systems checks and I'm like, I can break almost every one of those checks. And so we had built the system in a way that was, literally, I won't go through the details publicly, but built it in a way that was, quite frankly, really hard to get any information out of it.

I mean, nearly, and I know what I'm saying here, I mean, nearly impossible. Because like, that was the challenge I put to the team. I'm like, look, zero data loss, full stop. Like, that's our goal. Zero. Was that post, was that, remember the OPM breach? That was part of that whole where those indictments came down.

There was like the Equifax breach, the Anthem breach, and that. Was that after that? It's before it. It was before it. Yeah, it's from the beginning. Yeah, literally, David, this was, this was in 2000. So this goes to the deviant mind side. It's like, oh, I know how I would break this. So no matter what I'm building, if I'm responsible [00:52:00] for it, I'm protecting it.

Full stop. Yeah. And so, and so later this was in 2002. Oh my gosh. This is okay. Wow. This is more than a decade earlier. Okay. And that's why this is before they started tightening up the IA stuff. So I'm like, wait a minute. I'm like, this information assurance isn't really information assurance. It's like a check block and like, guys, we got to do better.

So that got me pulled into you know, at the time was called Cyber Warfare highly classified at the time because it wasn't, it was before 2011 when we decided to, the Department of Defense came out and said, yep, we do offensive cyber operations. Yeah. So I went Into that for about eight years and it was fun.

Yeah, that's phenomenal and Neuvik today, what are where's your footprint? Where's your market? What are you? What all are you doing? I know that we got introduced by my buddy Josh Mason who's a phenomenal great guy and human but also brilliant mind. Yeah. No, he's, he's so much fun. [00:53:00] He's really cool. I could sit and talk to him for an hour and a half.

I know I have to. Yeah. I mean, I think our episode was like an hour or something, but we could have gone on for like three, four hours. It was just tons of stories. I know. So great. Like, I love that thinking, right? Cause you can see, and you see how it all gets pieced together. Like, wow, that's brilliant. Yeah.

And he has facial expressions. Sorry, Josh, but he's facial expressions. So when he's thinking, you can kind of see it, you're like, Oh, something else is coming. You know? And it's like, it's really interesting. Yeah, it's like, wait for it. Wait for it. Yeah, exactly. Yeah, no, he's great. Loving the death. So I forgot the question.

What's the question? Oh, Neuvik, what, what's your footprint? What are, what are, what are you guys, what initiatives are you guys driving? Do you guys do consulting, leadership advice? Are you doing pen testing for organizations? What, what all are you doing for organizations in this space? Yeah, we do. We think the three fundamental pieces are right.

We do the vulnerability assessments. That's the pen testing, but mostly red teaming, you know, run by Dave, Dave Mayer. And, you know, he's a SANS [00:54:00] instructor. Moses Ross also teaches, of the SANS courses, and is there in Josh Mason who we just picked up also there. So we do a lot of that sort of advanced, we call it advanced assessment.

So wherever you're trying to look for vulnerabilities, like, you know, we'll point at them and find where the vulnerability is. Now here, this is the important piece. We didn't take that and pull it through risk management. So why do these vulnerabilities matter? Why, what, yeah, that's right. It's like what, why does this matter to you?

And more importantly, how can you fix them? And when do you need to fix them? Right, right. The pieces that are like, Oh, right. I've got to actually remediate these at some level. Yes, you do. And here's when, and here's how, and here's specifically like how to do it. So that's our risk management piece, right?

 
