January 24, 2024

00:45:18

Episode 238 Deep Dive: Alex Tilley | Building a Stronger Cyber Culture: Expert Advice on Collaboration and Ownership in Security

KBKAST

Show Notes

In this episode, we are joined by Alex Tilley (Head of Threat Intelligence, Asia Pacific and Japan – Secureworks) as we dive deep into the challenges that come with fostering a strong security culture within organizations. We explore the importance of cross-departmental collaboration, the need for clear and engaging cybersecurity training, and the emotional hurdles of dealing with security incidents.

Alex shares valuable insights into handling crises, addressing ego-driven conflicts, and the crucial role of the board in cyber. Join us as we unravel the intricate layers of today's security culture and learn from his experiences and expertise.

With over 20 years of experience in computer security and cybercrime, Alex Tilley is a highly awarded cybercrime researcher. Beginning his career in the online casino industry on Australia's Gold Coast, Alex went on to implement and administer many varieties of network security technologies within Australia's banking industry. Alex was at the forefront of research and countermeasures when phishing and malware first began to attack banking platforms and customers. When he later became the Australian Federal Police's senior cybercrime technical analyst, he combined his technical background with an analytical approach to discover "who" the cybercriminals were, why they were attacking specific targets, and what they were looking for. This included identifying and exposing online child predators as well as cybercriminals. During this time Alex became a key member of the operations team responsible for many high-profile cases.


Episode Transcript

[00:00:00] Speaker A: When you're briefing the board and you've got this thing you want to talk about, this initiative or whatever it is that you want to drive, run your pitch past people from other teams, because if you run it past people who are in your peer group, they'll understand your jargon. But the guy from accounts payable is going to look to you and go, I have no idea what you just said to me. All you said is that we're at risk and you need $6 million. I don't understand why. And that is very valuable feedback. And the board has got a billion things to worry about and the C-suite's got a billion things to worry about. So spend time to fine-tune your message.

[00:00:40] Speaker B: This is KBKast as a primary target for ransomware campaigns, security and testing and performance risk and compliance.

[00:00:49] Speaker A: We can actually automate that, take that.

[00:00:51] Speaker B: Data and use it. Joining me today is Alex Tilley, head of threat intelligence Asia Pacific and Japan for Secureworks. And today we're discussing the mistakes businesses make around their internal security culture. So, Alex, thanks for joining and welcome.

[00:01:10] Speaker A: Thanks for having me. It's great to be here.

[00:01:12] Speaker B: Now, cyber culture, this is something that gets thrown around a lot in the industry, and sometimes I don't know specifically what people are talking about when they say it's about cyber culture. So I'm really keen to maybe start with your definition or your version of cyber culture. And what does that mean for you, Alex?

[00:01:32] Speaker A: Yeah, so I think that's a massive question. And do we have half a day to go through it? I think it's an interesting one, though, because it's definitely a term that's changing over the years. I think back when I was a younger lad with hair and less gray in my beard, cyber culture was very much a technical problem.
We've got some nerds and we've got some boxes in a server rack with blinking lights, and they take care of computers and the security. So we're cybersecure. That's where our cyber culture ends, is that we have a security function, basically, or we have a couple of guys who part-time manage an antivirus console. What we're seeing these days, when I say these days, I mean maybe, let's say the last five to eight years, being generous, and I'm going to use a dirty word here, I'm going to sort of say the explosion of ransomware, but things like ransomware, which is where the bad guys will lock up your business, encrypt everything so you can't function as a business. And things like extortion and theft of data for extortion and embarrassment. All of these nasty, what I class as existential, business issues have brought cyber culture now down to permeate every aspect of business. Basically, what we're seeing now is that the cybersecurity of an organization, at whatever level you can envisage that for yourself, has become everyone's problem. Because at the end of the day, with the current threats and the emerging threats, it's almost. It's your job on the line. Whether or not you work in a security function. You may be. I hesitate to use the word weak link, because we don't want to associate shame with actions, but you may be the one who has an oversight that starts a chain of events that does lead to some sort of catastrophe for your business. So therefore, in 2023, I think that idea of everyone having a buy-in to the cybersecurity of an organization from the board level down to a starting eight employee, is where we're at these days with cyber culture, when we sort of talk about that as a holistic concept.

[00:03:55] Speaker B: Yeah, that's interesting. And you raise a great point. Buy-in. So what does buy-in look like from your point of view? Because sometimes the only argument I have is questioning maybe the validity or how genuine is it?
Because everyone can say, oh, of course we care about cyber culture and we care about cybersecurity, Alex. But are they backing it up with action?

[00:04:17] Speaker A: Yeah. So what I'm seeing personally, as I do briefings for various company boards and C-suites, is there's starting to be that understanding, very slowly, mind you, because they have other things to worry about. I'm not casting blame, I'm just sort of saying that one of the million things that a board of directors has to worry about now is the existential risk to the business from cybersecurity. Right. That's just one more thing to worry about. So I think that in helping them understand, at the highest levels of the organization, what these threats mean to them, and we can get into that a little bit later on, but that's sort of just as much psychology as it is art, is to sort of help them make informed decisions, because that's what they're there for, right. They are the ones who are guiding the business and helping the business grow and avoid risk. But if they aren't given clear messaging, they can't instill that cyber culture from the top down. But if they can help, if the board buys in and says, okay, we understand. Now, you haven't just come in here and told us that the sky is falling and asked us for millions of dollars. You've helped us understand the problem. Now we can work to get some sort of program of instilling a sense of ownership in our staff, in the security of the business, because it's everyone's problem.

[00:05:41] Speaker B: Yeah, great points. And do you understand what you're saying around the whole FUD thing and fear, uncertainty and doubt that people do default to? So how do you sort of instill that ownership in employees? I mean, I've heard extreme levels of people saying, well, if you don't do security awareness training, for example, you're fired. Now that did work. Some people went against it. Some people, I think, were outraged. They raged about it online.
So I mean, look, strokes for different folks, as they say, different things for different companies. But what would be your view with your experience on how do you get that ownership for an employee? Because there is enough stress for an employee day to day and they're like, okay, well, now I've got to think about cybersecurity. What does that look like?

[00:06:27] Speaker A: Yeah, it's like, okay, here's another thing you got to worry about.

[00:06:31] Speaker B: You're like, I'm just the finance guy, now I've got to worry about this?

[00:06:34] Speaker A: Yeah, I just got to make my books balance, man. Don't put the whole fate of the company on my shoulders. I think it's very much around how we deliver the message. And you made a really good point there where you mentioned security training is part of your compliance training. What does everyone do? They just click next, right? They just try and get the right answer just to get back to their day because they've got their books to balance. They've got whatever their day job is and security just chucks a whole other module at them. This will help them understand phishing and this will help them understand bad URLs and that sort of stuff. But let's be honest here. A lot of people do just next through these things to get on with their day.

[00:07:14] Speaker B: And I think, have you ever done that, Alex? Be honest, because I have.

[00:07:17] Speaker A: Yeah.

[00:07:19] Speaker B: And I was in security in an internal function.

[00:07:23] Speaker A: Yeah, I must admit I was back at banks and there was a couple of modules that just literally had nothing to do with anything, actually goes to this topic, really literally had nothing to do with my job. They were sort of finance topics and I was in security at the time, which is probably the wrong thing to do. But I was like, I'm not going to read about export law to Iran. I just got to get this firewall rule burnt. So I did next, next, next. Got it first time as well.
Not that I'm saying you should do.

[00:07:53] Speaker B: That, but this is the reality of what people are doing. Right? Like, we're just painting a picture. I've done it. I failed it. I was on the non-compliant list. Yeah. And I was in security myself, which I should be practicing what I preach. But I found the trainings boring. Banal. They went for too long. There were these creepy little characters that walked out. I just didn't like it.

[00:08:10] Speaker A: Yeah. One good thing, this is just a real microcosm, and it's just something that one of our smart guys did back at a bank. Back when I was a younger man, we did a security superheroes thing and it was just like pop art images of random superheroes and we put them up around the building and it was just to keep it sort of front of mind, but not in like a negative way. It was more of a positive way. People seem to comment on them. So at least being positive in the messaging sort of got some sort of response apart from just next and off I go. I think one problem that I see a lot and that we see through our IR practice and doing tabletop exercises and that sort of stuff, sort of planning out what you'll do in the situation of a bad thing, is two things that don't work are blame culture and being punitive in nature when someone makes a mistake. And I might be jumping a little bit ahead here, but it does sort of fit in with your question. I think inasmuch as if people feel scared to stand up and say, I think something weird just happened, because they're scared for their job, or they're going to get sanctioned or dragged through the town square or whatever it may be, they're maybe less likely either to, a, come forward, and they may be more likely to try and cover it up. And we've seen both happen quite a bit, both in my previous life in law enforcement and in my current life here, doing intelligence and sort of obviously shadowing with the incident response guys.
So when people don't feel confident that they can come forward without, obviously, in cases of malpractice and stuff, that's a whole other kettle of fish that we're not going to get into. But if you've just fallen for a scam and changed an invoice number, or you've just clicked on a link in an email, there is that human nature of that sort of pit of the stomach, it may not happen that minute, it might happen that night where you sort of sit there and go, that was a bit weird. That company has never asked to change that destination bank account. I probably should talk to someone about that. But if they don't feel like they can confidently go to their manager the next morning and say, hey, boss, yesterday I may have dropped a clanger. Here's what happened. That could be the difference between getting millions of dollars back and losing it all. You know what I mean? That goes in a few hours. So I think instilling in staff a positive mindset. And part of that is if someone does a good job, maybe if they're comfortable with it. Obviously, everyone has their own level of comfort around these things. But at your next team meeting or at your next whatever gathering, say, hey, this is Carol. Carol noticed this was strange. She put a hand up, or Carol made a change to an invoice. She thought it was weird. She put a hand up, and the company saved x hundred thousand dollars. Let's hear it for Carol. You know what I mean? Like positive reinforcement rather than just click next. It'll all be over soon.

[00:11:22] Speaker B: Yes. Or getting on the non-compliant list that gets read out, and then you feel like you just want to find a hole and bury it, and everyone looks at you, right, like, oh, you didn't do it. And you're. Look, I think, again, it goes back to strokes for different folks. I definitely understand it. I'm just trying to obviously get some intel from you with your experience. What is it that's working? There are a couple of other things that I want to ask you about as well.
Alex, as before, when I was asking you around ownership for security. So then the other side of the equation is, well, and again, if you're a salesperson, this makes sense, but it's like, well, is the CFO coming down and saying, well, you're responsible for generating revenue. Yes. If you're a salesperson, that's your job. When you're in business development or something of that nature. Yes. But for someone who's just the accounts payable person, is that their ownership, too, to be like, hey, well, you got to be doing billable hours? Because it's this more so me looking at it like devil's advocate on the other side of it that, yes, we want security to be everyone's ownership. And I'm not negating that. It's just more so saying. But then will every function in every business be, everyone will have to own it then as well. I'm just trying to see it from maybe a different perspective.

[00:12:30] Speaker A: Yeah, no, definitely. And I think my friends who are still in enterprise security will hate me for saying this, but I think oftentimes security as a function forgets that they work for a larger company. It's like, what's a bank's job? A bank's job is to make money. Well, you, as the security team, your job is to, a, protect the money that we have made, but also, b, help us make more money. And that's true for any business, right? That's true across the board. That's just business, right? I'm not a businessman, but that sounds like business to me. I think it's a case of sort of saying, well, what resources do we have? And are we deploying them properly to help this business grow whilst securing it? Now, those two can be diametrically opposed, but I remember I was working at an insurance company at the time. This is way back when, I think it was called EVDO. It was like the forerunner to, like, really slow digital audio, digital Internet over RF, basically over the phone network. And we, as a security function, just said, no, you can't have tablets with EVDO.
We don't know anything about it. It's a ridiculous thought, it's going to expose us and it's going to widen our threat. All those words security people use. And then the guy, because they were going to be used by agricultural business lenders to go out on farms and help farmers with insurance claims for flood damage and whatever the case may be. And we got, quite rightfully so, a bit of a dressing down from the head of agribusiness, sort of saying, find a way to make it work. Okay, you don't like this one? This is the function that we need as a business to happen. Your job now is to find a secure way that you're comfortable with to make it work. It is not just to sit here and say no, it's to help us do this business and help these customers. And that was, for me, one of those real light bulb moments where it was like, yeah, this organization is a lot bigger than just the network that I'm protecting. There's a lot more going on here that we need to be aware of rather than just trying to. And this is, as you will know, when you're a gatekeeper, what do people try and do? First is get around the gate. I found some of those sort of interesting little things over the years that sort of come through. But for the other areas, it is just about if you do what security says and if you feel confident to speak up and you feel like you've got the right training. If you don't feel like you've been trained properly, that's also a problem. That's also something to put your hand up and say, I don't really understand this BEC thing. I work in accounts payable. I don't really understand how or what I should be looking out for. And I tell you what happens is your organization gets hit by a business email compromise, like an invoice alteration scam, and you figure it out pretty quick. But you don't want to figure it out then. You want to figure it out the day before.

[00:15:26] Speaker B: Yeah, those are great points, and I do agree with you.
Would you also say that perhaps security people lose sight of, well, what are we here to do? And I mean, I've spoken about this at length on this show, like security people, we're not there to practice security. Right. Like, you're. There is a function to secure the business, the business that makes money, which pays your salary. Do you think people get lost maybe in the day to day, and they're not thinking about the overall vision? And I've even interviewed people, and then one lady, actually, which was a great way of looking at it, was, well, we tell people to care about security all day long, but do we actually even know how the business makes money? A lot of people can't answer that. She was saying that I go and ask, how does our business operate? So do you think that people lose sight? Perhaps, and then maybe this is why we have some of the issues that we have around culture and blame culture and all those types of things.

[00:16:24] Speaker A: Yeah. And I think it's a situation of people don't know people. You obviously know your peer group and you know your friends and people who like the same stuff as you do, and they oftentimes will do a similar job to you. So they're the people that you will gravitate towards. What I found very helpful from the opposite side is things like brown bag lunches where it's obviously your staff have to give you their time. So you got to make it interesting. But it's like, come along and hear about a couple of recent near misses that we've had or some of our peers getting hit by security events. So you can understand what we do as security people and how it works. But then I would flip it and say the same thing needs to be done by the other business units. It's like, come along and hear what, in the case that I just referenced, come along and hear what the agribusiness people do and why they might need this stuff. Let's open our doors a bit and sort of reach out and get that understanding, as you're saying.
Just get that understanding that, yes, my mum thinks I'm important, so I must be an important cog in a wheel. But at the same time, it is a big wheel. And if I can understand it, that could help, because the amount of times that we've been in, again, these tabletop exercises or going through scenarios, and someone at the table from a completely different area has gone, well, I've got tech that can do that. Like the marketing team has tech that can follow who clicks on what link on your website, right? Because that's how they do marketing stuff. So it's like when you're sort of saying, well, we need to map the path the attacker took through all the things. She was just like, yeah, I've got that right here. I can just bring that up. And the security team was like, what is this black magic of which you speak? And she was like, it's marketing tools. But having the people in the room to have those discussions is what made that realization come to the fore and saved them x hours on the response. So this is definitely reaching out and understanding who around you does what and what the organization does really helps the security team, especially, buy into the business, because they already want things to be perfect. Because that's what security people want. Right. We want things to be buttoned up tight, but we need to understand why we're buttoning things up, I think.

[00:18:46] Speaker B: Great point. So one of the things I'm hearing from what you're saying is two-way street. Would you say historically, security people like, well, everyone must understand what we do, must understand what we do innately and intrinsically. But maybe it's not reciprocal. Maybe it's not like the security guy or girl isn't asking, well, how does finance work? How does the whole HR department operate? What do the mechanics of that business unit look like? So maybe there needs to be more two-way street.
So the brown bag session you gave, great example, but are you also saying that security people in an internal function need to understand how the other business units work? Because maybe, like you said before, with the marketing example, maybe there's some things that they can start to integrate that they didn't know before because they didn't talk to one another. They didn't understand how their independent business units were operating.

[00:19:36] Speaker A: Without a doubt. And this comes back to. It's literally the exact same discussion. You know, Clive from accounts saying, yeah, well, I've got to do this security training, I've got my own job to do. So security people, and I use that term generically and broadly and I am aware of that. It's a very broad church. I am aware of that. Some people just like to stay in their corner and do their thing, and that's totally fine. Everyone can do what they like in that respect. But security people are innately inquisitive people. They want to understand things and how things work. So oftentimes what I've found works quite well is go and spend half a day with that lady from marketing, go and spend half a day with that person from the fraud department, go and spend half a day with the person from accounts payable or whatever the area may be, and just learn what they do with their daily tasks and what they access and how they go through it. The problem becomes, a, some people just are quite happy just in their own little world. That's a management issue. The other problem is getting the time away because you've got your day job to do as well. So it's like, yeah, I would love to go and sit with the person from accounts payable so I can understand why we keep getting these small business email compromise invoice alterations happening, so I can understand their process and then we can work together to try and fix it.
But at the same time I can't hope to understand how to better secure that thing, or at least understand how the process flow works so I can understand how the attack may happen to us, if I don't sit there and watch someone actually use it day to day. They can draw it on a whiteboard for me or send me a mind map. But actually watching that person do their job, you get a lot more out of it for a lot less time. So it's hard with schedules, but I would say try and schedule at best. I'd like to say once a week, but I'll be realistic, maybe once a month. Each staff member gets 3 hours to go and sit with a different business unit, obviously with permission, and sort of just get taken through, sort of shadow someone for a bit of time to learn how that aspect of the business works. And it won't take long before the team is discussing, oh yeah, I was down with that area and they do it this way, and so much good will come out of it. And plus those individuals and those teams you go to visit get to know and feel comfortable with the security team because people chat, so you get comfortable with them. So it's a bit of a win-win. Yeah.

[00:22:16] Speaker B: And it generates sort of that camaraderie between the teams as well. And I know historically of people feeling like other parts of the business, feeling that security is like the police, and you're telling us no, and then you're scolding us and you're saying that we're silly because we didn't know about the thing that we're not even a professional at, and we're supposed to know about the thing that you can't explain anyway. So on that note, going back to your brown bag sessions, is there anything that when you're talking to people, maybe outside of, you know, outside of the different business units there, is there anything specific that really gets people interested? So sometimes I'm in an Uber and people start asking me what I do, then they'll either start sharing their own story about something.
I don't know whether it's directly related or tangentially related to what they do around. I don't know. My friend was on Tinder and then there was a catfish and then they got scammed or something happened. They find a way to relate it back to your profession. Right. So is there anything that you've spoken about yourself that has made other people across the business really lean in?

[00:23:14] Speaker A: Yeah, definitely the two dirty words, BEC and ransomware. But it makes people lean in because it's not just me talking about some sort of ephemeral technical threat. It's about, here's how these people lost their jobs, inasmuch as their company went away. Or here's how this poor person was duped into sending $2 million to a different account than they meant to. And people lean in, and you really heavily front-load the abstract and the invitation with that information. Because then anyone who has any dealings with the company finances, accounts payable, incoming and outgoings, whatever it may be, will look at that and go, well, I don't want to be that person. And after a couple, they get to know you as a speaker and they're like, oh, it's going to be a good show anyway. So I'll give them 45 minutes of my day. And that stuff really makes people stand up and pay attention. You get a bit more of the technical crew across for the ransomware ones, which is fair enough, but again, you sort of really heavily front-load that with, this is what happens when a business stops, and this is what happens to your job when this business stops. I find that one goes very well with, as I said, a bit more technical, but everyone's interested in it because everyone's reading the headlines and hearing about it. So they want to understand how it works. But I run a whole session for boards and C-suites only on ransomware. I've got a whole thing just on that to help them understand. This is the reality of not just recovery. I try and sort of just use.
You don't want to go in there and scare people, but you want to give them facts that are realistic. But it's around preparation. Here are some things that your organization can do starting the second I leave this room, to put yourself in a better position for when or if the bad day happens. And those sessions get loved because it's just giving people information that's real, because people think that I understand, and it's like, well, no, here are six IR jobs that we did on ransomware in the last three months. Here's how they played out and here's how the recovery worked. And once you sort of lay it out to people what the reality looks like to their business, they tend to stand up and pay attention pretty quick. But from a staff member brown bag lunch point of view, definitely the things that they could accidentally do to affect their company and their role are the things that are most of interest to them.

[00:25:52] Speaker B: So what about when people make mistakes? Now, again, we're herd creatures, if you want to describe it like that. No one wants to be wrong. And you made a great point before. Of course we want to try to cover it up because it depends on how the company responds. And you feel like you're getting fired or something's happening, your bonus is gone. And look, I understand it, again, strokes for different folks. Sometimes these things are needed. But again, if you're doing something wrong, it's hard to handle that emotionally. Or you don't want to feel like you let the company down or you don't want to feel like your manager thinks you're a fool now because you did something you shouldn't have done, because maybe you weren't paying attention because you're hungover because you went out the night before, like, who knows, right?

[00:26:33] Speaker A: Yeah.

[00:26:33] Speaker B: So how does that then all look?
Because how do we generate, if you do make a mistake, you know, there has to be some sort of guardrails for people, because again, no one wants to come forward and say, hey, I made a mistake, Alex, I completely bankrupted.

[00:26:52] Speaker A: The, like, what do we, and shame is a massive motivator in this. Obviously, I've been dealing with criminals for far too long, so I've got a bit of a warped worldview. But as the criminal enterprises have matured, as they have massively matured, like, if you think back to, let's cast our minds back to Spanish lottery and Nigerian princes, faxes and letters and stuff, right? So if we start there and we move towards the current day stuff, which is just wild, technically, but still a lot of the same tricks, what they're learning is they're getting much better at dealing with people, right, and the psychology of victimhood. And that's victimhood from a business point of view, and victimhood from an individual point of view. And part of victimhood is shame. It is the feeling that this is my fault, rather than, okay, what gaps do we need to fill? We'll worry about what happened once we know what happened. I'm not going to sit here and yell at you like the trusty lieutenant in an American cop movie. Get the hell out of my office. You know what I mean? I'm not going to do anything like that. We're just going to say, okay, what happened has happened. You need to sit down and document everything that's happened. We need to go through this. This is where I would fall back on a bit of my time in law enforcement, which is document everything. Just start writing it down. And then when it comes time to put things together formally, you've at least got it. So it's about that first initial interaction with the person who's made the mistake or the oversight, or hopefully not malpractice, but let's not add any sort of value judgment to what may or may not have happened.
But it's that initial interaction, it's like, okay, we need to know everything. We'll start the investigation. Have you changed anything? Have you hidden anything? Now's the time to say it. We just need to get this rolling. Once we've done the report, you've got Secureworks in, or you've got someone else in, or you've done it yourself, and you've got that understanding of what actually happened because you're practicing good security hygiene and you've got good logs and your techs are all on top of it. Isn't that always true? But then once you've got the full story, now it's like, okay, what happened here? Well, it looks like we should implement a second check of any change to an invoice over $30,000 at this point in this process flow, because that's where the bad guy used psychology against our poor staff member to push them to change it by pretending to be the CFO or one of the billion tricks they've got. But it's not until that point where you can sort of say, okay, well, now that we have the facts, we can understand. If they walk in and say, boss, I think I made a mistake, we may have just had 800 grand walk out the door because I made a change that I think may have been wrong, and you immediately launch at them and suspension and all that, whatever, what's going to happen to the next person who's outside watching that happen? They're going to try and cover that up as much as possible. I'll bet you they may not. I am passing value judgments on other people, I don't know, who don't exist, but stereotyping, and that's fine for example purposes. But the rest of the staff members see that and they see that happen and they'll file that away for next time or for when it happens to them. And the reason why it becomes so crucial, especially in cases of business email compromise or invoice alteration or whatever the name du jour is, is that you've only got a certain amount of time to try and recover those funds, right?
So every hour that is wasted by not telling and you not reaching out to your bank, who can then reach out to SWIFT and do all that sort of stuff. Every hour that passes, that window closes a little bit until you may have been able to get the entire lot back 7 hours ago. But as of now, we can get you half or we can get you none because of the time frames, and it's public holiday Monday in Melbourne or whatever it may be. So, yeah, in some cases the clock is ticking and the same can also be true with ransomware. It's like you've got x amount of days to make your mind up before we dump this highly embarrassing data. Now that's a whole other discussion around that. We can have that another time, but with these decisions around payment, et cetera, the clock starts ticking. So it's always about time pressure. So people feeling that they can come forward and then obviously deal with it later on. And I would always err on the side of a non-punitive, non-blame-based culture, but people have their own way of doing things. But I think just having people have that confidence that they're not going to come out of that boss's office in tears is probably a good start.

[00:31:56] Speaker B: Okay, so there's a couple of things in there that I want to explore a little bit more. Just my curious mind going 100 miles an hour. So why do people default to, hey, boss, lost 800 grand. Look, I get that that's not an ideal thing. No one wants to wake up to that problem. That 800 grand is coming from somewhere at the end of that bottom line, from somewhere. But why do people in the past, or they probably still are, default to the scolding, the yelling, the finger pointing, the blaming, no bonus for you, you're fired, Jeff. Where does that come from, though? Is it because they're like, well, now on, my job's at risk. I now need to explain to my boss what happened to that.

[00:32:34] Speaker A: I think there's a bit of that.
I think KPIs can get rolled up and ultimately that boss may be responsible for that money or for those transactions, and there will be an element of personal, what's the word, protection involved in that. And that's, again, casting aspersions on a person who doesn't exist. But if I can make you look really bad, make this really your problem, then I can deflect onto you. And that's toxic. Obviously, that's not what we want to do as management. But I think what we're also seeing a little bit of in, well, not a little bit of, but we're seeing a fair bit of across certain verticals is, as we said at the top of our little chat here, things have changed and boards have got a lot to worry about. So if they don't understand what's happened, all they understand is at the board meeting, someone told them that they've lost 800 grand to some guy because someone's got an email. And the next part of that story is, and we don't know how it happened, that's a key bit, they're going to hit the roof worse.

[00:33:45] Speaker B: Right?

[00:33:46] Speaker A: Yeah. Right. Because I always say it's best that it never happens, but you've got to expect that something may happen. But then the next thing is how you deal with it. And part of that is being able to at least put a narrative together that says that we know what happened or we've got enough to form a working inference as to what happened. It's not as good as the bad thing not happening, but being able to explain this is what happened is actually probably your best win in one of these terrible situations. And that does come back to that mention I made, you know, as much psychology as it is art, especially if we're going to that sort of higher level, because obviously any sort of sanctions will be passed down through the C-suite, board or C-suite, down to the GM or the EGM and whatever the case may be there. So as long as they understand and you can get that information across to whatever level of management.
Clearly it shows that you understand it, which I think is a key message. I think if you can't explain even the most technical of concepts, or I would say the most, not complex, but involved of criminal acts, if you can't explain it in clear terms, maybe you don't understand it yourself. And that's, again, another massive statement to make. But it's like once you've gone through this process of basically pulling your entire network apart with a fine tooth comb and figuring out what happened, you should be able to say, yeah, the thing did the thing, and then the thing and the person broke that. And that happened all the way down to, here's the IP address, here's the malware, and here's the line in the logs that shows that the thing was changed and everything in between, because you should live and breathe that incident, or someone should, to be able to understand and answer those questions when they come up, because that shows that you're competent to all levels of your management chain up to the very top. Because it's like, yeah, I got this. I understand what happened. I can't unmake it happen, but I can tell you exactly what happened, and that's probably your second best outcome, apart from it not happening in the first place.

[00:35:54] Speaker B: Do you think as well, maybe that reaction could stem from it's just the straw that broke the camel's back? Maybe it's like, I've got so much on, I'm not performing. Something happened. I've had a rough day. My kid didn't sleep. I haven't slept. And then it's like, now you've lost the 800,000, and now it's more of a knee jerk reaction of, this is just too much for me to handle. So maybe it just bubbles over and then an explosion happens with someone responding like that. I mean, these are human beings, right? Like, everyone has bad days.

[00:36:22] Speaker A: Yeah, 100%.
And if we take the position of our fictitious manager, who's just had the person come in and say, hey, I've just lost 800 grand, they're going to scream, you know what I mean? Like, you what? And as you say, that's just human nature. But it's about how, and this is a whole other discussion around psychology, but it's around how we deal with stress and how we take on bad news and how we then go, okay, where's that IR plan we did that we put in a drawer and forgot about? Where's that contact number for our retainer people? Where's that tabletop exercise that we did? Get me these people. What I'm saying there is, hopefully you will have a lot of the things that can help you in that situation to hand. That's the whole idea, right? They may not be on your desk. They may be in a filing cabinet somewhere or scanned into SharePoint somewhere, but when all you want to do as a manager is run and hide under your desk because of human nature and a really bad thing just happened on your watch, having those little documents and those little touch points to say, okay, yep, all right, good lord, this is the worst thing. But we've got a place to start. We start with that guy calls this guy and we call them in and we start going through what happened. And at least then you've got steps, because you do. Like, I've been in war rooms with massive incidents at medium sized companies where people have been screaming at each other because everyone is terrified for their jobs, that it's going to be their fault. So when I give this advice, it comes from I've sat quietly in a lot of rooms while a lot of people have yelled at each other.

[00:38:11] Speaker B: So how do you handle that, though? What do you do? You're obviously an external party. How do you control that? Because, look, I'm not surprised, and I get it. And it goes back to all the stress and all that, but you're also like, okay, we need to get this sorted. We need to understand what's happening. But what does that look like?
[00:38:29] Speaker A: Well, let me tell you that it was easier in law enforcement because I didn't have a badge, but the guys in my team did. And it was like, well, we're here to help you. You just need to let us help you. We're going to tell you some things to do. I'm hesitant to make the joke like it's the Wolf out of Pulp Fiction, but I just watched it the other night, so it's fresh in my head. You just sort of, four dudes rock up in suits and say, hey, we hear you've had a bad day. And then it's about just guiding them through the process. And the same is true in the corporate world, doing IR services. And we have what we call incident commanders who do that job a lot of the time on voice bridges at 3:00 a.m. And it's just about helping people through the process of, here's what we need to happen next. Here's what we need to happen next. Because they're just looking for someone to help point them in the right direction, and then it's about dealing with those interpersonal issues. And I've literally seen million dollar companies brought down because two coworkers couldn't get along and one would just ignore what the other one asked him to do. And when we were in this discussion, this came out after many, many discussions in meetings and it was hell. But the manager is like, oh yeah, we knew they didn't get along but we just thought we'd just jam them together and they'd make it work. And I remember I was very unprofessional, but we knew them pretty well by this stage. And I said, well, that worked out well for you, didn't it? And he just sort of laughed and walked off.

[00:39:56] Speaker B: At least he laughed.

[00:39:58] Speaker A: Yeah, we were at that stage in our relationship. Stress tends to breed dark humor. My gosh, it was definitely a case of, had those two got on and that guy was comfortably doing what the other guy asked him to do, this never would have happened, and that was becoming quite clear as things went along.
[00:40:16] Speaker B: So that was more ego driven than anything else about, oh, I don't like James and I don't like Sam, so too bad, I'm going to ignore James. Then all of a sudden we get a big blow up.

[00:40:24] Speaker A: Yeah, right. So these things can happen with the smallest of things all the way up to, we haven't updated that customer portal in 15 years and the guy who built it died seven years ago and no one knows how it works, you know what I mean? And everything in between.

[00:40:41] Speaker B: Yeah. So this is real stuff that absolutely does happen and that's why I want to talk in practical terms, not in theories. I want to talk about things that people can relate to. Like there is a Sam and a John and a James in a business. These things do happen. People aren't listening because of egos, or yes, there was, you know, something hasn't been updated, looked at, patched, no one knows. No one even knew it existed. The guy died, like, these are real case scenarios. This is what I find interesting about it and this is what I want to get into and understand on how we can be better. So is there anything specific, Alex, you'd like to leave our audience with, any closing comments or final thoughts? Look, I know we went on a bit of a tangent, but again, you've brought a lot of light to the things that are happening out there and what people can do to get better at building their cyber.

[00:41:33] Speaker A: I mean, I think to distill it down, and this is going to sound so trite and I really apologize, but I can't think of a better way to say it. It's a bottom up, top down approach at the same time. And what I mean by that is if we take the technical analysts and the technical people, and they're not the bottom, it's just in this particular inverted pyramid, or this particular pyramid, they're the ones doing the work and actually working to secure the network. And it goes all the way up through every layer of business to the board.
And then the board gets correct advice from all the layers in the middle around how this particular change will affect them or whatever is relevant to the cyber culture of the company and where there's gaps, and then the board being well informed, and that is a key. I use that term very advisedly, the board being well informed, meaning that it's been explained to them clearly, they've got the notes, and then they make a decision that then filters down and that can help to change the culture. And I would say management stress training, but stress training around acute stress of this bad thing has happened. Here's what our company approach is. Incorporate that into some of your management training. Personally, I think it's sort of invaluable. One thing that I will say that I'd love to have a chat with you about again in the future is around when you're briefing the board, when you've been blessed with your 20 minutes next Wednesday, or Wednesday two months away more likely, and you've got this thing you want to talk about, this initiative or whatever it is that you want to drive and whatever function you're in, if you're in service desk, if you're in IT, if you're in security, if you're in fraud, whatever your function may be, run your pitch past people from other teams. Find someone you know from marketing, find someone you know from accounts, find someone you know from any other, your writing staff, and run your pitch past them. Run your patter of what you're going to say past them, because if you run it past people who are in your peer group, they'll understand your jargon, understand all those little tangents, those asides and quips you make and whatever, but the guy from accounts payable is going to look at you and go, I have no idea what you just said to me. All you said is that we're at risk and you need $6 million. I don't understand why.
And that is very valuable feedback to then go away and retool your messaging, because someone who doesn't understand your world is telling you, I don't understand what you're trying to tell me. And the board has got a billion things to worry about, and the C-suite's got a billion things to worry about, so they need to understand it in that 20 minute spot. So spend time to fine tune your message.

[00:44:31] Speaker B: This is KBcast, the voice of cyber. Thanks for tuning in. For more industry-leading news and thought-provoking articles, visit KBI Media to get access today. This episode is brought to you by Mercksec, your smarter route to security talent. Mercksec's executive search has helped enterprise organizations find the right people from around the world since 2012. Their on-demand talent acquisition team helps startups and midsize businesses scale faster and more efficiently. Find out more today.