A
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless, and cellular in one integrated solution that's built for performance and scale. You can find them at meter.com.
B
Welcome to Cybersecurity Today, the Weekend Edition. I'm your host, David Shipley. And today I get to do something I genuinely love: sit down with someone I've known for more than a decade, someone who was a mentor to me when I was just finding my footing in cybersecurity. Jeff Gardner was the CISO of a Canadian university. When I was leading the security team at UNB, we worked side by side in a national group, supporting teams across the country in maturing cybersecurity programs and responding to the latest threats. But here's the cool thing about Jeff. He didn't just accumulate experience as a CISO. He went and studied some of the most important parts and problems in our field rigorously, academically. The result is a fascinating doctoral dissertation that I think is going to make a lot of people in this industry uncomfortable. And I mean that in a good way. What Jeff has found is a structural flaw in the very foundation of how we train, certify, and deploy cybersecurity professionals. Not a gap, not just a curriculum problem, a misclassification, one that many frameworks, the certifications and the credentials that go with them have been quietly reinforcing accidentally for years. I'm so excited to share with you this conversation. Let's get started. All right, we'll just start off, Jeff, with a little bit about you. So I'm going to throw the easy opener, which is: tell me the story of Jeff and your journey towards doing a PhD on how cybersecurity and information security professionals handle risk management. So, like, where do we start? How long have you been in the field?
A
Well, David, why don't we start with how we know each other? You and I worked together when we were both CISOs in the university environment, and we knew each other through the Canadian University Council of CIOs Cybersecurity SIG. And it was a little bit like herding cats. And so what we tried to do is, we were all extremely unpopular because we had corporate titles in an academic environment. And we were all trying to be change advocates in these organizations that think themselves progressive but are actually change resistant. And we were trying to teach them that safeguarding data was actually a good exercise, not a bad exercise. And so that's where you and I met. And then I left. I was CISO at Western and I left Western to go to Carleton, where I was CISO there. And then I did my MBA and I loved everything about the MBA. I did a finance course and heavenly angels sang and I said, where has this subject been my whole life? And so I really liked the business side of it. And then from there I became Director of Cybersecurity for COMPUTE Canada. And then I went on to become a consultant, and now I'm at Morgan Stanley. The thing that got me into the subject though was I saw cybersecurity analysts making decisions that didn't make sense to me. As an example, I saw in a company when I was a consultant, they had a platform that had a very rigorous, secure development process, and cybersecurity analysts had to look at the controls in place before they would bless it to go into production. And here was the latest version of a really important system that was being held up because the cybersecurity analyst said that it was extremely high risk and that they were running the wrong version of Transport Layer Security, TLS 1.2 versus TLS 1.3.
For those technical people that are listening, I went to the decision makers on the cybersecurity side and I said, this exploit that you're talking about, TLS, it's been shown academically true. And when you look at exploits globally, there's maybe less than a handful of cases. And the instance we're talking about is a system that's not even exposed to the Internet. So let's walk through this. Is this discoverable? Is it exploitable? No. And you went through and I said, given all of these things, is it likely that this exploit will happen? No, it's unlikely. And then I said, okay, if it does happen, what's the risk? Is it going to kill the company? Is it going to kill a part of the company, like a business function or a business unit? Maybe a business unit. I said, okay, so let's take out a risk matrix and, using your own words, see what the risk is: extremely unlikely and moderate impact is moderate risk. So it occurred to me that cybersecurity professionals were making risk management decisions but not doing the risk calculus. And that was really kind of an important epiphany for me. And that's what led me to do my dissertation.
B
That's it. I just want to unpack a little bit about the journey. So we started in higher ed and that was one challenge. Then you went into banking. So you decided to up it. And you mentioned earlier, before I forget, you are part of an organization called COMPUTE Canada. And for our American listeners, and probably a great deal of Canadians listening, what exactly was COMPUTE Canada?
A
COMPUTE Canada was a collaboration of high performance computing across the country. All of the major universities and some private research institutes that build up supercomputing basically came together under the umbrella of COMPUTE Canada. And my job was to give them a cybersecurity program with the assistance of cybersecurity reps located at each of the regions. And for the American listeners, you have supercomputing facilities like the San Diego Supercomputing Facility and a couple of other examples that Canada emulated. And so when you actually put your supercomputing facilities together, you get the ability to do computing on a massive scale. And that's what COMPUTE Canada was. They rebranded themselves. They're now called the Digital Research Alliance of Canada. So same idea.
B
No, no. Okay, thank you. Thanks for that. So then you land at this small bank known as Morgan Stanley and you decide to, because of this journey that you just talked about, get into this risk management side. And for those who are listening or watching, I've actually had a chance to take a quick read through your 300-plus page work. There's a lot of work here. If I had to ask you in a sentence, how would you rate the cybersecurity industry today and its ability to understand and communicate risk?
A
There's a fundamental... So I would say that the motivation is high, and I would also say that cybersecurity training is very effective. Like, one of the things I looked at was competency translated into workforce practice. The problem is fundamentally that what we call risk management, only we call risk management. When you look at auditors, when you look at project managers, when you look at doctors and actuaries who work for the insurance industry, they all go off the same song sheet, where risk is an expected loss calculation. It's impact times likelihood. And our origins: if you look back at the Department of Commerce when it first introduced the concept of cybersecurity all the way back in the 70s, the definition of risk was impact times likelihood. And then in 1988, something happened. I think it was 1988, it was the Morris worm. And CERT stood up and introduced an incident response process that got us focusing on the technology. And this had the impact, in the profession at least, of taking our eyes off of how everyone else defined risk. And it made our approach to defining risk look at configuration state, look at vulnerabilities, look at exploitability, look at adversarial agents. So we redefined risk, and our definition of risk is not like anybody else's definition of risk, which means it's really not risk. And this is the fundamental problem: what we think is risk is not risk, it's threat management. And that means that I think that we are the profession to do technical risk management. But we've got to first recognize that what we call risk management isn't, and accept what is, and then be willing to take our lumps and learn new skills.
B
And let's step back for a second. I'm running a small managed service provider. I'm the IT lead for a 25 person company. Why do I care about all the labels? I just want to patch my stuff. I just want to turn on MFA. I just want to get to the 200-long list of to-dos that keep getting added to every day, including all this AI shenanigans. Why do we need to care about getting risk management?
A
Because at the end of the day, and this was another part of my research, I interviewed senior VPs, a bunch of CISOs, directors, a CIO, and I asked them the question: what do you expect of your cybersecurity professionals? Do you think that they're risk managers? A hundred percent of them said yes, we believe that they are risk managers, they manage technical risk. These are our expectations. And that's concerning because it means that when you hire cybersecurity professionals, you employ them, you believe, and this is at the level of the board and the C-suite, you believe that you're hiring people that can contribute to managing technical risk. But they're using the language, they're saying the right things, but they're not. That's why you should care. So the question really is, if the people who are talking like they're risk managers aren't, who is managing technical risk? That's the question.
B
And I would assume right now, if everyone thinks that someone's doing it, but they're not actually doing it, is it the safe answer to say it's not being done?
A
You know, you asked me earlier why I got thinking about this. Another element to this is I saw these... if you look, just Google the top 20 breaches in the last 20 years. Things like Equifax got breached because of patch management, and they had a hundred person team responsible for patch management. You saw the Target breach, which actually had the alert detected by a human. That was the exploit, and it wasn't acted upon. So there's a kind of an ambiguous question here. If large companies and small companies and medium sized companies are investing in cybersecurity, why isn't cybersecurity showing the results in the news of greater success than they're showing? It's not from a lack of technical know-how, it's not from a lack of resources. It's because of this anomaly that I've exposed in my research, that all of these companies think they're doing technical risk management and their teams are actually doing threat management and not looking at, like, expected impact to a company. And one of the things I focus on in my research myopically is the issue of likelihood. For example, and this is a good example, I might say to you the most impactful breach isn't the highest risk. I'll give you two examples. If I were to get hit by a meteor, a hundred times out of a hundred, I would die. No question. Yet the likelihood of that happening is laughably small. So here's an incredibly impactful event that is low risk or non-existent risk. Whereas a car crash happens all the time, and people survive car crashes all the time; you've got more chances of surviving a car crash than not. And yet it's a higher risk because its likelihood is higher and its impact is higher. So when you actually do risk calculation, you can see that the highest impact event is not the highest risk event. And our profession needs to understand this.
Go back to the example I gave you where they were holding up putting the system into production because of a laughably impossible exploit that wasn't a high risk, and they were calling it a high risk. So they were using the language of risk, but they weren't using the math of risk.
B
How do we understand likelihood when we're one creative kid or one new generative AI clever trick away from something we never imagined being possible? You mentioned you wrestled around with likelihood. So I'm poking the bear intentionally on this. Like, how do I get my head around "anything could happen"?
A
Yeah, I'll ask a slightly different question and then I'll answer you. I've been challenged with this: that to do risk calculations is too technical, the average cybersecurity professional cannot. Even though my dissertation looks like it's banging the profession, I'm not really. I greatly esteem the people that I work with, the people that I've met through my career. So let's look at that. I have taught cybersecurity professionals how to do risk calculations qualitatively. And this is how you do it. You say to the average technical person, given what you know about this exploit, because there's the knowledge they do have, how likely do you think this is? I'm going to give you five choices. Is it inevitable? Is it likely? Is it so-so? Is it unlikely? Is it impossible? You tell me. And almost every cybersecurity professional can qualitatively tell you that. Similarly, when you talk impact, another criticism that came out, not a criticism but an observation, is the leaders that I spoke to all said that our cybersecurity professionals just don't get the big picture. They don't think the way leaders of a company think. So let's talk about that one, impact. I can teach cybersecurity professionals how to think the same way. Is this going to impact a couple of individuals? Is it going to impact a business unit or business function? Is it going to impact the whole company? What's the impact here? Is it severe? Is it moderate? Is it low? Is it really low? And they can give you that qualitatively. And if you can get qualitative assessments from them as to likelihood and impact, you can throw it into a risk matrix and get a quantity. And then if you get a quantity, you can make a decision: can we accept this risk? Can we lower this risk? Do we mitigate this risk? Do we transfer this risk? Is there a means of hedging the risk, which is really, okay, we can't lower it, we have to accept that whether we want to or not.
Can we find another suitable compensation should this risk be realized? So it's true that the profession right now isn't thinking in these terms, but I think the ability to do risk calculation is actually something we already possess. You just have to frame how you ask the question. And even with technologies like AI, I've met a lot of people working with agentic AI. I've spent the last year looking at emerging technologies. And even if they're not cybersecurity professionals, but they understand the technology, you can ask them the same question. So here you've got an AI agent. It's got a policy framework around it. What's the likelihood that this thing is going to be able to break out of that policy framework? And they can give you a qualitative assessment. And as long as that's what you're getting, you can apply it to a risk matrix and understand the risk in a reasonable way.
B
I'm going to ask the dumb question because I think it's relevant. Why do we need risk prioritization? Why don't we just treat everything as a risk and just try and do it all?
A
Because companies have a limited amount of resources. And the resources that a company has are earmarked primarily for creating value. That's what companies do: they create value. And in exchange for that value, they've got customers that esteem what value they're creating. But here's the thing. The value creation is not a no-risk event. Think of getting on a train. A train has brakes. The goal on a train isn't to experience the brakes. The goal on a train is to go from point A to point B. But you can't safely go from point A to point B without effective risk management. So if companies are serious about creating value, they have to do it in a risk-managed way, which means they have a limited number of resources. And when you don't prioritize risk, when you treat everything like a risk, you're not applying those resources in an intelligent way. What you really want to do is apply the resources to the greatest risks, the risks that have the greatest likelihood of impacting the company.
B
No, it's... And I think it's just useful because it gets to the point. We cannot, and particularly every single day we see the speed of potential bad things happening accelerate. The average time from an exploit being published as a CVE to workable malicious code has gone from two point something years to less than a day, according to the zero day clock. So, yeah, we are under pressure even more than ever before. So that's why I wanted to set up that sort of picture. We have to make choices, and the way that we make those choices can be irrational. Like your example of, I'm going to hyper-focus on the TLS version between 1.2 and 1.3 and I'm not actually stepping back to look at that wider picture. Or I could actually be spending time making sure that, if I have an Intune admin and we're going to delete 80,000 devices using Intune, or Stryker, I'm not trying to make light of that, maybe it's a good idea that two people have to approve the deletion of more than one device at a time. I don't know. Crazy thought, but I'm curious where disasters like that fit within the research and story that you've been exploring.
A
Go back to your comment that technology is moving at a breakneck pace. I agree with that completely. I think, and David, you've probably heard me say this metaphor before. Think of the metaphor of a child. A child initially rolls around in one spot, and then they learn to sit up, and then they learn to stand tentatively at a table, and then they learn to walk, and then they learn to run. So they learn the skills. And that's where we're at. When you talk about technology advancing at a breakneck pace, we're learning the skills, and then somebody teaches them, don't chase the ball onto the road. Risk management comes after skills. And if it's true, and I believe it is, that technology is moving at a breakneck pace, at some point we have to work in that our development of risk management skills has to also happen at the same pace. And if we're not willing to take that first step in terms of risk management, we'll never be there. The technology will outpace us.
B
Hmm. You and I share the same belief. Like, there is no way, by any stretch of your imagination... You can look at the increase in global spending on cybersecurity, which over the span of our careers went from a couple dozen billion dollars to upwards of 400 billion dollars. And the losses are growing four times faster than the investment. So, like in any other field of business, if you went to a CEO and said, I'm gonna need you to spend 10 times as much over the next 10 years, okay, what am I gonna get in return? Five times worse results. You'd be tossed out the door.
A
Yeah.
B
How do we get away with that?
A
I don't know how we get away with that. And I have to be honest. When I first encountered risk management, like a risk matrix and a risk assessment, as a cybersecurity professional, I wanted to drop something heavy on my foot or gouge my eyes out. I really thought to myself, what the heck am I doing being exposed to this content? The irony is that when I realized that risk management was the secret to making technically sound decisions and the ability to prioritize, my attitude towards risk management completely switched. And now, obviously, after 400 pages writing on the subject, I have to say this: I can't say cybersecurity is failing, but I can say this. Within cybersecurity, our ability to manage risk is not where it should be at. It's not focused correctly. And I think if we do that, then all of these things you talk about, like emerging technologies that we can't anticipate and how they're used, we'll be in a better position to guardrail them.
B
We've seen an entire industry develop, both in the private sector, the public sector, post-secondary education, certification bodies like SANS, like ISACA, ISC2. I could rattle off all the names. How many haven't figured this out?
A
That's a good question. It's because it's a self-perpetuating problem. In other words, the training foundations themselves teach threat management, not risk management. When I look through the NIST NICE framework, for example... okay, set that aside for just one minute. Look at all of the risk management frameworks in the world. Look at ISO 31000. Look at NIST Cybersecurity, NIST Risk Management Framework. Look at FAIR. Look at COSO. Every one of them defines the same set of core competencies and the same definition of risk. Risk is an expected loss calculation, impact times likelihood. So when you look at how other professions are using risk, they're all using risk in a consistent way. Only we differ. When you look at how we train our cybersecurity professionals, you look at NIST NICE, for example, the word likelihood doesn't even appear in the framework. And it's a bedrock of assessing risk. And the other thing that it does is, when it talks about risk, it anchors risk to looking at systems. A CEO doesn't care about a system; he cares about whether his company still runs. So the fundamental reference point for a cybersecurity analyst shouldn't be... even if they're technically capable and they're looking at a system, they have to fundamentally anchor their assessment to what impact does it have on the company? To its finances, to its reputation, to its legislative or its compliance requirements. And starting at the low level, our training doesn't give us the right tools. When I looked at the profession and competency, I found two interesting things. First of all, only about 11% of cybersecurity professionals think in risk management ways, do a risk calculation. 11%. That's one out of eight. That's very interesting. The second thing I found was when I compared cybersecurity professionals' competency to non-cybersecurity professionals, there was no statistical difference.
So right now, because we're tooling ourselves, we're calling ourselves risk managers, but we're actually threat managers. We don't actually demonstrate more competency in this than your neighbor. And so our training doesn't recognize this. It doesn't impart skills to our competency. And then, most alarmingly, when you get to the level of the leaders, all leaders can see the gap. They can all see it. Every one of them saw it. They said yeah, our cybersecurity... I asked the question in my interviews: when you see cybersecurity professionals give you a report, let's say a good one, think of a bad one, what makes it bad? Every one of them said the same thing. They don't get it. They don't frame their reports to us about cybersecurity things in terms of the business. It's always about a system or a tool. So it's self-perpetuating. But I also measured, in the leaders, if they themselves knew the definition of risk as likelihood times impact. And only two of the seven were able to get that. And related to this, I found kind of a complementary result when I looked at two control variables. One was whether training actually imparts this thinking, and that was: have you been trained in risk management specifically? And there is a relationship, a very small relationship, between yes, I have been... The more significant relationship was: do you use risk management on a regular basis in your thinking? And that was massive in terms of impacting competency. So it's not just receiving training; you have to use the skills that are being imparted to you. Finally, and I don't want to hammer on this too long, but the other interesting thing about cybersecurity training and its impact on the profession is that risk management is actually four things. It's calculating risk, it's prioritizing based on risk.
It's justifying to some other non-proficient audience why a high risk is a high risk, because its impact is high and its likelihood is high. And then finally, and I always forget the last one, it's in my dissertation, but anyway, when I measured those specific skills in cybersecurity professionals, my model failed. And I thought I had done something wrong, and it took me three days to figure it out. The reason that it failed is because we talk about risk management as one thing, not as specific actions. And once I realized that, I realized that the failure of that model was really profound.
B
What was the most frustrating aspect of your research, coming through the other side of it going, geez, is it this, that we just missed the ball, or is it something else?
A
Okay, there's a couple of things. One was I spoke to a CISO, that I didn't interview, a CISO that was very interested in what I was doing and why. And when I presented my preliminary results, this CISO said to me, threat management is enough. Like, we don't need risk management. Our profession is not trying to make risk managers. And I had done research as to what constitutes success in cybersecurity and what accounts for failure. Two other studies, I didn't do them, but I read them and they were shocking. One was a study by Webb et al. and the other study was a dissertation by a guy named Baden. And he actually asked the question, of all the things that can contribute to cybersecurity success, what is the most influential? And he found that it was risk management. And not by a margin, but by orders of magnitude. And so effective risk management is what leads to successful cybersecurity operations. And then Webb et al. asked a different question: why does cybersecurity fail? And four of their six items were lack of effective risk management. So when I get attitudes like this, maybe the profession only needs to be threat managers, not risk managers, my head explodes. If you want to be successful as a profession, you need risk management. If you want to fail, ignore it.
B
What's interesting to me is to juxtapose your point with, every year I see the same depressing statistics. It seems 50% of CISOs want to quit. Your average tenure is 18 to 24 months. There are a lot of unhappy people leading cybersecurity and essentially having to be compensated to be miserable. And maybe we don't have to be miserable. Maybe there's a better way than threat. Is that the hidden cost of threat management versus risk management, that you'd actually end up happier?
A
I think that this explains why the job is so difficult, because we're using risk management language but not using the skills. So I do think that my findings relate to that. I always joke, I've been a CISO twice for more than a decade. I always joke that CISO stands for "career is soon over." But if you actually think about the problem, this is the problem. The problem is that if CISOs think like risk managers and they can start speaking the language... I came from a technical background and, as I told you, I didn't think highly of risk management even though I had been exposed to it, until the light bulb went off in my head. Once I started speaking the language of risk management, true risk management, and I could show people that this isn't actually a high risk, you can accept this, all of a sudden the other executives started taking me very seriously, because I could rationally explain why an investment would be good or not. This investment is going to decrease the likelihood that this is going to happen. This investment is going to decrease the impact it'll have on the company, should it happen. When I started actually understanding risk and using the risk language, not as a threat manager but as a risk manager, the relationship I had with others changed. And the last thing I'd say to your point, and this has got nothing to do with my dissertation, but I tried having the same impact on two separate organizations. In one, I didn't have a business analyst working for me, and in the second, I did. And I felt, as a CISO without a business analyst, I was a bull in a china shop. But when I had a business analyst who understood the relationship between process and governance, again, it was like angels singing from heaven. I was able to make small, little, important changes with minimal effort that had massive impact, positive impact.
So if you are a CISO, get yourself a business analyst, someone who understands process and governance.
B
It's more than just firewalls, threat hunters, SOCs and vendors. You might want to do some thinking and some calculus and some... That sounds like fancy. We're both MBA graduates. Fancy business talk there. But I think you've said a couple of interesting things that I just want to unpack. And one of the things I want to ask is, should we be teaching risk management to the entire IT team, not just those responsible for cybersecurity, so that they can make better choices that even lead to better resilience, that lead to better business outcomes? Is this something that needs to be broader, into all of IT?
A
This is a controversial question. I have been asked, okay, fair, your observations are fair about the profession, but do the juniors need to get it? And you're asking a broader question still: do others need to get it? I look at accounting. Accountants learn risk management whether they go into audit or not. It's embedded in their profession. So if you want to know where I lie now, having been converted, I do think that all cybersecurity professionals need risk management. And I would go so far as to say non-cybersecurity professionals need to understand the basics. How do you calculate risk? What is risk?
B
No, it's... In fact, I'm going to squirrel some notes away, and maybe we can do our part through Beauceron and be part of your revolution. And maybe we're going to do a risk management basics module and sneak it into the curriculum, all over the place. And I've got some crazy ways of measuring impact, but I would love that.
A
I would absolutely love that.
B
Maybe a little bit of postdoc work on that, because I do think you're on to something. Obviously I run a 50 person company. Every single day I feel like quoting Captain Kirk from the original Star Trek. I don't know if you're familiar with this scene, but this is a great William Shatner scene and I'm not going to do it credit, but he looks around to his senior officers and he says, risk is our business. And that's true. Right? There is no reward in business without risk. And so you have to have a certain amount of risk, otherwise it's not worth doing. It's just not. So you have to have that. Now you can be cavalier about risk, which way too many startups, I'm looking at you, AI companies, are. Or you can be responsible with risk. What's interesting, and I'll get to my question on this, is that you've gone on this interesting path from your MBA down into this risk management PhD, and I've been playing around now in psychology and neuroscience and behavioral economics. And what's interesting is risk management does not come naturally for humans. We are terrible by design at understanding risk because we have this force known as optimism bias. So we start off, we're not neutral, we're not like computers waiting for the inputs to do the calculus. We're going to say, because of optimism bias, it's more likely something bad is going to happen to Jeff than it is to David. And that's just how we protect ourselves, because we're mortal. So how do we overcome, as you've been studying this, the fact that humans suck at risk management until we learn how to do risk management?
A
You've said it, you've answered your own question. If people are asked to appraise a risk, just pull a risk determination out of the air, optimism bias rules the day. If you break the question down into what do you. How likely do you think this is really? And you express the desire to make a sound judgment, and how impactful relative to the company or our strategic goals is it going to be really. And you limit the choices. It turns out people are actually very good risk managers. But you have to actually force them to do the two step engagement because then optimism bias can't rule the day. And this is why your whole comment about optimism bias is also why that CISO's comment that maybe threat management is enough really is profoundly wrong. Because optimism bias works the other way. If you ask a cybersecurity professional how risky something is going to be, they're going to overestimate risk 100% of the time if they don't. If they don't break it down.
B
No, I don't know if there's a right term for it, but I'm just going to call it the er, tendency. Right. It's all bad. We're going to get hacked. And I don't know if this is like just the PTSD that happens inside of our space because you're just, you're doom scrolling the latest Stryker medical hack or the new iOS exploit kit and it's just like Biden is. And I guess maybe that's a bit of confirmation bias, right? Like we just keep seeing the same bad things and so we overestimate the frequency, the likelihood, the impact, all of these things. Because that's top of mind front of the process. It's. But it's interesting, right, because it's this idea that a formal process, it's not that complicated. Like you've said the formula a couple of times. It's. So let's cover it one more time. It is likelihood and impact relative to
A
the company or what? Yeah, there has to be a frame of reference not relative to the system, but relative to the company or its strategic goals.
B
So if you're out there listening this weekend and you have tens of thousands of devices registered in Intune and if having those devices wiped out would really have a high impact, we now know likelihood of someone wanting to try this is now probably increasing because it just happened. Maybe Monday morning you're like, you know what, that, that advice from CISA about maybe two admins approving it. Maybe this should be higher on my list of priorities for my scarce look of time versus worrying about, I'm going to pick on my friends in Quantum. Could we shut up about post quantum encryption for a little bit and be like, okay, we've got a handle on that. We have a plan. I have managed that risk. I need to take my attention to other things. But I wonder, and this is in the question because you've also had some military service as well. Is it the adrenaline, is it that we're drawn to the sexy scary and then we want to focus our time on that versus the mundane scary that might actually be more pragmatic?
A
Well, I a hundred percent believe that, David. But the problem is sometimes the sexy scary isn't actually sexy or scary, like I gave you an example earlier about what's the higher risk, the meteor or the car crash? The meteor sounds amazing, but it's actually a lower risk, so we are absolutely drawn to it. But if we understand the risk, I think it's better to be grounded in reality. Okay, so maybe car crashes are really where my attention lies, and this is where I'm going to get noticed. Making a difference. And it doesn't sound sexy, but in terms of risk management, like, you can show that it is by far a bigger deal. Did you ever see that movie? I think it's eleven Angry Men. It was in black and white from the 50s about one guy who thinks they're a jury, and one guy thinks the guy is innocent, and the rest of them think he's guilty. And eventually that one guy changes the rest of their minds. Have you ever seen that movie?
B
Yeah. So I think it might be 12 angry men.
A
12?
B
Because it's a jury. Yes. And it's a famous play, and it's been done a couple times, I think. Yeah, no, I have. And what's interesting is that, like, they all just want to go home. They all just want to, like, just be done. They've made their minds up. Like, it's done. It's clear, man, what are you doing? Why are you being opposite? So where do you want to go with that? Is. Is that, like, the risk manager needs to be that. That one man.
A
He or she does. But I had a moment like that where I was in a meeting, and I was in mind, like, I. I was in a very important meeting with people who were more senior than me, had bigger titles than me, made more money than me, and I was just there as an observer. And they were talking about this catastrophic thing that had come to their attention, and they were worrying about, like, financial consequences or whatever. And then because I didn't have a speaking role, I just shut my mouth. And then someone asked me my opinion, and I said. And I thought about it for a minute before opening my mouth. And then I said. And I did a risk calculation. I think the likelihood is this. I think the impact is this. According to your own documentation, that's this risk. I think it's a risk that can be accepted. You've accepted this falls below your risk tolerance level. And I saw one person blink. The person that was in charge of the meeting blinked, was not expecting one person to say, we can accept this risk. And then they debated for another 20 minutes, and eventually they all came to the same conclusion I did. And they were thankful, but it was that experience of 12 angry men.
B
And you know it's interesting, my experience has been a little bit different, and so I have some mixed feelings about project management and project management risk registers. And of course my background in my undergraduate is information and communication studies. And so the medium is the message, Marshall McLuhan, all that kind of fun stuff and the way that information can get transformed along a process. And so I often feel like executive stakeholders accept a lot of risks that were poorly communicated. And so it's interesting, like your experience was it took a lot of communications to get a group of people to accept risk. And my experience has been sometimes people are way too quick to accept it to get things done. Does that mean, can both forces exist?
A
If the risk itself hasn't actually been calculated, like rationalized, then you can talk about it till you're blue in the face. It's not really like they're accepting risks that aren't really, aren't really, they're not poorly, they've been poorly communicated because someone doesn't rationalize them. When you actually break down how you've come to the conclusion that this risk is this, you're actually equipping them with better decision making tools.
B
So I guess for folks listening to this who are cybersecurity professionals and they're like I think I'm a threat manager. Where do they start? Where do they go?
A
Start with the simple calculation, estimate the likelihood, use your judgment and then if you can estimate a likelihood in a five point scale, estimate the impact in a five point scale where one is it's only going to affect a few individuals or nothing at all and five is it's going to impact the whole company. Do a simple risk calculation, then explain to others why you think it is what it is and realize that cybersecurity professionals have more tools in their toolbox than just avoiding risk. We can accept risk and we do all the time. I think David, you said to me one time the only true way to have a risk free company is to shut it down. So we have to, we leave our house each day because we accept risks. So I think the profession, pick up a risk framework, NIST Risk Management Framework. They have a couple of good documents on this. Find out its risk assessing process. How do you determine likelihood? How do you determine impact? Can I use this in my thinking?
B
so I, I don't need to run out and buy a $5,000 cert? I can start simple.
A
Yep, sorry about that. I don't have any certs in Risk management, none.
B
But you've got practical experience in it and you've been in the rooms making decisions and you've influenced. Yeah, the expression, I think we used to say was the hippos. Right. The highest paid person in the room or the highest influential person in the room. So you've been in with the hippos and survived the tale, which I can tell you. Like, there's quite a few cybersecurity professionals that go in and they don't have that risk management background. And they go in and they attempt to FUD decision makers like, we need $2 million right now. And they're like, no, I'm not socialized to this. I'm not bought in. You haven't clearly communicated the risk. I feel like you're the risk now I have to manage you. Because I think that's the other side that we get into in this profession. I may have walked that line a few times. The CIO at UNB where it was like, all right, David, rein it in. Probably could have benefited from being a rhetoric risk manager, I think. I think always loved the ability to foresee what could be, but lacked until I did. Some elements of my CISM taught me again the framework that you've mentioned. So I was like, okay, there's a better way to math this out. But if I had to compare this and maybe I'm right, maybe I'm wrong, could we use this risk management framework and something like the Eisenhower decision matrix to kind of place these things right? Like the delegate, the delete, the act immediately. That kind of framework, is that what. How do you, how should we organize? If we do the 5 by 5 math, where do we put these things?
A
Simplify it to 2 by 2. There's high impact or low impact, there's high probability, there's low probability. If you can put a risk in one of those quadrants, high impact, high probability or high impact, low probability or low impact, low probability, whatever, you can make decisions around it. So anything in the upper right hand quadrant, high impact, high probability, you want to manage, you want to avoid; anything in the high impact, but low probability, you might want to reduce; anything in the low you can accept. So what this. So you can actually put these things together is you can use your ability to do basic risk calculations to make decisions. And that includes the things you mentioned, delegating. Can we delegate this risk management piece to so and so or this group who needs to own this decision? Think of, for example, an enterprise risk management policy. It can delegate lower risk management decisions based on the risk assessment to operational groups, but then the executive management team retains the right to manage the high risk things. So I think that this gives you the ability to put structure around how and why you make the decisions that you do.
B
We, it's interesting. We exist in an industry that wants to find the bad guy, wants to stop the hack, wants to get that adrenaline, dopamine, cortisol cocktail. This stuff sounds pretty academic, pretty spreadsheet, pretty dry. Is it?
A
I don't think so. Obviously a dissertation has to be by necessity because you're presenting it to other academics, but at the end of the day, if cybersecurity professionals want a seat at the table and they want their not only their recommendations to be sound and their voice to be heard, and they want to be effective professionally, it's a competency they need to learn. And it's not hard to learn. Like I learned it begrudgingly.
B
I appreciate your candor. It's like I didn't willingly embrace this, but once I found it was useful to me, I have converted on the road to Damascus. I'm gonna, I'm gonna be the next great disciple, which is just phenomenal. Lastly, if we had to give people advice about where things fit in that impact and likelihood size, we always say the same few things. Multi factor authentication, password managers, patch your stuff. Is there something we're missing?
A
If we did this better, all of those things are. I'm not throwing them out the door. Like the calculus, let's say, I know people don't like the word, the math. The process is very simple. It's impact times likelihood. The business unit can help you understand impact. This system is more important than that system because here's the function that it produces. So the decisions you are, the conversations you're already having feed into this. When you look at things like vulnerability, exposure, are there patches available? Those things all feed into how you calculate likelihood. If you've got an unpatched system but there's a patch available, you can reduce the likelihood. So my recommendation would be learn the calculus, the math, not just the vocabulary. And the credential tells you what threats look like, it doesn't teach you how to price them. And what I'm advocating is to learn actually how to do what's called an expected loss estimation or calculation. That's really what risk is. If the probability is realized, what do we lose? And that's really what everything needs to be predicated around.
B
I think the last thing that I wanted to cover on this side is what if you had to go back to our days at universities, to the higher ed world, to us 15 years ago, how would you convince us to get on that road to Damascus on risk management?
A
I would answer you by saying 15 years ago, I'd like to have been a better mentor. And I think the way to be a better mentor is to provide an example. And I think the way to provide an example as a CISO is to actually live and eat and breathe this stuff without question, and then people will absorb it by osmosis. That's how to make an immediate like a. Sometimes you just have to make one small difference at a time. And if you're doing that within an organization or an organizational unit, then you're making a difference. And that's where really where I would put my focus on is like how to be a mentor, how to make. Because there's a gap. When I came up through the profession, I had a technical background. I was a sysadmin. I loved everything technical. And then when I hit my first job as a manager, the inability to speak the language of ROI and to understand truly what the risk was was an impediment. And the epiphany that I've had, the road to Damascus moment, was not only like an epiphany for my career, but it was an epiphany for how CISOs, our profession, can make a difference in a company. And so if you can just embrace that early and teach it to the profession, then it's gonna propagate out.
B
No, that's. That's awesome. Thank you so much for your time. I hope after your PhD is properly given all the celebration and time, I hope you give some thought to maybe turning it into something that us regular peeps can use. I'm sure you've got that in mind.
A
What I am doing though is NIST is very aware of this and I have been in weekly meetings with them for about six months. They really want to. The I. I sound like I'm banging on the NIST framework, but I really love it. Like it's comprehensive, it's very good. And they really want to start working towards version three. And so they want to take what I've learned and try to make it a better product. And I. It's. It influences 14,000 certification courses, including CISSP, all of them, CISA.
B
Wow. You. Yeah. Awesome. But Jeff, thanks so much for your time. Thanks for taking. What's fascinating is what seems like a really intimidating topic, risk management. Highlighting that we're not doing it even though we say we're doing it. Showing us how easy it could be and the first steps. I think you gave that analogy earlier in the interview about this. Here's the skills development path. Start with the simple math. Start making these decisions. Win friends and influence executives. Win from success. So thank you so much. It is wonderful to see you. And I am jealous that you're doing your PhD. Someday I hope to do mine. I'm an aspiring academic, but thank you so much, David.
A
Anytime. It's been a pleasure. Thank you.
B
Take care. Cheers. Bye.
A
We'd like to thank Meter for their support in bringing you the podcast. Meter delivers full stack networking infrastructure, wired, wireless and cellular to leading enterprises. Working with their partners, Meter designs, deploys and manages everything required to get performant, reliable and secure connectivity in a space. They design the hardware, the firmware, build the software, manage deployments, and even run support. It's a single integrated solution that scales from branch offices, warehouses and large campuses all the way to data centers. Book a demo at meter.com CST. That's M-E-T-E-R dot com CST.
Date: March 21, 2026
Host: David Shipley (filling in for Jim Love)
Guest: Jeff Gardner, veteran CISO, researcher, and consultant
This episode dives deep into a foundational flaw in how the cybersecurity industry approaches risk management. Host David Shipley interviews Jeff Gardner, a long-time CISO and recent PhD graduate, whose dissertation challenges the industry's long-standing approach to risk. Gardner argues that what most cybersecurity professionals call ‘risk management’ is actually ‘threat management’, and the industry's ingrained misclassification leads to poor prioritization, wasted resources, and persistent security failures despite ever-increasing investment.
“Cybersecurity professionals were making risk management decisions but not doing the risk calculus. And that…was really kind of an important epiphany for me.” (A, 04:36)
"What we think is risk is not risk, it's threat management." (A, 07:54)
“So the question really is if the people who are talking like they're risk managers aren't, who is managing technical risk? That's the question.” (A, 09:51)
“If you can get qualitative assessments…you can throw it to a risk matrix and get a quantity. And then if you get a quantity, you can make a decision…” (A, 13:58)
“If you went to a CEO and said, I'm gonna need you to spend 10 times as much…what am I gonna get in return? Five times worse results. You'd be tossed out the door.” (B, 19:10)
"We talk about risk management as one thing, not as specific actions...the failure of that model was really profound." (A, 24:57)
“If you want to be successful as a profession, you need risk management. If you want to fail, ignore it.” (A, 26:37)
"We’re using risk management language but not using the skills." (A, 27:27)
"The process is very simple. It's impact times likelihood." (A, 44:35)
On the fundamental problem:
"What we call risk management only we call risk management…our approach to defining risk, look at configuration state, look at vulnerabilities, look at exploitability, look at adversarial agents. So we redefined risk and...it's really not risk." (A, 07:21)
On industry progress:
"If companies are serious about creating value, they have to do it in a risk managed way, which means they have a limited number of resources. And when you don't prioritize risk, …you're not applying those resources in an intelligent way." (A, 16:04)
On personal transformation:
"When I realized that risk management was the secret to making technically sound decisions and the ability to prioritize, my attitude towards risk management completely switched." (A, 19:48)
On human bias:
"If people are asked to appraise a risk, just pull a risk determination out of the air, optimism bias rules the day. …You have to actually force them to do the two step engagement because then optimism bias can't rule the day." (A, 32:41)
On how to start:
"Start with the simple calculation…estimate the likelihood, use your judgment…Do a simple risk calculation, then explain to others why you think it is what it is..." (A, 39:29)
On lessons for the next generation:
“The inability to speak the language of ROI and to understand truly what the risk was an impediment. And the epiphany that I've had…was an epiphany for how CISOs—our profession—can make a difference in a company.” (A, 46:37)
| Timestamp | Topic |
|-----------|-------|
| 02:13 | Jeff’s path to doctoral research and the origins of his risk management focus |
| 06:52 | Industry-wide misunderstanding: risk management vs. threat management |
| 09:04 | Why the distinction matters to every organization, regardless of size |
| 10:09 | Case studies: Equifax, Target, and risk miscalculations |
| 12:55 | How to qualitatively estimate likelihood and impact for practical risk calculations |
| 15:43 | Why risk prioritization is necessary in business |
| 18:55 | Spending more but achieving worse outcomes: industry scale failure |
| 20:57 | How certification frameworks perpetuate the misclassification of risk |
| 25:26 | Pushback from within the profession (“threat management is enough”) |
| 27:21 | CISO burnout and lack of true risk skills |
| 29:47 | Should all IT learn risk? Yes. |
| 39:29 | How individual cybersecurity professionals can begin practical risk assessments |
| 42:00 | Matrix approach: 2x2 or 5x5 for decision-making |
| 44:30 | Final practical recommendations and the need to go beyond vocabulary |
| 46:37 | Mentoring, personal regrets, and advice for next-generation CISOs |
If you've ever wondered why cyber breaches keep making headlines despite massive spending and armies of trained professionals, this episode delivers the uncomfortable answer: The industry has conflated ‘threat management’ with true ‘risk management,’ neglecting the math and business context that make security effective. Jeff Gardner exposes how this confusion persists, why it’s supported by current training and certification, and how individual professionals—and the industry at large—can fix it, starting with basic, practical steps.
Takeaway:
“Start with the simple calculation…estimate likelihood and impact. Use the math—not just the words—to guide your decisions. That’s real risk management.”
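An added example, not from the episode or either speaker, that turns the calculus Jeff describes into a small risk register evaluator: 1-to-5 likelihood and impact, score as impact times likelihood, the 2x2 quadrant choosing avoid, reduce or accept, ERM-style delegation by score, a one-step likelihood reduction for an existing control such as an available patch, and the expected-loss form. The cut-off, tolerance and register values are constructed assumptions.

```python
# Added example (not from the podcast): the episode's risk calculus in code.
# Likelihood and impact are scored 1..5, score = likelihood x impact, and the
# 2x2 quadrant picks the treatment; the cut-off and tolerance are assumptions.
from dataclasses import dataclass

HIGH_CUTOFF = 3      # assumed: a 3, 4 or 5 on either scale counts as "high"
RISK_TOLERANCE = 6   # assumed ERM policy: scores at or below this are delegated


@dataclass
class Risk:
    name: str
    likelihood: int            # 1 = rare .. 5 = almost certain
    impact: int                # 1 = a few individuals .. 5 = the whole company
    mitigations: tuple = ()    # existing controls, e.g. "patch available"


def effective_likelihood(risk: Risk) -> int:
    """Each existing mitigation lowers likelihood one step (never below 1)."""
    return max(1, risk.likelihood - len(risk.mitigations))


def score(risk: Risk) -> int:
    """The simple calculation from the episode: impact times likelihood."""
    return effective_likelihood(risk) * risk.impact


def treatment(risk: Risk) -> str:
    """Map the 2x2 quadrant to a treatment: avoid, reduce or accept."""
    high_l = effective_likelihood(risk) >= HIGH_CUTOFF
    high_i = risk.impact >= HIGH_CUTOFF
    if high_i and high_l:
        return "avoid"     # upper-right quadrant: manage it actively
    if high_i:
        return "reduce"    # high impact, low probability
    return "accept"        # low impact: record it and move on


def owner(risk: Risk) -> str:
    """ERM-style delegation: low scores to operations, high to the executive."""
    return "operational group" if score(risk) <= RISK_TOLERANCE else "executive team"


def prioritize(register) -> list:
    """Order a register by score, highest first, so scarce time goes to the top."""
    return [r.name for r in sorted(register, key=score, reverse=True)]


def expected_loss(probability: float, loss: float) -> float:
    """Quantitative form: if the probability is realized, what do we lose?"""
    return probability * loss


# Constructed register using the episode's own illustrations (values are made up).
REGISTER = [
    Risk("meteor strike", likelihood=1, impact=5),
    Risk("car crash", likelihood=4, impact=3),
    Risk("internal system on TLS 1.2 not 1.3", likelihood=2, impact=1),
    Risk("unpatched server", likelihood=3, impact=4, mitigations=("patch available",)),
    Risk("mass device wipe via Intune", likelihood=3, impact=5),
]

if __name__ == "__main__":
    for r in sorted(REGISTER, key=score, reverse=True):
        print(f"{r.name:<36} score={score(r):>2} {treatment(r):<7} owner={owner(r)}")
```

Run as a script it prints the register ordered by score, which shows the car crash outranking the meteor and the available patch moving the unpatched server from avoid to reduce.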