Larry Clinton: "The Essence of Cybersecurity is that All the Incentives Favor the Bad Guys."

Boardroom Governance with Evan Epstein

Dec 19 2023 • 1 hr 3 mins

(0:00) Intro.

(1:21) About the podcast sponsor: The American College of Governance Counsel.

(2:08) Start of interview.

(2:49) Larry's "origin story."

(4:49) About the Internet Security Alliance (ISA). Founded in 2000 by former Congressman Dave McCurdy, former chairman of the House Intelligence Committee. Larry joined as CEO from the beginning.

"The ISA view is that we need to look at not just how the attacks are occurring, we also need to look at why the attacks occur. Because unless we understand why the attacks occur, we're never going to be able to create a truly sustainable system."

"Cyberattacks are cheap, easy to acquire, they're incredibly profitable, trillions of dollars a year in damage. The business plan is fabulous, same attacks all over the world constantly. It's hard on the defense side, we're defending an incredibly porous perimeter. It's hard to show return on investment to things you've prevented, and there's no law enforcement. We prosecute maybe 1% of cybercrimes. So it's that imbalance in the economics of cybersecurity that ISA focuses on."

"The reason that we have all these attacks is because it is such a profitable endeavor to do these attacks."

(10:19) China's threat in cybersecurity.

(12:07) About the NACD/ISA Director's Handbook on Cyber-Risk Oversight.

(15:36) On the evolution of the Directors' Handbook since its first version in 2014. International editions, and adding a 6th ESG principle ("the systemic resilience and collaboration principle").

(20:20) On the cost of cyber crimes: expected to cost the world ~$8 trillion dollars in 2023 (per the WEC).

"The narrative is that the export controls and sanctions and de-risking coming out of Washington DC is simply pushing China to be more self-sufficient." "This has to be seen as a temporary measure, that gives us time to resolve the actual conflicts that exist."

(24:40) Principle 1: Cybersecurity from IT risk to a strategic, enterprise risk.

"We would argue that cybersecurity should be considered in the same sense by a board, that they would consider finance and legal. So the board does not make any decision, any important decision, without consulting with legal and finance. We would argue in the 21st century, there's not a single important decision the board makes, major decision, that does not have a cybersecurity component to it."

(27:12) Principle 2: Legal and Disclosure Obligations.

(28:05) Principle 3: Board Oversight Structure and Access to Expertise.

"[I]t is probably not necessary, it may not even be a good thing, to have cyber experts, so to speak, on the board. We think that this is a full board responsibility."

(29:43) Principle 4: Enterprise Framework for Managing Cyber Risk.

(31:03) Principle 5: Cybersecurity Measurement and Reporting.

"[T]he core definition of what a cyber risk is, is how much money is this going to cost our firm over a certain period of time. That's a definition of risk. And you need to be able to figure out what this means to the business. [T]here is all sorts of spending, you know, in cybersecurity. We are now seeing exhaustion with that. We're seeing boards saying, hey, we're not going to increase your budget by 200% every year. Can't do it."

(33:53) On the SEC mandating cybersecurity experts in the boardroom.

"ISA's number one legislative agenda is we need much more cybersecurity people. You know, one of the reasons that we can't have a cyber expert on every board is we don't have enough cyber experts for every board."

(36:53) On SolarWinds' CISO enforcement action, and the case of Uber's CISO conviction.

(41:40) How should boards think about China risk ("digital silk road")?

"I think it was General Alexander who commented that the theft of intellectual property from cyber means is the largest single theft in world history."

(45:36) Regulating Artificial Intelligence (AI) and OpenAI's case.

"Dave McCurdy used to say that Congress does two things well, nothing and overreact. So we're in that do nothing space with AI now. We don't want to overreact."

(49:28) Three other issues for boards to consider: 1) The cybersecurity personnel shortage (we currently have a shortage of about 750,000 cybersecurity jobs we can't fill); 2) We should create an economic cyber security model; and 3) Challenges to Government regulation of cybersecurity.

(53:08) Books that have greatly influenced his life:

  1. Working by Studs Terkel (1974)

(53:47) His mentor: his father.

(54:49) Quotes that he thinks of often or lives his life by: "This argument has the added benefit of being true" by Henry Kissinger. "The Godfather is never afraid to demonstrate his friendship first." from The Godfather book by Mario Puzo.

(56:12) An unusual habit or absurd thing that he loves: "(Post COVID) I spend an hour a day just with my son, an hour a day just with my wife and an hour a day working out for my own health."

(58:00) The living person he most admires: Barack Obama.

(59:43) About his new TV show "Fixing Cybersecurity" (launching in January 2024).

Larry Clinton is the President and CEO of the Internet Security Alliance.

__

This podcast is sponsored by the American College of Governance Counsel.

You can follow Evan on social media at:

Twitter: @evanepstein

LinkedIn: https://www.linkedin.com/in/epsteinevan/

Substack: https://evanepstein.substack.com/

__

You can join as a Patron of the Boardroom Governance Podcast at:

Patreon: patreon.com/BoardroomGovernancePod

__

Music/Soundtrack (found via Free Music Archive): Seeing The Future by Dexter Britain is licensed under an Attribution-Noncommercial-Share Alike 3.0 United States License