The Cybersecurity Readiness Podcast Series

Dr. Dave Chatterjee

The Cybersecurity Readiness Podcast Series offers reflective, thought-provoking and jargon-free discussions on how to enhance the state of cybersecurity at an individual, organizational and national level. Host Dr. Dave Chatterjee converses with subject matter experts, business and technology leaders, trainers, educators and members of user communities. He has been studying cybersecurity for over a decade. He has delivered talks, conducted webinars, consulted with companies and served on a cybersecurity SWAT team with CISOs. He is an Associate Professor of Management Information Systems at the University of Georgia and Visiting Professor at Duke University. Connect with Dr. Chatterjee on these platforms: LinkedIn: https://www.linkedin.com/in/dchatte/ Website: https://dchatte.com/

Countering Insider Threats: Seven Science-Based Commandments
Apr 26 2023
Research finds that there was a 44% increase in insider threat incidents across all types of organizations, and 56% of the reported incidents were due to negligence. Equally alarming is that the average annual cost to remediate a negligence incident was $6.6 million. Eric Lang, Ph.D., Director, Personnel and Security Research Center (PERSEREC), United States Department of Defense, draws upon his research to share some of the (science-based) commandments for understanding and countering insider threats. Emphasizing the criticality of human factors, Dr. Lang contends that "without individuals' sincere commitments, the most extensive insider threat policies will fail."

Time Stamps
02:27 -- So Eric, let's first talk about yourself and your professional journey.
04:36 -- What motivated you to write the article Seven [Science-Based] Commandments for Understanding and Countering Insider Threats?
07:51 -- The first commandment states that "Human factors are paramount. Thou shalt not worship technology above personal and social dynamics solutions." Tell us more about it.
15:16 -- Moving along to your second commandment, you say, "Employees are an organization's greatest strength, especially for identifying insider threats. Thou shalt improve supervisory and co-worker reporting." Many employees are reluctant to report potential threats they encounter. I would assume organizations recognize the challenges and have appropriate structures and mechanisms in place to encourage more honest reporting. Your thoughts?
20:45 -- Many psychological factors could come in the way of somebody alerting the organization about a possible insider threat. Thoughts?
26:36 -- I will be very surprised if great organizations, when they make decisions to improve cybersecurity, governance, cybersecurity readiness, those decisions are not influenced by experts in human psychology, the clinical psychologist, or whoever the right person is. Thoughts?
31:07 -- A reactive approach to cybersecurity governance doesn't cut it. Thoughts?
38:37 -- So let me ask you, what do you think are any of the top three things that most employees care about for their job?
43:33 -- Before we conclude, if you'd like to share a few final thoughts.

Memorable Eric Lang Quotes/Statements
"73% of the successful exfiltration incidents were conducted without using technology."
"Technology is necessary but not sufficient, humans will find a way around it. And in this case, 73% succeeded in the exfiltration."
"What was a common successful method for foreign adversaries to get sensitive US industrial information? The answer is they asked for it. It was a form of social engineering in very many cases."
"Technology [often] misperforms not because of malicious intent, but because it was ill-developed."
"So why do employees in an organization with a See Something Say Something policy, often hesitate to report? There are a number of social psychological factors such as 'don't be a snitch' cultural norm. They don't want a coworker to lose their job. They might have a fear of retaliation."
Social psychologists often note an effect called "diffusion of responsibility" when people don't report a potential exfiltration incident.
"If you are aware of something of potential concern, and there are many other people also in the environment, you might think that many people have the same awareness I do, I'm sure someone else will report it. This is called 'diffusion of responsibility' in social psychological research."
"Policy is important, but the execution of it, and bringing employees into correct awareness and engagement is the most important...
Mitigating Risks from Unmonitored Communication Channels
Apr 14 2023
Significant fines in excess of $2 billion have been levied on organizations in the financial services sector for failing to capture, retain and supervise communications. This crackdown on non-compliant communications is the clearest indicator yet that regulators have lost patience with firms that still haven't addressed the supervision and record-keeping risks that were exacerbated by the pandemic. In this episode, Garth Landers, Director of Global Product Marketing at Theta Lake, discusses how businesses can mitigate risks from unmonitored communication channels.

Time Stamps
02:20 -- Please share some highlights of your professional journey with the listeners.
05:10 -- Different types of modern communication tools.
12:05 -- The 2022 Modern Communications Compliance and Security report (produced by Theta Lake) finds that unmonitored communication channels remain the biggest risk. What are these risks?
21:19 -- What are some best practices in securing the different communication channels?
28:47 -- Do you think an organization would be well served if they had written guidelines of the do's and don'ts when using certain channels and made that document readily available to all organizational members?
34:09 -- It's about helping individuals do the right things so that the communication is secure, as compared to gotcha, you made a mistake, and you should have done better. Thoughts?
36:51 -- I emphasize the importance of creating and sustaining a high-performance information security culture. Only when you create that culture, that work ethic, is securing communication channels sustainable in the long run.
40:43 -- We are talking about a proactive approach driven by a change in the mind shift where the leaders are looking at this apparent challenge (securing communication channels) as a strategic opportunity.
45:11 -- Can you address the archival and retrieval challenges?
52:00 -- If there were three or four takeaways that listeners should walk away with from today's discussion, what should they be?

Memorable Garth Landers Quotes/Statements
"Two-thirds of an organization believe that inside their organization, employees are using unmonitored communication channels."
"Unmonitored communication channels pop up because, in many cases, organizations decide not to empower their employees, they give them a Zoom, or a Cisco WebEx or a Microsoft Teams, or a RingCentral, or a Slack, etc., but they don't fully enable them. They don't turn on chat, or they don't allow file sharing, polls, or whiteboards. This forces employees to adopt and use unmonitored communication channels."
"From a process standpoint, don't take a top-down approach to implement modern collaboration platforms."
"Research shows that, on average, at least four different unified/modern communication tools are being used by organizations."
"Most end users are not engineered towards malfeasance and bad behavior, it's carelessness. And the greatest insider threat is that sort of carelessness, and lack of awareness."
"Policy works best when it's not some sort of abstract reality that you pull out when a bad thing happens."
"Technology is out there to get to that balance point of maximum productivity, productive IT but productive and efficient and compliant work as well."

Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these...
Implementing Secure and Fast Authentication Processes
Mar 30 2023
Traditional authentication methods are outdated and need many layers of code, which can take time and resources away from developer teams. If developments like FIDO2, WebAuthn, and passkeys are to be the cornerstones of a passwordless future, then every application (not just Apple, Google, and Microsoft) needs an easy way to adopt these methods and weave them into current user authentication flows. Slavik Markovich, Co-founder and CEO, Descope, discusses current and future authentication trends and the importance of building a low-code/no-code passwordless authentication solution for app developers.

Time Stamps
02:52 -- Slavik, share with us some background information, some highlights of your professional journey.
04:19 -- What are the pain points when it comes to authentication?
09:55 -- So Slavik, where are we headed in terms of the next stage or the next phase of evolution when it comes to more sophisticated authentication systems?
16:01 -- What is that low code, no code, passwordless authentication solution that would make it feasible for developers to focus on developing solutions and functionalities?
25:00 -- There are products in the market, open source or proprietary, that can help take away that additional pain or challenge of developing the authentication part of the solution. The developers can then focus on what they are good at, developing the product functionalities. Is that a fair, high-level representation of what you said?
26:17 -- So where are we with biometric authentication? Have we made more progress?
33:53 -- Are we further along in getting to that ideal goal where just compromising an account doesn't mean the end of the world or doesn't mean a major problem?
36:55 -- Please share some final thoughts.

Memorable Slavik Markovich Quotes/Statements
"If you have a token that you use to authenticate, that's pretty secure, it's very hard to phish it, and it's very hard to steal it."
"A lot of effort is being made in creating authentication around who you are versus what you know. So using biometrics-based authentication is a big step in that direction."
"Use of passkeys, which allow a secure and somewhat frictionless way of authenticating, without having to remember anything." [Note: "With passkeys, users can sign in to apps and websites with a biometric sensor (such as a fingerprint or facial recognition), PIN, or pattern, freeing them from having to remember and manage passwords" (https://developers.google.com/identity/passkeys)]
"Like everything in security, the devil is in the details."
"There is an inherent tension between the security teams and the developers. You kind of try to solve it by bringing security into the development teams."
"Security shouldn't become a bolt-on process but should be part of the architecture, design, review, and implementation."
"Security doesn't sell your product. Eventually, features will sell your product."
"Most developers are not security experts. So, if they implement authentication, there might be big holes that they cannot catch. Then, you end up with account compromises and stolen data from the application."
"The biggest obstacle to biometric authentication is actually education."
"The best password is no password."
Proactive Resilient Approach to Cybersecurity
Mar 15 2023
It is well known that a proactive, intelligence-driven approach to cyber governance is the way to go. But it is easier said than done. Embracing and sustaining such an approach requires high commitment, preparedness, and discipline. Kriti Arora, Security Global Black Belt, Threat Intelligence and Enterprise Attack Surface Management, Microsoft, shares her experiences guiding clients to adopt an intelligence-driven proactive approach to thwarting attacks. She also shares her passion for the field and the satisfaction of training and serving as a cyberwarrior.

Time Stamps
00:48 -- Before we get into the details of a proactive resilient approach to cybersecurity, how about sharing your professional journey? What got you into this field?
03:58 -- You described yourself as a first-generation cyberwarrior during our planning meeting. I found that quite intriguing. Please expand.
06:54 -- Can you shed some light on the different types of opportunities that a cybersecurity career can present to the first generation (of cyber warriors) or people trying to pivot from their existing careers into cybersecurity?
11:14 -- Kriti, tell us briefly about your role at Microsoft. At a generic level, could you share with the listeners what you do at Microsoft?
15:16 -- What is a proactive, resilient approach?
18:08 -- Why do organizations vary in their level of proactiveness? What are some reasons?
21:10 -- What are the five or six things one should do to get started on the path of proactiveness?
27:43 -- Maintaining a log of security intelligence received, and actions taken, might be very useful, especially when an organization is trying to defend itself in a court of law. What are your thoughts?
34:24 -- Every organizational member has a role to play in securing the organization. Do you agree?
36:28 -- Asset prioritization and data retention strategies are key aspects of proactive cybersecurity governance. What are your thoughts?
40:59 -- What measures or metrics are useful in assessing proactive resilience?
45:02 -- Please share some final thoughts and key messages for our listeners.

Memorable Kriti Arora Quotes/Statements
"So, at one moment, you're fighting crimes, doing these investigations like a detective, and researching a problem to find a solution. At another time, you could be troubleshooting a typical problem and providing customer support services."
"The adaptive quality of the field is what makes it thrilling. That's what excites us, the cyber warriors, who are trying to experiment, learn new things, and save the world with different techniques and tactics."
"I consider a proactive approach to be intelligence-driven and holistic. It represents a mind shift on how cyber threats are thwarted."
"In this proactive approach, we focus on indicators of attackers; we try to keep a watch on the entire network and its processes. It's a holistic approach. I would not call it a technique; I would call it a mind shift because you need that mind shift to understand proactiveness. It's like being alert, thinking about the worst-case scenario, trying to prevent it or be prepared to recover from it quickly."
"It's very important to focus on the attack surfaces, whether internal or external. A full or 360 view of your attack surface is very important."
"Successful implementation and sustenance of a proactive resilient approach depend on a high level of cybersecurity awareness and knowledge."
"Organizations must strive to be both secure and productive."
The Challenges and Best Practices of Cyber Security in Emerging Markets
Mar 1 2023
"While developed markets may today bear the brunt of cyber breaches, emerging markets are no less vulnerable. Their risks arise from weak processes and governance, the complexity of global supply chains, the need to remain low cost to attract investment, and the rapid adoption of technology without adequate cyber defenses." Andre Keartland, Solutions Architect at Netsurit, Johannesburg, South Africa, speaks to these realities and offers guidance on managing cyber risks and implementing robust security solutions.

Time Stamps
00:49 -- We have a lot to talk about. But let's first talk about your professional journey.
04:05 -- It would be beneficial if you shared with listeners what we mean by emerging markets. You could talk about that first before talking about the trends.
07:20 -- Bottom line, it is my hunch that the cybersecurity phenomenon doesn't discriminate; every country, whether part of the emerging bloc or the developed bloc, has similar experiences. What do you think? What are your reactions?
09:54 -- Research finds that risks to emerging markets arise from four areas: 1) the complexity of supply chains; 2) the need to remain low cost to attract investments; 3) the rapid spread of technology without adequate availability or awareness of training; and 4) weak regulations. Would you agree with these?
15:46 -- Andre, you're based in South Africa. Let's say some of the listeners might be interested in working or starting a venture there. As they evaluate the business scene, the pros and cons, how should they look at cyber security as a risk factor? What would be your message to them?
20:57 -- The initial bonding and acquaintance phase is challenging when establishing reliable outsourcing relationships. Andre, any thoughts on that?
25:09 -- What can organizations in the developed world learn from organizations managing cybersecurity in emerging markets?
32:05 -- In developing markets, organizations are more alert, more hungry, and more motivated in putting in place the best possible cyber governance practices. So, the sharing of knowledge, the sharing of experiences can be hugely beneficial. Your thoughts?
43:20 -- I always like to give my guests the final word. So now is your time for some final thoughts.

Memorable Andre Keartland Quotes/Statements
"There might be a perception that developed markets aren't as much of a target, which makes them more of a target because it makes it appealing for the attackers."
"There's even a trend of attackers doing proof of concept of the threats inside an emerging market before they go mainstream and try to attack Fortune 500 companies in North America."
"Threats have no boundaries; once they get going, they affect everybody."
"A low cost model often drives economies in the developing markets. That leads to a mentality and an approach where the organizations will then say, well, let's try and cut our costs as much as possible; let's invest in the core of our products, product development, building, the factory. Supporting functions, like cybersecurity, like governance, become de-prioritized."
"What I recommend in general, when going into any emerging market, and as somebody who's now done business in many, many different countries, you need to take a view of the legislative framework. You need to understand whether the local legal system enforces things like copyright, intellectual property, and privacy laws; sometimes, those are not high priorities in emerging markets."
"The best way to get your skills is to build your skills, get the people in the door, put in place training programs, put in place...
Cybersecurity Perspectives of a Community College President
Feb 15 2023
In this episode, Pamela Senegal, President, Piedmont Community College, shares several best practices, including having an information technology presence on each of the college-wide committees. I had the pleasure of meeting Pamela at a cybersecurity symposium organized by the World View Program at the University of North Carolina-Chapel Hill. Charle LaMonica, the Director of UNC's World View Program, also shared her thoughts and perspectives during this very engaging discussion. Driven by the belief that students and instructors must actively engage in cybersecurity governance discussions, she and her team organized a conference to create such knowledge-sharing opportunities.

Time Stamps
00:49 -- To set the stage and get things rolling, Charle, please provide listeners with an overview of the symposium.
03:56 -- I'd like to welcome Pamela Senegal, the President of Piedmont Community College; Pamela, share with the listeners some highlights of your professional career.
06:07 -- Pam, how do you relate to these cybersecurity challenges plaguing community colleges?
11:52 -- How do you manage providing oversight to cybersecurity governance?
16:04 -- Charle, I'd like you to reflect on the cybersecurity symposium. What did you expect the conference to be? And what did it turn out to be?
20:44 -- What are your thoughts on the out-of-the-box methods (such as the cybersecurity carnival hosted by the University of Notre Dame) of making cybersecurity awareness and training a fun experience?
25:43 -- Sometimes, you learn best when you fail. What do you think, Pam?
30:47 -- It is very important to go beyond your current domain and learn what others are doing in their respective fields. What are your thoughts, Charle and Pamela?
34:34 -- What are your thoughts about having a proactive and hands-on top management team?
39:13 -- I'd like to give both of you an opportunity to share some final words with the listeners.

Memorable Pamela Senegal Quotes/Statements
"Every president, every CIO, at every community college, we all have a card; we printed them in several different formats -- poster size versions, business card versions. When you believe you are experiencing a cyber attack, you call that number 24 hours a day, seven days a week, 365 days a year, and it will activate an entire team of resources to help your institution recover."
"Our systems are set such that you cannot install unauthorized software that has not gone through a proper vetting process. And so things are a little less convenient. But it's a trade-off. And I think it's an important trade-off we've made, where the benefits outweigh the negatives."
"We're at a point now as an organization where I don't know how we would survive, quite frankly, without that CIO role being one of my direct reports."

Memorable Charle LaMonica Quotes/Statements
"Good educators constantly want to learn."
"One of the interesting takeaways (from the cybersecurity symposium) was when an instructor walked up to me at the end of the day and said, 'I really thought this was going to be IT. But I learned how important it is for students to know as much about cybersecurity as I learned today.'"
"If we don't start listening to what students want and also hear about the world they're creating for themselves, we're all missing out."
From Law Enforcement Officer to Chief Information Security Officer
Feb 1 2023
In this episode, Brian Penders, Chief Information Security Officer at the University of North Carolina Chapel Hill Medical School, shares his exciting but challenging journey from working as an engineering lab technician on a US nuclear submarine to being a law enforcement officer with the Vermont State Police and then gravitating to his current role of Chief Information Security Officer at a major academic institution. He sheds light on the principles driving the high-reliability organizational culture in the US Nuclear Navy Propulsion Program and how those experiences influenced and shaped his growth as a cybersecurity leader.

Time Stamps
02:24 -- Take us behind the scenes and share some highlights. What were the drivers? What were the motivators? What can listeners take away from your experience?
09:02 -- Let me first focus on that high-reliability organizational culture that was established in the US Nuclear Navy, and you have lived in that culture. Share a bit about what it is like and what could be some takeaways that are relatable or applicable in the world of cybersecurity governance?
16:08 -- Are there any unique challenges that a medical school faces compared to the other units? And if so, how do you go about dealing with them?
19:34 -- Research finds that in general, organizations don't do a very good job of rehearsing their incident response plan; sometimes they don't even have a good plan in place. Brian, as a practitioner, what's feasible and what's ideal?
21:36 -- Is it fair to assume that institutions are rehearsing how to recover from a ransomware attack?
22:20 -- Is this rehearsal of proactively or reactively responding to ransomware attacks taking place at only certain levels, and not at all organizational levels?
23:48 -- So moving on to cybersecurity governance best practices, there are several out there; would you like to highlight a few that you are really big on?
27:03 -- What's the reality around passwordless authentication?
28:58 -- I'd like to give you the opportunity to share some final thoughts with the listeners.

Memorable Brian Penders Quotes/Statements
"The Navy taught me how to learn, and that was more valuable to me at the time than anything I learned about nuclear engineering."
"Incident response is really a great way to learn the environment and build partnerships across an organization."
"The Navy taught me how to learn. The way Admiral Rickover thought through individuals gaining technical knowledge was really amazing. It was based on if you could not draw and explain something to a group of experts sufficiently, then you are not going to move forward."
"If I had 30 seconds with a group, I would tell them to keep their software updated."
"We need to get out of the business of the shared secret. Passwordless authentication is the new and up-and-coming defense to credential theft."
"We have found that folks from liberal arts and humanities can be extremely valuable to supplement and sometimes lead our cybersecurity teams. I'm generalizing, but they're good problem-solvers. They're able to see the big picture, and they're excellent communicators, all amazing skills."
To trust or not to trust: the overwhelming challenge
Jan 18 2023
Clinical psychologist Beatrice Cadet, Scientist Integrator at the Netherlands Organisation for Applied Scientific Research (TNO), draws upon multiple concepts such as 'learned helplessness' to explain why people still fall for phishing attacks despite the training. Beatrice emphasizes the need to factor in human behavioral traits and motivational triggers when developing social engineering solutions and training.

Time Stamps
00:49 -- Please share some highlights of your professional journey.
03:51 -- From a psychologist's lens, what do the social engineering trends look like? What can we expect in the future?
08:13 -- You talked about the need for socio-technical solutions to counter social engineering, and there are a lot of solutions out there. What are some of these solutions?
10:17 -- Unfortunately, we are in an environment where we have to be mindful, we have to be careful, and we have to prioritize. Your thoughts?
13:20 -- Do you think we'll ever get to that stage where humans don't have to worry about making mistakes, because we have great technologies that will cover us?
16:48 -- We are naturally not inclined to be proactive. Your thoughts?
18:56 -- You said, "I want to debunk the emotional aspects of social engineering. We need to be more pragmatic about it. We all fall for it at some point. But how to best avoid it and recover." Expand a little bit about the emotional aspects of social engineering.
24:35 -- From a psychologist's standpoint, what are your thoughts on the Zero Trust approach to cybersecurity governance?
27:37 -- It is so important that human psychology is taken into consideration by involving subject matter experts, such as yourself, when training programs are developed. Would you like to add to that?
34:41 -- The more I think about it, it makes sense to have a Zero Trust approach. Your thoughts?
37:17 -- I'd like to give you the opportunity to share some final words.

Memorable Beatrice Cadet Quotes/Statements
"I think deep fakes are here to stay. They are likely to be used (by criminals) more and more."
"Social engineering can be approached in two ways -- using psychology, i.e., human manipulation to conduct technical cyber-attacks, and using technologies and technical tricks to manipulate people."
"Social engineering is nothing new, and we're still falling for the same old trick."
"Technology is being increasingly used to manipulate people even more effectively."
"When I think of social solutions, I refer to the awareness that comes with training."
"With so much social engineering going on, we cannot expect everyone to always be at their best and ready to check everything."
"If you don't have awareness and mindset, you can do every possible training you want, it won't have the desired effect."
"People really need to understand why cybersecurity training is important; if you don't get their buy-in, the training will be ineffective."
"It has been shown in cybersecurity research that the reason why sometimes things don't work, or people still fall for phishing, is because they know that no matter what they do, or they think that no matter what they do, they will get scammed anyway."
"Beyond being well aware of social engineering campaigns and cybercrime in general, it's also very important to be self-aware, and to know your limits, to know that sometimes you might be overstressed and overwhelmed. And you're not going to be able to make the same type of decision as if you're perfectly healthy and mentally well-balanced."
"The only generalization we can make is that there are no generalizations that can be made."
Useful Technology Should Be Attack Agnostic
Jan 4 2023
In this episode, Patricia Muoio, Ph.D., Partner at SineWave Ventures and Former Chief of the Trusted Systems Research Group, National Security Agency, sheds light on the cybersecurity technology landscape and emphasizes the need to develop technologies that are attack agnostic. Some of the questions driving the discussion include: a) what progress has been made in the development and use of cybersecurity technologies? b) what does it mean to be attack agnostic? c) how near or far are we from taking the burden off people trying to protect themselves from different cyber attacks? and d) what is the ideal government and industry partnership model to develop innovative solutions?

Time Stamps
02:34 -- How about sharing with listeners some professional highlights?
04:12 -- I'm really intrigued to learn about your career trajectory, considering that you got your doctorate in philosophy, so was it on the liberal side of things?
05:35 -- What's your assessment of the cybersecurity technology landscape?
08:12 -- During our planning meeting, you said, "we need to be able to develop technologies that are attack agnostic." Please expand on that.
12:50 -- While you're saying that it doesn't matter how the hackers get into your system, wouldn't I want to know how they are conducting the attack to be able to prevent it from happening in the future?
14:54 -- If I'm a developer listening in on this conversation, what should be some focus areas for new technology development? And if I'm a consumer of these technologies, how should I approach cybersecurity governance?
27:23 -- Will there ever come a day when I could be as carefree as possible, and click on anything I want, knowing that there is technology that will not allow the perpetrators to exploit that and do damage? Will we ever get to that world?
31:57 -- What is your assessment of the government-industry partnership?
38:19 -- Please share some final thoughts and key messages for the listeners.

Memorable Pat Muoio Quotes/Statements
"I think that many problems like endpoint protection, network segmentation, authentication, encryption are essentially solved. There are technologies that do these kinds of things and do them well."
"I think where a lot of the work needs to be done is making these technologies work together and work appropriately for the system in which they are used."
"We need to be able to develop technologies that should be attack agnostic."
"What it means to be attack agnostic -- you stop attackers from getting in, you stop them from moving around, you stop them from getting out, exfiltrating your data, or encrypting your data, executing their payload in any important way. And the details of how they choose to do them, the shape of the malware they choose to execute simply doesn't matter. What matters is that these actions can be identified in the system and stopped in a more general way."
"Users ought to know when less is more."
"I think people need to be careful to understand when risks that sound very very different in their effect, are actually the same in their cause, and that their solution space needs to address the causes and not the effects."
"As these technologies develop, as people become more comfortable with the notion of self-protecting self-healing systems, we will be able to take some of the burden off the users."
"Understand solutions that are based on your system, and not concentrated on what the attack looks like; but what is my system and more importantly, my business workflows, what do they look like, and build solutions that protect them, and not solutions that are based on...
Do you see what attackers see? Threat modeling done right
Dec 21 2022
Threat modeling is an intrinsic part of information security governance and needs to be done well. However, research finds that many organizations don't do it well; some are pretty haphazard or chaotic in their approach. In this episode, Marcos Lira, Lead Solutions Engineer at Halo Security, sheds light on how to do threat modeling the right way. The key questions driving the discussion were: a) what is the scope and purpose of threat modeling? b) what have people and organizations been getting wrong about threat modeling? c) what is the right way of doing threat modeling? and d) what is the future of threat modeling?

Time Stamps
01:45 -- Please share with listeners some highlights of your professional journey.
03:52 -- Marcos, please provide listeners with an overview of threat modeling. What is it? What is its purpose?
08:13 -- Threat modeling is such an intrinsic part of information security governance, and it is so important that it's done well. However, my research finds that many organizations don't do it well. Some are pretty haphazard or chaotic about it. Some want to focus on a few applications and are hasty about it. Your thoughts?
14:06 -- There's a lot of guidance out there. But that can be overwhelming and create confusion regarding the right way to do threat modeling. Can you provide some clarity?
22:19 -- As a practitioner, what are your thoughts about the future of threat modeling?
24:23 -- Please share your final thoughts and help us wrap up the episode for today.

Memorable Marcos Lira Quotes/Statements
"You can't make informed decisions about business without threat modeling."
"What most organizations get wrong is that they believe threat modeling will slow the business down."
"What most people get wrong about threat modeling is that it is time-consuming, cumbersome, and confusing because there are so many methodologies out there."
"Threat modeling is a proactive approach. It's going to help the organization decrease costs over time."
"The Threat Modeling Manifesto said it best -- the right way of doing threat modeling is by answering four questions: a) What are we currently working on? b) What can go wrong? c) What are we going to do about it? d) Did we do a good enough job?"

Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks. Connect with Dr. Chatterjee on these platforms:
LinkedIn: https://www.linkedin.com/in/dchatte/
Website: https://dchatte.com/
Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338
https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712
Latest Publication: https://www.imd.org/ibyimd/magazine/preventing-security-breaches-must-start-at-the-top/
Implementing Phishing Resistant Multifactor Authentication
Dec 7 2022
The Cybersecurity and Infrastructure Security Agency (CISA) recently (Oct 31, 2022) released fact sheets urging all organizations to implement phishing-resistant multi-factor authentication (MFA). In this episode, George Gerchow, Chief Security Officer and Senior Vice President of IT, Sumo Logic, and I have an in-depth discussion on this very important security subject matter. The scope of coverage ranges from providing an overview of MFA and its benefits to discussing the challenges and hurdles of implementing phishing-resistant MFA, recommended implementation approaches, and the future of MFA.

Time Stamps
01:53 -- Please share with listeners some highlights of your professional journey.
02:51 -- Please provide listeners with an overview of what multifactor authentication is.
03:52 -- A recently published article on Dark Reading reports that a massive phishing campaign targeting GitHub users convinced at least one developer at Dropbox to enter in their credentials and the two-factor authentication code, leading to the theft of at least 130 software code repositories. Essentially, the perpetrators exploited the multi-factor authentication fatigue. George, your reactions.
06:51 -- You said that many organizations don't even have multifactor authentication. That begs the question, why is that the case? Is there a technology aspect to it, a technological complexity of having multifactor authentication integrated into existing legacy systems? Is there a cost aspect to it, is it very expensive? What does your experience tell you?
08:30 -- From personal experience, I haven't felt the fatigue. Even if I had to review several times or take that extra step to authenticate, I would because I am paranoid about ensuring that access is very secure. So I have brought about a change in my own mindset. I'm just curious to know if organizations are striving to bring about a change in the multifactor authentication mindset. What are your thoughts?
12:23 -- As humans, it is our natural tendency to assume, Oh, it's not going to happen to me. And if it does, we'll deal with it then. And I know that organizations also often have that mindset; some organizations know they will get bailed out. George, what are your thoughts?
22:21 -- Would you like to expand on how organizations go about implementing phishing-resistant MFA? What solutions are available out there?
25:09 -- George, I read about this FIDO authentication, the FIDO Alliance, where they have developed this protocol to enable phishing-resistant authentication. Can you expand on that?
26:50 -- During our planning meeting, you made a couple of very poignant statements, one of which is, "leaders should create a culture where employees feel they can slow down for the sake of security." Help tie this to our discussion on multifactor authentication.
30:44 -- Going back to this multi-factor authentication fatigue, is there really a fatigue? Or is it being hyped up? What's the real story?
35:33 -- George, I'd like to give you the opportunity to share some final words, some key messages for the listeners.

Memorable George Gerchow Quotes/Statements
"Absolute laziness is really what it comes down to in the beginning; I don't want to disrupt my organization by having them go through this extra step."
"Development organizations that are heavy with startups, the developers do not want to take that extra step. Sometimes executives are also unwilling to follow through with that extra authentication step -- Do I really have to do this? I know it's a policy, but can't I get around this? And the answer should be flat-out No, under any...
How do SMBs protect themselves from ransomware attacks?
Nov 23 2022
A recent Global SMB Ransomware survey finds that nearly half of small and medium-sized businesses (SMBs) have experienced a ransomware attack, yet the majority aren't sure they are a target, and most are not confident they can fend off such an attack. Since 60% of SMBs are known to go out of business within six months of being hacked, it is a very troubling state of affairs. In this episode, Grayson Milbourne, Security Intelligence Director at OpenText Security Solutions, joins me in discussing the security challenges faced by SMBs and sharing success factors and best practices.

Time Stamps
02:21 -- Before we get into the details of SMB information security challenges and best practices, let's talk about you a bit. Share with listeners some highlights of your professional journey.
04:19 -- From a cybersecurity risk resiliency and defense standpoint, small and medium-sized businesses (SMBs) are often the most vulnerable and least mature. As one CIO of a midsize bank put it, "many cybercriminals are specifically targeting midsize companies that are in the cybercrime sweet spot. They are big enough to have significant bank accounts, but they often don't use the latest cybersecurity defenses. Also, middle market firms are often the gateway to bigger targets for cyber thieves." Your thoughts and reactions?
10:53 -- In a study that my colleague, Mike Benz, and I published, we noted that 95% of the surveyed SME IT leaders believe they have an above-average security posture. And so the concern is when you think you are prepared, but actually, you are not; that is a bigger problem. Don't you agree?
17:38 -- Grayson, I'd like to go back to the ransomware report, the survey report that your organization published. It's concerning that nearly half of SMBs have experienced a ransomware attack. And yet the majority still don't think or aren't sure they are a target. Why don't you expand on this?
23:57 -- Grayson, what are the top three things that you would recommend SMBs do to protect themselves from, say, ransomware attacks? What would be those top three things?
30:43 -- My research finds that, time and again, a lot of planning happens, and a lot of documentation is maintained. But when it comes to execution, that's where organizations fail time and again. Your thoughts?
36:05 -- I'd like to give you the floor to wrap things up for us.

Memorable Grayson Milbourne Quotes/Statements
"What we see in the SMB space is that if they encounter ransomware, they don't report it. And they want to sweep it under the rug, move on and pretend it didn't happen. And unfortunately, that has other consequences that come along with it."
"One of the biggest things that causes a headache during a ransomware incident is that it's a timed attack. They don't give you a lot of time to pay the ransom before they increase the demand because they know you're going to start scrambling, you're going to start thinking, Okay, what backups do I have in place? If you rehearsed the plan, at least you have a battle card to go to, you have some steps, and you're not scrambling because this is the worst time to be scrambling."
"I think one thing that insurance probably doesn't look at is your readiness plan."
"It comes down to reacting properly in that critical amount of time when you face one of these types of attacks."
"Average downtime can be several weeks. It is right to look at cyber risk as any other risk to your business's continuity."
"As your business grows, I think there's tremendous benefit in having an internal security-focused resource."
"Ransomware reporting is vastly underreported. People don't want to have that black eye, they don't want to...
Cybersecurity As A Strategic Opportunity
Nov 9 2022
In this episode, Kal Sambhangi, Senior Vice President, Cybersecurity Strategy and Architecture at Truist, shares his vision of the future of cyber governance. According to him, the leadership mindset needs to change so that leaders are optimistic and opportunistic about cybersecurity and view developing cybersecurity capabilities as a source of competitive advantage. Kal also emphasized the importance of attracting professionals from other fields. He said, "I think cyber security as a community should start embracing people with other skills. I think there is a lot of opportunity here, for people skilled in software development, program management, product management, and data analytics."

Time Stamps
01:28 -- How about providing listeners with some highlights of your professional journey?
03:04 -- You said, "the security industry needs to pivot away from getting things done rather than talking about things. This is a problem that does not have a purely technological solution." Can you please expand on this statement?
08:38 -- Based on your experience Kal, having worked in different organizations, and currently being a senior leader in a very large institution, do you feel that steps are being taken to create and sustain a high-performance information security culture? Also, what are your thoughts and perspectives on the ideal CISO reporting structure?
16:38 -- I have seen different views of the leadership across different industries, and they are not all aligned in terms of seeing cybersecurity as part of their strategic core. What are your thoughts?
34:10 -- I'd like to give you the opportunity of sharing some final words before we call it for today.

Memorable Kal Sambhangi Quotes/Statements
"The security industry needs to pivot away from talking about things and why they go wrong into getting things done and fixing things. This is not a problem that has or can have a purely technological solution."
"I think the goal of securing a business is a bigger strategic decision rather than a set of technical tasks."
"Cybersecurity should not be an afterthought. It should be part of the business model itself, or part of the digital strategy itself."
"Cyber leadership should help embed security throughout the company's products, channels, and operations. And to do so, one has to be able to influence fellow senior leaders. It has to be a collaborative effort. If you have to influence fellow senior leaders, then you got to be talking the same language."
"It's about how securely we are engaging with our customers, how securely we are running our business. So information security needs to be embedded in the culture."
"Cybersecurity could be a competitive advantage."
"I think the key is the ability to abstract the technical concepts into messages that would grip senior leaders, both logically and emotionally."
"I think cybersecurity needs to move towards the paradigm of product management in terms of delivering cyber capabilities within the organization."
Comprehensive Asset Discovery
Oct 26 2022
Comprehensive asset discovery is foundational to robust and proactive cybersecurity governance. The Cybersecurity and Infrastructure Security Agency recently issued a directive (BOD 23-01) requiring federal enterprises (civilian executive branch) to perform automated asset discovery every 7 days. Among other things, the directive also requires federal enterprises to initiate vulnerability enumeration across all discovered assets, including all discovered nomadic/roaming devices (e.g., laptops), every 14 days. Huxley Barbee, Security Evangelist at runZero and former Cybersecurity Practice Lead at Cisco, discusses the various methods of comprehensive asset discovery and provides guidance in selecting an appropriate asset discovery tool.

Time Stamps
01:33 -- Please share with the listeners some highlights of your professional journey.
03:13 -- Share some stories and anecdotes of the consequences of poorly managed asset inventory.
09:37 -- Why didn't organizations engage in comprehensive asset discovery? What were the hurdles, if any? Now that there is a CISA directive, what's the guarantee that organizations will be in a position to follow through with the orders?
13:12 -- Let's discuss some solutions, recommendations, and approaches to better managing asset discovery.
22:00 -- It seems that the unauthenticated scan is the best approach. Can you please clarify?
26:16 -- It is equally important for organizations to report on the actions taken in response to the discoveries. Is there a CISA directive to that effect? Can you shed some light on that, please?
33:32 -- Please summarize some of the key takeaways from our chat this morning.
35:42 -- How about providing listeners with some selection criteria when they're evaluating different asset discovery products in the market? What should they be aware of? What are the kinds of questions they should be asking, so that it helps them make good selections?

Memorable Huxley Barbee Quotes/Statements
"The unfortunate reality is that asset inventory is still an unsolved problem for so many organizations. They might have some tooling for dealing with asset discovery, but usually, they end up with spreadsheets."
"There is greater recognition, especially from government agencies, of the need for asset discovery."
"Asset inventory isn't just a list of devices that you have on your network. It's also what is on those devices, what services are on those devices, what ports are those devices listening to, and who owns those devices."
"There are many hurdles associated with asset inventory management. The one that looms the largest is unmanaged devices, unmanaged assets; that is the Achilles heel of any asset inventory program."
"Why would the adversary go for a well-managed, up-to-date, patched machine when they can just go ahead and attack something that's out of date and unpatched, with numerous exploits that they might be able to download from the Internet."
"Unmanaged devices are why customers end up using spreadsheets where the existing tooling just isn't performing as they want. And so they have to end up using spreadsheets instead."
"With unauthenticated scanning, you have the best of many worlds, right, you have the ability to go out and find all the assets on the network, even if they're unmanaged. But you don't have the problems of credential spraying. And depending on how the unauthenticated scanner is implemented, you can even talk to OT devices without the fear of crashing some sort of mission-critical function."
"Effectively, BOD 23-01 is suggesting the use of unauthenticated scans for the asset discovery portion of this particular directive."
"A customer...
Is Cybersecurity A Moving Target at Academic Institutions?
Oct 12 2022
In a highly engrossing and in-depth discussion, Tej Patel, Vice President and CIO at Stevens Institute of Technology, sheds light on the various information security challenges that plague academic institutions and how best to deal with them. He talks about establishing a highly collaborative and security-centric culture, structuring an ideal CIO-CISO relationship, effective execution strategies, and more.

Time Stamps
01:57 -- Why don't you give listeners an overview of your professional background?
02:57 -- Let's begin by discussing the information security challenges that academic institutions face.
05:17 -- So the challenge lies in enabling the university to pursue its mission as safely and securely as possible. Is that a fair understanding of the fundamental challenge?
09:09 -- How do you keep up with all the activities that are going on across campus or at satellite locations, if you have satellite locations? What's the mechanism in place whereby you would be forewarned, where people will feel the need to say, hey, we need to talk to the security office, because this has some serious security implications, and we want to make sure that we are doing it the right way?
13:44 -- How feasible is it to offer customized guidance to the various operating units at an academic institution?
16:23 -- What is your vision of an ideal CIO-CISO relationship?
21:40 -- Could you share an example of how you and your team brought about a change in the security culture at your institution?
25:03 -- What steps do you all take to secure the student population as best as possible?
30:25 -- People are busy, they have to deal with so many things. So that becomes another chore where you are expected to diligently look through every email and see whether any particular email deserves to be reported. Where are you on this? What's your perspective?
35:25 -- How should organizations prepare for cyber attacks? And what does it take to execute plans effectively in a sustained manner?
39:49 -- I'd like to give you the final word.

Memorable Tej Patel Quotes/Statements
"Cybersecurity is a moving target in higher education."
"Cybersecurity is a shared responsibility to provide a protected cyber infrastructure on campus."
"Building trust and relationships is so critical; that allows my team and me to have a conversation with our researchers to fully understand what exactly they are trying to achieve."
"There are a lot of things that we have changed in our practices to ensure that we instill the culture of cybersecurity in our business from day one."
"It's not so much about reporting structures, it's more about how a CISO and CIO can partner together to deliver the message that cybersecurity or security is a strategic value service for any institution or organization."
"Nowadays, the role of the CISO and the CIO is more geared toward reducing business risk. It's all about risk management."
"Organizations must spend sufficient time, effort and resources to build a security-centric culture."
"The role of CISO and CIO, in my view, is more towards reducing the business risk nowadays."
"They expect the cybersecurity economy to grow to $10 trillion by 2025."
"You have to go back to the basics, do the basics right. Make sure you're transparent, make sure you find good people on your team who are stewards of good security hygiene...
Securely Migrating to the Cloud -- Insights from the American Cancer Society Experience
Sep 28 2022
As more organizations embrace cloud-based services, securely migrating to the cloud is becoming an important capability. Keith Weller, former Vice President, Enterprise Technology Services, American Cancer Society (ACS), spearheaded a highly successful migration initiative where they transitioned a 5000-square-foot donation processing on-premise data center to the cloud. Keith and his team completed the implementation on time (in eight weeks), under budget, and helped the organization realize savings of $18 million in real estate and $2 million in technology costs (projected over three years). In this podcast, Keith shares some highlights of this cloud migration best practice.

Time Stamps
00:49 -- Keith, share some highlights of your professional journey.
03:27 -- Provide the listeners with a context for what led the American Cancer Society to consider moving to the cloud.
07:56 -- Based on a discussion that we were having to plan this podcast, you mentioned that you will have to get it done in about three months. Is that correct?
11:03 -- Is there anything else that you would like to share, by way of highlights, when you all were planning the migration and then implementing it?
15:52 -- Talking about the security aspect of the migration, you mentioned following the NIST cybersecurity framework, and complying with the PCI DSS requirements. During our planning meeting, you shared some of the accomplishments under the categories of identify, protect, detect, respond, and recover. Would you like to provide listeners with certain specifics, like what they should be mindful of when they have to undertake such an initiative?
18:04 -- You mentioned the migration vendor. I'm sure listeners might be curious to know how to identify such a vendor. And what factors go into the selection process? And how valuable did you find their service?
20:59 -- For this particular migration initiative, you all decided to go with Microsoft Azure. I assume that is because American Cancer Society was heavily invested in the Microsoft platform, and it made logical sense to stay with the same ecosystem to reduce application dependency-related challenges. Is that what your advice will be for organizations looking to identify a suitable cloud service provider? How should they go about the cloud vendor selection process?
23:15 -- Keith, what is your thought on the challenges that I gleaned from the State of the Cloud report? Do you agree with them?
28:25 -- I think that maybe the SLAs should be written up in a manner and a fashion whereby there should be more joint responsibility and joint accountability. The service provider and client should work as a team to ensure the data is safe and secure, and there's a constant review to ensure the security level and posture are being maintained. What are your thoughts?
31:57 -- Anything in particular that you want to touch upon in the context of the phased migration effort?
37:47 -- So Keith, I'd like to give you the opportunity to say a few final words before we close our discussion for today.

Memorable Keith Weller Quotes/Statements
"Being in the cloud actually makes it a lot easier to govern your security, have better visibility of your assets, and make quicker security improvements."
"If you're trying to do very challenging, time-constrained work, having everyone engaged and bought into the process is very important. And having a clear vision and goals is also important."
"It would be nice if the three big cloud providers were more engaged as a team, securing data and helping make sure that they partner with their customers to ensure that's done...
Detecting Malicious Insider Threats by Monitoring User Journeys
Sep 14 2022
Insider threats are often considered the biggest risk for organizations because they can cause the most destruction. Survey reports and studies have found that organizations have spent millions of dollars to recover from insider threat attacks. Proactively detecting and thwarting such threats is a critical aspect of robust information security governance. Doron Hendler, CEO and Co-Founder at RevealSecurity, sheds light on a context-based detection model that analyzes activity sequences performed when using an application. According to Doron, this User Journey Analytics method is a ubiquitous detection model that can be applied to any SaaS and custom-built application. Since no rules are required, it eliminates the need to fully understand the application business logic.

Time Stamps
01:23 -- First, let's talk about your professional journey before we get into the details of insider threats, detection challenges, and solutions.
03:27 -- Doron, would you like to add to the reasons why we are having this discussion?
07:29 -- So, Doron, going back to monitoring using technology, share with the listeners what the traditional method was, what some of the weaknesses of the traditional method were, and what you and your company are offering by way of your platform.
12:23 -- So given this move to these more advanced, more sophisticated solutions, for folks who are listening in on this conversation, CISOs of companies who have the authority to make purchasing decisions, how do they go about evaluating the different products out there? What should they be looking for in terms of what would work best for their context, for their environment? Any advice? Any suggestions?
14:34 -- What could be possible shortcomings of the user journey analytics approach?
17:26 -- If a company was going to adopt this (User Journey Analytics) technology platform, what kind of changes does it require? From a change management standpoint, what should an organization be prepared for?
19:13 -- When the user journey is different from the normal user journey, let's say abnormal user journeys are detected, how does the alert system work? Who is alerted? And is there a way of capturing or documenting whether organizations respond to those alerts?
21:57 -- How do you convince a potential buyer or potential customer to adopt this new technology solution? What does it take to convince them? What have you experienced when you have engaged with prospective customers? What are their concerns when they're evaluating such platforms?
24:53 -- I'd like to give you the opportunity to wrap it up for us with some final thoughts and advice.

Memorable Doron Hendler Quotes/Statements
"The highest risk in today's organizations, in our digital transformation, is our identities."
"If you cannot trust anyone, you have to monitor, you have to track, and you have to learn how to do this quickly, accurately, and automatically."
"Today's solutions around detection, which are based on rules, basically provide very, very limited, ineffective detection in the application layer."
"Accuracy comes with context; if you understand the context, you will have much better accuracy."
"This technology will offer a solution which is frictionless, that doesn't require major (organizational) changes or any changes."
Skilling Up for Security Operations Center Roles
Aug 31 2022
The Security Operations Center (SOC) is at the heart of an organization's cyber defense system. Highly skilled and motivated personnel must work in these centers. James Risler, Senior Manager, Cisco Learning and Certifications, discussed the roles of the security engineer and the security analyst and the hard and soft skills needed to be effective in those functions. While the ability to code, learn computer forensics techniques, and know how to operationalize MITRE attacks are top skills, the ability to communicate effectively is equally important. Jim strongly recommends that academic institutions partner up with industry to provide hands-on training opportunities and also engage in security solutions-focused research.

Time Stamps
01:24 -- Please share with listeners some highlights of your professional journey.
03:27 -- So Jim, for the benefit of our listeners, many of whom may not have a good insight on SOC (Security Operations Center), let's give them a bit of an overview of SOC. Why don't you start, and if I want to plug anything in, I will.
05:09 -- Jim, when we were having our planning meeting, we kind of agreed that we wanted to focus this discussion on the skill sets that need to be in place for effective SOC operations. So why don't you talk a little bit about that?
09:21 -- I'd like your thoughts on how threat intelligence should be managed and governed, from logging it to acting on it. What are some best practices out there?
12:29 -- People who are strong technically often are not the greatest communicators, and vice versa. What are your thoughts?
15:33 -- How should someone decide whether they would like to follow the track of an engineer or the track of an analyst?
19:24 -- Let me share another interesting finding from the Voice of the SOC Analyst report. The top three skills needed to succeed as an analyst came out to be: 1) learning to code, 2) learning computer forensics techniques, and 3) knowing how to operationalize MITRE attacks. Jim, your reactions and thoughts? Anything you'd like to add to that?
24:01 -- What advice do you have for the directors of these cyber security programs, whether they are housed in the business school or the engineering school?
30:44 -- So I'd like to give you the remaining time to sum it up for us, maybe share some key messages, and some final thoughts with the listeners.
35:27 -- Jim, I said you would have the last word; you still get to have the last word. And after that, we'll pack it up.

Memorable James Risler Quotes
"The people that work in SOC, I call them the gatekeepers of this castle that the security engineers have built. They got to protect the castle against threats, both internal and external."
"Some companies just want a SOC to check off the box. Oh, we have a SOC; ensure we follow HIPAA compliance and all other compliance requirements. And then there are some SOCs out there that literally go on the offensive, following leading threat hunters out there, finding the latest threats, and then taking those threats and going back and seeing if they've been successful in their organization or not."
"If you look back at one of the most successful attacks that impacted many people with their credit cards, that retail organization was getting alerts about the intrusion on their network, but somebody went in to investigate it and said it was a false positive. You have to get down and find out what to your organization is a false positive and what's not a false positive, but what's a true positive indicator, and what's critical to communicate."
"Playbooks inside SOCs are critical because they tell you the quality assurance of your process."
"My number one recommendation is to...
Bridging the Gap Between Intentions and Practicality in Cybersecurity
Aug 17 2022
Daniela Almeida Lourenco, Chief Information Security Officer (CISO) at Tinka, firmly believes that CISOs have the very best of intentions -- "we all mean the best; we all want to protect the organization, and that is all we want to do." However, often the reality of the Board's lack of a cybersecurity mindset coupled with insufficient budget and resources results "in a reactive posture, unpreparedness, unclear risk management strategy, and low response maturity." She also highlights "the misinterpretation and implementation of the lines of defense model" as another reason why right intentions do not get translated into good practices. Advocating for a more hands-on senior management role, Daniela says, "if you're on the second line of defense, you're not supposed to just sit on your highchair and disconnect from Operation." She also expresses concern about the excessive use of the 'fear factor' in cybersecurity communications. Finally, Daniela recommends against reinventing the current culture and in favor of making suitable adaptations by embedding new practices.
Time Stamps
01:15 -- Share with us a bit about your professional journey.
04:26 -- Share with the listeners why this topic or theme appealed to you.
07:56 -- What's stopping an organization from being proactive?
12:55 -- Based on your experience and your understanding of sociology and psychology, what recommendations do you have to change things up, make them (senior leadership) more optimistic, make them more proactive, make the stance (cybersecurity stance and approach) more optimistic, make the stance more proactive?
18:54 -- Cybersecurity is everyone's business, and everyone has a role to play. It's just like the way we are fighting the pandemic. We cannot just rely on the healthcare professionals to do everything for us; we also have to do our part. And I think that's kind of similar to how we need to deal with the cyber attacks epidemic. What do you think?
21:17 -- Gamification can be perceived in some cultures, such as the German culture, as something not very serious; you're not being serious about it. Is that a fair interpretation?
22:37 -- What are your thoughts on the check-the-box mentality toward cybersecurity governance?
27:09 -- In my book, I talk about creating structures and mechanisms that will enable shared ownership and responsibility of cybersecurity initiatives. What are your thoughts?
30:53 -- What are your thoughts about the significance of prompt threat intelligence processing?
36:13 -- Please share your final thoughts and any additional points that are very relevant to this conversation.
Memorable Daniela Almeida Quotes
"Most practitioners say that they fell into information security by accident."
"There is a major or official priority over information security, but it's usually reactive."
"One of the things I do see with my peers in the industry is that we all mean the best; we all want to protect the organization, and that is all we want to do."
"Only after major breaches and losses does information security come to the agenda. So it's an afterthought."
"We've been building an ivory tower, and this ivory tower increases the gap between them and us, and I kind of tend to blame it on the misinterpretation and implementation of the lines of defense model. So you know, the first line as being Operation, and if you're on the second line, in my view, you're not supposed to just sit on your high chair and just disconnect from Operation."
"One of my favorite pain points is the excessive use of the fear factor in cybersecurity communications."
"One of the major...
Preparing for the Future of Device Management
Aug 3 2022
With the growing move towards a hybrid and remote work environment, more and more people are relying on their smart devices to get work done. Keeping track of all of these devices, and ensuring that they are being used in a very secure manner, can be a challenging proposition. A recent survey finds organizations unprepared and overwhelmed with managing thousands or hundreds of thousands of these endpoint devices. Mike McNeill, CEO, Fleet Device Management, sheds light on some of these critical security issues and addresses questions such as: How does an organization manage its devices? Do they know if their devices are compliant and secure? Do they have ways to query them to learn more about their status in real time? Mike also offers recommendations on how to prepare for the future of device management.
Time Stamps
01:28 -- Share with the listeners some highlights of your professional journey.
02:11 -- Let's talk about the motivation for the study.
03:54 -- The study is fairly recent; it was started on February 25, 2022. It was conducted online via Pollfish using organic sampling. And when I look at the industries represented, it's pretty comprehensive. You all didn't leave out any sector. Am I correct?
04:52 -- Were you surprised by the survey findings relating to the state of device management?
06:48 -- Talking about managing the devices and keeping track of the devices, I read here that only a quarter of the sample population said that their devices are fully enrolled and upgraded. You know, that's worrisome. Why do you think organizations would allow that to happen?
07:54 -- So, if I'm understanding you correctly, the use of multiple operating systems and multiple platforms is part of the problem when it comes to tracking the devices, right?
08:33 -- Another finding that got my attention is that one of the best practices is to have a good Bring-Your-Own-Device (BYOD) policy. And to be more specific, 32% said having a documented BYOD policy is a crucial best practice for their MDM (mobile device management) strategy. Can you expand on this?
09:57 -- BYOD, Bring Your Own Device, as an approach has its pros and cons. It was interesting to read that 32% of the respondents felt that having a documented BYOD policy is a crucial best practice for their MDM strategy. What are your thoughts?
11:49 -- Another best practice documented here is measuring point-in-time compliance across all devices. Share with the listeners what you mean by point-in-time compliance or real-time compliance across devices.
13:56 -- How feasible is it to try and automate the patching process and thereby remove the responsibility (of patching) from the users?
17:51 -- Another finding that I find interesting is that multi-factor authentication is becoming a top priority for 2022. The reason I find it interesting is I would assume that by now, multi-factor authentication would be a standard. I wonder why the delay in the adoption of a security mechanism that is universally accepted to be a very robust protective measure. What are your thoughts?
19:35 -- What were some unanticipated or unexpected findings?
20:59 -- I think the extent to which security and IT teams can work together and appreciate the significance of each other's work would make the development and implementation process more effective and efficient. What do you think?
23:12 -- What would you say to organizations interested in improving device management? How should they prepare themselves?
25:46 -- Going back to the report, where you're talking about preparing for the future of device management, you have several recommendations, one of which is to start managing containers. Can you expand on that?
28:21 --...