Podcast 009 Getting Started with Cybersecurity
009 Getting Started with Cybersecurity Transcript
Heather McKee: Welcome to The Modern Polymath, where we discuss topics in technology, economics, marketing, organizational behavior, market research, human resources, psychology, algorithms, higher education, cyber security…
Heather McKee: Hey, podcast universe. Thanks for tuning in. On today’s episode of The Modern Polymath, we’re going to close out cybersecurity awareness month by giving you a quick overview of cybersecurity and tell you what you need to know to at least get familiar with it and the potential risks for ignoring it.
Heather McKee: Today with us, we have Dr. John Christiansen, John David McKee, Will Callaway, and I’m Heather McKee. Let’s get this podcast started.
Will Callaway: All right, so this month is cybersecurity awareness month, and so although we were originally going to talk about this anyways, we will talk about it a little more in depth. Cybersecurity, what is it? How do we look at it as an organization? How do we approach it? What lens do we look at it? I think you could start out by saying it used to be a back office process and now we view it as kind of a business risk.
John-David M.: Yes, it’s definitely a risk piece of this that everybody has to understand across the board. It can’t just be a back office something that people focus on when it’s convenient. It’s got to be a primary risk because everybody has sensitive data. Everybody is a target in one way or another, whether it’s a direct target or ancillary through just being exposed. And it’s critical that leaders understand the importance of cyber even if they’re not in a technical back office role.
Will Callaway: Yeah, yeah. Some of the qualifiers we would say is we say that in we’re talking about a company that’s pushing the digital economy, digitalization of their services or products. They need to be more on the forefront of paying attention to cyber security than maybe somebody who’s running a farmer’s market.
John-David M.: Absolutely. Of course, of course. Yes.
Will Callaway: So those are kind of the qualifiers, but I mean we would say that it has become something that leaders need to pay attention to from a business risk because of the digital economy.
John-David M.: And also to point out the highlight or positives of this, we’ve made this point in other places and things we’ve written in other podcasts. Even if you’re in a less what you would call traditional data-driven business, like your farmer’s market, there are significant opportunities to gain significant market share and make moves in your industry, whatever it is with the usage of data. And even in very businesses where data hasn’t played a part or at least much of a part, a lot of businesses are now adopting that. But with that upside comes a downside and you really need to understand how to protect your data if you’re going to use it.
Will Callaway: That’s where the digital economy today, I mean a lot of it, how we interact with people is high speed market driven. It’s not necessarily focused on security. If you and another company are going head to head both pushing out similar products and you can speed up your timeline by six months by not really checking all the security bugs and working through that stuff. Then that’s advantageous to you because you might start gaining market share. People will adopt you sooner. You could become the standard, that’s great for your business. Is it great for the security aspect of that service of that product for your customers? Maybe not. Will they see that up front? Probably not. But in the long run it could hurt them, it could hurt your business. And that’s where the digital economy right now, some of it is great. It’s great for e-commerce, it’s great for you know, different services and everything like that. But until we start paying attention to the security aspect of it and find some happy equilibrium, there are still going to be those risks for your business.
John-David M.: Yeah, I mean absolutely. It’s not like you have to stop everything you’re doing and lock everything down. It just needs to be within your consideration set within your strategic decision making. Right? I mean it has to be a variable that you account for. The word keeps coming up risk, understand that there is a risk for downplaying it and understand what that could come back to do to you if you don’t properly account for that risk and do something about it.
Will Callaway: As well as some of the impact that these breaches are having. Right? So the regulations that are starting to be formulated with GDPR and the California regulations. As well as just reputational damage, right? If you have a huge breach, people are going to remember that, right? You’re going to have lawsuits, you’re going to have government crackdown on some form of fine and such. And those things can negatively affect you for years.
John-David M.: Not to mention if you are in an industry where somebody else ends up being exposed, they’re going to crack down on your industry. And if you’re not ready to handle that and having to start from scratch, you well may be the next scapegoat or target.
Will Callaway: Different verticals, different companies are going to have different attack surfaces, different things that people are trying to go after, right? If they’re a bleeding edge tech firm, people might be trying to steal their IP. And that’s where you have to know like who, who the attackers are.
Will Callaway: So there are probably like three forms of attackers, right? You have your script kiddies who are relying on really great tools that other hackers have built, and they’re just repurposing and pointing and shooting. They might not know how the tools work. They might not really know the end result of what the tool does, but they’ll use and get some results. Then you have the other hacker who probably knows a decent amount, can write some of his own scripts, knows how different services work. But is probably not willing to go that extra mile, not really willing to go to jail. Right. Not really wanting to test the waters. If there’s some low hanging fruit, he’ll scoop it up, but probably not going after anything too crazy. And then you have the true, let’s say talented hacker or the nation state who is not going to stop until they get exactly what they want.
John-David M.: Which is no different than like typical crime.
Will Callaway: Yeah, absolutely.
John-David M.: You would have the petty person, the cat burglar who’s very okay with taking 20 bucks here or there, but they’re not trying to rob a bank. You have the bank robbers and then you have the huge international robberies that make it in the movies and stuff. Right.
Will Callaway: Yeah, yeah.
John-David M.: It’s the same deal. It’s all within the scale of what they’re willing to do and what they’re willing to accomplish. But any of those can hurt you significantly.
Will Callaway: Right. Yeah.
John-David M.: Would you go back to that first term that you used though, kiddie? That’s just new to me. I’d like to hear what is that?
Will Callaway: Oh, so like a script kiddie. It’s just like somebody who doesn’t know how to write. It’s like a noob, right? Like when you’re playing Call Of Duty and somebody’s a level one and gets popped into a 55 game. It’s like they don’t really know what they’re doing, but they’ve got guns.
John-David M.: Okay.
Will Callaway: You know what I mean? It’s like they’ve got tools, they’re just spraying and praying.
John-David M.: They also everybody else is annoyed by them, right?
Will Callaway: They can do damage, but there’s no plan of attack. There’s nothing to it. It’s just like, “Oh cool, I got this weapon. Who should I point it at?”
John-David M.: It’s that dude in blackjack who’s hitting every time and ruining it for everybody.
Will Callaway: Yeah, yeah, yeah, yeah.
John-David M.: Got you. Okay, cool. Thanks.
Heather McKee: Well and similar in the field of data science, there is a talent shortage out there for cybersecurity. So companies are being forced to turn to products to help them combat their risk and put together their defense plan. But part of the problem is that until they actually begin filling their seats with actual people, they’re going to have a harder time scaling their cyber department linearly.
Will Callaway: I mean that’s a great point Heather, because just like we’ve seen with a lot of companies using visualization tools or data mining tools. Those are just crutches if you don’t have the people who can actually do the tasks, right? And then you’re dependent on those crutches. So if one of those companies goes out of business or they change their products or something happens and one of those crutches gets kicked out from under you. What’s your plan then?
Heather McKee: You’re up the creek without a paddle.
Will Callaway: Right.
Dr. Jon C.: I want to back up a bit how fast cyber got to be relevant to us. It tends to be that higher ed tends to kind of follow job trends. And I think in ’14 Bureau Labor Statistics put out, the new and emerging jobs, the bright outlooks, who’s going to have a rapid growth in a high number of new jobs available. And the five degree programs that we saw starting ’15 and on and really doing concept testing for new degree programs at schools were data science, which we’ve talked a lot about. RN and BSN, so registered nurse to getting a bachelor’s of science in nursing. Health informatics and bioinformatics. Physical therapy, occupational therapy. But the huge and a big one was cybersecurity and a lot we’re wrapping it up into Homeland Security. But from there I kind of want to back into like what the labor market looks like. Because what I had noted up front was higher ed tends to kind of jump on the back of wherever we think the jobs are. And that was one of the five that we were seeing.
Dr. Jon C.: So the big job that’s coming out is what’s called an information security analyst. It’s considered bright outlook because it’s expected to grow more than 15% over a 10 year period and it’s actually closer to about 28. Other job titles you might see, data security administrator, information security officer, information security specialist, those types of things. And they’re doing very well once you get up there. So these are people that mostly are self reported to have a bachelor’s degree. About 23% have post-bacc certificates and even 13% have associates degrees. And the median salary with somebody in a job of this level, now mind you, a bulk of these jobs are in more high costs of living environments, but still well above the median if you randomly pulled a job. You’re looking at just shy of six figures at about 98 grand a year annually. And we expect that to grow, and actually JD is going to talk about some of the job titles that when polled actually are doing even more so than that. But this is just the median on the one major job title that’s tying into cyber.
John-David M.: So there’s some big companies out there that can deal with this stuff better than most. I mean, most companies out in our country and beyond are small businesses are startups and things like that. Everything now for the most part, has some element of technology to it. I mean, even if you’re a retail shop, you’re going to have technology, you’re going to have data flowing in and out. You’re going to have some level of exposure regardless. But if you’re a startup, you have to prioritize your investment, your resources, your time, your attention.
John-David M.: And having been a multiple time entrepreneur, I understand how this works. But it is a tough challenge to get your head around because if you are a startup of your small business, you’re worried about developing the right product, getting it to the right customer, the marketing elements of that, hiring the right staff, meeting demand, fundraising, all of those types of things. It’s hard to find time and budget to worry about the security side of this. But the more sophisticated and nuanced the hackers get, well the more that it freaks me out to where I’m going back to a pen and paper and nothing smart because it’s crazy how accessible this stuff is.
John-David M.: So that brings up the importance of a smaller business, prioritizing cyber and getting their ducks in a row while doing this with limited resources. And what’s interesting about that is it really presents an entrepreneurial conundrum, I guess you say, because a lot of these bigger businesses create opportunities for smaller companies to come in for groups that are agile with a better mouse trap and things like that. And one of the big reasons is they’re big and they’re bloated and they have a lot of legacy systems. And what they’ve done is patched this system to this system to make that work, built up a firewall around that, patch this to this. You have a bunch of bandaids or continue to put duct tape on the pipes and hope it doesn’t explode.
John-David M.: The opportunity that an entrepreneur has in many cases is to come in, be lean, agile, build a better product without any of that legacy technology holding it back and then beat out the bigger player in the space. But if you start trying to throw Band-Aids on it from the start, you’re putting yourself in a tough position to actually compete with those bigger players because they can expose you easily.
John-David M.: And this is especially important to differentiate between competence and the appearance of competence. This needs to be taken seriously enough by executives, by anyone who has any decision in a company where you have things you don’t want to get leaked out there. Not to appear competent to check those boxes for shareholders and things like that, but literally to protect your assets, to protect your integrity as a company, your relationship with your customers, your proprietary recipe or whatever your IP may be like. These are things that have to be critically considered no matter what it looks like. It’s not a pretty picture you’re trying to paint; you need to cover the bases.
Dr. Jon C.: Well, and even in a small scale, let’s say you have a server that shuts down and then you look around, we’ve got a bunch of people doing nothing. Like what is that costing you? If you’re down a week, what does that cost you? Like, “I have to pay these people?”
John-David M.: How many mad customers do you have? You’re servicing somebody who’s not getting serviced.
Dr. Jon C.: Exactly. So, you’ve like one small, whatever, in a lapse in business continuity where you didn’t even check to see whether or not this was potentially a threat.
John-David M.: Yeah. I mean those are all great points and it’s really interesting to see how this field continues to grow and a lot of people don’t really know what it is. And it is an intimidating term. I mean, cybersecurity sounds scary, information security, all that. But what you can see in any graphs you look at the rise of cyber and the need for cyber directly correlates with the rise of big data and the understanding of big data.
John-David M.: As John pointed out in 2014, 15 those years as we alluded to earlier data and the application of data goes from a back office technical element to being an important strategic consideration from the C suite on down. So the strategic side of that is that all the different departments within the company contribute their domain knowledge specifically to the strategy. So ideally in what we would call cyber aware organization, it starts with the CEO and it moves its way down from there to the COO, obviously running the operations, the CIO, chief information officer, the CTO, chief technology officer. In certain organizations there’s going to be a chief risk officer, a chief information security officer and the like and continue to go down.
Will Callaway: Right. And ideally that is the case, but sometimes it looks more like the CISO or the chief risk officer is bringing a use case to the CEO and trying to get the board to pay attention to a lot of these risks. Now that companies are pushing towards digital and really honing data they’re moving to cloud or hybrid solutions where these things need to be paid attention to a lot more.
John-David M.: Yeah, that’s right. I completely agree. It doesn’t matter necessarily if it’s top down or bottom up. Just what’s key is that every different department and all the major players involved understand the importance of this. And make sure that it’s dispersed across the organization, so that you have an organizational awareness across the board.
John-David M.: You said two things there that are really, I think, important to one, you’re viewing it through a cyber lens. I think that’s one of the points that we’re making. Everything’s got to be prioritized and balanced out.
Will Callaway: Right.
John-David M.: But this has to be one of the lenses you see it through. And then two, some of this stuff doesn’t have to be that complex. You’re talking about the employees training an employee not to leave their browser open on things that can be hacked.
Dr. Jon C.: Just lock your screen.
John-David M.: I think people hear cybersecurity and they’re thinking a bunch of ones and zeros, a lot of coding, a lot of backend stuff.
Dr. Jon C.: It’s digital fortress.
John-David M.: Exactly, yeah. I mean it doesn’t have to be in anything as complex as what Dan Brown talked about in his Digital Fortress book. But like we alluded to in the quick cyber tips podcast from a couple of weeks back. There’s a lot of things you can do that seems simplistic but have a major impact on your overall protection.
John-David M.: Well, and mitigating that risk is, blows my mind when you think about how sophisticated it’s getting and that you’re not just safe protecting your own company you’re not just safe within the constraints of what you as an entity are protecting. Because one of the new trends that you’re going to talk about is how they’re targeting people in your supply chain. Other companies you work with, right?
Will Callaway: Yeah. And the supply chain attacks and such that are becoming popular now are they’re just attacking someone who you do business with that is less secure or maybe less cyber resilient. They’re in essence, just leveraging digital trust. Because you do business with these people on a regular basis they’re leveraging the fact that you’ll overlook them from a potential threat. It’s a mild form of I guess social engineering, but it’s, it’s really just they’re leveraging a business relationship that you already have with one of your supply chain and they’re going to come after you through them. They’re almost like a proxy.
John-David M.: And that’s just one of the many examples of how you can be exposed and why you should really be paying attention to cyber. We call this a crash course because we really wanted to highlight a lot of the concepts and the things that you should be concerned with, but it’s probably not as technical as you were expecting and honestly not as technical as we initially planned to go into. But at the end of the day you have to start with a logical approach to understand the different pieces and how they fit together to start to build a plan. And this doesn’t start at a highly technical level. This looks at your different assets and your partners and who could have access to your data and doing those things that are more logical than they are technical. And then building out an increasingly robust and complex plan as you get there to further your security and how important that security is to your overall business.
John-David M.: And hopefully we’re able to illustrate some of that today in this episode. There’s a lot more we can say and a lot more we will say in future episodes. We have planned discussions with true experts in this area that are going to give some really interesting insights into what they’ve seen. And different ways that the principles we’ve discussed here can be applied in a more technical way and that’ll be coming up in the next couple months. But in the meantime, use this information that we’ve given you as a frame of reference to start to see where you may be vulnerable and how a potential attack that you may have never thought you were a target for it could be aimed at you. And how could you do those small things to protect yourself against those? Because those small things will add up to a much more robust security platform.
Heather McKee: Well, that’s it for our cybersecurity episode today. We hope that you were able to take away some new information about cybersecurity and have a little bit better understanding of why it’s important not to ignore. Don’t forget that you can always check out our website, insandouts.org for more information on this topic and all things we discuss on the podcasts. Catch you later.