Bridging the Cybersecurity Gap: From Tech Rooms to Boardrooms | Interview with Paul C Dwyer

Dejan Kosutic:

Welcome to the Secure and Simple podcast. In this podcast, we demystify cybersecurity governance, compliance with various standards and regulations, and other topics that are of interest to consultants, CISOs and other cybersecurity professionals. Hello. I'm Dejan Kosutic, the CEO at Advisor and the host of the Secure and Simple podcast. Today, we have a very, very interesting guest.

Dejan Kosutic:

His name is Paul C Dwyer, and he's the founder and CEO of Cyber Risk International, a consultancy based in Ireland, and also the founder and president of ICTTF, the International Cyber Threat Task Force. Now Paul has held various positions, so I'll try to read all of them. There are many here. So: chairman of the UK National Crime Agency Industry Group, also advisor to the National Counter Terrorism Security Office, advisor to NATO on countering cyber threats, advisor to the UK Defence Committee DEFCOM in Parliament, Deputy Chair of the Organized Crime Task Force Industry Group, and also Interim Global CISO for numerous multinational organizations. So a huge and very, very successful career.

Dejan Kosutic:

So in today's podcast, you'll learn about digital resilience from the business and strategic point of view, and what the role of company boards is with regard to resilience and cybersecurity. So welcome to the show, Paul.

Paul C Dwyer:

Thank you so much, and I really appreciate the invitation. I'm looking forward to this.

Dejan Kosutic:

Great to have you here. So, you know, you obviously have big experience, more than thirty years, across all these military, law enforcement and also business organizations. And was there any particular experience which actually drove you towards this thinking, that connecting the boards and resiliency is one of the key things to do?

Paul C Dwyer:

Yeah, there's probably many different instances where I realized that. Coming from my career, it started in the server room and I've ended up in the boardroom. So coming from that perspective, you realize that you may have amazing technical abilities and you can see all of the problems and so on. But the frustration comes when the leaders, and those empowered to make the decisions to fix or mitigate risks, don't understand. And I think that that creates a communication gap. And I really realized that was there for many, many years.

Paul C Dwyer:

So as my career developed and I got more into the areas of regulations and more into communication and education, I realized that this was, if you like, a weak muscle that I needed to build up: the ability to communicate at that level. So I made a very conscious effort to start looking like a board member, dressing like a board member; I would appear like a board member, everything else. That helped even with the communication style. It kind of boils down to this, which is, you know, the tail never wags the dog. Right?

Paul C Dwyer:

So the answer lies in the head. You have to get leadership involved. If you don't, you're not going to succeed. Full stop. You're just not going to succeed, because leaders set policy, policy sets culture, and culture is going to be how the organization deals with cybersecurity, information security, digital resilience, take your flavor.

Paul C Dwyer:

It's all going to come from leadership down. If the leadership don't understand, aren't empowered with enough knowledge, and that communication piece isn't there, it's not going to work well, if at all. So that's something we focused on and we thought, well, look, how do you demystify this? How do you distill this down into a way?

Paul C Dwyer:

And we would use case studies. For example, somebody coming into the board with a vulnerability scan report saying, hey, look, there's 50,000 vulnerabilities. Some of them are level five, some level four. And that's the "so what" moment. The "so what" moment is that the techie who comes into the board with a vulnerability scanner doesn't realize that the board members are simply looking at them and going, great, but so what?

Paul C Dwyer:

What does that mean? Make it relate back to the business, make it relate back to the individual. And some of the skills or techniques, if you like, that I developed on the way: if I was going to meet a board and I knew I was meeting, for example, the risk officer or the CFO or the CEO, I would have a different message for each of them, because humans are innately selfish and they only care what affects them. So I would have a different message for the marketing officer, a different message for the CFO, a different one for the CEO. So they all got it and they all went, we have to take action on this.

Paul C Dwyer:

But when you're briefing a board, when you're trying to communicate at that highest level, everything has to be related to the business. If you're not giving them what the risk is, what the downsides of it are and what their options are, well, then you're failing in your job to do what you're meant to do. You know, whether you're coming from a consultancy aspect or a service aspect, or somebody internally in the organization is trying to communicate to that board level, you have to be able to give them those options, because they want to go wham, bam, make a decision and either accept the risk, mitigate the risk, transfer the risk, but they can make decisions, you know? And so it's great from a governance and oversight perspective that.

Paul C Dwyer:

So we found a real game changer was making sure that the boards had bought in. We have a phrase here now: skin in the game. If they didn't have skin in the game, if they hadn't committed time or money to this process, we would simply jog on. Come to a point of view.

Paul C Dwyer:

Also, there's plenty of other people who need our help and need to work with us, and everything else like that. But if the leaders aren't engaging, then in a way it's kind of futile for everybody to survive. In fact, you know, even within our own courses, leadership courses like the CSERO course, I've often been asked by CISOs, well, how do I engage my board? And so on. But if you fail to engage the board, they're simply not engaging.

Paul C Dwyer:

You might want to update your CV and go work for a company that appreciates it and needs some help to garnish that forward. But the flip side of that, if I may, is the amount of times I've met with senior cybersecurity people, let's say a CISO in a bank. And so they'll be introduced to get to know each other a little bit. And you say to the CISO, oh, congratulations on the new role. How does this organization make money?

Paul C Dwyer:

Shrugs their shoulders? No. They say, mortgages, wealth management, private banking. I don't know. Okay.

Paul C Dwyer:

So you don't know what's going on at a boardroom level, strategic level. Is the business going to go digital? Are they getting rid of all the retail banks? You don't know any of this, but you're somehow responsible for securing the digital future of that organization. That's a big disconnect.

Paul C Dwyer:

It has to be at the table. You have to be at the top table, and the board needs to understand that. So whether you're sitting at the top table or at least you're communicating with the top table, that's a key to success.

Dejan Kosutic:

Now, how do security professionals then have to grasp this business side of the company, the core business and the strategic decisions that are made in the company? So basically, how do you get to all this information and understand it?

Paul C Dwyer:

Okay. So a lot of this is down to people skills. It's down to more soft skills in relation to building trust, building rapport with existing leaders out there. The default mode for most leaders in an organization is that, you know, an IT department or a security department, they're no different than the department that cleans the toilets; they're a service department, whatever that organization is. You're not a fee earner, you're not generating wealth for that company.

Paul C Dwyer:

So until they understand that you're an integral part delivering something important and valuable to the organization, they're probably not going to give you a whole lot of airtime, a whole lot of space to get it. So that takes time to build up. But it gets even into the optics of this: if someone is turning up in an engineer's T-shirt into an environment or a culture where they're all wearing, you know, suits in a boardroom meeting or whatever it happens to be, there's going to be a massive, even hopeful, disconnect there for them to take that person seriously. So they need to understand that. And then they need to understand the language of it.

Paul C Dwyer:

What's a business value chain? If they can't answer that and they get it confused with a supply chain, how are they communicating with the business when the business is talking about things like that? If they're not aware of it, they could be technically brilliant around the technical aspects of cybersecurity. But if they don't understand that that organization has to be compliant with GDPR, PCI, DORA, the UK operational resilience framework and NIS2, and they don't understand what these things are, then they're always going to be just in the lens of tech. Therefore, the people who are looking at them and talking to them are just going to see them as techies, because it's not their comfort zone. So there's the middle ground they have to meet.

Paul C Dwyer:

And that's, you know, a lot of the work we do: empowering the boards to be able to understand what the techies are talking about. And I don't mean techies in a disparaging way, but this is all about language and communications. If somebody's walking into a boardroom or they're talking to senior leaders in an organization and they're using acronyms, they're gone. You know, they're not going to understand what they're talking about. You need to find the middle ground in language and get those two things aligned.

Paul C Dwyer:

I mean, that's what makes things like, for example, DORA, the Digital Operational Resilience Act, really interesting, because it's making these things legal mandates, you know, a DORS document, you know, a Digital Operational Resilience Strategy document. It's jockeying with this; it simply says, you know, what the business is going to do for the next few years and, you know, what your digital strategy is for the next few years. It's a no brainer. But yet this has become a legal mandate. And so I think those softer skills, those people skills: it's too easy for people to get comfortable in the server room and the back room, and, quite honestly, give themselves grandiose titles as they get longer into their careers.

Paul C Dwyer:

So they go from a network manager to an IT manager to CIO and then call themselves a CISO. What are they really? Because if we look transatlantic at a CISO, a CISO is probably on a 7 figure salary and stringing to the board and taking those kinds of responsibilities. A lot of the CISOs we'll see across Europe are essentially senior people that have worked in the ICT industry or IT industry. But they haven't also developed the skills, the political skills.

Paul C Dwyer:

How do you lead? How do you sell? How do you sell an idea in a meeting? So to get to those levels, you have to have sales skills. And I don't mean that you're going in saying, hey, this week only, one ninety nine, that kind of sales.

Paul C Dwyer:

It's selling your passion, it's selling your idea and convincing someone there's a problem and convincing someone you have a solution. That's communication.

Dejan Kosutic:

Okay. Does this mean that, let's say, a CISO should go for training like an MBA, or maybe some more communication-related training?

Paul C Dwyer:

Well, I kind of have an extreme view on this, and I think most academia is a waste of time in the industry we work in. It's so old, it's so out of date by the time somebody learns it that it's not what the industry needs. I'm a big, big advocate of micro credentials, short-term courses, those kinds of things. Because if somebody knows they're missing a particular skill, in this day and age with online academies and so on, they can get those skills and upskill themselves really quickly in a really flexible way. Get the skill and move on.

Paul C Dwyer:

They don't necessarily need to change career path completely or dedicate a few years of their life to developing one skill when potentially a weekend course could do it.

Dejan Kosutic:

Okay, you also mentioned that when you're actually meeting some senior executive or a board, you're actually preparing a different message for each person depending on what, let's say, area they cover. So how do you actually do your research, and then how do you, based on this research, develop a specific message, let's say, for the chief sales executive or chief financial officer or something like this?

Paul C Dwyer:

So, I mean, in many ways it's good old open source intelligence on LinkedIn. It's good old doxing. It's working with the board members. You know, what's that phrase where you've got five hours to cut down a tree, spend four hours sharpening the axe, whatever, cutting down the tree or whatever; you know, it's about preparation. And that limited amount of time you spend preparing for that meeting means that you're not going into a meeting with your hubris, thinking,

Paul C Dwyer:

I know it all, I'll handle this meeting with these guys in here. They haven't got a clue, and all that kind of stuff. You're parking that and you're paying it the respect to do the research and understand, well, this individual may have been involved in their career in that company in a big incident. So I'm going to mention something maybe about ransomware. I want to trigger their emotional points.

Paul C Dwyer:

I'm going to go, as you know, an incident happens in ransomware, it can be significant, ultimate risk, quantum risk, all those kinds of things. And you'll make those. But there are bog standard things you can say to people. You know the CFO is going to be worried about money. So you're going to talk about audits.

Paul C Dwyer:

So the marketing officer, the chief marketing officer, is going to be talking about, you know, qualitative risk and reputational damage and trust in the community and stakeholders and so on like that. You're going to get onto the risk officer, maybe about regulations and maybe losing your operating license. And the CEO is worried about it all. And also worried about their bonuses. Are they going to deliver?

Paul C Dwyer:

And when you start, there's a great term, which is an automatic governance event: when you tell a board something that is a real material risk to their organization, they have a duty to respond to that. And the response can be, we accept. But in most cases the response will be, we need to mitigate this, and we need to transfer this risk. So if you're walking into an organization and you said, well, we've identified that your critical or important business function is your banking app, but actually one of your key suppliers is failing their assessment. That's something the board needs to know.

Paul C Dwyer:

They need to deal with it. Now it could be something even in their own architecture, where you've been in and you explain from a technical perspective and say, guys, look, your risk levels here are three, your controls are at two, the gap is residual risk, and there's a legal mandate that they need to be informed on that. So even these basic terms: what's a threat, what's a vulnerability, what's the risk? How many people working in the world of cybersecurity really know the difference between those? You know, this is the basic business language, so they need to understand these things and not just throw jargon around for the sake of it, and understand the difference between quantitative and qualitative risk, and be able to provide examples of them, and never get emotional and always be factual.

Paul C Dwyer:

And remember, when they're communicating at that level, it's macro level. You're literally going in with sound bites and you're throwing sound bites, but you're ready for the retort. If they say, you said this, back it up. And this is what a leadership meeting is like. It's a challenge.

Paul C Dwyer:

And you go, well, I'm glad you asked me that, because this is what happened in this company, this company, this company. And of course the next phase of that question will always be, so what do you think we should do? You know, this is about communication; through that communication, you're establishing trust, and they will trust the individual more, whether you're a vendor or whether you're an employee, whatever; they're going to trust you more when you know your subject matter, you know their organization, you care. The most important of the people, I always say this with organizations when I'm advising them, is the people that can help you most within your organization. They're the ones that maybe even love the organization.

Paul C Dwyer:

They may have dedicated twenty years of their life to that organization. A consultant in a shiny suit and tie coming in is there for the money. Right. They may have expertise and experience from elsewhere, and they can guide you and they have value. But do they care what happens as much as the people internally?

Paul C Dwyer:

Do they know where the skeletons are? Do they know where the issues are? The legacy systems, culturally what the challenges are? But all of those answers are internal. So that's why I admire the work you do and your organization as well, because anybody who shares knowledge and empowers people out there, that's a really good thing to do, because we should be teaching people how to fish, you know, we should be empowering them, you know, and be able to give them the tools and guidance that they need.

Paul C Dwyer:

They will need people like us at times, as advisors and stuff, but they don't need body shopping. They don't need teams turning up with Excel spreadsheets and Microsoft Word and starting off and writing assignments, pretending that they know this organization better than the people that have worked there for fifteen years. Just that that

Dejan Kosutic:

No, empowerment, I would say empowerment, and basically this transfer towards, you know, the people that work in the companies is very important.

Paul C Dwyer:

Exactly. Then trust at that level between, like, you know, I act as a mentor for a lot of CISOs and CIOs of organizations as well, because sometimes they just want thirty minutes to bounce something off you or just run something by you. It could be a five minute phone call, it could be anything, but it's good to be happy to have people in the loop that you can go to, hey, this is complex, I'm looking at this, how do we do it? You know, those kinds of scenarios.

Paul C Dwyer:

The human network that people build in their career is the most important part of their career. I would say it's up there with education, because what you know and what you've educated yourself in, through what you've learned online or in college or whatever it might be, and what you've experienced, that's one side of it. But being able to leverage people you trust that have that experience and have that knowledge, that's golden. If I had an ISO 27001 and I've lots of companies to search for, whatever, by default I'd reach out to you. I know everybody has their wheelhouse and everybody has their specialty areas and all that kind of stuff.

Paul C Dwyer:

It's knowing that you don't have to know everything, but you have access to those experts as well.

Dejan Kosutic:

Now, what I see very often is that CISOs have a problem with how to actually connect this, well, technical part of cybersecurity with the strategic business part, and basically how to actually make cyber something that is actively supporting the business strategy and the vision of the company. Do you have any suggestions here on how to, yeah, do this?

Paul C Dwyer:

I think it's actually got a lot easier recently. And that's because of DORA. And they've often, you know, suggested to organizations who aren't in the financial sector that they should adopt DORA. Now DORA is horrible. Don't get me wrong.

Paul C Dwyer:

That's a horrible document. And the level one, the level twos aren't much nicer. It's all ugly. But all the concepts that they have and all the pieces that need to be done are all relevant for a digital business or a business operating in the digital economy. If you're aviation, there's lots of, pretty much everything in DORA still applies, you know; okay, you're in retail.

Paul C Dwyer:

I mean, would Marks and Spencer's or Land Rover have issues with their DORA compliance? I don't think so. You know, so, I mean, it's a blueprint of cybersecurity with governance and oversight. And the governance and oversight has been the weakest part of it; you know, there've been many brilliant cybersecurity people who have worked night and day to implement cybersecurity frameworks or information security management systems in organizations. But if the oversight and governance is not there and the accountability piece is not there, ultimately they will fizzle out or they may not develop.

Paul C Dwyer:

You know, so, yeah, it's an important one. But I would say that piece of connecting it up, it gets real with the business when, you know, some of the talks I've done recently have been about trust. So when you trust something, you make yourself vulnerable to it. And I often talk about the financial sector. So the financial sector traditionally had to establish trust with their clients so that they, you know, because if you trust them, you make yourself vulnerable to them.

Paul C Dwyer:

So you're handing them your hard earned physical cash, back in the day, that's going into a bank vault. They work off the fiat system. And when you walk into that bank, they had big majestic columns outside the big doors of the bank. They had marble floors, brass fittings. All of these are those signals.

Paul C Dwyer:

You can trust us and give us your money. We'll mind your money and it's okay. You work away and have all your wages put in, and you can trust us. Now, in the world that we live in now of digital trust, how do you go from marble floors to mobile and have digital trust? Success stories here: Revolut, 40,000,000 customers.

Paul C Dwyer:

And you know, this is the holy grail of what everybody's after in business now: how do I digitize and bring my business online, digital transformation, while keeping trust with the customers? And that is about having effective cyber risk management. Now whether that's built on ISO 27001 or DORA or NIST CSF or whatever it happens to be, whatever the framework hybrid model is that you do, it's better to understand what your business is, understand where your assets are, understand this governance and accountability, understand your supply chain, and have it all connected. It can't be in silos.

Dejan Kosutic:

Especially if, you know, cyber professionals or, let's say, CISOs can actually recognize how this cyber component, especially if you, let's say, kind of translate it into a trust element, can actually support all kinds of these digital initiatives. And this could be, in general, let's say, trust. It can also be a trust issue of a particular product and these kinds of things. Basically, it's then, it actually becomes, cyber actually becomes, I would say, an active participant in supporting a business strategy.

Paul C Dwyer:

100%, because trust is an asset. And if you look at any brand, they have a logo, and that logo has a ridiculous value on it because of what that logo means to somebody; it is trust, you know. Has Marks and Sparks, Marks and Spencer, taken a hit on the trust people will have in that brand and that logo and everything else like that? And people need to understand that if you trust an organisation, it is able to handle a digital infrastructure and a digital business. So when things go wrong, they can handle them. And we all know things will go wrong.

Paul C Dwyer:

It could be an all hazards approach. It could be mother nature, global warming. It could be a nation state attack. It could be critical infrastructure. Things will go wrong.

Paul C Dwyer:

How do you handle it? How do you respond? How do you recover? And that's resilience. So, you know, it's the bigger part.

Paul C Dwyer:

I think the smart companies and the smart providers have realized that those companies who are investing in digital trust are the ones that will survive and thrive, because they're going to be able to grow, and grow their client base and grow their service base and so on exponentially, because they can innovate and they can adopt technology and not be fearful of, well, we're not quite sure what that means. You don't know what the foundations are in your digital infrastructure and you're not confident of how actual applications are being delivered. And let's be honest, that's the way it is in a lot of organizations. How are you going to embrace AI? You know, because they're not sure: is that the straw that'll break the camel's back?

Paul C Dwyer:

What will really happen? A lot of organizations aren't even sure of data flow, ingress points, egress points on the network. It's fundamental stuff, you know, and that's why something like a regulatory framework puts manners on a situation, and whatever the reality is, is reality, and it's working with that, bringing it forward.

Dejan Kosutic:

Let's kind of try to clarify some basic terms here. So you mentioned resilience very often, and of course, DORA, the Digital Operational Resilience Act, is about resilience. So how is resilience different from business continuity or from cybersecurity?

Paul C Dwyer:

Okay. Great question. So we would see cybersecurity as mainly being defensive. So it's actually a term that I hate, the term cybersecurity. And let me explain why, because it's the reason why our company became Cyber Risk, and the reason being: cyber means internet, means computer based; secure,

Paul C Dwyer:

the word security, means free from risk. So how can you use the internet? How can you use all of the ICT services that are provided around the world, and integrate with them and exchange data all over, and be free from risk? So it's a kind of an oxymoron. It's kind of a lie in itself, the term, using cyber free from risk.

Paul C Dwyer:

Now cyber risk management is about using all of this and managing the risks associated with it. So we've got our cybersecurity, we've got our risk management. Now digital resilience is being able to prove that, and being able to minimize, mainly being able to prove that you can detect if something goes wrong, being able to respond to it, being able to recover. It's the acknowledgement. If you think back to about a decade ago, maybe even a little bit longer than that, one of the first companies in the world to come out and acknowledge that, and it was going back to this kind of FBI quote about those companies that know they've been hacked and those ones that don't.

Paul C Dwyer:

And there's this realisation that hacks are inevitable, incidents are inevitable. They could be operational ones. I mean, I often use cases of operational resilience where a CIO, for example, at the Trustee Savings Bank in 2018 messed up an update, took the bank down for two thirty two days, 80,000 customers walked away. That bank went from a profit making bank to a loss making bank over one incident, but he personally got fined £81,000. So, when you start looking at things like that, you realize, so, things will happen.

Paul C Dwyer:

We need to know who's responsible for them, but we also need to know when they happen. Go back to those horrible statistics that we often see about, oh, the majority of hacks that have happened in, you know, the global companies in this world, the bad guys were on the network for an average of seven months or nine months, and they didn't know. What did they know? So being able to detect something has gone wrong, being able to detect you're out of disk space, being able to detect the server's down, being able to detect you're out of bandwidth. These are all operational, digital operational issues.

Paul C Dwyer:

It's not all about the GRU hacking into a system, or unit six thirteen ninety eight or something. It's not about, you know, the nation state hackers, just that element of it. That's often what people just think cybersecurity is, but we wrap that into digital resilience. The business is much more interested in digital resilience than they are in cybersecurity, because the cybersecurity headline, it's kind of sexy, steal the money and all that kind of stuff. And they think that that's what it's all about, but it's very hard to wrap your head around big business decisions around that.

Paul C Dwyer:

Well, being able to say that you can make a business resilient, all of the institutional infrastructure, that you are prepared for things to go wrong, that you will detect, and you respond, you report. Aspects, and it's a great question, because you've asked about disaster recovery and business continuity. They're clutziness of each other, and they're often very confused in an organisation, especially when you talk to IT departments. They think they're the same thing. So business continuity will be about reducing the likelihood of something happening and improving your chances of recovering from them, based on a BIA.

Paul C Dwyer:

That's the heart and soul of DORA, by the way. You know, that is the heart and soul of DORA. Though people have been doing that with ISO standards, great, you know, because they're a long way there. Disaster recovery is often what gets the focus from a CIO, IT perspective, where they think it's just about going back to the days of old tapes. Something goes down, we can get systems back up.

Paul C Dwyer:

It's much broader than that. It's the legal side of it. It's the communication side of it. It's the optics. It's all of these things. And it means that it's managed holistically in the organization as well.

Dejan Kosutic:

Yeah, it's very comprehensive. As you mentioned, DORA actually already, of course, requires not only resilience, but actually requires active participation from the boards, the senior management, in actually making this resilience happen. NIS2 is also, up to a point, not maybe so much, but it's also going in this direction. Now, how do you actually get the boards to accept this idea that they are also responsible, not only the boards, the senior executives? How do you actually make them understand that they also have to participate actively in this resilience?

Paul C Dwyer:

So what I found the most effective thing to do is, and I'm not a religious person, but sometimes you have to put the hands into the wounds of Jesus, because you'll always have a doubting Thomas there from the point of view of believing that this is there. So you can talk ad nauseam about the benefits of digital resilience, why it's a great idea, fantastic, blah, blah. But get back to the point I made earlier about people being selfish. And all of a sudden you bring up a slide, you take a quote out of DORA, which is unambiguous, article five or whatever. And you say, here you go, guys, you're on the hook for this. And then they go, really?

Paul C Dwyer:

So they'll never do that. That's going to be like GDPR, you know, they're never really going to do anything about it. And then you bring up an example, like I just mentioned, say the Trustee Savings Bank and somebody being fined £81,000. Personal accountability. I have one slide.

Paul C Dwyer:

There's only two words on it. And I use the reports, personal accountability. Everything stopped in the room then because they realized we're personally accountable for this. And it's a pause. We've got to the point where we're, for example, we run these two-day bootcamp briefings for board level, you know, they're certified digital operations in itself.

Paul C Dwyer:

And the reason we do that piece is we understand that there's a challenge in getting the time to maybe do courseware and work your way through and so on. So we round them up and get them in a room with their group and we say, okay guys, 8:00 in the morning start, 3:00 finish. We're doing nothing but this. UK Operational Resilience framework, NIS2, DORA, throw the stones at us, let's get through this and let's understand what we're meant to do legally, what the law says, as opposed to, you know, what is good advice from a good advisor or something that could be subjective. How do we actually get through this stuff?

Paul C Dwyer:

You can't leave it grey with a board. It has to be black and white. You've got to hammer it, hammer it and say, the law says you need to do this and you're personally accountable. It literally needs to be distilled down to that level. Something like a directive, like NIS2, too.

Paul C Dwyer:

I can understand busy, arrogant business leaders maybe just go, yeah, we'll see. And their experience has taught them that that's going to take a little while before they feel the bite of something like that. But with DORA, it's a different attitude, you know, validation assessments are already taking place. You know, the ESAs are well lined up, the competent authorities are well lined up. And the knee-jerk reaction I'm seeing anyway is when INEDs, executive directors and so on are all going, hang on a second, I'm on the hook for this stuff.

Dejan Kosutic:

Yeah. And do you find these kind of workshops with the senior management enough or is there anything else that needs to be done to kind of make this shift?

Paul C Dwyer:

So I think that the shift piece is there's a realization, to my point about skin in the game, that they've dedicated two days of their life maybe to go into a workshop like that. So they're focused. They're walking away then with the ongoing ability to engage with not just a peer group or a vendor who, obviously, we've got skin in the game, we're trying to sell more services, more education, all those kinds of things. But they have that ongoing support piece and they need to realize that it's their show to run and who they choose to help them, it's up to them.

Paul C Dwyer:

But if you empower leaders properly, that's it. They buy, you don't sell to them. Even an idea, never mind a service. They get it. They're successful.

Paul C Dwyer:

They're at the top of their game. They're leaders of maybe a financial organization. So what they're looking for is the continuity of knowledge, the continuity of care, the continuity of somebody with their finger on the pulse, being able to be their guide and their go to person on something, you know, very much akin to even a personal trainer in a gym. They just want to know that they have a go to person on a specific subject. Their mindset is I have an expert on that. That's why they're successful.

Dejan Kosutic:

Okay, great. Okay, in most cases, these larger companies have already some kind of enterprise risk management and they manage financial risk, currency risk, market risk, all of these kinds of risks. Now, how to actually integrate cyber risk into this enterprise risk management? From your point of view, what kind of techniques are needed to actually integrate all of these?

Paul C Dwyer:

So with large organizations, it's primarily going to be run from the out. So whatever they're doing, you're not going to reinvent it for them. So what we tend to do is have a harmonization approach where we will explain what the terminology and the definitions are within something like DORA, for example, would come up and pretty well aware of the definition of resilience in DORA, the four AA four page of what they see as being legalese at all statement. And then turning that organisation, they may have a different term. So we need to make sure terms like significant, terms like critical, really key piece, how do you grade things, all of those things.

Paul C Dwyer:

So the commonality of the language, the commonality of the understanding of the piece, the rest of it follows through then, because if that side of the house understands that this regulation, these systems, and they can do it in this way, it's again that collective effort of working holistically where the teams internally integrate and they work out how they're going to do this. It is on a case by case basis, but the principles are exactly the same. You can't walk into an organization with a mature system that they've invested billions and millions and years and years of work in and then tell them, oh no, no, that's all rubbish. It has to be done this way for DORA. It's often a nexus of mapping as well, you know, and even, for example, when we're working with organizations, if they haven't an established framework in place, we'll often say, well, okay, use the NIST CSF 2.0 framework.

Paul C Dwyer:

Now let's map that out. Let's map that to DORA. Let's map that to the UK operations, you know, so you're not operating then in silos and all those kinds of things. The same with enterprise risk management. If you've got the terminology, how does that relate? And where does that fit into DORA as well?

Dejan Kosutic:

And I've seen some financial institutions that actually place cybersecurity functions within, let's say, bigger part of the organization which is focused on risks. So let's say that they have a risk, I don't know, business unit that handles all kinds of risks, then they put cyber under that risk, let's say business unit. So do you think it's a good practice actually to have cyber under a general risk business unit or?

Paul C Dwyer:

That's a tricky one. I think what we've seen recently, certainly I've come across recently, findings from auditors and competent authorities where they're not happy where cyber is sitting in organisations. And I think to say point blank it should sit under risk, nine times out of 10 that may be fine. But in certain environments that may not be fine. But certainly it shouldn't sit under the CIO.

Paul C Dwyer:

You know, that's... But yet the amount of organisations I walk into and say, where does cybersecurity sit? And let's say it's a legal firm. The legal firm doesn't really differentiate in their mind between IT and cybersecurity. And they go, we'll put cybersecurity under our throw geeks. We'll just put it all under the CAO because we only have to see one geek at the board, you know, sort of somebody else does that.

Paul C Dwyer:

But I think, you know, realistically it's a risk function. It's probably closest to sitting there. I find when I deal with CROs, they get it faster than anybody else. CIOs aren't as fast in my experience at understanding what we're talking about, because they're delivering services, they're delivering innovation. And for them, it's keeping a system on, the pain of regulation, the pedestrian level of writing policies and procedures and tying up resources and budgeting that; they just don't see the benefit in most cases until they need them.

Dejan Kosutic:

It's keeping them down, yeah.

Paul C Dwyer:

I mean, even if you go to a CIO with the question about level four evidence, they're looking at you like it's the first time they've ever heard the term. It is fundamental for any of these regulations, you know, where's your evidence that you do what you say you do? And often the fines come from not being cyber resilient, not being digitally resilient, not being able to prove you are. And I think that's on a board level, to revert back to what we spoke about earlier. On a board level, although many people say that I'm going through details sometimes when I'm talking to the board at these levels, I do take the opportunity to explain to them the difference between a policy, a process and a procedure and what level four is.

Paul C Dwyer:

Go to the document pyramid so you understand this stuff a little bit. I said, just get your hands dirty a little bit on this and understand, because you may have a false sense of security that everything is fine because, you know, they got some documents and, you know, they created some policies and something that gave them that comfort that everything is fine. But, you know, I know it's about running and operating a management system around those things, making sure they are being operated, that they are producing the evidence. I use mundane examples, Dejan, where I'll say to them, if it's a small company, I'll say, you know, they have a server room, say, who has access to the server room? With great, you know, pride, they'll tell me, oh, you can't go into the server room unless you sign into the log.

Paul C Dwyer:

I go, okay, well, show me the last time somebody signed in. And you find out nobody signed in for two weeks. They go, well, you have no evidence. And then, you told me your board was trained. Where are the training records?

Paul C Dwyer:

Oh, we don't have those training records. So you don't have the evidence that these things are done. Okay, well, when's the last time you patched your system? Oh, we patch them every time.

Paul C Dwyer:

Every month we do patching. Okay. Show me the change management records. It all happened. Yeah.

Dejan Kosutic:

Yep. Okay. One of the biggest challenges now is really supply chain risks, right? And actually, this is a whole chapter within DORA. One of the main four chapters is about supply chain.

Dejan Kosutic:

And I mean, this risk is obviously bigger and bigger, more companies are dependent on each other. So how to actually grasp, how to actually tackle this problem? Because it's obviously not only security that is involved here, it's also the purchasing department, it's also, I don't know, the IT department, obviously. So what role actually do the boards need to have when it comes to supply chain security and resilience to make this right?

Paul C Dwyer:

Okay. This is good because this is about meaningful metrics. Okay. So I personally, it's kind of a bug of mine on the supply chain piece, because there's so many bullshit systems out there being sold that say they will assess a vendor and give you a score. And they're just algorithms with dashboards and stuff like this.

Paul C Dwyer:

And yeah, we could talk through what they actually do, but do they have anything meaningful to that organisation, in the context of the organisation, everything else like that? Is it really there? Is it not there? So when you think of how this works traditionally in an organisation, I will bring this up at board level and walk through an example, which will be somebody, let's say at a senior management level, wants an application or a piece of software technology installed. They go, okay, that's great.

Paul C Dwyer:

We have a procurement process. And part of that procurement process is they're going to send out a spreadsheet of questions to the vendor, and the vendor knows to get the sale they have to answer pretty much everything. They'll answer things, but there'll be open subjective questions. They're not going to be declarative statements. They're going to be an infestation.

Paul C Dwyer:

It's going to be, do you have anti-malware? Do you take backups? It's going to be, it's not of any real value to discuss. And then when it comes back in, who evaluates that spreadsheet? It gets sent down to not the highest level of the IT department, but somebody maybe in the IT department that just goes, is that okay?

Paul C Dwyer:

So someone in procurement will then say, is this okay? You're the IT geek. Can you tell me, can you bless this and tell me it's okay for us to order this system? Are they going to push back and say that the senior manager can't have the new toy they want? No.

Paul C Dwyer:

So they just go for an easy life. Yes, that's okay. That goes in. Five years, ten years later, that system is now being used by 100 people or 100 employees in the organization. It's helped in the organization and is a key piece.

Paul C Dwyer:

So there's a massive failure piece on that. So there's an opportunity here for organizations to take a fresh look at all of this and say, how are we doing this? It's not good. It's not good enough. Procurement is now a regulated function under DORA.

Paul C Dwyer:

So whoever's head of procurement is responsible for everything that goes on there, and they need to trust the metrics. So when I say meaningful metrics, if the people in procurement don't know how that metric came about, then it's rubbish. They need to understand the scoring, how it came about, and is it something they trust? Because nobody's going to be 100% perfect.

Paul C Dwyer:

You know, they're going to need to trust what those findings are and say, well, look, this is a supplier that we're working with and we see that they're not great, maybe, around security awareness training in their organisation, but we still want to deal with them. But we're going to give them three months or six months to get their act together and to improve their posture, because we don't just want to leave them and fight, you know, and not terrorists. So those kinds of collaboration pieces are really, really important. I also think this brings about an amazing opportunity for smaller companies and mid-sized companies, although they have less budget and sometimes fewer resources. They tend to take this a lot more seriously and they can demonstrate a stronger case than the bigger companies.

Paul C Dwyer:

The bigger companies might be able to just smash the door down and go, yeah, we've got this, that and the other. But it just doesn't need to be like that. And they will be caught in a different net with the ESAs anyway. But so I think there's an opportunity here for those smaller companies to thrive if they get in front of this, going back to my terminology in reference to trust, if they can sell trust to their client base and say, you can come and deal with us because we are DORA compliant and we do this, we understand it, we can report on it and we can even make your regulatory reporting easier because we're going to be able to find everything for you. That's a great opportunity for businesses to make themselves stronger and to win more business as well.

Paul C Dwyer:

So yeah, I think the whole pillar on that within DORA itself, it's not perfect, but it's a lot. It's a good guideline for people to work their way through. And again, because it's a regulated function, it's integrated with everything else within DORA holistically. It's something that can certainly be... I struggle to think of any organisation I've come across that couldn't improve in this area. Again, as I said when I started that conversation off, I think it's because it's a pain.

Paul C Dwyer:

It's just a lot of processes involved. There's a lot of different moving parts. And if someone comes along and goes, Hey, buy this tool over here. And all you do is type in the company name and press the button and we'll give you a score. Magic beans.

Paul C Dwyer:

Anybody want to buy some magic beans?

Dejan Kosutic:

Yeah. And there is actually a very good regulatory technical standard related to DORA, which actually explains the details on how to handle suppliers. It's also a very good, I would say, guidance on how to do it. Okay, so to wrap up the call today, what would be your main, let's say, suggestions to CISOs on how to deal with boards when it comes to cybersecurity or resilience?

Paul C Dwyer:

I think there's probably a couple of different things I could say here, Dejan, but I would say that step one, if we were talking to CISOs on this call, at that level, and they want to communicate with the board, I would say first, step one, do some navel gazing and self-reflection. What's your communication style and ability like? Are you going in there and impressing them with acronyms and all these kinds of things? Or do you really know the business? Know the business, know your audience even more than your own subject matter.

Paul C Dwyer:

You have your subject matter, you know what you're trying to say, and you have the subject matter of, you know, being a CISO within an organization, where the risks are, where the pain points are, all those things, but you have to know your audience and you have to know how best to communicate with them. It even goes back... I mean, I remember this in the early days of my career when I started to go into boards, you're intimidated by the environment, you're intimidated by the level of people and so on like that. And it's set up like that on purpose, let's be honest. And so I went, okay, where do these guys buy their suits?

Paul C Dwyer:

Because I thought it was a nice suit. And then I found out the very best tailor in Europe happened to be in Ireland, and all of these guys went to this particular tailor. So I started going, buying all these fancy suits and stuff like that. So when I walked in, I go, yeah, I'm your peer. I'm at your level.

Paul C Dwyer:

Right? Let's have the conversation. I cannot tell you the difference in the reception you get than if you walk in in, say, polo shirts, t-shirts, or, now it's a little bit different since COVID. They don't expect a tie. Okay.

Paul C Dwyer:

All right. That's great. But that's their ilk. That's their culture. That's what they've come from.

Paul C Dwyer:

That's what they expect to see. Now, if I was dealing with a company in California and I turned up in a suit, or if I was in Dubai, I'm gonna be laughed out of it. So you just need to know your audience and where you're going, try and relate to them as much as possible. Empathy, relating to them. You already have the knowledge.

Paul C Dwyer:

You need to relate to your audience and understand the background of these people, where they're coming from. Trust the process. Convey the information. Do the best job you can do. Your job is to empower them, share knowledge with them and help them make decisions.

Paul C Dwyer:

And then during that navel gazing, if you realize you're not the best communicator with writing skills, you're not the best communicator in a room, then work on that. You know, people find it hard to believe, but I was once very shy and was not great at public speaking and all those good things, and now I'm around the world public speaking and things like that, because I focused on the weak muscle. I focused on where I needed to improve upon it as much as possible. I was in the server room being a genius that knew networks, no, I was going, I need to tell these people what they need to do.

Paul C Dwyer:

Then I found the voice through the confidence of being able to do that. And so that would be my killer tip for CISOs. They have the knowledge of being a CISO in cybersecurity and the different standards and regulations and all that, I'm sure. It's more that the human communication element is a piece that's missing. The last point of that is, it's a particular issue and challenge around leadership at the moment, which ends the, in the workplace, and now they're finding in these large organisations that there's no leaders.

Paul C Dwyer:

You're a CISO, you're a leader. You know, so where are your leadership skills coming from? Are you a natural leader, or is this something you have to work on, you know, do you have natural charisma or, you know, and all those kinds of things. These are things that can be, I won't say faked, but they're to be improved upon. They can improve the skills.

Paul C Dwyer:

But it's definitely something that's been noticed in the market. It's not necessarily subject matter. It's a challenge for you to learn. It's being able to harness people. What kind of individual can walk into a room, have a lawyer, head of procurement, CEO, maybe CIO, all in the room, all listen to you, all agree with you, or at least be a politician to be able to get them to agree to the next step. Communication skills.

Dejan Kosutic:

Okay, great. Thank you. These are really great insights, and it's been a pleasure talking to you.

Paul C Dwyer:

Been a real pleasure, thank you so much, really enjoyed it.

Dejan Kosutic:

Thanks again, Paul, and thank you everyone for listening or watching this podcast, and see you again in two weeks' time in our new episode of Secure and Simple podcast.

Dejan Kosutic:

Thanks for making it this far in today's episode of Secure and Simple podcast. Here's some useful info for consultants and other professionals who do cybersecurity governance and compliance for a living. On the Advisor website you can check out various tools that can help your business. For example, Conformio software enables you to streamline and scale ISO 27001 implementation and maintenance for your clients.

Dejan Kosutic:

White label documentation toolkits for NIS2, DORA, ISO 27001 and other ISO standards enable you to create all the required documents for your clients. Accredited Lead Auditor and Lead Implementer courses for various standards and frameworks enable you to show your expertise to potential clients. And the learning management system called Company Training Academy, with numerous videos for NIS2, DORA, ISO 27001 and other frameworks, enables you to organize training and awareness programs for your clients' workforce. Check out the links in the description below for more information. If you like this podcast, please give it a thumbs up, it helps us with better ranking, and I would also appreciate it if you share it with your colleagues.

Dejan Kosutic:

That's it for today, stay safe!
