The changing roles of cybersecurity practitioners and the use of cybersecurity frameworks provide risk management and cybersecurity professionals the ability to manage their cyber and compliance risks more effectively.
Serial entrepreneur and cybersecurity and risk management pioneer Taiye Lambo has worn a lot of different hats over the course of his career. He has led cybersecurity at the Federal Reserve Bank of Atlanta, the City of Atlanta, and Harland Clarke, among others. He founded or co-founded organizations such as eFortresses (a Gartner Cool Vendor), CloudeAssurance, and the Holistic Information Security Practitioner Institute (HISPI). In this Kitecast episode, Lambo discusses a range of topics related to cybersecurity and risk management. He argues that cybersecurity frameworks like NIST CSF, ISO 27001, and SOC 2 empower organizations to measure their risk and institute technologies and processes to manage that risk. He also gives an overview of the HISPI Certification Program and how cybersecurity and risk management professionals can get certified.
Patrick Spencer 0:24
Everybody, welcome back to another Kitecast episode. We’re really excited to have you on today’s episode. We have a fabulous guest, and you’re going to find this conversation very useful. It’s going to be information that talks at a strategic level but also a tactical level in terms of how do you implement risk management, governance, risk, and compliance within your organization. Before we do.
Hey, Tim, how are you doing today?
Tim Freestone 0:49
Good Patrick, do you have a trivia question for me today? Are we going to skip through that again?
Patrick Spencer 0:54
I should have come up with one something about music. I don’t know. We have with us Taiye Lambo, who is the founder and head of HISPI. I’ll let him introduce what the organization does. We have some questions for him around HISPI. Because not everyone in our audience may be familiar with HISPI. But he does a boatload of other things. And we’ll talk about some of those as well. He’s the founder, he’s the CTO and he’s the president of several different organizations. Taiye, when do you sleep?
Taiye Lambo 1:23
Wow. When I’m tired.
Patrick Spencer 1:27
You find time to sleep with all the things you do.
Taiye Lambo 1:29
Yeah, only when I’m tired. I always consider sleep a luxury until I realized that they say the older you get, the less sleep you need. I don’t really believe that; I think I actually need more sleep as I get older. But I do find time to sleep when I’m tired.
Patrick Spencer 1:47
A good starting point, I think, for both Tim and myself as well as our audience is for you to talk a bit about HISPI. You guys have been around as a nonprofit for, I think, over a decade now. You know, what precipitated the founding of the organization? What does your charter look like? What are you guys? How do you serve the cybersecurity community?
Taiye Lambo 2:06
Thank you so much, Patrick. And thank you, Tim, for having me. HISPI has been around, like you said, for over a decade. Who’s counting, but it’s been about 17 years? Well, I’d say almost 18 years since the program started. It initially started as a training program. And quite frankly, I already had all the certifications, you know, the acronyms, typically three- to five-letter acronyms. I just still, I kept singing the song, I still haven’t found what I’m looking for. Right. So I saw the need to fill the gap from an educational standpoint, and I’ll shed a little bit more light on what that gap was as we progress. But I really saw the need to create educational content, like a foundational training that teaches more the fundamentals of cybersecurity leadership, without getting into the technical weeds. And I felt like the other programs pretty much didn’t fill that gap. So in 2005, which would be, I think, 18 years in March, we launched the training program, and it was actually hosted by Georgia Tech in Atlanta, Georgia. I’m based out of Atlanta. And pretty much three years into my journey as an immigrant to the US, relocating from London to Atlanta, Georgia, we founded the program. And you said that, you know, they always say build it, and they will come. And they try and tell you that doesn’t happen. It did happen in our case. We built the training. First class, we had like 30-something people. We actually ended up having two instructors because it was too much for one; it was too many people for one instructor. And so we founded the training program in March 2005, again, three years after moving to Atlanta from London, and we had, say, 15, maybe, Fortune 500 companies send their employees to the class, and it was all word of mouth and referrals. And then within a year or two, one of our early adopters, Microsoft in North America, kind of pushed us in a good way to create a certification because they saw so much value in the training. 
And they also needed a way to validate the knowledge transfer, even though they really saw the value in the curriculum itself. But they wanted a way to prove that, you know, their money was very well spent. So they actually created the first test pool of the training. So the name is holistic Africa, as you can see from, you know, the backdrop behind me, Holistic Information Security Practitioner. And one of the needs I saw was everybody said, we always said holistic security, but then the conversation turns into firewalls and intrusion detection systems and honeypots, which is my background. You know, I’m an engineer by training, electrical engineer. But it’s like holistic can’t just be about technology. And then we keep saying security is about people, process, technology, but we kind of ignore the people side. And we ignore the process side. And we’re like, oh, let’s do this technology, because it’s more fun, it’s more, you know, we used the word back then, more sexy, right? So I saw the industry’s really, there was a need to focus more on the people and process, you know, I always call it the capital P, capital P, people, for capital P, capital P, process, and a little bit less about technology. So this training program really started defining what holistic security actually means, but also breaking down the silos between cybersecurity practitioners, you know, CISOs. CISO roles were fairly few and far between at the time; there were probably less than 100 CISOs worldwide that actually had the official title. 
Now, we obviously have thousands, maybe tens of thousands, or maybe even 100,000-plus worldwide, but the whole idea was to educate not only the practitioners, but also kind of help them understand the auditors. You know, the auditors’ playbook was typically COBIT, and maybe a little bit of ITIL, and COSO, you know, all these different frameworks, and security practitioners were mostly focused on ISO, NIST, right, some of the regulations like HIPAA, Sarbanes-Oxley (SOX). So the whole idea was to bring everybody together and kind of help everybody harmonize all the different efforts, you know, whether you’re a CISO or a Chief Auditor, you know, for a company, or chief risk officer, just kind of bringing everybody together to not only appreciate all the, define what I call playbooks that we all use, which is basically the frameworks, but understand the perspective of each framework, and being able to harmonize our different efforts under one umbrella. So it was three things we set out to achieve: it was kind of breaking down the compliance silos, breaking down the professional silos, you know, for practitioners, you know, security practitioners, auditors, you know, leadership, but the third one was also aligning any cybersecurity program with the business, right. So I would say we probably achieved all that within that first 10 years, you know, with membership, you know, membership being, you know, security leaders that work for, you know, I’d say six to 10 of the Fortune 500. So once we got to that stage, where we actually were able to provide what I call the method to the compliance madness, we then decided, okay, there’s another gap we see. And in the past five years, we’ve been really trying to fill that gap, which is the lack of diversity in our industry. And it’s just not diversity from a racial standpoint. You know, obviously, that’s there as well. But it’s mostly diversity from what I call a school of thoughts.
Patrick Spencer 8:14
Taiye, that’s really interesting. So you guys, the last few years, have been focusing on issues around diversity, and it’s just not racial diversity. But it’s much broader than that. Can you talk a bit about what you’ve been doing in that arena?
Taiye Lambo 8:29
Thank you. So it’s, it’s like, I grew up in cybersecurity because I grew up as an engineer, right. So 20 years ago, when I had more hair, right, I almost had an afro back then. Another one of my head jokes. I was very technical. I mean, Patrick, I literally carried a screwdriver, even in my suitcase. Remember the days of the briefcase, when we had briefcases, we carried briefcases to the office? Those days are gone. Now it’s backpacks, right? And who knows whatever else. I literally would carry like a screwdriver. It was one of those screwdrivers with different, I call them bits, maybe they still call them bits, where, you know, you asked me to open anything, I already had the right, you know, style, or flat, you know, flathead I think it’s called, all in my briefcase. My suitcase and my briefcase. Sorry, I keep saying suitcase. Those days are gone. You know, where as a cybersecurity leader, you’re a techie, now it’s about knowing the business, right, aligning what you’re doing with the business. And I think that’s been the challenge I’ve seen in our industry. A lot of us come from very technical backgrounds like me, but that means we’re really good on the technology side and maybe we’re good on the process side. You know, if we’re, you know, no retentive, like me, we may be very good process-wise, but where we fall short is the people. And when I say the people, we keep blaming our users, oh, these users don’t get it. We don’t use phrases like that, don’t use that, right, just because they’re not as educated as we are in cybersecurity or as informed. Right. But a lot of that stems from, quite frankly, just arrogance, because we think we know, and they don’t. But I bet if you ask the CFO about balance sheets, you know, P&L, cash flow statement, they can probably lecture you for a whole week on what that actually means. 
Just like I can about state inspection and APT and zero day, you know, what’s the other one, zero trust, and all these phrases that we come up with? Right? So it’s all about, okay, how do we take people from any background, any background, because the bad actors come from any background, they come across every type of nationality, any type of race, color, gender, any type of people, but they also have diverse backgrounds. They’re not all engineers like me. They’re not all CISSP and HISPI and CISM. Quite frankly, they don’t care about getting certifications, right. They’re just motivated by either, it’s, you know, fame, or fortune, you know, a mixture, you know, all the things, but something motivates them. In some cases, if they’re nation state, they’re motivated by the loyalty or their patriotism, you know, to the nations they’re representing. So on our side, which I consider the good side, we have to be as resourceful as they are, but we also have to be as diverse as they are. And I think that’s the challenge we’ve had in our industry. And I’ll be the first to admit it, we were all techies, you know, back in the day, right. And we knew less about the business. And we were, you know, a lot of cybersecurity leaders have grown, and in some cases, they’ve been pushed into leadership roles. Right? We went from the IT guys, if you’ve seen the UK episode, the IT guy, right? You know, we lived in the basement, right? Nobody wants to see us, right? I mean, that we
Patrick Spencer 12:17
reported to the CIO. So they needed to present to the CIO, is that right, on what was going on on the security front? Yeah. Now, they’re not only reporting to the CEO and the CFO, the COO, they’re reporting to the board of directors as well, right. So they need new skill sets. And I assume that’s one of the reasons for the founding of your organization, to help them up-level those skill sets so they can handle those tasks?
Taiye Lambo 12:41
Absolutely. But some of those skill sets come naturally for some people, like the soft skills, right? I’m an introvert by nature. But I’m a learned extrovert, because I found the topic I’m really excited about. But if you asked me to talk about, I don’t know, genealogy, right? I’d be like, what, like, I would just fall asleep, you know, like, within the first five minutes if we’re talking about it, because that’s just not something I’m passionate about, right. Having said that, I feel like as an industry, you know, a lot of security leaders have technical backgrounds, they’re passionate about the technology side, but they may be missing something in other areas. And I think that’s why them having diverse teams can really help them bring perspective. You know, some of the best CISOs I know have history, you know, they studied history in college; some of them studied Spanish, you know, they’re not engineers like me. So just having those types of people on your team, if you don’t have that kind of non-technical background, is extremely helpful, because they’re going to bring a fresh perspective. Because I always say, just because I’ve been doing something for 20 years doesn’t make me good at it. Well, doesn’t make me an expert. It just means I’m good at doing it; it doesn’t mean I’m good at doing it the right way, because I’ve been doing it for 20 years, right? So if somebody is on my team that says, hey, we need to take a different approach to our, let’s just take security awareness training. I think this is boring. This is cut and dry. And we need to make it more fun. I need to be open to that. You know, it doesn’t matter whether they have a technical background, or they have, you know, an art background. I need to just hear them out because they may bring some fresh perspective that, because I’ve been doing this stuff for 25 years or so, I may not even see. Then maybe I’m like, wow, that is a really good point. 
Like we’ve been doing it one way and maybe it’s just not quite working the way we expect it to work. So I know that it’s a breath of fresh air because suddenly now something that could be a blocker, could be a roadblock, they’ve managed to help us overcome that roadblock. As far as training, I use it as making them aware. So that’s why I’m very big on that. Because on the other side, the folks we’re up against, they have everything. And we don’t.
Tim Freestone 15:11
Yeah. Taiye, I have a question for you on that. Are we winning? Oh, gosh, are we winning? No, no, are we on the path to win? I ask the question because I wonder to what degree, when you decided I still haven’t found what I was looking for, was part of that, and it’s totally deflating, because I don’t see how we can come out ahead. You know, was there any bit of that thread in there?
Taiye Lambo 15:36
It was, it was. I mean, things were bad 17, 18 years ago; things are really worse now. Like we didn’t have, maybe we had ransomware, but it was, it was just very, it wasn’t as good. It wasn’t like, ransomware has become a whole new, like, I don’t even know how big the market is. But I’m sure it’s tens of billions of dollars. It’s like an economy.
Tim Freestone 16:05
Right? Yeah, totally. Absolutely. Right. We didn’t have
Patrick Spencer 16:09
servers, right? You go buy the service; you don’t even need to develop the threat and malware yourself.
Taiye Lambo 16:14
Yes, yes. So, to answer your question, Tim, I would say we’re not just losing, we’re losing. We’re so far behind.
Tim Freestone 16:25
So what’s the angle? What’s the angle? Throw it all out? Start over, do what the hackers do?
Taiye Lambo 16:30
No, no, no. I think we need to find a way to make… And this is probably going to be sound crazy. And I always say
Tim Freestone 16:39
You have to be crazy in this scenario to have an answer. That’s actually even a, go, go for it. Basically, it’s
Taiye Lambo 16:45
It’s got to be very radical. So I’ve even applied that for, okay, we have 3 million unfilled jobs worldwide in cybersecurity, 3.5 million by 2025. I mean, there are cybersecurity roles that don’t really require, I’ll go out on a limb and say probably don’t even require, like, being in an office, where it’s mostly research and just doing, like, mundane things. A lot of those jobs can be, you don’t have to be an expert to do a lot of those jobs, especially when it comes to process-related things. You’re basically just following processes and making sure people follow processes. I’ve even gone as far as saying, for us to fill these jobs, especially in the US, how about we actually just reach out to folks that maybe have served time? Because those guys, some of those guys really know, like, ways around things, you know, depending on what they were convicted for. Their company would probably want to make sure that they’ve actually changed.
Taiye Lambo 17:18
You need, you need bodies, is what, but your bodies have to have a certain skill set, right?
Taiye Lambo 18:00
Absolutely. But we need to find unconventional ways to hire those bodies. It’s not going to be, like, entry level with CISSP. No, I’m not picking on CISSP. I’m a CISSP. But with five years’ experience, that’s not an entry-level job. Right? When I had five years, I was already an expert, right? We just need to find very unconventional ways, obviously still legal, still within the parameters, you know, from an HR standpoint, to hire people that, if they’re hungry enough, and they have the right work ethic, and they’re willing to learn, I think we need to find those ways, maybe apprenticeships, right, maybe internships, to bring people into the industry that not only can help fill the gap, but can also bring something unique.
Tim Freestone 18:53
One of the biggest things is resources; we’re just so far behind in resources that that’s the first thing that has to be solved.
Patrick Spencer 19:00
It was like 2 million a few years ago, then it’s 2.5, 3.0. It’s going to be 3.5 in terms of the shortage. It seems we talk about it, but we’re not solving the problem.
Tim Freestone 19:12
Alright, so how about this: you used the word people, and I’m going to get on my soapbox a little bit here with AI. But you know, for years we talked about AI and it really kind of never, it was actually more of a marketing phrase, as far as I can tell, in cybersecurity. Like, if any tool had any ability to process anything, it was AI, right. I’m not sure if you’re familiar with, you know, just recently the OpenAI project, and they released something called ChatGPT. And they’ve actually gotten AI to a point where it genuinely can think and act like a human, and I feel like we’re three, four or five years out from where you can stand the AI up in place of humans, in certain scenarios, where they’re going to be able to do, let’s just say do, do, not physical things, but processing things better than humans. So do you think there’s an angle there where you can close that gap with legitimately trained AI? You know, do you see that in the future?
Taiye Lambo 20:22
I do. But I feel like we need to approach it with caution. Because if I have to think like a bad actor, right, I mean, I actually got into cybersecurity, my first cybersecurity task was doing ethical hacking for a major phone company in Europe. That’s how I got into cybersecurity. So I know a thing or two about, you know, hacking, right, ethical hacking. The challenge with AI? Well, first of all, I know it’s a huge opportunity. Like, I’m leveraging AI. I have a platform I use as a virtual CISO that I built. And now we’re trying to automate assessments, right, document review. Like, I usually have a poor soul, you know, that is an entry-level person, combing through hundreds of pages’ worth of documents, and it takes them 20 hours to do an assessment. We’re leveraging AI to reduce that to two hours. And that to us will be the QA by a human. So I’m all for AI. The challenge I have is some things, like, so if I’m using AI for, let’s say, something that, you know, in the hospital, that has an impact on life, I think they say life and limb, you know, somebody can die or somebody could be injured, right? I’m going to have to do a bit more due diligence, because the bad actors are going to think about how to exploit AI to use it against us. They will, just like with any other technology. So my concern is, while there are opportunities to leverage AI, I also see, and I’m very good at kind of predicting these types of trends, I can see a situation where the bad actors are going to actually leverage it more than we do. And they’re going to start automating things like ransomware attacks, as well as, you know, the collection of money. Like, what’s to say that’s not even happening yet. But also, how do we make sure that the tools we’re using from a security standpoint couldn’t be used against us? That would be my concern. So I think there needs to be governance around it. You know, I’m not saying stop it. 
But there needs to be at least tollgates on how AI is being used to make sure that, first of all, it’s being used from an ethical standpoint, but also making sure that from a security standpoint, the risks are addressed, and not completely, completely eliminated, but at least reduced down to an acceptable level. That’s my concern. Like, if we do it without what I call guardrails and tollgates, I’m afraid it may end up being used against us as a security community. So that will be the only caution. The opportunity is huge. Like, there’s a lot of very manual things we do, very mundane, that if we can teach an AI engine how to do it, we can save a ton of time. And I’m just giving you the example of, you know, it used to take us 160 hours to do assessments for enterprises. For small and medium-sized businesses, my virtual CISO practice does that now in 20 hours using humans that are highly trained, highly skilled, and they pay attention to detail. But even that 20 hours for a small business translates to thousands of dollars, right? So for us to be able to reduce the cost to them, which is a huge barrier, we’ve got to figure out a way to automate those types of processes. So that’s why I see good use of AI. But if this was a mission-critical system that can impact lives and cause injury to lives, I would be a little bit less hesitant to use AI.
Patrick Spencer 24:11
There’s the transactional workflow element of AI, but there’s also the threat mitigation or the advanced threat identification or detection component. Do you see AI playing a bigger and bigger role in that arena?
Taiye Lambo 24:27
Absolutely. Absolutely. I mean, even with that, as long as there’s still a human element involved, right? So if you’re just purely relying on the AI without actually having somebody review the output of the AI, or at least the team, maybe a SOC, maybe it helps spot check just to make sure that there is no compromise, right, because if you can’t compromise the integrity of the output, the bad actors could make you see what they want you to see. Right, just like you’d love On the system, right? Exactly, right. Right, right. So as long as we still have humans, I don’t think AI would ever replace humans, because there’s just something about humans, maybe some intuition, like, I may have a gut feeling about something that I don’t know if a machine, because at the end of the day AI is software, hardware, algorithms, would be able to make those types of judgment calls. And so, yeah, I’m not against it. I mean, just like, you know, we were talking about cloud 12 years ago, and I was like, I’m going to be one of the first few CISOs to say, let’s move everything to the cloud. Even though it sounded scary at the time, because my thinking is, if the users are already doing it, and the business is, you know, the departments are doing it, you know, shadow IT, you might as well just get on the train. It’s left the station, so let’s just help them do it safely.
Tim Freestone 26:03
What do you think? So all that aside, what’s the, I mean, what is driving the success of hackers, the bad actors, versus the good actors? I just, I challenge the notion of people doing it as much as, is it a financial reward? Like, if someone with the skills looks this way and says, I can make this much money and validate myself, or I can go this way and make this much money, which is a lot less, and it’s a lot more work? You think that’s the ultimate driver? It’s
Patrick Spencer 26:36
Why are they turning to the dark side? Yeah, that’s a trick question. So
Taiye Lambo 26:41
All right, so you touched on, this is awesome, awesome questions. Tim, this is a really good question. And I hope I don’t end up spending too much time on this one. So I’ll give you the short version, like, attribution. So that’s actually one of my favorite topics. So I’m a perfect example of that. I mean, 42, for the one, for the two years ago, at the age of 10, I realized I had a knack for breaking and fixing things. It was actually more breaking than fixing, but anyway, looking at fixing, I liked to just pull things apart. And my parents, both my parents are retired professors; at the time, they were professors, very patient, you know, especially my dad. Mom was really concerned, like, what’s wrong with him, like, you know, there’s something wrong with him. Dad was like, don’t worry, he knows what he’s doing. So I liked tinkering. And at that time, I would build things just by, I see something, and I’ll build it, you know, like the next day, just by using it for a split second, you know, put together. At that time, we called them, like, transistor radios, and they called them hi-fi or something like that, though. Hi-fi. And I’d try and bring it back together. Same thing with Compute as any company dies. So any TV, I always liked to pick it apart. And nine out of 10 times I was able to put it back together. And that ultimately led me to say, okay, I want to become an engineer, and issues aeronautical engineer, and then I set up for electrical. I don’t have enough time to talk about how or why I went for electrical. But I knew I had a knack for this, just breaking things. Like, I was really good at pulling things apart. And ultimately, 10 years later, maybe it was less than 10 years, more than 10 years, I’d say about 14, 15 years, I got into cybersecurity. I think I was about, gosh, about 25, maybe 26 or 27, in my 20s. 
And if I look back over that, like from 10 years to like 21, those 11 years of what I consider my foundational years, I chose to use everything good, and any knowledge I acquired, for good. So it was a choice. But it wasn’t, you know, they always say, is it nature? Or is it nurture? Right? For me it was a mixture because I knew if I did anything bad, I’d bring shame on my family. Right? And I’d have to change my last name, right? So for me, just the fear of breaking my parents, it was the fear of my parents, especially my mom. But it was also a fear of breaking their heart, if that makes sense. Like I don’t want to let them down; they worked so hard. I mean, they’ve invested so much in me and my twin sister and my two younger sisters, my siblings, and I just don’t want to let them down. And that for the most part kept me on the straight and narrow, right. Now, I had friends who just didn’t have that, right, and they decided they wanted to do whatever they felt like doing. I couldn’t. The other thing is I just couldn’t easily get away with doing anything bad. You know, like, at some point my parents are going to find out. Sometimes they know, but they don’t, they don’t pretend like, they don’t know. I mean, like little things you do, I’d try and cross the line and you realize somebody’s actually going to tell them; we lived in an academic community. But all that culminated in me, when I left home at 21 and moved to the UK, I kind of carried the same mindset. So when I got into cybersecurity, you know, five years later, I already knew I was going to continue to be on the good side, right? There was just, you couldn’t pay me. Like I always said back then, if you paid me a million dollars, I wasn’t going to go, I just wasn’t going to compromise. Now it’s a billion dollars, because a million now is like, that was 2 billion now. So that stayed with me. 
And I say all that to say, I don’t know how people easily turn to, like, doing, I guess it’s a slippery slope, where they try one thing, they don’t get caught. Or maybe they get caught, they get slapped on the wrist. And they decide, wow, this is fun, this is exciting. Maybe it’s the rush they get from it. And then before they know it, they’re like, gosh, they’re, you know, part of a major ransomware. You know, I don’t know, I just don’t know how a lot of these stories started. But I also know everything starts with once you’ve made a decision, you want to, this is the path you want to follow. It really all boils down to your character, like, what are your values, right? If you have values that have been instilled in you, especially from, you know, being raised and the environment you’re raised in, if your values are strong, it’s going to be very hard to deviate. Having said that, there are people who have come from great families like me that still turned to crime. You know, I was talking to, oh, I was talking to a retired FBI agent, and he was telling me about one of the folks he was investigating. He eventually met this guy that he prosecuted for business email compromise. And he said, strangely, we became friends. And I’m like, you mean, like, Catch Me If You Can, you know, Frank Abagnale, isn’t it something like that? And I said, why? He goes, because this guy was actually a good guy. Like, you know, as soon as he told me his story about, he said, when we caught him, or when we finally nabbed him, his biggest regret was letting down his parents, it wasn’t going to jail. Right? His biggest concern, sorry, it wasn’t about him going to jail. It’s like, gosh, I’m going to let down my parents, because that’s just not how I was raised. 
And so I think that kind of helped him develop some sort of affinity, you know, to really see this guy as a human being and, you know, say they became friends, even though he was the one that kind of nabbed him.
Tim Freestone 33:11
Right? Well, and also, when you look at, I totally agree with the ethics dilemma. Most of the time you can boil it down to someone of bad character. But there’s also these instances, and I don’t know, I don’t have numbers on it, but we use the phrase nation state, which to me is sort of a characterization of grooming into the role, you know, where there’s validation. Thousands and thousands of people get groomed into an attack that’s validated by some sort of nation state, basically, that what we’re doing, even though judged on a moral plane could be judged as bad, is good, because we’re propping up our, you know, our need, our desire, and our desire trumps the desire of the targets, right. And I just, I never see that going away. I mean, obviously, it’s been since the beginning of time, us versus them, right.
Taiye Lambo 34:17
Absolutely. And then way we think nation states, we have to think about, if, if I worked for a three letter agency, and I was attacking, I’ll just pick a country, you know, maybe an Eastern European country that you know, invaded another country right next to them. Right. Right. Right. So if I was working for three letter agency in the United States attacking them, so damn, that’s a nation state attack, right. So we have to think about it from I actually have a very different perspective about nation state. I think it’s just a way of putting them in a category because I think even friendlies or friendly nations hack each other. right all the time. Right? I think we rise to this to like nation state is when the intent like what is the intent? Is the intent just like intelligence in general? Or is it something more like sinister like we want to destroy that country? Right and destroy the economy. So when I worked for the city of Atlanta, two years, almost two years after I left, they were hit by ransomware. I was there first see, so, and within nine months, I actually was like, six, seven months, it was attribute that to two Iranians. They were part of the SamSam ransomware group. That’s really I don’t know if that’s a nation state. Yeah. Obviously, Iran is a sworn enemy of the US, right. I mean, they’ve made that list the government. But it could just be individuals that are patriotic, right. So they may be thinking they were doing their country. And this is not to justify, you know, I’m not in no way. I’m not in any way. Justifying criminality. criminality is criminality. Right. What they did was bad, and it was wrong. But in their mind, maybe that’s how they kind of rationalized what they were doing. Like, we’re going to shut down the city. And we’re going to demand money. But we’re still helping that country. Maybe that’s the deal. Exactly. So nation state is my corrections. Exec. Exactly, exactly. 
I think the ones that most enterprises need to be concerned about are just the ones that do it purely for money. If money is the motivation, they’re going to go to any extent to be successful, right? Because they know they’re going to get paid for doing what they do. And to your point, Patrick, there’s ransomware as a service now, it’s become so much easier. You know, 20 years ago, you needed the technical skills to be able to, you know, even scan a system. Right now, everything, especially on the dark web, is a service. Right? So I think those are the ones, you know, especially enterprises need to be worried about. These folks are motivated by money; they used to be motivated by fame, so they can brag. Back in the 90s, it was 2600.org. Please don’t go to that website, I don’t know who owns it now. But 2600.org was a website where, if your website was defaced, they put a mirror image of that defacement on their site. And that’s basically how companies found out they’d been hacked. But it was mostly hacktivists. So folks who would hack, maybe they hack into a US government website, and they post the Chinese flag or Islamic, it wasn’t Islamic State back then, or, you know, it could be Free Palestine, you know, some political message they’re trying to get out. And that’s why they had sites back then. Now, it’s like, they hack, they wait, they move around, they steal data, they lock the data, and then they say, pay us. I mean, it’s a completely different motivation. Back then, they hacked the site, they put the message out, they moved on to the next target. So it’s a very, very different motivation now, because it’s so much more profitable now. And it’s so much, much easier, in my opinion, than it used to be.
Patrick Spencer 38:38
So in light of that, you used to be able to measure risk in a more simplistic way than we do today. You need a different model, and I assume that’s part of the training that you deliver. You know, you’ve been an on-site CISO at a number of different places like you’ve mentioned, and you’ve been a virtual CISO in some roles as well. How do you go about measuring risk in light of the fact that the landscape is dynamic, it’s constantly changing, it’s constantly becoming more complex, more sophisticated, in the ways in which they’re identifying vulnerabilities, developing malware, and then actually instigating attacks?
Taiye Lambo 39:20
You know, the funny thing is, even without the sophistication, even without the advancement on the other side, the dark side, the bad side, the fundamentals still remain the same. Lock your doors, close your windows. So as a CISO, and even as a virtual CISO, within my first 100 days, I’ve said 30 to 100 days, there’s one thing I want to know: where are my gaps? But it’s mostly about control gaps, right? So I think any framework, NIST Cybersecurity Framework, ISO 27000 and then 27001, 27002, CMMC, which is obviously the one the DoD is pushing out, do a baseline assessment, gap assessment, gap analysis, you know, maturity assessment. Where are they on the journey? You know, they’re trying to go from point A, B, C, D, E, from a maturity standpoint, say one to five. Where are they in that journey? Are they at point one, you know, which is maturity level one, which is very, you know, not proactive, very ad hoc? I think ad hoc is the word, you know, they react, everything’s done in an ad hoc fashion. Where are they in that journey? So there’s my presentation, probably, and so forth. Right, exactly. So just roadmap it: where they are, where they need to be, what is the timeline. You’d be amazed that when you have taken that kind of methodical approach, many things are now going to be, it’s going to be hard for you to be surprised. Like, if there’s a breach, you already know where that weakness is. I mean, you can say, yeah, I wish I had a bit more time to get to that, to implement the same thing, you know, to implement zero trust, but you at least know where your gaps are. What are the open windows? What are the open doors within the environment? Honestly, I hate to oversimplify it. But it really is that simple. Most companies would say, oh, let’s go buy a bunch of technology.
Let’s go buy a bunch of products, because the salespeople told us this product is going to solve every single problem that we have. Right? Now, you know, I always liken this to, I’m not a DIY guy. But yeah, I change the light bulb every now and then. But if you asked me to cut the lawn, I’m just not the guy for it, because I’m probably going to end up injuring myself in the process, because that’s just not my expertise. But if my wife says, okay, you need to cut the lawn, you know, she insists, she’s very patient with me, so she’s never done that, you know, the grass is tall. And I just go to a store, you know, maybe a home department store, like the one headquartered in Atlanta. And I go buy the latest and the greatest lawn mower, maybe it’s a smart lawn mower as well. And I bring it home, and it’s still in the box, and I leave it in the garage, and I go, hey, honey, I fixed the problem. She looks out the window, the grass is still tall, she’s probably going to call me an idiot, and rightly so. And a lot of times we do that in the security industry. We buy the technology, we haven’t even unboxed the technology, right? Even if we can use that technology, it’s still sitting in the garage. And the grass is still tall. And we’re like, oh, yeah, and then we brag. It’s just amazing when I run across my colleagues in the industry bragging about, oh, we just bought X and we just bought Y. And I feel like saying, okay, so you bought it? What are you actually doing with it? Like, how is it? What do your metrics say, like, has that helped you to move the needle? Have your metrics improved because of that product you just bought? Maybe the example I gave is an extreme example, you know, an unboxed lawn mower sitting in the garage. But that’s usually where it’s at, it’s that mindset. Like, why just go out and buy something without actually doing your homework on what you actually need, the people or the process to support that piece of technology?
Patrick Spencer 43:48
Does that happen oftentimes, organizations or security compliance leaders going out and buying software without doing due diligence, and then they end up with something they don’t fully utilize? You know, what percentage of the time is that the case, based on what you’ve seen?
Taiye Lambo 44:03
In my experience, especially over the past 10 years, 50% of the time. Yeah. And usually it’s because they’re also listening to the experts. They read some report that puts that vendor at, like, the top of the list, you know, without mentioning any specific quadrants. And they buy from that. And I would say security people do less of that, but the CIOs do more of that. And this is not, I’m not trying to slag off CIOs. I love them. You know, I’ve never been a CIO myself, but I’ve worked for CIOs, really good CIOs, but it’s also because they don’t know, right? To me, they don’t know any better. They trust those sources to say these are the best products. That may be the best product for somebody else, but maybe not for your company. Maybe there’s still a lot more work you need to do to be ready for those products, there are more people you need to hire. Right?
Tim Freestone 45:06
I imagine there’s, to some degree, a fair amount of CYA in that mindset as well. Like, I bought everything I can, and therefore I’ve done everything I can. So when something inevitably happens, you can stand on something and say, I got the best in this quadrant, the best in this quadrant, the best in this, you know what I mean? There’s got to be some motivation for that piece. And that’s not in security alone. I mean, most companies with most departments are looking to make sure they’ve done everything they can, especially if they’re in a leadership role. So I feel for them, but it’s still, it’s back to the whole resources standpoint. We still have 3.5 million jobs to fill. You put the lawnmower in front of, you know, no one. Right? Yeah, absolutely. Yeah,
Taiye Lambo 46:05
Exactly. Well, the approach I’ve always taken is, I have a ratio. So if I get a million dollars for my program, I don’t want to spend more than, and this may sound very radical, 20% on technology in the first year. The 80% goes into people and process. Most ROI for that million dollars.
Patrick Spencer 46:29
Do you have industry averages of what that typically looks like, Taiye?
Taiye Lambo 46:33
No, this is just from experience. I would probably say it’s probably the opposite in the industry. I haven’t seen anyone put out the data for that, not to say there isn’t. And actually, that would be a very interesting piece of research for us to do. I probably do it the reverse way; I’m sure it’s usually, I call it my 80/20 rule. I guess I’m applying the 80/20 rule in a non-conventional way, but 80% on people and process, 20% on technology. Now in year two, year three, it may actually change. But by then I feel like I’ve built the foundation for people and process. Right, because the people and process cost becomes more like a recurring cost. And then I can ask for more money when I know we need the technology. But by that time, the program is mature enough to make the best use of the technology investments. It’s a very simplistic way of looking at things. But I can tell you, at least in my two enterprise CISO roles, that pretty much kept the organizations out of the headlines. And in some cases, I had the people doing things that the products we had, without getting into the specifics, the technologies were already there, but the people weren’t really using the technology. So I just had them invest more time in actually understanding the technology and optimizing the use of the products we already had before buying any more products.
Patrick Spencer 48:14
Interesting. Now when someone engages HISPI for assistance, you know, and signs up for training, what’s the commitment? What does the timeline look like? What are they going to learn? Are they going to learn how to get more mileage out of their existing security investments, for example? Are they going to learn leadership skills in terms of how they interface with the Board of Directors, the CEO? What do they get? What should they expect? And, you know, how do they get in touch with you?
Taiye Lambo 48:40
That’s an awesome question. So the HISPI website is HISPI.ORG, so that’s usually the best way. You can also reach me on LinkedIn. You know, I’m very active on LinkedIn, I have a number of community groups,
Patrick Spencer 48:58
with 100,000 followers in one of them. Yeah,
Taiye Lambo 49:02
The one that was just, you know, 7,000 in May, I was sharing this with Patrick and Tim, and now it’s like 100,000, almost 110,000. Thank you. And I just did a name change. That’s all I did, and it just blew up in a good way. So what they’re going to get, if there’s one thing I would say they’ll get from engagement with HISPI, is understanding the why behind everything we do. And I think a lot of times, people at the entry level, leaders, CISOs, sometimes may forget the why. But it’s not the why from our viewpoint. It’s the why from a business standpoint. It’s really about the business of cybersecurity. How does cybersecurity actually enable the business, to the point where before you spend a single dollar on cybersecurity, you’re thinking about what the benefit is? So I’m not talking about being cheap. Yeah, I’m not talking about penny pinching. We don’t teach people to penny pinch. But it’s about seeing every cybersecurity investment as something that enables the business. How do you actually take it from, because most cybersecurity budgets come out of IT, and for many decades it was seen as a black hole: we’re spending all this money, they’re not making us any money. Now, with the pandemic and everything, we’ve seen an acceleration of digital transformation. Almost every company now is a technology company, because they’ve come to rely so much on technology. And thankfully, we have the cloud, because they don’t have to build it themselves, right? Public cloud, especially public cloud services. So it’s really about teaching the why. But it’s not the why of cybersecurity in general, but why cybersecurity needs to align with the business and how you can almost trace every dollar you invest to a business outcome. But it doesn’t have to be a business outcome in terms of, for every dollar you spend, you get $2 back. No, it’s about, for every dollar you spend, you’re enabling maybe $100 worth of revenue. Maybe it’s $5 of profit.
Tim Freestone 51:29
Sure, enabling the revenue versus return on investment. Yeah, that makes sense. Exactly. I’ve actually never heard it put that way. That’s a good way to put it in context. Yeah. And
Patrick Spencer 51:39
how long does it take to get the certification? What’s that process like, Taiye?
Taiye Lambo 51:44
Okay, it’s as quick as five days. We have a four-day class, and then there’s an optional exam at the end of the five days, the certification exam. Everything is now virtual. So it’s done through, we have a learning management system. So there are on-demand, self-paced classes, and the exam is proctored by AI. Yeah, it’s proctored using AI. So we don’t, you know, gone are the days where you send somebody to a test center and set up a proctor in an exam room. It’s all virtual. Now we’re trying to bring back in-person classes, but it will still be five days. So most of our classes are either in Atlanta or Redmond/Seattle, Washington. We’ve had classes in other parts of the world as well, like Greece and the UK, a few other places, South Africa, but we’re moving everything, eventually, to virtual. And then if there’s an in-person class, we’ll probably do a special class for them, or we go to their facility to teach the class. But we also have a 12-month program for people who don’t have IT backgrounds or technical backgrounds, or they’re just already in cybersecurity but they want to become a CISO. So the first phase of the program is the training and the certification, which is three months. And then for entry-level folks, we have a phase two, which is basically mentoring, internship, apprenticeship, and then job placement. But all that happens in nine months. So phase one is three months, phase two is nine months. Within a year, we’ve taken people from unemployment, no IT background, no technical background, like me, to negotiating a six-figure salary entry-level job, which is still below the average; the average is 105. But we kind of position them to get a job and negotiate. Sometimes they’ll get maybe 80,000, and then they’ll negotiate a sign-on bonus, but we’ve been pretty close to getting them the 100 grand for an entry-level role, which for some of those folks.
We have folks that barely made above minimum wage before they started the program. We had folks that were unemployed, started the program, and in 12 months they were gainfully employed. So for me, it’s been a very rewarding journey, just seeing lives, just completely transforming their lives, their families. It’s just been very, very rewarding. And so I spend 50% of my time with HISPI, and then the other 50% of my 80-hour week with my virtual CISO work, so helping small and medium-sized businesses to achieve what I call gold-level security, achieving the same level of maturity as big companies at a fraction of the cost. I do the virtual CISO. So we’re very fractional; I typically only spend 20 hours a month on each customer, so that way I can still help multiple customers without being in the hot seat as well. The V makes a big difference, because I’m advising, right, an advisory role. So it’s more like an enterprise CISO, right away if they had a breach, whether I’m doing a good job or not, they can still try and make me the fall guy, you know. So I always say, E-CISO, which is enterprise CISO, versus V-CISO, so I would pick V-CISO any day.
Patrick Spencer 55:35
Taiye, we’re out of time, unfortunately. We’ve got to have him back for another conversation, Tim. We just touched on a few things that are just fascinating about Taiye’s background, starting with the fact that we didn’t even get to this: his company has won a Gartner Cool Vendor award. I want to hear about that in our next podcast. So Taiye, thanks for your time today. We really appreciate it. You’re
Taiye Lambo 55:56
most welcome. And it’s funny, I didn’t even get to talk about my book, Attribution. I think I talked about Attribution briefly. But it’s a book I wrote to just get younger folks interested in cybersecurity, so teenagers, just trying to get them onto the good side before the bad actors recruit them. So it’s a book I’m really passionate about. It’s a series, a novella series, and I’m currently working on the third book in the series. So the goal is to publish one book a year through 2030 in the same series.
Patrick Spencer 56:37
That’s why I said we’ve got to have another conversation with you. That’ll be part two or part three, parts two and three of our podcast with Taiye. I want to thank our audience. We really appreciate you tuning in to another Kitecast episode. You can find this episode as well as others at kiteworks.com/kitecast. Thanks for joining us. Have a great day. Thanks