Full Transcript

George Kamide:
Welcome back to another episode of the Zero Hour brought to you by SafeGuard Cyber. I'm George Kamide.
 
Ashley Stone:
I'm Ashley Stone.
 
George Kamide:
Today's guest is Dr. Eric Cole, CEO and founder of Secure Anchor Consulting. The man's career is pretty crazy: he started at the CIA, went all the way through Lockheed and McAfee, and now advises Fortune 500 companies. He has a really unique perspective on security.
 
Ashley Stone:
He has the energy that helps bridge the security and business gap and also plays out some risk scenarios with us.
 
George Kamide:
Yeah, he was a good sport about that. So without further ado, let's get into it with Dr. Eric Cole. Dr. Eric Cole, welcome to the Zero Hour. So excited to have you.
 
Dr. Eric Cole:
It is a pleasure to be here.
 
George Kamide:
Yeah, very engaging on social. That's where I first caught wind of you. We're really excited to dig in, to get to know you in terms of your experience, but we also want to put you through the wringer, so to speak.
 
I've got a few real-world examples where we want to test your knowledge and really get feedback on what you might have clients do.
 
So let's start at the beginning. You have a storied career starting in the CIA, then various sectors in the private space and the public space, including Lockheed Martin and McAfee. Given the breadth of that career, I'm curious to know: what are some of the key lessons you've learned along the way as you've progressed through those stages, that you now take into your advisory business?
 
Dr. Eric Cole:
Absolutely. So the first one, to me, is that in security, to be really good at the defense, you have to understand the offense. So I spent eight years at the CIA as a professional hacker, breaking into systems, compromising systems.
 
And what I realized is it's not this magical, mystical thing that some people think of. It's very systematic how you go about breaking in and compromising a system. And to me, it really comes down to three fundamentals: if you're going to compromise any system, you need a visible IP, you need an open port, and you need a vulnerable service.
 
Now, yes, if you're compromising a user, it's still the same thing: you need to have a user or a target, you need to have an avenue in, and you need to have a compromise point.
 
So after doing that for eight years, I'll be honest with you, I got bored. Because it's easy, right? It's easy to always break in, and that's when I really switched to the defense. And I learned my second big lesson, which is you're never going to have a hundred percent security if you have functionality. The only way to be 100% secure is to give up technology, shut it off. I sometimes jokingly say, if you want to be a hundred percent secure, it's easy. Become Amish, right? Buggy, candles, no electricity. And you're good to go.
 
And I think a lot of people miss that even today, where I still get clients and customers who are like, we want to be a hundred percent secure. We want to make sure an attack never... and that's just not realistic in what happens out there.
 
So that's the second big one. The other big one, which is less security but more personal growth: I believe everyone has, inside them, a technical side and a business side. The one thing I really try to push people on is to tap into that entrepreneurial spirit. A lot of geeks love being safe and comfortable and working for these big companies, which is great, but essentially one of my favorite quotes is: if you're not willing to work hard and live your dream, somebody will pay you to fulfill their dream. And I feel that so many technical people are getting paid $120,000 or $130,000, and they're making somebody else two to three million. They're making somebody else rich fulfilling their dreams.
 
And I'm like, start your own company. You don't have to go in and be a billion-dollar company, but at least if you earn a dollar, you keep a dollar, as opposed to most techies, who earn a dollar for their company and keep 10 or 20 cents of that dollar. So that's my other big thing: really encouraging people to tap in and explore. It's funny, because in cybersecurity we're supposed to be risk averse, but when it comes to my life and the business, I'm taking risks all the time. So it's contrary to this cybersecurity geek image, where I love extreme sports. I love base jumping, all of those things. So with my clients I'm like, don't take risks, but in my personal life it's this interesting balance. I think that's the final lesson learned: you've got to have balance in life. Because I see some of these really smart techies, and they just get totally and completely burned out. One of my favorite mentors, a brilliant guy who just burnt himself out, was John McAfee. That guy was brilliant, but he just pushed himself too hard and never had an outlet. So to me, as security professionals, in any field, you've got to make sure you have that balance where you work super hard, but you have some release outside of work to keep things in perspective.
 
George Kamide:
I think that's also something we're going to explore, that risk-reward, a little bit more. I think that's the metaphor there: how are you balancing risk in the organization? But I did want to go back to this idea of a hundred percent security, because it strikes me that, one, the mental model: if you think you can achieve a hundred percent security, you're probably underprepared for the breach that does inevitably happen.
 
If you're working towards 100%, you're not managing the 50 to 80% as well, because you're striving for the near impossible.
 
Dr. Eric Cole:
And to me, I think part of it is how we've evolved in the real physical world, because most of us, if we really break it down, will recognize that when you get in an automobile or when you walk across the street, there are risks associated with that.
 
Every time you get in the car, there's a chance you can get in an accident. Every time you walk across the street, there's a chance somebody can run you over, but we've developed such good adaptive patterns that many of us don't think about that. When we get in a car, we don't think about whether we're going to get into an accident.
 
I do, but I'm a weird guy. But when we walk across the street, we don't think about who's going to run us over. We just look left, we look right, we wait for the crosswalk. So we tend to forget about the risk, but what we don't realize is, in cyberspace, it's still very immature.
 
We don't have those controls. So many people just assume: I'm setting up a website, I'm going online, I'm doing e-commerce, it's gotta be safe and it's gotta be a hundred percent secure. But they realize nothing in life, in the physical or cyber space, is a hundred percent secure, yet they forget many of those fundamental lessons.
 
Ashley Stone:
I love that. And things are constantly changing. So if you can't, if you're not adapting or ready to respond to that, you can't be a hundred percent secure.
 
Dr. Eric Cole:
Yeah. And that's a funny thing, because I had a client, I just got off the call with them. I did an assessment for them a year ago and we found a bunch of vulnerabilities.
 
We fixed them and we said, you have an appropriate level of security. And they were a PCI company. So they said, can you just give us another letter that we're still secure? And I said, no. And they said, well, you told us last year we were. Like, yeah, but a lot of things have changed. And this is the best part, you guys are going to love this.
 
They're like, "We didn't change anything over the last 12 months. So we're still secure." And I'm like, oh no. Every moment of every day you change.
 
George Kamide:
Yeah. And a little thing happened this year. It's a small thing, the pandemic. I'm sure it completely altered business processes, and new technologies needed to be licensed and stuff. So yeah, for sure, no changes needed.
 
Dr. Eric Cole:
Oh, are we even going to go into the COVID?
 
Ashley Stone:
So before we dig into some specific issues, knowing what you know, and the work that you're doing for your clients, what is top of mind for you in terms of what security professionals should be tackling in the near term?
 
Dr. Eric Cole:
To me, it's really what I call back to the basics, because I feel like today we're so enamored with the latest and greatest. Like, I talk to tech folks and they're like, oh, we've got to get the latest AI, artificial intelligence, behavioral analytics in place. And to me, what I'm seeing when organizations get compromised is that they have unpatched systems, they don't know where their data is, and their users are still clicking on links. And that's the basics.
 
So I had an interview earlier today where a report came out and they're like, attackers are getting so sophisticated and advanced. And I said, I don't think that word means what you think it means.
 
Yes, attacks are causing more damage. Attacks are making more money. But I do not believe any of the hype that the adversary is getting more sophisticated. I actually think they're getting less sophisticated, because let's face it: if you're a cybercriminal and you want to break in, you're going to do the easiest, simplest, most straightforward method that gives you the best results.
 
And why should I go in and try to build zero-day exploits when I can send an email with a link? And I'll tell you, if I do a subject line that says "three of your coworkers got infected with COVID, click this link to see if you had exposure," 99% of the population is clicking on that link and you're in their system.
 
So to me, the adversary is getting less sophisticated, but we're getting sloppy and we're just not doing the basic measures. And one thing I push with my clients all the time is: why do we use email as a file transfer mechanism? Why are we allowing the attachments? Anyway, I've had clients where they've had so many attacks that we actually block all embedded links and we block all attachments coming from external unknown addresses.
 
And most of the time, what's the impact to the organization? Zero. Nobody even notices. So we tend to make this bigger deal of how critical it is to run the business, when in reality it's just about getting back to the fundamental blocking and tackling: patching systems, encrypting data, protecting the keys, and controlling our end users.
 
George Kamide:
What about in the longer term? We have more channels than we did, say, in the 90s and even the early 2000s. So if the attacks aren't more sophisticated, is it that the threat surface is fragmented? So it's kind of distracting, like it's pulling the attention of security teams in multiple directions.
 
So they forget to apply the basics to each channel and then come back to deal with the zero-days. I get the sense that the struggle could be that they don't know what to concentrate on in the threat surface.
 
Dr. Eric Cole:
Yeah. And to me, it's what I've nicknamed the rule of 90%.
 
And what I mean by that is this. If we look at any of the big companies, and I don't like naming names, not that people don't know who they are, but it's not our business to point fingers because everyone can have exposures. But if you look at some of the big breaches where 500 million records were stolen, 700 million records, it was because they had an unpatched system that contained critical data that wasn't properly encrypted. Now let's be honest. Do we believe that company, that was spending $20 million on security a year and had 300 people on their security team, was doing no patching, they were doing no configuration management, and they were doing no protection of data?
 
No. But what it came down to is 90% of their servers were patched. 90% of their data was protected. And when you have a big company where things are changing so quickly and rolling out new systems, 90% is pretty good. My daughter's a freshman in college. She just got a 90% on her math test and she was thrilled.
 
So people are super happy with a 90; that's an A or A-, depending on the grading curve. The problem is when you're looking at a company that has thousands of servers. When you have 90%, that could still be 20 or 30 services, and that can still be a pretty large amount. And that's where I think the issue is: people confuse a hundred percent patching with a hundred percent security.
 
I have clients come back when I say 100% of your internet-facing systems need to be fully patched. "Oh, but Eric, you said we can't do a hundred percent." No, I said you can't do a hundred percent security, but you can absolutely have a hundred percent inventory and a hundred percent patching of external systems.
 
So I think we're making it more complicated. And what I always recommend to clients is start with the big attack vector, which is going to be external servers. Make sure those are fully patched and then create rules. One of my rules is any system that's visible from the internet never contains critical data.
 
That's a non-negotiable. If companies followed that one simple rule, the breach of 500 million records wouldn't have happened. The breach of 700 million records wouldn't have happened, because they violated a fundamental rule. So to me, we have to start making cybersecurity simpler: fundamental rules, and then push those out to all the business units.
 
George Kamide:
Yeah. In the words of a former strength training coach, it's brilliance in the basics. Right? You could do power cleans and snatches all day long, but maybe you can't do 25 pushups. So, just: brilliance in the basics.
 
Cool. So I want to change direction here a little bit to tackle some of the big business issues behind security.
 
Some current trends, a little bit of the zeitgeist. Lately, we've seen a lot about how the rapid transition to remote work elevated CISOs and CIOs in terms of board profile. In fact, the Wall Street Journal was claiming a lot of CIOs are now going to get a seat at the table because their value has been recognized in making the business just operate: continuity, agility. But paradoxically, we're also seeing articles that a lot of those boards lack tech savvy. So it strikes me that there's going to be this big disconnect between "I've got to bring the CIO on because we've got to get information about the technical systems" and a board that can't digest that information or that reporting. That seems like a critical piece.
 
So what would be your advice to those CIOs on how to bridge that divide, how to make this translation to a business audience?
 
Dr. Eric Cole:
To me, when you're looking at a really good CIO or CISO, or anyone in technology or security with "chief" in front of their name, their main job is to focus on strategy and translation.
 
So if you're a CIO or a CISO, what you need to be able to do is talk techie with the engineers, translate it into business language, and then communicate that to the executive team. To me, the big problem we have is that CIO or CISO is an advancement for technical people. So if you look at a technical engineer, they feel the way they get promoted is to move up through the ranks and eventually become a CIO or a CISO in the organization, and to me, that is the big problem or issue out there.
 
If you have a CIO or CISO that is very technical, they're going to fail, because they're going to go in to the executive team and geek out. And the executives are just going to be like, what are you talking about? But the test I always give to folks is this, and it shows whether you're going to be a good CISO or not.
 
If you're sitting there right now and you hear that one of your servers in the data center just got compromised. One of your servers in the data center just got popped and data is being exfiltrated out of the organization. What do you do? If your answer is "I run into the data center and I jump on the keyboard," you would be an awful CISO.
 
If your answer was "I step back, I pick up the phone, I call my team, implement the incident response plan, and focus on strategy," you would be a great CISO. But the problem is too many CISOs can't speak the language, and therefore they've had seats at the table and have been kicked out.
 
And I talk to a lot of CEOs, and what CEOs tell me, the two things they can't stand about chief information security officers, is they don't speak English and they don't understand business. And that's what you have to do. If you're going to sit in the boardroom and you're going to have a seat at the table, you'd better recognize it's all about dollars and cents.
 
It's all about running a business: profitability, dollars and cents. And when I go in and brief boards, I have a single slide. And that single slide says: here's the top risks, here's the likelihood of occurring, here's the cost if it occurs, and here's the cost to fix it. It's all financial, because that's the language of executives.
 
And if you can't speak financial, you're not going to be a good chief.
 
George Kamide:
That's interesting. Yeah, we had previously talked to two CISOs, Anthony Johnson and Larry Whiteside Jr. They had a similar test: they would ask CISOs in an interview, "Tell me how you sell your products," and if they can't answer the fundamental questions about what you sell and how you sell it, it means they don't have a foot inside the P&L of the business, just like on the architecture side. So that's an interesting distinction.
 
Dr. Eric Cole:
Yeah. Yeah. I do a lot of vCISO work. So when I help companies hire CISOs, one of the things I always do during the interview is I'll take a profit and loss statement and I'll put it in front of them and I'll say, okay, tell me which business unit is the most profitable for the company. Tell me which business unit you're going to spend the most money on. And if they can't very quickly navigate and see how to do it, then I'm not going to hire them. Now, once again, I don't expect them to be an accountant: you don't have to know how to create it, but you should know how to read basic financial statements if you're going to have a seat at the executive table.
 
Ashley Stone:
Speaking of the finances of the business, Dell recently published the 2020 edition of their Digital Transformation Index.
 
A lot of interesting shifts, clearly brought on by the pandemic, such as the acceleration of remote work technology and strengthening cybersecurity defenses. And yet in that same survey, it's still the same barrier to progress that shows up every year: the lack of budget. What is your advice to clients on this tug of war between wanting more cyber defense and funding it appropriately?
 
Dr. Eric Cole:
Yeah, that's a great question. Because that's the problem: a lot of security people will bankrupt the company to be secure. They want more, they want more, they want more. But this is one of the things I specialize in, and it always fascinates executives and tends to piss off technical people that don't understand it.
 
I go into most companies, and right now I'm going to frustrate a lot of security people: I think most companies are overspending on security, not underspending. I think where they're spending money is not very productive, and here's a simple test. Look at all the technology that your company has purchased over the last five years.
 
And how much of it are you really using? How much of that functionality is really in play? Because you buy a tech, and then two years later, when there's a new problem, you don't go back to the old tech and say, can it get us 70, 80% of the way there? We buy something new. And in my experience, most companies are using between 27 and 32% of the technology they purchase.
 
So they need to do a better job of utilizing what they have. And here's the real issue. The reason why I say they're overspending is because when you spend enough money, you need people to support it. So let's look at the basic problem. The basic problem is, if you go back to any major breach and you do a post-mortem:
 
The technology they had in place detected the attack. Every single time. If you go in and know what to look for, they had technology in place that alerted. What was the issue? They were getting a thousand alerts, but their team could only handle 50. So if you're getting a thousand alerts and you can only handle 50, what's going to happen? You're not going to respond to the right ones.
 
So check this out: the way they solve the problem when that breach occurs is they give them more money. So now you buy more tech, and now you have 5,000 alerts instead of a thousand, and you still have the same team. So to me, what you need to do is decrease the tech. And if your team can only handle 50 alerts a day, you need to tune it down to only get the highest-priority 50.
 
And then what it comes down to is this. Show the execs the value: this is what you're spending, and this is what you're getting. If you want us to get more stuff, then you increase the spend. And this way it's pay as you go. So as they increase the security budget, they're seeing the value.
 
But I will tell you right now, today, most companies spend more on security, and if you ask the executive team, they don't see any value. So I think a lot of that stuff about how we're underspending is wrong. We're underutilizing the tech we have, and we're not showing a proper return on investment.
 
Because let's ask a real simple question. If you could show real value, wouldn't the executives spend more money? If you can go in and increase profitability, if you can increase revenue, then they would spend money on that. So the reality that we don't like to talk about, because it's sometimes painful, is that the reason why security is not getting the budget and the resources they want is because we're not doing a good job of showing the return on investment that we're currently getting.
 
George Kamide:
Yeah, I think that comes back to your point about the business acumen, right? If you can't articulate to a board or the executive leadership team the business outcomes that are derived from securing X part of your architecture, then it's harder to justify. That's very abstract, and despite all the technology, our brains are still hard-wired from 150,000 years ago. And it's: I need to see it in front of me, I need to see something concrete. Yeah, that's a good point.
 
That actually brings me to this portion of the interview. So we're very keen to get your insights on two different risk scenarios that are tied to business outcomes. I was going to take the first, which has to do with roles and responsibilities, and then Ashley will take the second.
 
So if you're game, we'll put you in the hot seat here for a second.
 
Dr. Eric Cole:
Let's go! I love the hot seat. It's great!
 
George Kamide:
So yeah, and I think this also speaks to a lot of what we've already covered. We've seen companies, you know, as Ashley said, adopt a lot of technologies needed to suddenly shift from office to remote work. And so one example would be the IT team is responsible for procuring a collaboration platform, say Slack or Microsoft Teams, something to just connect the workforce. And then there's confusion about who's responsible for certain risks inside that platform.
 
So, for example, IT procures the licenses. Is HR then responsible for conduct issues inside the chats? Is compliance monitoring for PII? Is legal dealing with IP or data loss? Security monitoring?
 
So I'm talking about these technologies that come in through one department, and then there's this confusion in the flow chart between who owns what part of it. So how do you advise your clients on how to coordinate on those issues? Because these new digital technologies seem to really blow your traditional silos to pieces.
 
Dr. Eric Cole:
To me, what I always go back to is: the fundamental units in any company are your different BUs, your different business units. So if you look at your high-level org chart, you have your different business units: your engineering, each of your product lines, HR, and each of those.
 
What has worked really well is giving them key performance indicators. So you go in and marketing has key performance indicators, sales has KPIs, and each of the business units do. And to me, that's the model we need to follow with security. So if you go in and we say, okay, we need Slack in place to support a remote workforce, then HR should go and write policy. Security should go in and say, okay, here's what they have to do.
 
And then we create KPIs to measure each of those business units. So now if we go in and a business unit is allowing people to send sensitive proprietary data over Slack, the VP of that business unit gets penalized in his performance review, just like if he missed margins, if he missed profitability, or other areas.
 
So to me, I'm very big on putting KPIs in place because where the model is broken in most companies is the business units have all of the authority and security has all of the responsibility.
 
George Kamide:
Yeah it's like the CISO is sometimes the chief incident scapegoat officer is the joke.
 
Dr. Eric Cole:
Exactly. The funniest one was, we've been alluding a bit to the hotel breach of 500 million records. That's a perfect example: that CISO was telling the director who was responsible for that server, this is an exposure, this is a vulnerability, fix it, fix it. And they basically gave him the virtual middle finger. That CISO went to the board of directors and said, this is a huge exposure, this is going to cause major problems.
 
And they're like, that business unit is making 40% margins, leave them alone. The breach happens exactly as the CISO predicted. And what did they do? They fired the CISO. So that model is broken, where you have that responsibility. So we need to go in and do a better job of pushing the responsibility, with KPIs, to the people that have the authority.
 
The other big one is, and this is one where, of course, hindsight is 20/20, but if we really went back to 2018 and saw where things were going, maybe we didn't predict the pandemic, maybe it was going to be something different. But as a really good strategic and forward-looking person, we should have recognized that a remote workforce was inevitable.
 
We should have been more proactive in pushing. And we've had clients where we had what we called Vision 2020, where by January 1st, 2020, we had them completely moved to an environment we called location-agnostic. So whether you were in the office, whether you were at home, whether you were in a hotel, it was the same exact experience.
 
We had things in the cloud, we had VPNs, and we just recognized that was going to be the future. Now, we didn't really predict the epidemic, but they were prepared. So when March and April of 2020 happened, they were already there. So to me, a lot of this just shows gaps in not being forward-thinking enough as a security person, because what you've got to recognize is if you wait for a crisis, functionality leads and security will always be left behind. So the trick of a leader is you need to predict where the future's going and minimize those crises, so security can be baked in.
 
George Kamide:
I think that, also coming back to the KPI thing, makes a lot of sense, because you frequently hear the refrain "cybersecurity is everyone's problem." That's in every awareness training module ever, but unless you put real pain to it, put your money where your mouth is, it's going to be difficult to hold those units accountable. For sure.
 
Ashley Stone:
So that lines up nicely with our second scenario if we're thinking about risk versus revenue. You gave a good example of the hotel breach, and we often see instances where security or compliance are seen as blockers by growth teams like marketing and sales. In one instance, we had a customer where sales needed to adopt WhatsApp in Latin America and for months security said no.
 
Then some teams went rogue and did it anyway and made a lot of money. It's natural for security to hesitate since they're going to bear the responsibility for breaches or data loss, but what is your advice to security leaders confronting this issue of balancing risk and revenue?
 
Dr. Eric Cole:
Yeah, to me, and I'll explain it, but the short answer is: always say yes.
 
George Kamide:
Wow. We have never heard that answer.
 
Dr. Eric Cole:
I'll give you a quick story. When I started working at the CIA, and this was back in the early 90s, I was working in the department of security. After I went through all the briefings, my trainer, an older gentleman, put his arm around me and said, Son, we're going to send you to a lot of meetings.
 
The first meeting you go to, they're going to go in and explain a lot of stuff, so sort of act like you're thinking really hard. Sort of hold your head a little bit, take some notes. And then when they ask you, can we do this, in the name of security, look down at your pad and say no. Your initial answer to everything is always no, and they'll usually go away.
 
He goes, then if they ask you to a second meeting, this time really act engaged, take even more notes, act like you're really thinking about it, and when they ask you, can we do it? Say no again. Then if they ask you a third time, come to me and we'll consider it. But that's essentially how we did security in the 90s.
 
Here's the problem today: technology is so easy to acquire. You can move data to the cloud for $79 a month and put it on your credit card. So this whole idea of corporate reporting and channels, it's out. People can do what they want, so if you go in and you say no, they're going to do it anyway.
 
Your WhatsApp example is a perfect example. So what I would have done there is I would say, absolutely. You have a problem that you need to solve, but before we go down WhatsApp, can you tell me what's the problem you're trying to solve? Because there might be a better way. There might be something that allows you to be even more productive and helpful in that process, and we go in and solve it that way, where you say, okay, let's not go in with a solution mindset, but let's figure out the root-cause problem. And then most of the time we can go in and figure out a solution.
 
Now let's say that we won't, and WhatsApp's the best in that situation. Then go back and say, okay, here's the risk involved with that: you might think that it's encrypted between parties, but it gets decrypted at the endpoints and there are still exposure factors.
 
So my recommendation is to put this policy in place that says you're not going to do it for any sensitive data. And then, just so you know, Mr. and Mrs. Executive, I'm going to go in and write, my team's going to write this up, and we're going to transfer the risk to you.
 
So at the next board meeting, I'm going to go in and say, Vice President Ashley wants to use WhatsApp. We let her know some of the risks and some concerns. We gave her alternatives, and she needs to run her business. So we're going to support her in running it, but just so the board recognizes: this is the risk that her team is accepting, and here's what we recommend to mitigate it, and then she has to determine whether that budget makes sense or not.
 
So now what we're doing is we're playing the role of the honest broker, where we're giving you all the information you need to make decisions. And if you and the board decide to still do it anyway, fine, because let's face it, in order to run a business you've got to take risks.
 
So this idea that security people have, that we should be risk-free and that any time a VP is taking a risk, that's crazy? No. That's how you run a business. That's how you grow. Our job as security people is to explain to them the risk in terms they understand, and then if they choose to accept it, even though you don't like it, you're letting them make the decision. But you're making everyone aware that they accepted that risk and not you, because our job is not to make the organization 100% secure. Our job is to make everyone aware of the risks so they can decide whether they want to take those risks or not.
 
George Kamide:
Yeah. Risk management rather than just building the great wall and just blocking it all. Yeah, and I think that really ties back to making sure that the business unit has skin in the game. And I think, to be fair, the security team is risk averse because they know the responsibility for the ransomware-laced PDF or the malicious link is going to fall on them. But I like that idea of risk transfer. I think that makes a lot of sense if you were to couple it with the KPI model also.
 
Dr. Eric Cole:
Yeah. 'Cause my rule that I always train my staff to train CISOs on, and it just helps you to think about things:
 
If security negatively affects the business, security is wrong. Okay. And you just have to recognize that if you're going to go in and you're going to cost the company money, you're going to cost the company clients, and you're going to cost the company revenue or profitability, you need to recognize from the CEO, COO, and executive team's perspective, you are always going to be wrong.
 
So if you go in and approach it as: we're going to allow you to make money, win new clients and grow the business, but we're going to make you aware of the risks and give you solutions so you can make better decisions. That's to me how we win as a strategic cybersecurity thinker.
 
George Kamide:
Yeah, that makes sense, that you're going to have to tie it together: what is the risk management protocol? What is the security in place that is going to enable better customer experience, drive growth, enable agility, not just lock it down and tighten all the windows and not let anyone out of the house?
 
Yeah, that makes sense; that's very sensible. Yet here we are talking about it because I feel like it's not happening.
 
Is that just a cultural inertia? It feels like we're dealing with lots of really big competing forces. We're dealing with security teams that, as you pointed out, are largely technical and maybe don't see the business side. We're dealing with corporate structures that are left over from the 90s where you could have these clear divisions and approvals. What is your sense of the big picture in terms of the factors that we're wrestling with?
 
Dr. Eric Cole:
Yeah, to me, I think it comes down to a lot of cultural issues where security was always this little kingdom that was isolated, a bunch of geeks that never really communicated or trained people up, and was this isolated unit. And to me, what I go in and call the fundamental problem is what I call the second question.
 
The second question is this: most executives, people when they make decisions, they ask one question. And the question they always ask is "What is the value or benefit?" So if you're an executive, what's the value or benefit of using WhatsApp, what's the value or benefit of putting an Alexa in your home? What's the value or benefit of setting up a new website? When you ask that one question, you're always going to be driven by functionality, and if there's value or benefit to the organization, you're always going to say yes.
 
To me, as security people we need to train executives to ask a second question. And the second question is "What is the risk or exposure?" What is the risk or exposure to the business? And then if they can go in and honestly look me in the eyes and say, "Eric, we know this is the value and benefit. We know this is the risk and exposure, but we feel this value and benefit is so great that we are willing to accept this risk or exposure."
 
Then honestly, I'm happy, because it's the awareness that's critical. And the awareness is what's important to me; the thing we have to avoid is what happened with Alexa, where everybody is like, this is so cool. Alexa, what's the weather, play some music, and everyone puts Alexa in their house.
 
Then two or three years later, they start asking the question going, wait a second. Alexa is listening to everything I'm saying, Alexa is recording. And now all of a sudden people are ripping Alexa out of the house because they asked the second question too late. So to me, what I try to do when I work with companies is let their executives and folks be self-sufficient and train them on how to ask that second question, because at the end of the day, as security people, as long as somebody is fully aware of what the risks and exposures are, then we're good. Right? Because risks are necessary in business. The thing I don't like is the blind risk, where they don't think there's any exposure and they do it anyway.
 
George Kamide:
Oh, that's a really good framework. Bringing risk to the level of your front consciousness is going to make you more aware of the behaviors that are maladaptive to that technology. That's a good point.
 
Okay, cool. That is the time that we have. Dr. Eric Cole, thank you so much for lending your time and expertise. We really appreciate it.
 
Dr. Eric Cole:
George and Ashley, it was a pleasure. Thank you so much for having me on the show.