Dan Lohrmann is the award-winning CISO and co-author along with Shamane Tan of Cyber Mayday: A Leader's Guide to Preparing, Managing, and Recovering from Inevitable Business Disruptions (Wiley, 2021). He joined the CISO Sandbox to discuss lessons from his book on incident response and cybersecurity strategy, as well as the virtues of awareness training to prevent ransomware attacks and other incidents delivered by phishing. This one is a lot of fun. Dan is a natural communicator, and his stories offer real expert insights!
This wide-ranging talk with the author of Cyber Mayday: A Leader's Guide to Preparing, Managing, and Recovering from Inevitable Business Disruptions covers everything from cybersecurity weather and football metaphors to the rising threat of ransomware, and on to developing effective cybersecurity strategies built around cyber-incidents. He is also a big believer in cybersecurity awareness training!
Some of the following Q&A key takeaways have been edited for flow. But make sure to watch the video! There's an amazing story at 30:17 where Dan recounts the time he almost got fired in 2004 for resisting implementation of WiFi in Michigan State Government conference rooms. It's a great story. He shares important lessons learned on re-thinking his CISO role as an enabler tasked with getting to "yes," and not a blocker overly comfortable with "no" on new projects.
Dan Lohrmann: It is! It affects every area of life. Cybersecurity is involved in every area of technology, whether you’re talking autonomous vehicles, you’re talking hospitals, or advances in space… In all these different things there’s a cybersecurity component to it. And with all these people talking about it, who do you trust? It’s like who do you trust for the weather forecast? Who do you trust (to predict) the future? Ultimately we’re looking for trusted voices because there are so many different voices out there on the internet. Who do you trust to tell you what's going on and what to do to protect yourself?
DL: There are loads of great resources and checklists publicly available, but what we felt was missing in the literature out there were stories about security through the eyes of CXOs, and not just security pros. The audience is really anybody who could be impacted by a cyber incident, and that’s certainly the case in leadership and business… If you tell a story it’s going to have more impact and also be more memorable… People need to hear what is happening in their particular industry, or their particular focus area, whether it’s government or banks or hospitals; they want to hear it in their context… The goal was to take readers through the phases of incident response, but not just make it a boring set of checklists, but also spice it up and really make it real, because we have many stories from many, many pros. We have CISOs, CTOs, CEOs and all sorts of business leaders who have told these stories through their eyes.
DL: Absolutely. Offense and defense, attack and defend. You have to know your adversary, you have to prepare. You can underestimate your opponent and not properly prepare or you can prepare but not bring your A-game or your B-game or bring your C-team, and you see that a lot in the industry. A team comes in and they’re integrating a new system and the vendor brings in a great team but then they pull them all out and they bring in the B-Team or the C-Team and things go awry. The same kind of things happen in football. We can learn a lot from sports.
DL: It has to be ransomware. Ransomware in 2021 was the #1 threat out there. A congressional report out there said there were as many ransomware events in 2021 as in the last 10 years combined. It’s hard to believe, and it’s scary. Public sector and private sector, at home and at work, the numbers are growing and no one is immune.
DL: You’re dealing with pros. It’s not kids in some basement. You can get a ransomware kit for $100 on the dark web so that is out there as well, but many times they’ve done their homework. They’ve been in environments for weeks and months. They know the financials very well of the company they’re hitting. They’re very targeted. They oftentimes will know what they’re going after and why they’re doing it… It’s not just multi-nationals, it’s small businesses and local governments.
DL: The number one way is still phishing. They say that cybersecurity is about people, processes, and technology. I was just on a (confidential) call with a global group of CISOs and CEOs and they’re saying the hardest piece is always the people part. By far, it’s not even close. Certainly there are processes and technology we need to put into place and make it repeatable. But whether it be people clicking on links, whether it be not using two-factor authentication, whether it be re-using passwords between your personal and professional accounts, basic cyber hygiene is often the culprit.
DL: Absolutely. Security awareness training is vitally important. It’s not a silver bullet that solves all of our problems, but it’s like (prevention and) our health. If you stay healthy, if you sleep well and exercise and eat right and wash your hands and do all those kinds of things, you’re going to be much more healthy in general (and avoid an incident). It’s the same thing for cybersecurity hygiene.
I think it’s very true: effective security awareness training works. It’s effective where they’re teaching people things they don’t already know, and making it engaging, making it interactive, and not some boring checklist. Make it fun! And if you can do that and teach people things they don’t already know and keep them coming back, that can be very, very effective, and to me it’s vital. It’s not a nice-to-have, it’s a must-have.
Dan Lohrmann is the award-winning CISO and co-author along with Shamane Tan of Cyber Mayday: A Leader's Guide to Preparing, Managing, and Recovering from Inevitable Business Disruptions (Wiley, 2021). This is an outstanding book for anyone whose personal or professional life could be touched by a cyber incident which, spoiler alert, is everyone. But Cyber Mayday is especially useful for leaders of business and information security. It combines cybersecurity playbook expertise with real in-the-trenches storytelling to make the topic relevant to all, sometimes with pulse-pounding effect.
Dan has served in top positions of security leadership in both the private and public sectors, from the state of Michigan to Presidio, and that experience shines through the expert advice of Cyber Mayday. The focus on building cybersecurity strategy around incident response--before, during, and after--provides a powerful philosophical foundation for weathering the increasingly hard cyber-storms assailing organizations. Dan is also a natural communicator, which comes through clearly in his arrangement of story-telling to contextualize Cyber Mayday's lessons and insights.
At 256 pages of well-written feature-journalism style prose, Cyber Mayday can be finished over a weekend. But its enduring lessons are worth re-reading as CXOs work with their infosec teams to build a security system that is ready to answer the call when someone shouts, Mayday!