198. What Business Leaders need to know about cybersecurity risk

We love hearing from our readers and listeners. So if you have questions about the content or working with us, just get in touch on [email protected]

Say hi to Sophia on Twitter and follow her on LinkedIn.

Following us on YouTube, Facebook, Instagram and TikTok will make you smarter. 

Interview Transcript

Sophia Matveeva 
Hello Josiah Dykstra and welcome to the Tech from on Techies podcast.

Josiah Dykstra
Hello, it's a pleasure to be here. Thank you for having me.

Sophia Matveeva 
to talk to you about cybersecurity today because honestly, I don't know much about it, but I think like many of my listeners, I know that it exists and if you get it wrong, then bad things happen. So I'm really looking forward to demystifying what actually is genuinely a threat and you know, what's a great press headline. But first of all, let's just start with the definition of cybersecurity. What is it?

Josiah Dykstra
Definitions are a great place for us to start. And I think you're 100 % right that everybody hears about cybersecurity. That word is commonplace in vocabulary and conversation. And I will tell you that even those of us who are experts in cybersecurity have different definitions. I think we all agree with the general population in the intuitive sense of how do we protect data, information, computers.

Where that starts to get important, the definition is in how we measure and define and track the progress of those things. There is, for example, in the United States, the National Institutes for Standards and Technology, NIST, which has a very formal definition of cybersecurity. I'm not even going to read it to you. It is long and complicated, and it is different than the one that I learned in school, and it is different than the one that government organizations sometimes use for other guidance.

And those things do matter a little bit. Lots of people, I think, hear of the quote unquote CIA triad, not CIA, the spy agency, but CIA as in confidentiality, integrity, and availability. Those are three important attributes, things we care about lots of times about is my data visible to the public or not? That's a measure of confidentiality for existence. What that's difficult in is when I say, well, we need more confidentiality.

What is two units of confidentiality mean? How can I buy you more of that if I wanted to? So that's why that sort of matters. I also want to say there's three sort of attributes of that definition that I think are worth briefly highlighting. One is that cybersecurity is not just about computers. Yes, it covers computers. It covers your Wi -Fi network. It covers iPhones and all of those kinds of things. But that's necessary, but not sufficient. So it's also about protecting

data information. Most of the things on the device sitting in front of you doesn't have a lot of cool information. Most of that stored online. That data is the really valuable thing. Second, that is the cloud. And more and more that is where my email is. It's where my banking information is. I might have some private files, but we need to care about where that data live, wherever it is.

Sophia Matveeva 
So that's the cloud. That's basically the data that's stored in the cloud.

when you're talking about cyber security and the actual security of our data do you also mean just like physically protecting the data centers as well?

Josiah Dykstra
I do, in fact. The digital world does live in the physical world. We think it's cloud as an abstraction, which is why we talk about that, where location sometimes doesn't matter. If I can get to my email, I don't exactly care where that server is, but it does matter. It does matter in terms of me protecting my physical device. If somebody walks away with my phone, maybe they can get into it and access that data. Maybe somebody could, a terrorist could blow up a data center.

And if there's not other copies of it, maybe that data gets destroyed. And in the legal sense, laws are bound to geography. So for someone to do forensic investigation, they might have to follow the laws of where the physical data center is. So there are considerations here in physics.

Sophia Matveeva
So this is getting increasingly complicated.

Josiah Dykstra 
It is complicated and we have to start prioritizing our concern. So there's been a long history in cybersecurity, I'm sorry, on behalf of my field, about prioritizing fear, but it's not really about fear. It's much more about understanding traditional risk. What is the risk? We can't get cyber risk to zero in the same way that we can't get physical risk to zero. But if we understand that, well, our data are stored in a cloud,

Sophia Matveeva 
Mm -hmm.

Josiah Dykstra 
What are the different ways that we can help manage that risk? But that was my second point, which is this isn't just about computers. It's also about people. And I would argue cybersecurity is primarily about people. So that often gets overlooked as well.

Sophia Matveeva
And so.

Interesting. And when you said that, what made me think of is that, I mean, sometimes, you know, when you have to update your password and you've updated, you've got so many different passwords around and, and you don't even know what's going on. There have been some times when I've written it down on a Post -it and then, you know, then you kind of get rid of the Post -it or, or, you know, you most likely, you forget your password again, and then you have to change it and the Post -it is obsolete. But that to me is just.

An example of, okay, well, you've got all of this technology and then you still have humans with Post -its. Is that what you're talking about? That it's a human problem, not so much a technology problem.

Josiah Dykstra 
Absolutely. And users, end users who use their computers like you and me, we feel this varies sort of concretely. Passwords are one example. I will tell you there's a myth about changing passwords. NIST, I talked about earlier, changed their guidance more than eight years ago to say, don't make people change their passwords unless there's been a problem.

Sophia Matveeva 
Mm -hmm.

Why? Why is this not law? I mean, I think kind of it is a modern bane of existence, right? All the passwords and trying to figure out what you've got stored where.

Josiah Dykstra
Yeah, this was an acknowledgement that people pick worse passwords when they have to change them all the time.

Sophia Matveeva 
That's true, it just becomes one, two, three.

Josiah Dykstra 
But you, but use, and those end users aren't the only ones. And there's a really famous example of the solar winds attack. Some people will have heard about this solar winds was a very popular piece of software that companies purchased to help do security in their networks. And it is normally cited as an example of a supply chain attack where an outsider was able to manipulate that code and take it and take over company government networks really bad. It turns out there were lots of human failures in this system.

Sophia Matveeva 
Mm -hmm.

Josiah Dykstra 
The attackers are humans. I think that is often overlooked. They make choices and decisions and they also get tired and they have to eat. And there's an interesting line of research about manipulating them as humans. But the CEO of the SolarWinds company,

Sophia Matveeva
Oh, interesting. And how do you manipulate them? Or actually, no, tell me, tell me this, and then we'll talk about how you manipulate cyber attackers.

Josiah Dykstra
Yeah, let's come back to that. The CEO of the SolarWinds company at the time was in a congressional hearing and said a statement like, this was a mistake an intern made. Because what had happened was the password was like SolarWinds123. Well, that's not great. And that did lead to compromise. But why did the system allow that person even to pick that password? Is that a fault of the user or a fault of the design of the system? Needless to say that there are just many humans in here who

Sophia Matveeva 
Mm -hmm.

Josiah Dykstra 
created that computer, configured that computer, managed that computer. It's not just the person who picked the password. The fault is not only on us.

Sophia Matveeva 
so when business leaders are thinking about cyber security is your stipulation therefore that just take sensible decisions about who has control to the data sets and essentially.

you're allowing to make these decisions because if somebody is, you know, really lower down the totem pole, then they shouldn't be the person who is even doing things like updating passwords. Is that kind of the crux of it? The first thing that people should really remember from this episode?

Josiah Dykstra 
I might take that idea and extrapolate it a little bit to the fact that context matters in all decisions. So there's no universal one size fits all. And one myth that I propagate, that I try and dispel a lot is that there are best, quote unquote, best practices. There are lots of those in cybersecurity, but they're not one size fits all. So your organization, your individual context matters. It's not that there's black and white rules. Even things like you should automatically update

the software on your computer, that is highly recommended. It is highly effective. And if you are the CEO of a hospital where those updates might cause the hospital network to go down, that rule should be taken differently in your context. But to your point about users, yes, this is a concept we've talked a lot about called least privilege. You should have the access and control you need to do whatever your job is. Security is there to help you do your job. Security is not the goal of.

of what you need to do. So having that context about these users need different access than another one, that should be revalidated. It shouldn't be a static rule. There's a lot of dynamism in this.

Sophia Matveeva 
And so it seems to me that in the tech press that there are lots and lots of headlines about, you know, there's been a data leak here and a data breach there. And it seems to be something that's kind of increasing. Would you say that that's true? Or would you say that for some reason, the press is now more interested in the story? That's why we're hearing more of it.

Josiah Dykstra 
There is a general myth that attackers are getting more prolific or proficient in what they do. I view that differently. I would say there's more technology than there's ever been, and there's more opportunity, we call that attack service, more things for the attackers to go after. So the fact that there are more data breaches is no surprise to me because there's more data than ever. There's more IoT devices. And they're not actually getting smarter in the general sense about how they do it. They're using the same old.

Sophia Matveeva 
So there's just more opportunity.

Josiah Dykstra 
mechanisms to get in that they always have. They haven't needed to mature their arsenal of tools very much because we, as a technology community, continue to make similar mistakes over and over again. We don't do good security cryptography in IoT devices because we're just trying to get technology out very quickly. So those attacks do seem more common, and that's true, but that isn't really the concern. It's just that...

There's more technology than ever.

Sophia Matveeva 
So I'm curious, you've spent now decades working in the cybersecurity space. Why is that something that you have decided to devote your life to?

Josiah Dykstra 
I love that continual challenge. I think it is really interesting to try and keep up with the new technology to try and make people and their data and society more secure. I think that's a fabulous challenge. I think I would get bored if it was always the same. The fact that I've had to learn data science and AI and machine learning and lots and lots of other things, that is what really appeals to me about this field.

Sophia Matveeva 
So what can you actually tell us about your work for the US government and your work in the NSA? Because I'm assuming that that's what everybody wants to know about, but what am I allowed to ask you?

Josiah Dykstra 
Sure. So I now work for a company called Trail of Bits, but I previously spent 19 and 1 1 half years with the US government. That was a job that was fabulously exciting and rewarding, and I loved every minute of it. I spent different amounts of time doing different things. So I spent about seven years in a research organization, eventually trying to understand people and their use of technology. How do we make people more effective in their jobs? Because.

The government, like everybody, uses a lot of technology. And the mistakes or errors that happen had high consequences. So the things that a company makes a mistake might have significant financial consequences. If employees in the government have mistakes or errors, they also have high consequences. So I wanted to understand those people and that situation. But I spent a lot of my time learning how to do sort of hands -on practical cybersecurity too, penetration testing.

Sophia Matveeva 
So what kind of consequences?

Josiah Dykstra 
evaluating malicious software, understanding how people were breaking into networks and how to stop them from doing that.

Sophia Matveeva 
And so can you tell us what is penetration testing?

Josiah Dykstra 
Penetration testing actually means a lot of things. What most of us think about first is sort of authorized breaking into a network. That is one example of penetration testing. So a company might.

Sophia Matveeva
Is that what people think of us white hat white hat hackers?

Josiah Dykstra 
Right, it is done with permission. Permission is a key thing here. So there are professional companies who do this as a service. You can hire them to say, please try and break into my network. I give you permission to try and break in. Why would you do that? To find the problem so that you can fix them before an actual unauthorized attacker tries to get it.

Sophia Matveeva 
Mm -hmm. Mm -hmm.

when you were doing that in the U S government, um, were you working, I'm assuming you're working with just us data or you looking at global trends.

Josiah Dykstra 
Um, the government does both and I had the opportunity to do both. So I worked on what, what is sometimes called the blue team that sort of authorized, um, penetration tests against another part of your own organization, in this case, in part of the department of defense. So, um, another part of the U S government or a part of the DOD would say, please try and break into our networks so that we can find those vulnerabilities and fix them. So that is sort of the internal cybersecurity part.

But DOD, NSA, others like that also have a foreign intelligence mission. So understanding foreign adversaries that they're legally authorized to look at, they do that as well.

Sophia Matveeva
So did you ever find something and you think, oh my god, this was so easy and like, you know, a 14 year old could get access to nukes? I don't know if you can tell me that, but I want to ask.

Josiah Dykstra 
I don't know that I encountered that particular situation, but it is very unsurprising to find easy things in cybersecurity. And I used to, I don't know, be entertained by that. And now I don't know that I find it quite so humorous that, oh, there was an easy to break password. I think how did that come to be and how can we make it better? Not just, oh, how humorous is it that that person had an easy to guess password?

Sophia Matveeva 
Mm -hmm.

So now that you're in the commercial world, when you are working with companies and talking to them about their cybersecurity, what do you think is the first kind of myth that you need to dispel?

Josiah Dykstra 
A very common one is that we are too insignificant or too small to be a victim, which is exactly the kind of thing that every victim says before they become a victim. That misconception, I think, is, well, I don't have anything of significance. Individuals say this, small businesses say this quite a bit, or people who write brand new software, like, well, nobody knows about me. I don't need to worry about that. There haven't been any attacks. Why should I prioritize that?

That line of thinking is a little bit dangerous, and it makes several assumptions. One, it assumes that the adversary knows who you are. And that is almost never true. This targeted spearfishing where they're going after Josiah specifically is relatively rare compared to attackers who are just going after everybody who happens to have an email address or a computer at all. And the attacker doesn't know who I am until maybe I fall victim to that.

Sophia Matveeva 
But what are they trying to get when they're doing that? Could you give me an example? You know, if somebody is just randomly, because literally I have that thought, I'm like, well, you know, my banking data is secure, I'm assuming in my, you know, with all my banking apps, et cetera. But, you know, if they saw my email to my mom, is that going to be particularly interesting to read? Probably not.

Josiah Dykstra 
So those small businesses are making a wrong decision.

Right, so I put myself in the shoes, if I put myself in the shoes of an attacker and I just want to make money, right? Lots of criminals are out there to make money. And so the criminal might say, well, lots of people have bank accounts. And maybe if I send them all, if I send millions and millions of people an email that looks like it comes from a particular bank, I can trick them into going into a webpage I control just to get their username and their password. But they're doing that because they don't care about you. They just care that you have.

any money and an online bank account. So there's very little cost to them to sending millions of those email addresses, but they don't really know that it is you or me or anybody else, just that you have a resource they care.

Sophia Matveeva 
And so then for larger organizations, I'm assuming it is it it basically just the same thing, you know, just a standard phishing attack that you're going to get, but you know, it's going to go to the, I don't know, head of finance, as opposed to, you know, Mrs. Mills sitting at home.

Josiah Dykstra 
Human error, like we've talked about, is an enormous risk for a company with a lot of people. The more people you have, the more possibility that that could happen. If you only had two employees, less likely than if you had 2 ,000 or 20 ,000. In reality, there is more to lose. And so security awareness does matter. We need people to be sort of careful and diligent. But the myth is that we only need to protect the CEO. We only need to protect the CFO when in fact,

A victim who works anywhere in the organization has an internal trust that the attacker could use to try and attack somebody else inside the company. So they might not go after the people who are quote unquote most protected. They would go after someone who answers the phone, right? In the call center or in accounting who gets invoices and just use that as one internal part of the company from which to attack other people.

So if that accounting professional sends an email to the CEO or the CFO, it could look more legitimate, but they're just using that email access to sort of move inside.

Sophia Matveeva 
How interesting. And so when you're working with companies, am I right to assume that the, you know, first people that you would work with are people in the actual AT department? Is that correct?

Josiah Dykstra 
That is fairly common. As a cybersecurity company, we tend to work with other cybersecurity peers. But those conversations also include their bosses and the owners of companies who have resource allocation decisions to say, software security should be a higher priority for you. And so not every engineer gets to make those decisions, but they are the ones who understand and implement.

Sophia Matveeva
Well, so this is what I was going to say that essentially if it's cybersecurity, people who obviously, you know, if there's a site like head of cybersecurity in a company, presumably they take it seriously and, you know, they know that it's important and because they have decided to spend their waking hours thinking about it. But then if it kind of just stays in the, you know, if you're basically preaching to the converted.

then how much of an impact does it really have on the company because then, you know, humans are still humans. Everybody's lazy. Everybody's got too much to do. Nobody can really remember what's kind of going on. I mean, I'm speaking about myself and now I consider myself to be a highly functioning human being. So if you are just being to the cybersecurity people, does it feel sometimes that your work is...

a thankless task and a silo and that people aren't listening to you when they should be.

Josiah Dykstra
It feels like that a lot. And that actually can be a little bit dangerous to that workforce. So those silos that exist, if the board of directors says, well, we had a data breach, we can never have that again. That can never happen to our company again. That's a dangerous thing to say to cyber employees, whose now whole job, their whole, their goal is cybersecurity. And if you give them an impossible task, we already said we can't get risk to zero. That is incredibly stressful on them. I have seen that go very poorly.

But that does raise the point that the cybersecurity organization, the CISO or the chief security officer, their goal in life is security. That's what you hired them for. That's what they're trying to do as well as they can. But that is probably not the business's entire goal. So the board, the CEO also has to weigh when is security not the most important thing today? When is it not the best use of our next dollar? When is it not worth another hour of training and awareness time?

And so those conversations need to happen across sort of people with different goals. And those of us in cybersecurity have to learn to be respectful of that too, because as we've talked about, like we think security is the most important thing, but it's one of many.

Sophia Matveeva 
You know, this reminds me of this case study we had at business school and for me business school is now almost 10 years ago. So I might get some of the details wrong, but essentially, uh, it was, there was a shop and I think it was like a grocery store and then new management took it, took it over and nothing changed. So the location was the same.

And they were still stocking the same stuff, but essentially sales went down dramatically. Like really, they just fell off a cliff. And we were asked like, what happened? What, what could have possibly happened? And apparently what happened was that the people who bought it, saw that there was stuff being stolen, which is what happens in every grocery store.

And so then they thought, well, this is so terrible. And we're so annoyed with this that we're just going to put everything behind these windows. You know, we're going to essentially kind of shield everything. And then that way, if people want something, they have to ask for it. And then we will know, you know, where the shampoo bottles are and so on. And then that way we won't have the theft problem. And so they were correct. So they did reduce the theft problem, but they also reduced the revenue problem.

And, you know, after a while they realized that like, Oh, actually it's better to have, you know, I don't know, 5 % of our stuff or, you 3 % of our stuff being stolen. It's better to have that and increased revenues than, you know, perfect security and making no money. So in a grocery store, it's very easy and kind of comical to understand, but are there equivalents of this trade off in the cyber world too?

Josiah Dykstra
Absolutely. I think that's a good case study. I should cite that more often because when I talk to people, I say, well, how many phishing victims are you willing to accept in this calendar year? The answer cannot be zero. That's an impossible goal. Now, that doesn't feel good to anybody. It certainly doesn't feel good to the CISO and the CEO and the board. But that is the reality. And we can build resilient systems to accommodate when that happens.

But that's an uncomfortable conversation about loss, which is you have to know how much loss you're willing to accept. And that's a business decision. That's not a cybersecurity decision. And you can pay more to lower that risk, whether it's with more training or insurance or something else. The same is true for patching. So in an organization of sufficient size, it takes a while to update the software on all the computers. And so you might have a business goal that's, well, we're going to have, when a new patch comes out,

We're going to have it rolled out to the whole company in 20 days. And so if there's, I'm sorry.

Sophia Matveeva
And what's a new patch? What's a new patch?

Josiah Dykstra 
A new update. So if your phone says you need to update your software or Windows says this, these things roll out all the time. But it takes a while. And if it's not done automatically, the cybersecurity organization or the IT organization has to go touch all the computers and install those software updates. But they can't do it overnight. This is a resource allocation problem. They probably start with the things that are the most important, where the secret soda recipe is.

Sophia Matveeva 
Oh, okay, a software update. Yeah, a new version. Yeah. Yeah.

Mm -hmm.

Josiah Dykstra 
and then move on to things that are less viable. But you can make a business choice that's, well, we need to have that all done, all of the computers updated in 20 days. So if there's an attack in 19 days, that is different than if there's an attack in 21 days. Those are just business decisions that we neglect sometimes to think about in cybersecurity. But that's, again, a conversation across the enterprise.

Sophia Matveeva 
Interesting. It's interesting that essentially that link between technology and business, that's, I think, where the magic always lies because I think.

The issue that we have, and this is the issue I'm trying to solve is that we have this issue in the education system, also in corporates, that we have the tokenologists on one side and we have the business people on the other side. They don't, a lot of the time they don't really understand what the other side is doing. And they also have a lot going on. And so they're just focusing on the ring task. But then as a result, you don't have these.

conversations about trade -offs and why you're doing all of this, because at the end of the day, as you said, cybersecurity for a corporate is basically so it can carry on making more money by serving their customers, by having customers in the first place. So that's a great, thank you for sharing that. So as a last thing for our listeners who are, you know, educated people, smart people who want to do the right thing.

But also, you know, some of them, I suspect, have got their passwords written down in their notes app. Some of them have them in their, you know, on post -its. I can kind of almost hear them cringing and thinking, oh, my God, this is me. You know, we're dealing with a human condition. So what would you say to those people as a parting note?

Josiah Dykstra 
Thank you for trying. People who have passwords written down, that says something to me that they care about their passwords and they're trying to do the right thing. Thank you for that. I acknowledge that. There is a spectrum of things we can do. That is not the worst end of the spectrum. The worst end would be somebody who has the word password for everything on the internet. They would not have it written down on a post -it. So congratulations for doing a good thing. And know what your other options are. Know that there are software like password managers.

that you can install to help you do your password management job better and to help you as a human prioritize the things and work on the things that matter to you. Keep updated. This whole field is changing. Two factor codes, the kind of codes you get, those numbers on your phone when you log in. From a cybersecurity side, that is very powerfully secure for you. It means if somebody happens to steal your password, they still probably don't have your mobile.

and hopefully they still can't get into your account. But this is a rapidly evolving field. I hope someday we will have things that are better than passwords. We're starting to see indications of that. So keep aware of it. Keep up with it.

Sophia Matveeva
And also I think I like your point about the trade -offs because, you know, sometimes if I forget a password to something really important, you know, like Gmail or something, then, you know, I'm going to, you know, be more careful about it. Whereas if I forget a password to, I don't know, a gym where I don't even pay membership and just pay, you know, per class, then I think I don't even know why I have a password here and why they're torturing me with this. I don't care what it's going to be.

So it's not really worth my time investing in, you know, finding something, finding something really elaborate, because if it gets broken down, somebody will see, you know, what gym classes I've gone to, which is not very interesting. Awesome. Well, thank you so much for sharing your wisdom with us and also for making us feel better about, you know, the fact that we are not failing as much as we think we are. That's always nice to know.

Thank you so much.

Josiah Dykstra 
It's a pleasure, thanks for having me.