Welcome to the Cybersecurity Readiness Podcast Site
Feb. 1, 2023

From Law Enforcement Officer to Chief Information Security Officer

In this episode, Brian Penders, Chief Information Security Officer at the University of North Carolina Chapel Hill Medical School, shares his exciting but challenging journey from working as an engineering lab technician on a US nuclear submarine to serving as a law enforcement officer with the Vermont State Police, and then gravitating to his current role of Chief Information Security Officer at a major academic institution. He sheds light on the principles driving the high-reliability organizational culture in the US Nuclear Navy Propulsion Program and how those experiences influenced and shaped his growth as a cybersecurity leader.

Time Stamps

02:24 -- Take us behind the scenes and share some highlights. What were the drivers? What were the motivators? What can listeners take away from your experience?

09:02 -- Let me first focus on that high-reliability organizational culture that was established in the US nuclear Navy, and you have lived in that culture. Share a bit about what it is like and what could be some takeaways that are relatable or applicable in the world of cybersecurity governance?

16:08 -- Are there any unique challenges that a medical school faces compared to the other units? And if so, how do you go about dealing with them?

19:34 -- Research finds that in general, organizations don't do a very good job of rehearsing their incident response plan; sometimes they don't even have a good plan in place. Brian, as a practitioner, what's feasible and what's ideal?

21:36 -- Is it fair to assume that institutions are rehearsing how to recover from a ransomware attack?

22:20 -- Is this rehearsal of proactively or reactively responding to ransomware attacks taking place at only certain levels, and not at all organizational levels?

23:48 -- Moving on to cybersecurity governance best practices, there are several out there; would you like to highlight a few that you are really big on?

27:03 -- What's the reality around passwordless authentication?

28:58 -- I'd like to give you the opportunity to share some final thoughts with the listeners.

Memorable Brian Penders Quotes/Statements

"The Navy taught me how to learn, and that was more valuable to me at the time than anything I learned about nuclear engineering."

"Incident response is really a great way to learn the environment and build partnerships across an organization."

"The Navy taught me how to learn. The way Admiral Rickover thought through individuals gaining technical knowledge was really amazing. It was based on if you could not draw and explain something to a group of experts sufficiently, then you are not going to move forward."

"If I had 30 seconds with a group, I would tell them to keep their software updated."

"We need to get out of the business of the shared secret. Passwordless authentication is the new and up-and-coming defense to credential theft."

"We have found that folks from liberal arts and humanities can be extremely valuable to supplement and sometimes lead our cybersecurity teams. I'm generalizing, but they're good problem-solvers. They're able to see the big picture, and they're excellent communicators, all amazing skills."

Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712

Latest Publication: https://www.imd.org/ibyimd/magazine/preventing-security-breaches-must-start-at-the-top/

Transcript

Introducer:

Welcome to the Cybersecurity Readiness Podcast Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of the book Cybersecurity Readiness: A Holistic and High-Performance Approach, a SAGE publication. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars and workshops, consulted with companies, and served on a cybersecurity SWAT team with Chief Information Security Officers. Dr. Chatterjee is Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia. As a Duke University Visiting Scholar, Dr. Chatterjee has taught in the Master of Engineering in Cybersecurity program at the Pratt School of Engineering.

Dr. Dave Chatterjee:

Hello, everyone, I'm delighted to welcome you to this episode of the Cybersecurity Readiness Podcast series. Today, I have as my guest Brian Penders, Chief Information Security Officer of the School of Medicine at the University of North Carolina, Chapel Hill. I had the pleasure of meeting Brian at a cybersecurity conference hosted by UNC's World View program. And I really enjoyed his presentation. So I felt that all of you would enjoy hearing what Brian has to share by way of his experiences and perspectives in cybersecurity. While I was learning about Brian, the professional, I was super intrigued by his background. He has a very interesting journey that began in law enforcement. In fact, it began in the US Nuclear Navy. And today, he is a senior information security governance officer, a leader. It's a fascinating story, a story that he needs to share himself, not me on his behalf. But bottom line, it's a great honor and a privilege to have Brian on the show today. Brian, welcome!

Brian Penders:

Thank you, Dave. It's great to be here. I really appreciate the invite. And yes, it was. It was great meeting you at the conference and having lunch and getting to know each other.

Dr. Dave Chatterjee:

It really was. So Brian, as I just mentioned in my intro, you have a very interesting professional background. You worked as a lab technician on a US Navy nuclear submarine for six years, then you were a law enforcement officer for 15 years before transitioning to incident response and digital forensics. And now you are the Chief Information Security Officer at UNC School of Medicine. Wow, what a journey! Take us behind the scenes and share with us some highlights. What were the drivers? What were the motivators? What can listeners take away from your experience?

Brian Penders:

Yes, happy to do so. I know, you know, many people in the cybersecurity field, as I do, and I've been amazed at the different backgrounds of these professionals, particularly security leaders. I'm not sure if it's true in other fields, but vast differences, no two are the same. And I love reading about the backgrounds of these folks. And mine was like many people in this field, I didn't think about getting into cybersecurity way back. It was something where I wanted to, when I was in college, I took liberal arts and humanities courses. And I was interested in science, but I more read about science on my own. I, you know, didn't really do well in science courses in university, because it seemed a bit more abstract to me. And so after college, my father and a few uncles were veterans, so that influenced me. And so I went into this program, I did some research, and I wanted to do some traveling and really get into something that was challenging academically and to serve my country. And so I looked into this program and went into the six-year tour for naval nuclear propulsion. The first two years is in schools, engineering schools, very challenging curriculums, and then went to my duty station, which was a fast attack submarine out of Pearl Harbor, Hawaii. Wow. Very difficult duty. Yeah, a gorgeous place to live, no doubt, but very difficult duty, was at sea quite a bit. And the work-life balance was tough. That's why I can't really recommend this path, I should say, because some of these positions were very tough on the home life, as you can understand. So after the military, I had an interest in law enforcement and, you know, people were scratching their heads. Why didn't you use this training? Why didn't you get into civilian nuclear power? And, you know, I didn't really have an interest. And for me, and we will talk about this a bit more later, for me, it was about the Navy taught me how to learn. And that was more valuable to me at the time than anything I learned about nuclear engineering. And so that's really threaded through a lot of this journey. And so I went and applied for and got a position with the Vermont State Police after that, and like every other person, you do patrol work for several years. And then I did some executive protection with the governor's security unit. And then I started to get the itch for technology and something a little more intense and some training. And at first, I looked at a polygraph examiner position, because that had significant training, and was a pretty complex and difficult job; that didn't work out. And then a Computer Crimes Unit position opened up, a very small unit. And keep in mind, this is in 2007, which is when the iPhone came out. So this is when everybody had computers at home. Everybody's got cell phones with them. And as you can imagine, every crime just about had a digital component to it. Huge demand for expertise in this area. So I was fortunate. And you and I talked about this school last time we spoke, to be able to go to this amazing facility down in Hoover, Alabama, that's called the National Computer Forensics Institute, NCFI. It's literally for state and local law enforcement and prosecutors to learn digital forensics. It's run by the Department of Homeland Security. The first course, I was there for a total of 11 weeks. The first course is five weeks where you learn from the ground up about how computers work, how networks operate, and then you get into forensic software and doing forensic exams and writing reports. And then the great thing about it is you go back to your department with the equipment and the software to get going from day one. And so anyway, those first few years were, I can't say enough about how steep the learning curve was. And my biggest takeaway from this position that I brought to North Carolina was there's nothing more terrifying than preparing for a trial where the stakes are high. Many of our victims were children, heinous crimes, you need to get this right. And so it was a lot of, you know, checking and double checking and reaching out to anybody I could to make sure I got this right. I needed to be able to present data to an older jury, because, Vermont being an older state, juries are older, a lot of them were not familiar with technology, and then also be technical enough so that the defense attorney, who also has a defense forensic examiner, you can survive that cross examination. So it was really a way to not only learn the material, but how do I document it? How do I present this to different audiences? That was a really great takeaway for me. When I moved on from Vermont to down here in North Carolina, we had wanted to move south for a couple of years. And I wanted to stay in the field. But I didn't... the work cases were pretty heavy and stressful. And so my wife had always worked in higher education. So I had an interest in trying to work at a university, and this worked out at Chapel Hill. Like you said, I came down into a digital forensics incident response team lead role, and I really found a home here. And, you know, I was one flight of stairs away from experts in storage, and servers and email, Splunk, pretty much everything. And incident response is a really great way to learn an environment and build partnerships across an organization. And then after five years there, this position opened up in the School of Medicine, where I could do security more across the board. And it's been great. I've been here almost four years. So that's kind of the journey in a nutshell.

Dr. Dave Chatterjee:

Fascinating. Thank you for your service. I have many former students who have been in the nuclear Navy vessels, and I've heard a lot of stories. So hats off to you guys. I believe the training, the expectations are quite steep. And it really gets everything out of you. So yes, you know, we all have our journeys. They're almost meant to be, and we learn. So this is fabulous that I'm able to talk to you. The US Nuclear Navy Propulsion Program, which Admiral Hyman Rickover launched, he's considered the founding father. There was an article written about the culture that he established, which enabled the program to avoid catastrophic losses for a long period of time. And this culture that Admiral Rickover established is characterized by five or six principles, such as integrity, depth of knowledge, procedural compliance, forceful backup, questioning attitude, and formality in communications. So when I was reading this article about the culture that he had established, and I was learning about these principles, it dawned on me that why don't we apply those principles in the private sector in the context of cybersecurity governance, and try to execute them as best as we can, as they did, or as they do in the nuclear Navy world. And we in the private sector will do a lot better. So that was almost the start of my journey into cybersecurity research. And in fact, that framework helped me develop my cybersecurity holistic governance framework, which is in my book. So I'm so glad that you are here, Brian, to talk to us about your variety of experiences. But let me first focus on that high-reliability organizational culture that was established in the US nuclear Navy, and you have lived in that culture. Share a bit about what it is like and what could be some takeaways that are relatable or applicable in the world of cybersecurity governance?

Brian Penders:

Yes, I'll be honest, I had not really thought about tying these principles to my current role until we spoke about this. And you're right, these... First of all, it's probably the least talked about success story. As you know, the Nuclear Propulsion Program began with Admiral Rickover. And we're talking about, this is now 40 years after he retired, and this program is still going strong, as you said, accident free. It's really incredible. But you're right, these principles could probably apply to many industries, but they certainly can for this field. And I would like to touch on a couple of things that were a part of Admiral Rickover's principles, and that I saw in my experience there, that have stayed with me. One of them is depth of knowledge. That is one thing that I mentioned, the Navy taught me how to learn. The way that Admiral Rickover thought through individuals gaining technical knowledge was really amazing. It was based on, if you could not draw and explain something to a group of experts sufficiently, then you are not going to move forward. And this is everything from the micro to the macro; this could be draw and explain a particular valve, and up to a system, and then how systems work together, or an evolution like an engine room startup, talk us through that. And that stays the same not just in the two years of school. But when you get to your duty station, you really are just beginning your training; it doesn't end. In fact, I think I thought through all of the oral boards that I went through before I was fully qualified as essentially a junior person in the engineering department, and it was around 10. Those are formal ones. That is something that I think he doesn't want, he wanted you to move away from memorization to understanding; once you understand, there was no need to memorize. But that was a big one. And the other was his focus generally just on people. I think he was the first military person to, this is post-WW II, so he's trying to move away from the brawny warrior type to the thoughtful engineer type. I don't think anyone had done that before. And how rank actually took a backseat to knowledge. Many people may not know this: when you stand a watch on a submarine, you may outrank administratively people on that watch, and it seemed to work. When you got off watch, you were back in your administrative rank. You didn't have as many privileges as that person, but on watch, if you proved your superior knowledge and qualified for that watch station, you were over them operationally. So that's fascinating. And then, lastly, another thing he talked about was a preoccupation with failure, thinking about failure, and this is where in cybersecurity, you get to this idea of assume breach, and really Zero Trust is based on having a failure already. So, and then, you know, he stressed people before the idea of people, process, and technology, which we know today is very important in that order. And he really stressed that early on.

Dr. Dave Chatterjee:

Sure, sure. I'd like to share something that was shared by one of my former students, and he said, Dr. Chatterjee, in the nuclear Navy vessel, when we were given a command to do something, we were required to repeat the command verbatim before we executed. And he said it kind of felt really awkward. We felt like we are really dumb people, as if we don't follow, but you realized how much importance and emphasis was given to communication accuracy, communication integrity, and that stayed with me as well. When you talk about cybersecurity governance, and you know it better than anybody else, because you do it for a living, a lot of it is communication, but effective communication. And one of the hallmarks of effective communication is, if you are communicating something, there has to be a mechanism whereby you know that your communication is being received appropriately. And how do you do that? So that was one way of doing it: just tell me what I told you. And now that you've told me what I've told you, and I believe you get it, now go ahead and execute it. I think that's fabulous.

Brian Penders:

I agree 100%. It takes out of the equation one error that could be costly, for sure. Yeah.

Dr. Dave Chatterjee:

Exactly. Let's switch gears a little bit. You are managing the security environment in a medical school at a large institution, a very reputed medical school. That's quite the responsibility. I've had CISOs on my podcast who've talked about the various challenges that academic institutions face, and they have shared solutions, best practices. There are many units within an academic institution, and you focus on a particular unit, the medical school. Are there any unique challenges that a medical school faces compared to the other units? And if so, how do you go about dealing with them?

Brian Penders:

Yes, there are. And there's a couple I'd like to talk about. One is really true for all Health Affairs schools. And it's something that a lot of people don't think about. And it has to do with something simple: that there are high earners in Health Affairs. And what this means is, we're targeted for a lot of these, what I'll call money-grab type scams and attacks. So specifically, years ago, there was a phishing campaign around stealing W-2s for tax fraud purposes, and a large percentage of those accounts were from the School of Medicine. Other attacks involving social engineering to get into retirement accounts; we get, I think, a large portion of the tech support scams, which really try to get a credit card number. Getting a credit card number from a doctor, it's different from others. And also just credentials, or medical email credentials, are more valuable, frankly, on the dark web to sell. So that's something that we talk to, right from when students get here all the way through, is be careful, you may be caught up in this. And honestly, those have really been the root cause for our incidents that involve regulated data, PHI, because there really isn't an interest in the PHI. But because these attacks happen, there may be an exposure of email that contains regulated data. So it's a real headache. It's very risky for us. So we try to talk to our users, our faculty, staff and students about that. The second big category is really around governance risk. If you can imagine the Venn diagram, the School of Medicine is one of the HIPAA covered components of the university. But we are also tied to UNC Health, our partners there, and that's by statute; the Dean of the School of Medicine is also the CEO of UNC Health. We are separate legal organizations, but we share our clinical faculty. You're a faculty member as well, Dr. Chatterjee. So, you know, as a faculty member, you want to be available to people, you want your work to be known. You want people to be able to get in touch with you. And it's particularly easy in that regard, because we're a public university. And when you add the fact that these are also our clinicians who are working with regulated data, they're doing research that involves health information, it's very challenging when you get that mix together. It takes a lot of communication with our faculty to understand the differences and to be able to work with our partners at UNC Health to make sure that there aren't any gaps there that could expose data. So those are the two big differences here in the School of Medicine.

Dr. Dave Chatterjee:

Yeah, thanks for sharing. I'll take this opportunity to share with the listeners some common cybersecurity challenges that plague educational institutions. I talked about these in my talk at UNC where I met Brian. One of the challenges is dealing with legacy systems; numerous remote endpoint devices is another challenge; securing the student body; lack of incident response plans; no budget line item for cybersecurity, that's more true for the community colleges; difficulty keeping up with emerging threats. And finally, the ability to hire and retain staff, because cybersecurity jobs can be exciting, but they can also cause burnout. So there can be a high turnover. You emphasize incident response plans, and research finds that in general, organizations don't do a very good job of rehearsing their incident response plan; sometimes they don't even have a good plan in place. I'm not going to ask you to speak specifically to your organization. But generically, Brian, as a practitioner, what's feasible and what's ideal?

Brian Penders:

Yeah, it's a good question. And you're right, these things can slip away as everyone gets busy. But they're very important. I think the trick is to not think you have to go to the nth degree with this. You know, ideally, we would have something that involves the entire university, UNC Health, School of Medicine, and we would all get together. You don't have to go right there; you could just do something as simple as, when you actually have an incident, you can actually use that as an example of checking it against your plans. And when we work with third parties, that's their recommendation too, you know, take advantage when things come in to run through your plan. And then honestly, working with third parties to help with tabletops and reviewing incident response plans, I think, is a great way to go. You know, they can provide some great expertise; they can sort of sit from the outside and tell you how you're doing and the direction you need to go.

Dr. Dave Chatterjee:

Okay, good to know. Ransomware attacks are a threat to all organizations; academic institutions are no exception. In fact, they are being hit very heavily. So is it fair to assume that institutions engage in rehearsing how to recover from a ransomware attack?

Brian Penders:

Yes, I think it's done under the umbrella of disaster recovery generally, which isn't really specific to ransomware. Usually your infrastructure teams are in charge of developing your business continuity and disaster recovery plans. And they periodically do test restores of systems that would help with a ransomware incident or after it.

Dr. Dave Chatterjee:

Okay, that's good to know as well. So as a faculty member, we get communication from the Technology Office, the Security Office, from time to time. I don't recollect any communication or guidance where they are proactively preparing us for a ransomware attack that could freeze our systems, compromise our data. So what I'm trying to understand is this rehearsal of proactively or reactively responding to ransomware attacks: is this rehearsal taking place at a certain level, and not at all levels? What would be... I'm just trying to get a better sense, from your perspective.

Brian Penders:

Right. It wouldn't be something that would rise to the user level. It could certainly be an attack and certainly start there. But it'd be more about, when ransomware actors are looking at a large organization, they're not as focused on doing a whole lot with individual users' workstations; they're going to use that as possibly an entry point. But it would be taking some time, using different malware, to move across an organization to get to something that they want. It could be domain controllers, or could be bigger servers and storage arrays, something that can really hamper the organization such that a payment would be feasible. It wouldn't be something that a user would really get involved with in terms of testing those programs.

Dr. Dave Chatterjee:

So moving on to cybersecurity governance best practices. There are several out there; would you like to highlight a few that you are really big on?

Brian Penders:

Yes. I mean, considering, as I mentioned, we've had some incidents with phishing and social engineering, our best practices the last couple of years have focused in those areas, in what I'll call a good, better, best type scenario. In terms of, let's say, passwords, we talked to our users about strong and unique passwords. Now, some of their university accounts are automatically done, but their own accounts... And we focus on things like: think about your primary personal email account, and how important that is. You need a strong and unique password, and you need multi-factor authentication, because that could be the key to all of your other accounts, at least the ones that don't have multi-factor authentication. And beyond that, we say now look at your finance, banking, retirement, and then look at your social media. And then if you can, make sure you do that for all of them, use passphrases, and a lot of that general password guidance. But lately, because of the nuances of the attacks, especially in terms of multifactor workarounds, our exact playbooks of guidance don't really work with our users. So we've been talking to them about this idea of having situational awareness, in terms of: are you already logged in? You may get an email; you should look to see if it is from an external source, and if there is a link there, you should be very careful about that link. And if you do click the link and you're asked to log in, why would you need to log in? And so, we use two different MFA solutions here, but the one we use for Microsoft, they should not have to log in, as you know. When you log in, you get a session token; it should last a while. So you should really think through why you're being asked to put your credentials in here. Because some of the ones we've seen have been this attack where there's a credential turnaround, where attackers take the credentials in real time, log in, and that will generate a push. So the advice to our users to only accept push notifications that they expect doesn't work, because they did expect one. So that's when we have had to back up and talk to them about situational awareness. So those are some of the big ones around passwords and MFA. And the other one is updating software. I'll say, if I had 30 seconds with a group, I would tell them to keep their software updated. And what we're talking to our users about is, they don't really know a lot about the software release cycles and how the software is likely a combination of security updates and new features. Our users get lulled into thinking that it's only new features, and they, you know, hit "remind me tomorrow," and they don't quite understand that the updates are security patches for the previous update. And so again, it's a good, better, best. We don't expect everyone to stop what they're doing. People are busy, but we say as soon as possible. But if you can, within a couple of weeks, get that new software installed, you're going to have the security updates that you need. So those are just a few of the big ones we've been talking about.

Dr. Dave Chatterjee:

Absolutely makes sense. I'd like to react to a couple of things. When you mentioned multifactor authentication: recently, I did an episode on multifactor authentication fatigue, and the guest was talking about how developers detest having to authenticate time and again when they're working on 50 different applications that they're having to go back and forth between. And then there are human beings who are also at times unwilling to have to authenticate every time they are having to log into a system. I will admit that initially, I belonged to that camp. But I've changed since, because I now recognize how important that security feature is. I also wonder about these passwords. You know, we're tired of remembering passwords, tired of trying to save passwords; password protection managers don't work, they get hacked. We hear about them all the time. So there's a huge push towards passwordless authentication. I guess I'm curious, what are your thoughts? What's the reality around passwordless authentication?

Brian Penders:

When I think about the big defenses that have come out around identity, certainly MFA years ago was one, and I think we're on the cusp of another with WebAuthn, and using biometrics on your system to prevent this idea of a shared secret. Right, we need to get out of the business of the shared secret. And so UNC is moving to offering passwordless authentication this year; we have a strategy to roll it out. And I think it's going to be well received, and we'll see how it goes. But attackers will pivot. It'll be... they may go back to malware, or they may, you know, use malware to grab session tokens. And so there might be a new thing. But this, I think, is a big new defense to credential theft.

Dr. Dave Chatterjee:

Excellent. Wonderful. So Brian, we are kind of coming towards the end of our episode here. I wish we could continue the conversation, but we will have to wrap it up. So I'd like to give you the opportunity to share some final thoughts with the listeners.

Brian Penders:

Yeah, I just wanted to spend a few minutes talking a little bit about building teams. You and I discussed this a bit last time we talked: some of the things that we look for when we're looking at someone from IT who's interested in coming to cybersecurity. We look at service desk experience, system and server administrators, and developers. But it's also important, we have found, in addition to traditional diversity, diversity of background. We have found that our folks from liberal arts and humanities can be extremely valuable to supplement and sometimes lead our cybersecurity teams. I'm generalizing, but they're good problem solvers, they're able to see the big picture, and they're excellent communicators, all amazing skills. And if they have a propensity and an interest in being technical, that just makes it all the better. And then the other thing is, for any folks who are trying to get into cybersecurity, it can be really hard. It's easy for us to say, well, you know, just take an entry-level IT job and move from there. But that's not feasible for some people. And so the only advice I have is to bug your IT teams wherever you are. And if you're in IT, bug your security team. I'm surprised more people don't come and talk to us, just knock on our door and say, can you tell us what you do? Show me some of the things that you all do. So I know a lot of my colleagues would welcome that. So just a few tips for anyone looking to get into cyber.

Dr. Dave Chatterjee:

Fantastic. In fact, I'd like to reiterate what you just said: even if you're coming from a non-technical background, there is no reason to shy away from a field like cybersecurity, because the field could benefit from people bringing in different perspectives, different expertise. And there are numerous instances of people with liberal arts degrees. I had a subject matter expert on another episode; she has a PhD in philosophy, and phenomenology was the focus of her dissertation. She's a real techie; she assessed cybersecurity technologies for the government. So there's nothing that you can't learn, even if you didn't have the traditional technical training or technical foundation. It's all a matter of interest and being willing to be curious and being willing to adapt. So I think there are several other skill sets that come into play. Brian's own journey, where he himself mentioned coming from a liberal arts background and how he literally stumbled into these roles, and then he grew with them. I'm sure he'll be the first person to agree that he didn't envision himself doing what he is doing today when he got out of college with a liberal arts degree. So do keep that in mind, for those of you who are aspiring to pursue a career in cybersecurity and you're sitting on the sidelines wondering if that would be a good career move or not: I think it'll be a great career move. More importantly, there is also the opportunity to secure the enterprise, secure the nation. There is the other aspect to this job that makes it very noble. I want to take this opportunity to thank all the cybersecurity professionals out there who do this job, and they often are never recognized. They do it behind the scenes. The purpose of podcasts like mine is to try to bring them out of their cubicles and share with the world the realities behind cybersecurity governance, and all the great things they do. So, Brian, thank you again for your time. It has been a real pleasure.

Brian Penders:

Thank you very much. I enjoyed the conversation.

Dr. Dave Chatterjee:

A special thanks to Brian Penders for his time and insights. If you liked what you heard, please leave the podcast a rating and share it with your network. Also subscribe to the show, so you don't miss any new episodes. Thank you for listening, and I'll see you in the next episode.

Introducer:

The information contained in this podcast is for general guidance only. The discussants assume no responsibility or liability for any errors or omissions in the content of this podcast. The information contained in this podcast is provided on an as-is basis with no guarantee of completeness, accuracy, usefulness, or timeliness. The opinions and recommendations expressed in this podcast are those of the discussants and not of any organization.