Understanding Cybersecurity and Cutting
Through the FUD with Eric Pinkerton
Sally Parrish interviews Eric Pinkerton
Guest Cyber Expert Eric Pinkerton joins us to explore how to bridge the gap between the board of Company Directors and the Executive Team when it comes to all things Tech and Cyber. Boards don’t know what questions to ask. Executives don’t know what information to present and they want to ensure that they don't bring problems to the board.
There is no doubt that there is more and more onus on Non Executive Directors to understand the technical lay of the land and more responsibility coming their way for the safe collection and storage of data. Eric gives his frank insights into what you can do to be more effective in the area of cyber governance and how you can better engage your technical management team to work with you.
Eric cut his teeth as a technologist for the BBC World Service in London, where he learned the importance of ‘educate, inform and entertain’ he also developed his passion for emerging technologies with a bent for security. Arriving in Australia in 2003 he landed an operational role at Australia’s first IP Telco, and has since served hard time at Telstra, Stratsec/BAE Systems, Datacom, CSC and Finally Hivint/Trustwave.
Eric is a regular presented on the conference circuit, evangelises a healthy level of cynicism and speaks about privacy, security and the myth of infallibility in humans.
FURTHER INFORMATION
Meet Eric on Linkedin https://www.linkedin.com/in/epinkerton/
Follow Eric on Twitter https://twitter.com/ericpink
Click Here to View the Podcast Interview Transcript with Eric Pinkerton
Erik Pinkerton 00:00
It's not choosing what the best metrics are. It's collecting everything you can, it's knowing that not everything you can measure matters, and not everything that matters, you can measure, and then being able to take the things that are interesting, and then apply some intel to that.
Sally Parrish 00:17
Hi, I'm Sally Parrish, Amazon, Best Selling Author of the essential Field Guide for company directors and founder of the board Coaching Institute. I've been in on and around boards for over 20 years. And if you like me are passionate about the boardroom, then this podcast is for you. And I'd love you to join me on this mission to decode board success. What is it that sets some non executive directors apart from the rest? How can you enhance your leadership skills so you can be highly effective in the boardroom? And what will it take to make board success reality for you. I hope you enjoy these episodes as much as I love making them and that they unlock the secrets for you to gain a competitive advantage and have massive impact and influence in your board roles. Let's get started. Today we're joined by Eric Pinkerton of Trustwave. Hello, Eric, thanks very much for joining us.
Erik Pinkerton 01:19
Hey, Sally. Thanks for having me.
Sally Parrish 01:22
Let's start off by tell us a bit about yourself. Who are you? And what do you do?
Eric Pinkerton 01:25
Thank you. So I'm Eric, I have been working in cyber security for about 20 years in various various kinds of places and areas. Currently working for Trustwave doing security consulting, mainly specializing in things like tabletops and thought leadership, one of my favorite phrases.
Sally Parrish 01:51
Brilliant, love it. Now, there are probably 100 topics we can talk about today in the realms of cyber. One of the absolutely fascinating things that I've learned from you is the sophistication of the bad people out there, right? We have this image of a black hoodie in a basement and it's you know, a 19 year old male mom and dad upstairs tell us about the sophistication of some of these operations that we're actually fighting against right now.
Erik Pinkerton 02:25
Yes, so I spend an awful lot of time trying to change the perceptions people have from reading new stories with pictures of, you know, guys in balaclavas in the basement. And I think that if when you talk about cyber criminals, the general idea is that there are these board kids in a basement who are hacking things for fun. They're out there, I tend to think about this almost in a in a sort of graph where you have, you know, prevalence and you have sophistication. So there are lots of what we call script kiddies bored kids possibly on the spectrum, locked in their bedroom for hours on end, parents have no idea what they're doing, and they're hacking stuff for fun. At the other end of the spectrum, you've got the very, very advanced what we call nation state or advanced persistent threat. So they're like your special ops. Each country has its own team of very capable people. They have endless capabilities and resources and training at their disposal. And when you hear cybersecurity professionals saying things, absolute statements, like there is no such thing as a secure system, or if they want to get in, they will get in that that's really what we're talking about. However, they're very rare, and not many organizations will see them, you know, trying to door handles. In the middle of that you have cybercrime, so they're far more prevalent than your nation states. They're far more capable than your script, kiddies. And what we're seeing is cyber criminals sort of growing in prevalence and in sophistication. So as the spooks, and the spies on the AP Ts, develop really specific tools, sometimes they get lost and fall into the hands of cyber criminals who then are able to, you know, take them and weaponize them and use them in the pursuit of financial game rather than they asked me. And then there's a few other bits and bobs around there. So you see hacktivism is writ large at the moment. That's quite a topical thing, especially around we're seeing a real jumping hacktivism around climate issue, for instance,
Sally Parrish 04:25
and you will learn about this setup, right? They've got big office spaces. Yeah, they've got corporate departments. These are businesses, some of them. Absolutely. So
Erik Pinkerton 04:35
again, rather than thinking of one or two bored kids in a basement, these cyber criminals, which is the lion's share of the attacks that that we see, are run like businesses, they have collaboration tools, they have HR departments, they have PR people, they have payroll, people they have, you know, they've siloed the business off into different disciplines. There's the initial access broker who hands off the person who's a specialist in s escalating privileges. They have negotiators, they have insurance experts. And we found from a recent, so there was a ransomware crew that basically got very political at the time of the Ukrainian, Russian invasion of Ukraine. And as a result, all their comms got leaked. And by analyzing those communications, it was almost like the equivalent of their slack messages, we found all these different job titles and people doing these different roles. And what we what the consensus is, is that the people who were working in HR, who were working in marketing, who working in recruitment, didn't quite understand what the organization they were working for were doing, they thought they were working for an organization that was maybe selling ads online. So they were able to maintain this, this business with the illusion of of some sort of legitimate aim, which is quite fascinating.
Sally Parrish 05:52
Now, I wanted to start there, because where we're gonna go today is talk about that gap that exists between the board and the executive. And I just wanted to be really clear about the very real threat that is out there, when it comes to protection of our information. We're not talking about kids in a cellar having a crack, or we are, but as well as that we're talking about very sophisticated businesses that are out there targeting our businesses here in Australia, and in fact, around the world. So let's talk about that gap, the gap between the executive team and the board. So we know that, you know, there's some reluctance in the executive team to really tell the board any kind of negative indicators that are going on in the business. There's a what we are assuming is an inability of the board to ask the right questions right now, and whether that's because cyber is very new, whether that's because they're not trained for this, but there is this general consensus that the board aren't asking the right question. Do you have any other thoughts around that gap and why it exists right now?
Erik Pinkerton 07:04
Yeah, it's funny you asked because I've given that quite a bit of thought, as a consequence of, of being invited to speak to some of your board members. So I found that speaking to those board members directly, was kind of an empowering experience, because I was suddenly unencumbered by the normal condition that I find myself in as a consultant where I'm invited in by executives. And the task, the problem that they really want me to solve is to make them look good, you know, they need to present to the board, or they need to write a board paper. And I'm drafted in to help them do that. And their focus is sometimes you know, that their focus is to make the business more secure tomorrow than it was yesterday. But there's also that can be tainted by the need to look good, and show that they're making progress in front of the board. And sometimes those two agendas can convert right or not quite convert. Yes. So all of a sudden, I realized that I have been helping executives, you know, or a large part of my career has been helping executives guild the lily. And in some cases, I've not just been guilding the lily, but I've been helping them, you know, sprinkle some glitter on, on the turd of what's going on. And I started to realize that there's this really interesting dynamic between, you know, boards and execs. And I started thinking about how, how do we solve for that? And what I the question I had been asked a bunch of different times, is, What questions did a board need to ask in order to really get to the nub of business's cybersecurity posture is what the risks are. And, you know, I stupidly came up with my own list of the questions. And we had that discussion. And I then went away googling what questions the board should ask. And I was aghast to find that there were a billion results to that question. And so there's a billion people have independently gone, I must concoct my own list of questions that the board needs to ask. And it ranges from two questions to, I think the UK NCSC had around 170 questions in their toolkit. And I decided to take the first 30 results, the first organic Google results, take all of those questions and put them in a spreadsheet, and then sort them by category to find out how much overlap there was. So if most people were asking about 10.8 questions is about the average. And I wanted to see how common those topics came up. And what I found was that, surprisingly, there wasn't if you were to draw a Venn diagram of all these topics, they weren't all converging. You know, lots of things came up lots of times, so things like risk, how you're managing risk, or have you got insurance, you know, those types of things came up again and again, but nothing came up more than 50% of the time. And in this collection of questions, which I thought was crazy that there were people independently, claiming to be experts, were writing a list of questions the board must ask, and not mentioning things like how are you managing risk. So there's so much bad advice out there. What I ended up doing was, in order to give myself time to dig deeper into it is I put in a paper to give a talk about this at a conference in Melbourne, which gave really lit the fire end to me when I got that paper accepted, to go and do that, do the research and figure it out. And where I landed, was that there aren't, there is not a magic list of questions that you need to ask if the analogy I use is if I'm going to play chess with a chess master tomorrow, and I come to you and say, you know, what moves should I make? You're going to laugh at me, because it's an absurd question to ask. And the answer is, it depends. And that is really how I feel about this idea of what questions the board needs to ask. And I also started then thinking about this idea that a question and an answer is a straightforward process where I want to know something, I asked you a question, you give me an answer. Brilliant, let's go to the pub, everything solved. Because I knew that there were Socratic or rhetorical questions where I already know the answer. But why am I asking a question? I already know the answer. And I imagined that there'd be this whole bank of research out there where there'd be names, different Latin names for different types of questions. And I went and searched and couldn't find anything. Admittedly, I didn't spend hours and hours and read hundreds of PhD, white papers. But I knew that, you know, the first thing that came to mind was going to a Garriage. And seeing a mechanic and not wanting him to know, I don't know much about cars, in case he tries to, you know, Bill me for something like blinker fluid. And I wonder if there's a question I can ask the mechanic as I dropped my car off in the morning that makes him, you know, that makes him think, wow, this guy really knows about cars. Therefore, I'm not going to rip him off. And I thought in a fraud situation, is there a question of board member could ask of a CFO that makes the CFO think, wow, this guy really gets this? I can't. I've got to be honest, I can't flimflam it. I thought about job interviews, where often, you know, person being interviewed will give the answer that the question the interviewer wants to hear, you know, what are your major shortcomings or I'm a perfectionist, right? So you have to understand that there's a dance that you have to do when you're asking questions. And the conclusion ultimate came to is that, perhaps the problem isn't knowing what questions to ask. And don't forget, if you ask your question, you have to be able to understand the answer that it's going to elicit is to get that how do you get that cyber expertise? In order to know, you know, if what question to ask depends, then who is best placed to understand what it depends on? And how do they how do you find someone who can pull the thread on some of those answers that you're likely to get?
Sally Parrish 12:58
So there's a lot to unpack there. So we've got Sorry, that was a bit of a rant, wasn't it? No, no, I loved it. So there, there are lots of questions that the board can ask. So what questions should be two boards be asked? And there are lots of questions that boards could ask, what they should ask is really situational dependent, right? What's the situation we're in? What you know, what do we need to know? And I love that analogy of the chess master, because you could teach me 1000 chess moves. But it's my ability to pick the right next move, right when we're playing. So you could give these directors 1000 questions, but the skill or the value in the question, there's going to be around knowing which question to ask, and when to play it. But then we've also got the Why asking that question. So you gave the mechanic analogy, right. I, that resonates for me, because as a lady growing up in England, I had to have some questions about football that I could ask that made it look like that I knew the you know, the formation, was it the Christmas tree formation, I had to have a lot of questions about football just so that I could talk to the guys and make it look that I knew that like I knew enough about soccer to contend. But there's a danger there because if the director is asking questions that makes them look more knowledgeable or have more expertise, and they really have then maybe the Cesar will think he's got this or she's got this and I you know, I'll wait for my instructions. There's a danger there.
Erik Pinkerton 14:41
Yeah. How do you consume the answer that a really complex question about cybersecurity is likely to elicit because it's not just if I ask my mechanic the question that's designed to make him think this guy knows about cars, I've got no hope at all of understanding the answer to the question the answer. And if I try to get To the conversation, please immediately get into the hole, the ruse is blown. So, again, I think that question is the wrong question. And it's you need someone on your side that can ask the right questions and pull the thread on those questions. And then turn the answers into something you're able to digest that put it in terms of risk, put it in terms of the financial cost, put it in, you know, in a way that you can contextualize it with your other business risks. That is untainted by those strange dynamics that can come about by you know, an exec who's trying to manage the message and tell you what you want to hear. Because ultimately, his bonus payment at the end of the year is dependent on you feeling like he's done a great job.
Sally Parrish 15:48
Yeah, and I want to go there, I want to talk about metrics, because this is something that we get wrong so often, but just staying on the questions point there. So what I'm hearing, Eric is, you can ask all the questions in the world. But the skill really, that we're looking for directors to have is conversations about cyber. So being able to ask question, understand the answer to that question. And pose, you know, more questions from that.
Erik Pinkerton 16:17
Yeah. And it's, yeah, it's your game of chips, right, I can show you how to make a really good opening. But if the response to your really good opening is a really good response, then you have to know where to now what's the next? What's that? You know, it's pulling the thread. Love it, where do you go? And you have a limited amount of time within which to do that in in a board situation, right? You can't I can't just give you 175 questions, you got to ask and assume you're going to do that.
Sally Parrish 16:43
No. And, and it's going to be dependent on that business as well. Right? What industry? What business? Where are they in the business cycle right now? How urgent is this cyber matter that we're dealing with? And you talk about this, you can have a really urgent cyber need. But compared to what right, like there's other things that are going on in the business that are urgent that need lots of money and lots of attention?
Erik Pinkerton 17:09
Yeah, so in my line of work, what often happens is a customer will phoned me up, and he'll say, we need to do such you know, I need your help doing X. And I'll go and I'll have a coffee with them. And I'll say, why is it that you've decided that the thing you need to do is is this? And often what will happen? As I say, Well, I got in the lift the other day, and I held the door open for someone, and it happens to be the CEO, and he just watched something on channel 10, that night about something that happened? And he said, could that happen to us? And I said, No, we've all read, you know, we've looked at that, and we've got it sorted. And now I need to go and look at that and get it sorted. So rather than a comprehensive, risk based approach, which is you know, what people talk about, which is, you know, you look at all the potential risks, and you assess the ones that are, you know, salient to your organization, and where you are, and you put your focus on those, you're focusing on the thing that happens to be in the paper that we write. So I've had a number of calls about helping organizations check. They have no open API's in the past few weeks. I've had a lot of calls about tabletop exercises, can we run a tabletop exercise in the persuades all absolutely good things to do. But you probably need to have that, you know, bigger picture view, is this really the thing that is the burning issue? You know, I say to people, that really cybersecurity, like any risk is understanding what all those different risks are, and accepting the fact that there'll be a list of maybe 20 things, and you're only ever going to have a difference, maybe two or three, you know, the money and resources and time to knock three of those things off your list of 20. And risk is about that bubbling the things that really matter to the top of that list, and perhaps trying to get enough money to do five things rather than three things, and having the rationale for why you've decided to do that rather than this. Well, the reason we did that was because you never asked me about that in the lift. That's not gonna fly, right?
Sally Parrish 19:15
Yeah, it's gonna be up to you to understand that. So talking about metrics, then, how does the board effectively measure how well we're managing cyber, as an organization. So
Erik Pinkerton 19:31
we live in an age of data. And there is so much data and so much telemetry and so much fancy tooling about turning that data into, you know, pretty graphs and dashboards. And the you know, every executive at some point has arrived upon the idea that we just need a real time dashboard so we can see how well we're doing, which then kicks off a project to go and work out what are the things that we should be managing and I have seen throughout my I have been asked to help with that so many times, and I have seen so many terrible metrics presented to executives and then taken and presented to the board. And then these meaningless numbers with zero context, like the number of, you know, things that we've dropped on our firewall, or the percentage of people who've done their security awareness training. It's absolutely meaningless. It looks beautiful when put into a nice colorful graph. But it doesn't help the organization it doesn't, it doesn't lead to the decisions that needs to be made. And I think what's happening is people have this idea of a dashboard is it's a cockpit in a plane, right? And if you're the captain of a plane, and a light comes on in the cockpit, and you're What's that lightning, firing engine number four, right? So you look out the window, and you see flames coming out of engine number four. So you press the button that turns off the fuel to engine number four, and you look out the window, and the fire goes out, and you've avert the disaster, and everyone's happy, and everyone goes home. But in a business, that's not what happens. What happens is there's a fire in the proverbial engine number four. And it's three weeks before someone looks at a graph somewhere or someone looks at a metric and says, Wait a minute, you know, the plane slowed down and the temperature's going up in the cabin. What does that mean? Now you have the 30 people all pressing buttons and pulling levers trying to work out what that means. And two weeks later, the plane is the speeds back and the cabin temperature has gone down, and everyone's high fiving each other, but what's happened is somebody has pushed forward on the throttle, and somebody's turn the aircon up in the cabinet. And they everyone thinks that the problem has been averted. But you've just made things worse. And so this whole, I think this whole chasing this idea of metrics is can be a little bit flawed. And to me, it's it's about context, there's no point presenting me with a number and saying that's, here's a number I want to know where it was last week, I want to know where it is, where it's headed, what trajectory it's on, I want to want some analysis on what that actually means. I want that not just to be a static, you know, what was Charles Goodhart, who said, when a measure becomes a target, that seems to be a good measure, so often in a business where we say this is the thing we're going to monitor, then everyone starts managing the metric rather than managing the monitoring rather than monitoring the management kind of thing.
Sally Parrish 22:35
Yes, yes. becomes all about getting the metric at any Yeah, exactly.
Erik Pinkerton 22:39
Right. So what as an I'm a geeky network engineer, by trade, I used to have a page full of graphs of all the different things. And I wasn't interested in a key metric, I was interested in looking at all the graphs, and then drilling down into the things that were weird. So why is there a spike? Why is there a trough? Why is there a flatline? Why is the temperature on that particular device suddenly gone up by 20 degrees in the last hour? And because I had all that telemetry, and I was able to drive that dashboard, if you like, I was able to find it, the facilities people and going, Hey, you're right, your air comes out in that particular exchange? And they'd go, how do you know? And I said, Well, I can just see the temperature on my device has gone up. So purely by collecting all the things and having a graph, which gave me that context, I was able to, to go and ask the right questions by pulling that thread. And that's what I think for me, that's what good looks like with metrics. It's not choosing what the best metrics are. It's collecting everything you can, it's knowing that not everything you can measure matters, and not everything that matters, you can measure. And then being able to, you know, take the things that are interesting, and then apply some intel to that with reason we think this is, you know, gone this way, is because of x, y, and Zed. Here's our here's our rationale for that, here's what we think we need to do in order to, you know, here's why we need to fix that. And here's what we think we can do to fix it.
Sally Parrish 24:03
So very much like the financials of a business, you can take any line on a profit and loss statement or a balance sheet and say, yeah, look at this, we're doing really, really well. But if you actually see the picture behind more, yeah, yeah, absolutely. All right. I love that. And if a board was looking at cyber risk management and trying to prioritize their risk management around cyber, what are some of the dangers to your think when it comes to? Because we always talk about, you know, what is the likelihood of this happening? And what is the consequence of it occurring? So how variable are those two metrics when it comes to risk management for cyber, what's the likelihood What's the consequence? Yeah,
Erik Pinkerton 24:49
so what happens in cybersecurity is we've cooperated risk as a discipline from you know, finance and it's a very blunt instrument in cybersecurity. So there's two sides of risks, you've got your what we call qualitative and quantitative, right? Quantitative is where we go. And we take empirical data. And we mined that information. And we come up with really meaningful numbers. Qualitative, essentially, we, you know, we, you know, and I think I had a slide a few years back, which was, you know, what people think risk is, and it was a, you know, a fish on one of those scales kind of thing. And then what it actually is, it was a fisherman saying it was this big, right, it's just so what we do when we go and do a risk assessment, typically what we do is we come up with a list of things we think can go wrong. There are a few different frameworks for driving that. But essentially, you know, this could happen, and then we go, what's the consequence? And we go more? Once a year, maybe? And what's the likelihood once a year, what's the consequence, really bad. So we put that that is a very useful tool for that prioritization, right. So if we end up with that list of 20 things, and we say, these are the things we're going to focus on, because after putting them through that straw poll finger in the wind process, this is the thing that came out as being the most salient. The problem is when the business takes that, you know, finger in the wind assessment and tries to plug it in an existing risk register, or things that have been really quantitatively assessed, and they can really, you know, go to the bank with that risk rating. If you're competing with those things on it, the business has its own list of 20 things that of whatnot, which they all can do, and we talk about things like, you know, appetite for risk, and so on. So what happens if you're bad math, puts your risk too high on that risk register, which pushes something that is very meaningful down the list. And by pushing it down the list, it ends up not getting done or not getting attended to this month, and it gets pushed into next month. And that, you know, that risk is then realized. You know, that can be a massive problem.
Sally Parrish 27:06
So in in real world terms, we use the analogy of the hospital, right, the hospital has its risk register. Risks. Number three is we need for more beds in Ward seven. And cyber comes along and says, Oh, hang on. This is more likely to happen we'll have a bigger consequence. Yeah,
Erik Pinkerton 27:25
we use fear uncertainty and doubt we think you know, instinctively, cybersecurity people want to try and scare people into action. And cybersecurity people are often a little bit blinkered, they see cybersecurity risk wherever they go, but they don't necessarily see the other rest of the business. And people are inherently bad at understanding risk and cybersecurity people who have risk in their job title and no exception. I'll give you a good example is that all of the penetration testers or say all, a lot of the penetration testers, I know these are people who are paid to hack into organizations that are incredibly skilled, they can walk through walls will have a piece of electrical tape over the camera on their laptop. And I laugh at them constantly. Because essentially, what they're doing is they're saying, you know, I know enough about security, to know that I cannot secure my laptop. But where they've drawn the lines attacker watching them, well, if the attackers owns their laptop, he can see the keystrokes. Take the files, that that's where you've drawn the line, it's mad, but it's because their worldview is shaped by their experience and their experiences, seeing organization getting hacked day in, day out. So the story I tell is if you ask your mate, who is a fireman, what the best alarm to buy, is, he will take you to Bunnings. And they'll take you to the smoke alarms. If you tell your mate he's a copper what the best alarm is, he will take you by the hand to the burglar alarms. And it's because the fireman turns up the people's houses every day that are on fire. And the copper turns up to people's houses every day that have been burgled. So they have a different perspective on risk. And so cyber security people are all paranoid about, you know, they take over their webcams, or they won't use credit cards because they think it's a bigger risk than it actually is. Yeah,
Sally Parrish 29:16
I love that. Eric, I could talk to you about this forever. And it's an absolutely fascinating topic. Just one last thing I want to circle back on. And that was something we've talked about offline, which is when it comes to ascertaining your cyber risk, how do you quantify what the costs of breaches might actually be? What's the issue with that field? Yes. So
Erik Pinkerton 29:42
this is, again, there are lots of if you go and google that you'll find lots of different different reports with different numbers in them. And it's my view and the view number of people I respect in this industry that a lot of them are works of fiction, and all their conflicts. Seeing the cost of a breach or the cost of a cleanup. So I'll give you an example, if a company gets hacked because their security posture was very, very low, and as a result of that incident, they then need to raise that security posture very quickly, it's going to cost them an awful lot of money. So if they have to fly in consultants from overseas, and make those consultants work 16 hour days for a month, to get the company to where it should have been, arguably, before that breach, is that cost? You know, the final accounting for that exercise? Should that be something that that is then used to justify in another company? What that expenditure should have been in the first place? And no, absolutely not. This is going to cost millions. And really, that should have you know, the lesson learned was that, don't wait until you have an incident until you start spending money on security. But it's what an awful lot of organizations do. We saw a big breach, a ride sharing company earlier this year, and literally three days after it happened. There was a slew of jobs being advertised insecurity, that organization, and a lot of people on LinkedIn, were saying, Oh, well, they've sacked everyone. And they're trying to, you know, rehire security. But of course, what actually happened was, the roles were probably being requested by the internal security people. And they say, we need more headcount, we need more headcount, we're fighting fire, we're not keeping up. And somebody somewhere has hit pause on those requests, or denied those requests to make their own numbers look good. And at the point, when the breach happened, suddenly that risk dynamic has changed rapidly. And all of a sudden, those those roles opened up. So you know, there's an old joke about two types of companies, one where you've got one security guy, and one where you got 40 security guys, and the differences, the one with 40 security guys, was the one that was hacked last month.
Sally Parrish 32:02
Yeah, you know, what Hindsight is a, you know, a real a real word for the security industry, right. In hindsight, we all know how much that breach costs us. In hindsight, we should have maybe had more staff around that, in hindsight, maybe the board should have asked this. And interestingly,
Erik Pinkerton 32:19
what that leads to is, and something we talk about a lot is security becomes about having a defensible position. So it isn't about making sure you don't get hacked. It is understanding that at some point, something's going to happen. And you have to have a defensible position. And, you know, why did that happen? Well, the reason that happened is because we spent our budget, making sure something else worse didn't happen. And it's really nice to be able to say, Well, I did come to you and ask for extra headcount. And you said no. So yes.
Sally Parrish 32:53
Yeah. And the same for directors, right, in terms of defense is, it's inevitable that there will be security breaches, that's the world that we're living in right now. No one is ever going to be able to stop breaches occurring 100% of the time. But when it comes to the crunch, it's going to be around what what systems and processes did you have in place? How often did you look at security within your board meetings? And were those measures adequate? Should they have been enough to protect the company? Because it's the board that didn't look at security, it's the board that didn't get the consultant's report, it's that board that's going to be in more trouble. When it goes bad if you
Erik Pinkerton 33:40
don't have that defensible position. And with the increase in regulatory requirements, it's going to happen that somebody's going to find find themselves facing a fine or worse, it's going to be an external company that comes in and tries to make that was this. Is that is your position defensible?
Sally Parrish 34:00
Yeah, any final words for anybody listening today who is on a board or about to land? A board role? What's your parting words of wisdom?
Erik Pinkerton 34:09
My advice would be that you should assume that at some point, a cybersecurity incident is going to happen, that when it does happen, there's no shame attached to that you're joining a very Orchester panel of other organizations who've had major security incidents, you name you know, the Google, you know, Rolls Royce, Lockheed Martin, they've all had big security incidents. The difference is how you then deal with that in how you react, whether you're, you know, truthful, transparent, honest, and whether you have a defensible position, whether you can demonstrate that you did all the right things leading up into that point, then, you know, that's the difference. I think the companies that fare badly or fare really well as a result of this.
Sally Parrish 34:59
I love that Eric's Cyber is all about your defensible position. It's the steps you take to protect the business and ultimately, how you're going to respond when an incident does because it probably will when an incident does occur. It's been really great having you on this podcast episode today. Thank you so much for joining us, Eric. And I hope you'll come back again soon and keep sharing your wisdom with us because this is such a fast evolving industry. Thanks for having me. Thanks, Eric. Thanks very much for tuning in. I'd love to know what you thought of this episode and what you took away from it. I'd also love to know what topics you're interested in hearing about in the future, and which experts you think should be featured on their sports success podcast. If you enjoyed listening, please share with your colleagues who might also have an interest and make sure you click to follow or subscribe to be advised about upcoming episodes. In the meantime, if you're a leader or a successful executive, and you're looking to launch your board career, or if you're an established non Executive Director, and you're ready for the next level, check out the resources we have available for you on the website at board coaching institute.com.au. Until next time, here's to your board.