New Flight Plans: A CISO’s advice for Midwesterners to stay safe – ask more questions
Knowing what your company needs to stay secure is not easy. Do you need multiple, comprehensive tools? Do you need to spend a fortune on consultants? Can one tool do all the work? The answer you’ll likely get is, “It depends.”
Chris Roberts, founder of the HillBilly Hit Squad and CISO at Boom Supersonic, sat down with Flyover Future founder Tom Cottingham to talk about business boot camps, security culture, supply chain security, watch counterfeiters and more.
What does the C-suite need to do better?
Roberts suggested a business bootcamp for technical folks: “We obviously need a bootcamp. I don’t just need to go to a CISSP bootcamp, I need to go to a business boot camp,” he said. “Or I just need to go to a community college, for crying out loud, and actually learn it there, which will probably be a better way of doing it.”
Roberts said that blame needs to end: “It’s the silo mentality, it’s, the problem is we’ve blamed, we’ve done too many years of that. We’ve blamed the CFO for not listening to us and giving us money. We blame, maybe, chief marketing, and we still blame chief marketing, let’s be honest, for not listening.”
How do we permeate our company culture with security?
People are the biggest risk, he said. “In security, I can’t have eyes everywhere all the time,” he said. “And I can’t monitor it all the time, no matter what anybody says they can do. So why don’t I turn those risks into my resources? And I effectively train [people], I effectively work with them, I continually help them. I give them assets that they can use not just in the office, where they can take it home and help their kids understand about these things online. That they can basically help their parents, their grandparents, their family, if they’re on a farm, that they can go talk to hands out there and say, ‘Hey, what do you think about this? You’re doing this. Why?’ So you enable somebody to go from a risk to basically becoming an asset and an advocate for [security], and you do it in such a positive way. Everybody’s gonna get hit with spam. Well, rather than reprimanding you, when you turn and say, ‘Hey, look, I just got this,’ ‘Oh, you’re awesome! Hey, here’s a coffee card for Dutch Brothers, or here’s a coffee card for you know, whatever the coffee places in whatever state they’re in. Thank you for bringing that to my attention.’ Even if you get 100 of them. You know what? Those frickin 100 coffee cards are a hell of a lot cheaper than doing an incident response.”
Why is the Midwest particularly vulnerable to cyber attacks?
“Probably because again, we’re humans,” Roberts said. “We like to help, and especially we, I mean, this is all about flyover, we have the Midwest states. And with few exceptions, everybody wants to be nice and freaking help. I’ve had the best bloody times there. You all want to be nice to people. ‘Nobody’s being mean, and why would somebody come after me?’ Well, that’s the mentality we’ve got to change.”
In what ways have you helped companies with physical security?
Roberts preached the importance of asking questions of your suppliers. “First and foremost, I mean, for the stuff we’re doing inside, like, HillBilly Hit Squad, and the Dave product,” he said. “We’re building it into the Dave product. The idea is, again, you look at your data, and you go, ‘What do I care about? What happens if this gets out?’ Well, now let’s monitor it, let’s track it. Let’s see if anything outside of your control is leaking it or has leaked it; let’s see if anybody that has access to it has themselves, unfortunately, been compromised. So it’s a really nice way of sitting down with a company and going, ‘Hey, let me sniff around the internet, the good stuff and the darker side of the internet. And let’s see what our starting version is.’ So we’ve, we’ve gone out a number of times and done that and come back and said, ‘By the way, here’s all their passwords that have been breached out of this.’ ‘What are you doing? How did you know? Did you know?’ It’s a really nice way of saying, ‘Hey, look, it turns information, you know, into something that’s actionable and usable intelligence. And you put it in such a way that, again, the organization can take that and go, OK, great. Now we know what we can do with it. Now we know we can restrict, now we know we can manage.’”
Roberts told a really interesting story about a watch company losing inventory to counterfeiters, and you’ll have to watch the video below for that.
What advice would you give business leaders to stay safe?
“Unfortunately, question more; trust less. It sucks that we have to do that. But unfortunately, especially inside our own industry, if I come to you with my silver bullet of protection, and absolute, you know, I can keep all the bad guys at bay after tasing me and putting it up on YouTube. That’s where the question was so you come to me and you tell me that you’ve got AI? Well, I’ve got a list of 15 questions. If you can get through those 15 questions, and you can prove you have actual intelligence rather than just fuzzy programming and some good marketing, then we’ll have a conversation.”
Roberts offers plenty more insight, fun stories and advice in the full interview: