Connected & Ready

Cybersecurity: prepare and respond, with John Reed Stark

Episode Summary

As cyberthreats become increasingly complex and pervasive, companies must look for ways to remain secure and compliant while staying focused on their digital transformation. In this episode, leading cybersecurity consultant John Reed Stark talks with Connected & Ready host Gemma Milne about the latest threats and vulnerabilities, how technologies like machine learning can support security efforts, the critical importance of incident response, and which emerging cybersecurity technologies he believes will help mitigate risk. Microsoft Dynamics 365 Fraud Protection helps e-commerce, brick-and-mortar, and omni-channel merchants minimize losses, safeguard revenues, and protect their reputation. Using adaptive AI technology, Dynamics 365 continuously evolves to detect new fraud patterns and provide better business intelligence through connected knowledge generated from all Dynamics 365 Fraud Protection merchants. Request a live demo today:

Episode Notes

Host Gemma Milne talks with John Reed Stark about staying secure and compliant as organizations continue to digitally transform. They unpack the rise of ransomware, look at what companies can do to protect themselves from cybersecurity incidents, as well as how best to respond after a breach. John also discusses how organizations can take proactive and innovative measures to help remain secure and compliant while staying competitive. 

About John Reed Stark

John Reed Stark is president of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He currently teaches a cyber-law course as a Senior Lecturing Fellow at Duke Law School. Mr. Stark also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology, and crime, and for five years as managing director of global data breach response firm, Stroz Friedberg, including four years heading its Washington, D.C. office. Mr. Stark is the author of "The Cybersecurity Due Diligence Handbook.”

Learn more about John Reed Stark:


Topics of discussion


Sponsor link

Learn how Microsoft Dynamics 365 Fraud Protection helps businesses minimize losses, safeguard revenues, and protect their reputation. Request a live demo today:


Helpful links

Follow us on social media




Episode Transcription

Gemma [00:00:05] Hello and welcome. You're listening to Connected and Ready an ongoing conversation about innovation, resilience, and our capacity to succeed brought to you by Microsoft. I'm Gemma Milne. I'm a technology journalist and author. And I'm going to be exploring trends around how companies are adapting to a disrupted world and preparing for tomorrow. We're going to speak to the innovators who are bringing products, operations, and people together in new ways. In today's episode, I'm chatting to John Reed Stark, who's a trusted advisor to boards of Directors, CEOs, CIOs, CISOs and GCs on cybersecurity insurance and digital regulatory compliance. We dive into staying secure and compliant as organizations continue to digitally transform and unpack some of the more recent and relevant threats. We look at what the C-suite can do to protect companies from and react to cybersecurity incidents. And we discuss what it means to balance being proactive and innovative in ensuring organizations remain secure and compliant while still transforming the way they operate and stay ahead of the market. 

Gemma [00:01:09] John, thank you so much for coming and joining us on the show. I wonder if you could start by just giving us a little bit of an introduction to who you are and what you do. 

John [00:01:16] I'm essentially a cyber lawyer and a cyber consultant all wrapped up in one. I've been doing cyber since probably 1994. I started at the Securities and Exchange Commission here in Washington, DC. And from there I was the chief of the Office of Internet Enforcement for 11 years at the Securities and Exchange Commission. And then I went on to run the DC office of a firm called Straus Freedberg, which is a data breach response firm. And then after, right around the time Straus Freedberg was bought by Aon I started my own business, John Reed Stark Consulting, and I just do pure cyber consulting. I'm also a law professor. I've taught at Georgetown Law School for 15 years and Duke Law School for five or six years. All courses on cyber and sort of the juxtaposition of law, cyber, business, technology, everything all wrapped up into one. 

Gemma [00:02:03] Absolutely brilliant. I mean, we're very thrilled to have you here to talk all these topics today. But let's start thinking a little bit about the past year and what's been going on. What have you seen as the biggest threats the companies should be aware of as they're using more digital tools and technologies, of course, now that everybody's working remotely? 

John [00:02:22] Well, clearly, the biggest threat in the last year is ransomware. It's grown almost exponentially. And why do I say that? Really for three reasons. First of all, ransomware was - it used to be the kind of malware where they would essentially throw paint on your data and the attacker would make you pay them to get the turpentine, to get the encryption key, to release the data so you could use it again. Well, that's changed. Now, they're not only throwing paint on your data, but they're also threatening to shame you and dump it all on social media. They're exfiltrating the data as well. So that's the first thing. The second is ransomware attacks have grown increasingly sophisticated. It's no longer just one person. There's something called ransomware-as-a-service now where they're essentially franchising out certain ransomware threat actors and ransomware, malware, and other kinds of exploits. 

John [00:03:12] So an attacker might infiltrate your system and then franchise out the actual attack and exfiltration of the data or the locking up of the data. So, much more organized, much more sophisticated. The ransomware demands used to be, you know, ten, twenty, thirty thousand dollars. Now, you know, I've worked on some as high as 50 or 60 or 70 million dollars – US dollars. So it's really grown like that as well. And finally, Bitcoin, you know, the fact that, unfortunately, Bitcoin is become more common. All the ransomware attackers collect their extortion demands in Bitcoin, which makes them very difficult to apprehend, to prosecute, to extradite, to successfully bring to justice. I was also an assistant US attorney, a federal prosecutor in the District of Columbia. So I know a lot about crime. And it really is a crime that law enforcement just can't stop. 

Gemma [00:04:06] When it comes to you said there that some of the amounts the attackers are asking for is just growing exponentially and also that there sorts of abilities of what they can do with that data has changed not from just saying we're going to steal this data, but actually we're going to plonk on social media and shame companies. Is this rise of, I guess, ransom due to the fact that, you know, people are looking at companies more around what's happening with their data and that shame factor costs a lot or is also just know simple needs for more data so that when this data is getting tarnished with the pain or stuck on social media or whatever, it has more operational costs for companies as well. Can you can unpack that that sort of change and value? 

John [00:04:49] Sure. You know what I think? I think it's just a simple business equation. When attackers used to steal data and used to attack systems, exfiltrate data, they would sell it on the dark web. And that's kind of a complicated enterprise. They'd have to organize the sale, collect money from the sale and profit from those sales. I think they realized pretty quickly that, hey, I don't have to go through I can throw out this whole sell notion of exfiltrated data and just threaten them with extortion. And it's much quicker. It's a much faster and easier way for me to commit my crime. And as I said before, with Bitcoin, you can do it so anonymously. Just like Bitcoin has enabled terrorists, drug dealers, and pedophiles to sell their wares on the dark web. The same goes for ransomware. 

Gemma [00:05:35] So in your opinion, you have organizations being good at detecting these threats? Let's talk a little bit about detection. And have any industries fared better than others, perhaps? 

John [00:05:44] I think the answer is yes and no. The reality is, if you're sending your kids to kindergarten, you know, they're going to come home with a cold sooner or later. And so I think it's the same goes for data breaches. Data breaches are just inevitable. Cybersecurity is an oxymoron. So we know that the breach is going to happen. And how is the company going to deal with that? They know they're going to detect these breaches. So it's really not about the detection of the breach, but much more about the response to the breach, I think with cyber there is an appropriate level of C-level attention and board level attention. And those industries are typically, for instance, the financial industry, which remember financial companies like Bank of America, more than 50 percent of their employees are really tech employees. So banks are really technology firms. So the privacy implications of data, the cyber implications of data, transferring data, these are all natural things for those companies to do and they're also heavily regulated. So for financial firms, safeguarding their data, safeguarding their customers financial accounts really comes natural to them. And also for retail firms, if you're accepting credit cards, there are what are called PCI standards that you have to meet. So they're very rigorous standards for that. So when you ask me the question, what industries are faring better than others? I look at the financial industry and retail industries as sort of being better equipped because by definition they have to be. Then you can look at other types of entities like hospitals and municipalities, and they have fared a lot worse. First of all, because they can't afford the talent. I mean, right now there's a tremendous dearth of cyber talent in the world. In the US alone, there are more than three million vacancies right now for cyber-related jobs. So they can't afford to compete for those jobs. These are nonprofit organizations. They have antiquated systems and they have bureaucratic management. So you take hospitals and municipalities and they are increasingly vulnerable to ransomware attacks, much more vulnerable than, say, a financial institution or an insurance company or other regulated entity. 

Gemma [00:07:46] So let's talk a little bit about new technologies and how they kind of fare in this equation, because when you start thinking about things like the automation, AI, machine learning, blockchain cloud, these technologies, of course, present opportunities for hackers, and especially when businesses are starting to adopt new things, trying new things and whatnot. Let's talk a little bit about those threats in a moment. But before we talk about that, how can these technologies be used to help prevent, spot, detect, fight these attacks that are coming in, as you say, sort of left, right and center? We can't avoid them. But how could these technologies be used to really try and do as much as businesses can and organizations can to protect what they have at the center? 

John [00:08:27] Well, that's a great question. I think, first of all, new tools are coming out every day in terms of better allowing companies to shore up their cyber a little better. I've seen end point detection and response really become a big industry in the last three or four years. So we're focused more on that end point and on that response, on setting up consoles so that when the attack occurs, you can quickly find out, for example, if there's an indicator of compromise, an IOC, a particular piece of malware, a particular file that indicates that there has been a threat actor behavior. You can quickly scan an entire system, meaning servers, iPhones, iPads, laptops, desktops to see where that indicator of compromise is. And then it becomes kind of a lather, rinse, repeat process. You then look at those new systems for other indicators of compromise and you keep when you find a new indicator of compromise, the cycle starts all over again. So there are some good end point detection tools that really allow you to do that more efficiently than running around the country, imaging all these systems and performing manual forensics on all that. So that's one area, some other areas. I think, you know, if you look at something like two-factor authentication, when I was at the Securities and Exchange Commission, we had a big summit of all the online brokerages. Those days, you kind of differentiated between traditional brokerages and online brokerages. Now they're kind of mixed together. But we brought them all in and we said, you know, why don't you have two-factor authentication for your users? Because these passwords were routinely available. My students were finding them for sale at the Dark Web and showing the examples. These passwords were available everywhere. And most of those companies just said to us, look, our customers don't want it. It's too burdensome. They want instantaneous trading. And so they made the business decision not to have two factor. But I think that's really changed. I think two-factor has become a lot more technologically feasible, a lot better. So I see that as a good thing. I think also text notifications on financial transactions, if you take all your credit cards at all your bank accounts, one of the first things I tell friends and family who will often say to me, hey, what do I need to do to make sure I don't get hacked? And first thing I would say is set up all your alerts so that anything happens on any of your financial transactions. Make sure that you get notified on any of your credit cards, your bank accounts, and otherwise. And that's a great way to get ahead of the hacker. And so you can get that chain moving so that you don't get that sudden pit in your stomach like, oh, my God, my whole bank account is gone. You notice I didn't really say, hey, go out and buy this tool or that tool. What I did was say, hey, let's enable a lot of things that will help us better manage these alerts that are going to arise. 

Ad [00:11:06] Microsoft Dynamics 365 Fraud Protection helps e-commerce, brick-and-mortar, and omni-channel merchants minimize losses, safeguard revenues, and protect their reputation. Using adaptive AI technology, Dynamics 365 continuously learns evolving fraud patterns and provides better business intelligence through connected knowledge generated from all Dynamics 365 Fraud Protection merchants.  Request a live demo today by following the link in the episode description.

Gemma [00:11:38] So you mentioned about cyber governance. And this idea of getting, you know, multiple things and monitoring alerts, et cetera, and being able to keep on top of everything, how do you ensure that all of these different systems are all working together? 

John [00:11:52] That's a big challenge, especially for companies that have experienced acquisitions and are having integration issues. So that becomes almost an application integration issue. And when I think back to the SEC, when I was chief of the Office of Internet Enforcement, the head of forensics at the SEC, who was sort of their CISO before CISOs were the real thing, he had a pager and he would get an alert he had set built to run a program that if there was some indicator of compromise, it was different. For instance, you're getting a lot of people logging onto your system at 3:00 a.m. who have an Internet protocol address in China. That's how he’d get the alerts on his pager. So and it was some sort of primitive print out, on kind of an amber screen. So we've come a long way since then. But you've got to properly archive these alerts. You've got to set up a protocol and you've got to have a professional really install the settings on whatever application you buy. It's sort of like your credit card monitoring. You could set it up so that it tells you every time you spend ten dollars or you can set it up every time it spends one hundred dollars, or you can set it up every time the credit card is used offshore outside of whatever country you're in. So you can have all kinds of settings. And if you're a company and you've got those kinds of settings on all your company credit cards, you can imagine the kind of alerts come in. So you have to set up a protocol. What gets heightened scrutiny? What are the most important red flags? When do you wake up the CEO in the middle of the night and say this is a problem? When do you not? So the proper escalation. And that all goes back to governance. So you set up, you make sure you have a system in place. It's great to have a great tool with phenomenal alerts, but if you're getting [unintelligible] of alerts, it's useless. 

Gemma [00:13:35] Would you see that there's perhaps a role for technologies like AI machine learning, for identifying threats? 

John [00:13:41] Oh, absolutely. You know, the thing is, I talked about indicators of compromise. And remember, with these indicators of compromise, they come in all shapes and sizes. It's tough to determine what malware really is sometimes. Think of it this way. If you come home to your house and it's been burglarized and you find a tool that was clearly used to jimmy the lock and get it opened and break into your house, then you know that that tool was what the criminal used, what the burglar used, to break into your house. But suppose you find a screwdriver on the floor and you think, is that one of my screwdrivers? Or did the crook use this? It gets more difficult to identify what the criminal's tool was if they use something common used every day. The same goes for cyber. There are times where some of the crooks will use very traditional files, maybe container files to move data like raw files to move data from one place to the other. And a lot of companies have normal ways of using raw files that aren't criminal or, you know, some companies will experience a lot of logging in and a lot of activity at 3:00 in the morning from foreign countries. But that's what the way those businesses are. So artificial intelligence can bring all of that together, help you identify which files are likely to be the kinds of files that an attacker will use, and integrate that into your end point detection response. So remarkable quality. Also, the way I see AI often is in the data discovery context. So if you say to me, hey, there's been a breach and 50 different systems were compromised and here are the hard drives from those fifty systems, I want to know what data was on those systems and what was exfiltrated, because we have to report that and that'll be how they figure out the fine against us, or that's what we have to tell our shareholders. Was important intellectual property stolen? Were Social Security numbers stolen? Were medical records stolen? All of those things. And that really becomes a data discovery, exfiltration analysis operation. And that's a much better thing to use technology to search those various systems and report the results, then actually have somebody manually do it. You know, there were times in data breach response where lawyers would actually fan out and interview all the different custodians of each of those systems. Think about how expensive that is. It might be programs that happen to have the whole company's Social Security numbers in them residing on your computer. You have no way of knowing so a much better and more acceptable way to go about that analysis that I think the government and judges and other interested constituencies will accept is to use artificial intelligence with a good protocol to go through all of those various systems. Spit out to you essentially what types of data is there. It's not going to be exactly correct, but it's going to be ballpark enough that everybody should accept it versus having everyone manually image all of these systems and go through the painstaking scrutiny, so a lot of what's used in electronic discovery, which is a huge area of technology with all kinds of artificial intelligence, is now being applied routinely to data breach response. And that's created, I think, really opportunities to save money for these responses, which cost typically in the millions and millions of dollars. 

Gemma [00:17:04] And it certainly sounds like what you're seeing is it's about getting an oversight or being able to make connections and automate those connections in order to just see what's going on and monitor. Of course, that's also the conversation that's used around why we should be using these new technologies to enhance business and make things better, more efficient. Let's talk a little bit about what happens when these breaches and security threats happen. Not if, but when, as I suppose we've been alluding to already. How can organizations plan and better prepare for, you know, better cyber incident response or tech related crisis management? 

John [00:17:38] The first thing you should do is evaluate your cyber insurance. And there are these items called endorsements, which are sort of addendums to your insurance policy. And you want to make sure that you have the latest endorsements that relate to cyber because again, it's changing all the time. You want to do things like tabletop exercises, you want to do some of the auditing that I mentioned. Another thing that you really have to do is form your team, not just your incident response plan. Everybody knows you need to have that. But finding an incident response expert when there's a data breach, it's like finding a plumber during a hurricane. There really aren't that many of them. So you can't immediately say, OK, I need a data breach response firm. Let's get them on the phone, get them here today and sign them up. It doesn't work that way. So you want to build those relationships early on. So all of these entities come in. Well, what does that mean? It means that just about everything you do with respect to data breaches is anticipation of litigation. So what does that mean? Well, if you hire a law firm to manage the data breach response, they will then engage different people like a digital forensics firm, malware reverse engineering firm, maybe remediation firm, and maybe even a crisis management firm. And all of those helpers will help the lawyers prepare for any potential regulatory inquiries, law enforcement inquiries, class actions, and everything. And all of that information would be covered under privilege so the lawyers could go about their business representing the company. That issue has thrown a huge wrench into response because now firms and companies don't know exactly how to prepare, how traditionally been told there's one way, but now that way has really shown some vulnerabilities. 

Gemma [00:19:14] So you mentioned these tabletop exercises a few times. You tell me what those are. 

John [00:19:18] You know what I love Gemma about tabletop exercises? So you literally sit in a conference room and you go over the incident response and you're going to discover all kinds of things. For instance, you might discover that your business continuity system is a great resource during a data breach response or during a ransomware response. You might realize that it's a lot easier to use that business continuity system and to integrate that into your incident response. You might not have ever thought of that. The other thing it allows you is the FBI here in the United States. They'll actually send someone to your tabletop to participate with you, and that can be incredibly valuable. That's one of my favorite things about tabletops, is no one wants to bring a criminal investigator into their company to see what's going on. Who knows what might accidentally come to light. But under the right circumstances, it creates a relationship with the FBI that maybe the company never had. And you get to hear the FBI's perspective on what other companies are doing. And so tabletops have really grown. And the other thing is to involve your insurance counsel, your coverage counsel in the tabletop. That's something that I always recommend because, again, nobody knows what's covered and what's not. There's so much workflow and so many different directions. And you might have to hire several incident response firms. In a retail data breach you have to hire a PCI firm, a professional forensic investigator that you have to pay for, who works for the brands, who's going to come in and make sure that your cybersecurity did not somehow cause whatever retail data breach you experienced. So those are the kinds of things that can arise during a tabletop that you can fix if you figure them out beforehand. And you can certainly plan for them. 

Gemma [00:21:04] It sounds as well that there's a bit of a balancing act here between doing what is absolutely best for customers, for the public, for the people that are engaging with the company, not as part of the business, shall we say, versus business taking action to protect itself from litigation later on. And, you know, for a sort of quote unquote, regular customer who cares about their personal data, perhaps being, you know, posted on social media somewhere, you know, I can imagine them saying, well, I don't really care about the company being sued. I just want to make sure that my data is protected and that they're doing the things that are most about security as opposed to protection. Is there a conflict here between protecting against litigation and actually just doing the best for protecting the data? Or is that just simply that because we're talking about being sued? 

John [00:21:56] No, I think you bring up a good point, because the privacy, compliance, data, privacy, compliance, and incident response are really two entirely separate fields. And there are lawyers who specialize in each one, but there are a few lawyers who do both because they've actually become inextricably linked, for example, with the GDPR. There are now international standards with respect to data and it's now been enforced for a couple of years. And you could end up just with respect to your notifications, you could spend 50 million just notifying all the different people of this potential data exfiltration. And that's a huge amount of money. That's just the GDPR. Then you have the California the CCPA, which protects privacy in California, and you've got to figure out how to manage that. And then you've got the 49 other states in the US who have different state regulators. Some of them are in their attorney general's office. Some of them are in their department of corporations. Some of them stand alone. So, again, it's impossible not to plan, not to incorporate all of those potential liabilities without thinking. And you almost have to devote your entire program to saying, well, if we do this, we won't get sued. And that's kind of sad, but that's the reality. And you also have the securities laws to thrown in there Gemma, because you put in your corporate filings, your 10Qs and your 10K, the annual filing that you filed with the SEC, you put in there what the risks are of cyber data breaches. But, you know, it's impossible to know exactly what all of these risks are. You do the best you can. And now it's pretty commonplace that class action lawyers will take a microscope to those filings and find something you said that maybe looked a little too proud. Maybe you said we consider our cyber to be top of the industry, because you really do. You're spending half your budget, your technology budget on it and you get hit with a lawsuit for that. So I think it's impossible not to do that kind of playing. This is, again, why the lawyers seem to be leading all of this, not the CISO, not the CIO, not the CFO, because there's so much liability everywhere. Just think about after a data breach, if one person sends an email to another person at the company and says, gee, you know, we forgot the patch and we should have. And that was because we never pay attention to that kind of stuff the way we should. Well, boom that's a very inculpatory piece of evidence. So you really need to have control over all of that. And everyone needs to understand that their communications are going to be under scrutiny at some point. 

Gemma [00:24:30] Let's take a little bit of a zoom back and think about, because a lot of what we've been talking about sounds and is really expensive. A lot of different parties, a lot of different moving parts. What does this mean when we're talking about smaller companies? And I don't necessarily mean one or two employees a company, but even medium sized companies or small or medium sized companies, 20 employees or 50 employees, maybe only 100 employees, where perhaps they are not a tech first company, but have been employing new, interesting technologies as they become more accessible. But then, of course, are opening themselves up to these kind of attacks, which we are seeing it with smaller and smaller companies. What kind of tactics can they be doing when they don't have these huge budgets, when they can't afford these large consultancies to come in and do these audits and have these committees? And is it the same approach but just on a smaller scale or would you say to try and do it differently? 

John [00:25:27] You know, there's a couple of things I would say. I mean, it is a major problem. First of all, it's a major problem getting talent for that small firm. They want to have a CISO or they want to have some person with great technological expertise, and they don't have a chance because they just can't pay that person enough and they can't compete enough to get those people. So they oftentimes have to offload or outsource their cyber and their data security, which can work really well. What I often tell those companies, too, is there are some affordable solutions. Some of these professional consulting firms offer what are called temporary CISO, TCISO. And that's why I often say, why don't you hire this company for twenty-five hundred a month and they'll be your CISO and they'll come in, they'll meet with the board, they'll give you recommendations. And you know, part of it is again, educating the parties that question you. It might be your regulator if you're a regulated entity or it might be your customers or whomever, your board and you're saying, look, we can't afford to do everything. There's always more you can do. It's like anything in life. You can always make yourself more healthy by doing certain things. So for one client, that was a law firm. And they were experiencing all sorts of attacks and they thought they had terrific backup systems, but it turned out that their outside vendor for backup systems was just terrible. Now, a good acting CISO would say, OK, let me look at your outside vendor and just run some tests to make sure that your backup data is all up to speed and everything is going to work in the event of an attack. No matter how rich a company you are, you just don't have the leverage to control your vendors. For instance, if you're using a major cloud vendor, you know, you don't necessarily have the ability to negotiate terms and make things the way that you are. So you just have to work carefully and understand the kinds of services that your cloud vendor provides and make those fit within your company. And they probably will, you know, because, again, cloud companies are obviously going to be focused so much more on cyber than you ever could be and there are cloud solutions for every kind of company. So you need to think about that. You need to think about your vendors. You need to think about where you have leverage and you need to be reasonable. But you can't just say we're too small and there's just nothing we can do. And if we get hacked, we don't have – I hear this from a lot of small investment companies, private equity funds, investment advisors. So nobody's going to attack us. We're too small. What are they going to get from us? Nobody's ever going to be interested in us. Well, you know, legions of soldiers are waking up every single morning thinking of ways to attack US businesses. And there's just no excuse for not considering that, you need to believe that you are going to be the next target no matter what kind of business you're in. 

Gemma [00:28:16] So thinking about the C-suite, we've spoke a bit about all the different sort of strategies and things that C-suites can think about in terms of how they approach things, who they're hiring in and so on and so forth. But what sort of considerations should they be prioritizing specifically from a tech perspective? 

John [00:28:32] Well, I think the first thing is money. You know, a lot of the times when you go into a company, there's two ways to approach it. Sometimes the IT staff will be very, very suspicious of an outside firm that comes in because they're thinking, oh, you're looking over my shoulder, going to find all these things I did wrong. And you got to point them out to the C-suite and I'm going to be in trouble. But that's really not what happens. They're so appreciative for the help because they're dramatically understaffed. So the first thing is to really dig into staffing and figure out if you're doing the best thing that you can and, you know, recruitment. You have to look at the hiring process, the actual recruitment process, the hiring process, and the retention process. You have to look at cybersecurity recruiting through each of those lenses. There are times when I was running Strauss Freedberg's DC office, we would go through all the hiring, all the recruitment, all the interviews, and the last minute the person would change their mind. Now, you've invested four months into that person, getting them on board and it didn't work out, or you get them and then they leave after six months. So I would always tell companies, look into your HR and make sure you're approaching this in the right way. And that means exit interviews and all the meaningful things and surveys that you really do to understand that side of your company that is often, too often ignored. So that's number one. Number two, the tone at the top is something that you always learn about. If anyone goes to business school, it's a big part of the culture of the company. And oftentimes you'll find that the higher you go in the company, the more likely they violate cybersecurity protocols. So the higher up you go, the more the person is going to think, you know what this is a seriously important situation. Forget about cybersecurity protocols. I need to just move forward in the best way that I can using my devices the best way that I can. I mean, I'm in the airport, I have no other choice. I'm just going to log on to the airport Wi-Fi and I'm going to communicate. This is how we do it, because this is a important piece of work. So you need to create the right tone at the top that gets rid of that notion, that cybersecurity is a top priority, not just through, you know, an hour of online training where the CEO gives a little lecture about how important, but truly demonstrating that. So I think the tone at the top, recruitment, those are the cultural things that you can do. And then as far as financial, again, the more independent your sources, the more you trust your – you can trust an independent source. It's always good to get that outside opinion. You know, if you're going to have surgery, you're always going to get that second opinion. The same would go for cyber. I think it's very important to have that independent somebody who really is really there to just seek the truth and nothing else gets paid, whether the news they tell you is good, bad or ugly. And I think that that sort of relationship, you need to have someone, some trusted advisor in that calculus who's not internal in the company. But you can rely on just like you would rely on your internist when you have a problem, even though your surgery is done somewhere else, just someone who you can rely on. So those are the kinds of things that I think most companies can do that don't necessarily cost a lot of money but will pay hefty dividends. 

Gemma [00:31:36] Last question for you, John today. I want to hear, perhaps because we've been having a very useful conversation about the threats that are there, I want to hear a little bit of what it is that's most exciting for you about the power of technology in relationship to cybersecurity and compliance and perhaps as a tool for these things as we look to the year ahead. 

John [00:31:57] Well, you know, I mentioned end point detection in response to you and having worked in this area of cyber since 1994, I get to watch these industries start from very little and build themselves up to extraordinary proportions. So the market is reacting and things are getting better in terms of the types of consultants that are out there. So I see that area getting better where I know I've told you that it's limited, is still hard to find good help when you need it. But I like to see that. I like to see that a lot of these companies have built these end point detection and response solutions that are really terrific. And integrating them with the consulting side has made companies better prepared. So you compare this to just three or four years ago. It's like night and day in terms of the way companies who really want to respond well can respond. And then, you know, when I look at things like credit monitoring and text alerts and some of the other things, I think those are amazing solutions. So for the individual, I think there's a lot of reason not to be frightened about your data, about your finances. So they're really more and more solutions for the individual. I think people are more worried now about their private emails being somehow disclosed because, and I think that's where a lot of technology is going now. So I think the future looks good. Companies are better. All this regulation has made companies better. But even the class actions are such a thorn in the side of companies, forces companies to be more responsible. So the market is really working in many respects. And I think you're absolutely right to think that there are terrific technologies out there making things better and better and certainly in the cybersecurity space. In the response side, I've seen it firsthand and I marvel at it. 

Gemma [00:33:41] Awesome job sharing, so many useful points. And I think if we don't get across the severity and size of the threat, then it will be very easy for companies to not take the steps that they need to take in order to protect themselves. And you're right that there is so much out there, so much opportunity, both in terms of technology, but also in terms of mindsets and strategies. They can make things so much better for everyone. So, John, thank you so much for coming on the show and sharing so many deep insights with us. I'm sure the audience will get a lot from that. And we really appreciate it. Thank you very much. 

John [00:34:10] Thanks. Been fantastic. I appreciate it, too. 

Gemma [00:34:15] That's it for this week. Thank you so much for tuning in. You can find out more about John's work and indeed some of the broader themes we discussed today in the show notes. If you enjoyed this episode, please do take a few moments to rate and review the podcast. It really helps other people discover the show. And don't forget to hit subscribe and tune in next time to continue our conversation about innovation, resilience, and our capacity to succeed. 

Ad [00:34:43] Learn how Microsoft Dynamics 365 Fraud Protection helps e-commerce, brick-and-mortar, and omni-channel merchants minimize losses, safeguard revenues, and protect their reputation. Request a live demo today by following the link in the episode description.