Bridging Military and Corporate Cybersecurity: Leadership and Risk Management
Notes
Device42 hosts the podcast The Hitchhiker’s Guide to IT, featuring John Price, CEO of Subrosa and former British Army Intelligence Corps officer, on bridging military and corporate cybersecurity practices to improve IT leadership and risk management.
Cybersecurity is no longer just about reactive measures—it’s about adopting a proactive mindset to anticipate threats and secure critical systems. Drawing from his military background, John shares how principles like structured decision-making, hierarchical clarity, and continuous vigilance can transform corporate cybersecurity strategies. From implementing zero-trust models to fostering a security-first culture, this episode offers actionable strategies for leaders navigating today’s evolving digital threats.
What can businesses do to strengthen their cybersecurity posture while empowering IT operations?
In this episode, The Hitchhiker’s Guide to IT dives deep with John Price as he explores:
- Moving from reactive to proactive cybersecurity practices and leveraging real-time threat intelligence.
- Translating military security principles like defined roles and continuous training to corporate environments.
- Creating a resilient security culture that balances technical solutions with human accountability.
John also shares real-world success stories, like implementing AI-driven tools to mitigate phishing threats, and offers advice for organizations looking to adapt to the rapidly evolving threat landscape.
Stay tuned to learn how businesses can adopt military precision and foresight to safeguard their IT environments effectively.
Transcript
Welcome to the Hitchhiker’s Guide to IT, brought to you by Device42. On this show, we explore the ins and outs of modern IT management and the infinite expanse of its universe. So buckle up and get ready to explore the ever-changing landscape of modern IT management.
Michelle Dawn Mooney
Hello and welcome to The Hitchhiker’s Guide to IT, where we explore the evolving landscape of information technology and leadership. I’m your host, Michelle Dawn Mooney, and today we are joined by a guest who brings a unique blend of military and corporate experience to the show. We are diving into cybersecurity, IT leadership, and risk management, focusing on strategies that can protect and empower businesses in today’s digital environment. I’m happy to bring on today’s guest. John Price is CEO of Subrosa and former British Army Intelligence Corps officer. John, thank you so much for being with me today.
John Price
Thank you for having me.
Michelle Dawn Mooney
Looking forward to the conversation. Before we kind of dive in, can I ask you to start off by sharing a bit about your background and how your military experience has influenced your approach to cybersecurity and risk management?
John Price
Yeah, absolutely. So, um, my background, I served in the Intelligence Corps, so I was responsible for really handling and analyzing, um, sensitive data. And then on the on the flip side to that, in counterintelligence, we were focused heavily on the proactive, um, tackling of threats, um, as well as risk mitigation. So this really instilled a strong foundation in that structured, uh, decision making, strategic thinking in risk mitigation principles that have kind of translated into the cybersecurity and risk management world that I’m in right now. Um, cyber security is really all about, uh, being prepared for the unknown, anticipating threats and then ensuring that you have a solid plan to address them. And the military, as an organization, I think is um, is for the most part, uh, focused on that proactive risk identification, um, through the chain of command and crisis management. So that’s really significantly influenced how, um, I’ve structured my cybersecurity programs at Subrosa and has led me to where I am now.
Michelle Dawn Mooney
Wonderful. And a few key buzzwords there, which we will dive in a little deeper. Uh, being prepared, proactive. We’re going to touch on that and how important that is. So you’ve advised numerous Fortune 500 companies and government agencies. What are some of the most common cybersecurity challenges that you’ve encountered, and then how have you helped these organizations address them?
John Price
So I think across the board, whether it’s big and small companies or organizations, um, the most common challenges that we see involve an overreliance on reactive measures to cybersecurity. Um, the shift is changing, but, um, many companies, and especially the bigger ones, surprisingly, really tend to focus, um, on, on incident response, uh, rather than proactive threat detection. Uh, not to say that incident response isn’t a key component of cybersecurity. Absolutely is. Um, but, uh, the, the shift, um, at least the, the, the focus, uh, for the last decade or two arguably has been really on the, on the reactive as opposed to the proactive. Um, tied in with that is the, uh, is a common issue of, of lack of communication between IT teams and leadership. Um, and then at the top, lack of understanding, uh, this can lead to, um, misaligned priorities, uh, from the top down. Um, so I’ve helped organizations really address these by, um, implementing, uh, real time threat intelligence, uh, and then fostering better collaboration between the lower level boots on the ground types up to the C-level, so that the organization from the top down has the same culture, has the same understanding of what’s going on. Um, and focusing on really embedding security into the corporate DNA of an organization as opposed to being an afterthought or something that’s tackled, um, post incident or really when, you know, when, when things are going wrong. Um, that’s the that’s the worst time to be, um, to be kind of figuring out your cyber security program. So focusing on that proactive and making sure that communication from the top down is, uh, is throughout the organization.
Michelle Dawn Mooney
With your experience in British Army intelligence, I’m curious, how does translating military security principles to the corporate world impact the way companies should manage their IT operations and cyber security protocols?
John Price
So I think that translation of of those military security principles into the corporate environment offers a tremendous advantage, especially in terms of hierarchical clarity, accountability and then within incident response as well. In the military, you’ll find that everybody has a very defined role, whether in or out of a crisis. And this can really help to minimize confusion and delays during that process. Um, but this really does need to apply to corporate cybersecurity principles as well. Um, and it’s something that we see lacking, um, clear protocols, defined roles, and then continuous training to make sure that everybody in those roles does understand that when an incident occurs, they know what they’re doing, essentially. Um, and then, uh, I think, uh, kind of a second principle that, that that would translate with a great advantage would be, um, just the constant vigilance that, um, that is adopted in the military. There is a there is a cultural sense of of there being a much higher standard of vigilance. I think that corporations should at least attempt to adopt, um, certainly in the kind of proactive space of monitoring and threat hunting, um, as opposed to relying on, um, periodic or single point in time audits and assessments.
Michelle Dawn Mooney
So what would you say? Because there are a lot of moving parts here. What are some of the key strategies you recommend for IT leaders who want to improve their organization’s security posture?
John Price
So, um, I’ll say it again. I think really that the most critical is, is moving from the reactive to the proactive approach and leveraging technologies and methodologies to do that. Um, I think firstly, IT leaders should be looking at, um, threat detection models and threat detection technologies. Um, automated monitoring systems, particularly in, in the AI space, there’s a lot of, um, very innovative and very powerful tools out there now that are leveraging some of the kind of new AI tools that we see on the market, commercially available. Um, these things can really help cut down detection time in incident response, uh, as well as, um, help kind of alleviate some of the pressures of, of um, detecting and dealing with, with cyber threats, um, and identify potential risks really before they escalate. Um, another one I think would be, um, enforcing, uh, what’s called a zero trust model. So ensuring that no, um, user, whether inside or outside of the network, is trusted with anything sensitive by default. Um, and so that the users who do need a level of access to potentially sensitive information are given that on an as needed basis, as opposed to across the board by default. Um, that principle on that model in general is something that we are seeing, um, a big movement to, um, who within our kind of area of, uh, of clients, um, that we service and that we work with in the industry. Um, and then finally, um, I think one of the most certainly cost effective ways of guarding your front line, um, as it pertains to cybersecurity, is is regular employee training and awareness.
John Price
Um, so building that culture ingraining the cyber security principles into the DNA of the company from everybody in the organization. Um, so making sure that staff are well educated on phishing tactics, social engineering, um, that can make a huge difference because, you know, one click of a bad link can, um, can do serious damage to an organization. And the cost to, um, to train that employee is relatively low compared to investing in infrastructure and software and hardware to tackle the similar threat. Um, and then finally, um, a big one that’s often overlooked, I think is lastly, um, is, uh, maintaining strong relationships with third party vendors and ensuring that those vendors meet, uh, security standards, um, that you as an organization would uphold as well, and to reduce supply chain vulnerabilities, uh, because there’s a significant amount of cyber attacks that happen as a result of poor vendor cyber security. Um, so you can, as an organization, invest, um, time, resources and money into building a really strong cyber security program. But if you have a vendor that has access to your network or to your data, and they’re not up to par with you as an organization, it undermines everything that you do. Um, and makes a lot of it essentially redundant.
Michelle Dawn Mooney
Yeah. And you talk about the danger of that one click. And I think we all know what that’s like, whether it’s personal or professional. Right. There’s a lot riding on. Just one click can lead to very bad things. So unfortunately we’re seeing a rapidly evolving threat landscape. So we know it’s very important, as you address, for organizations to stay proactive rather than reactive. And you mentioned some of the things that we should be aware of as far as strategies. But let’s actually go in to a little more of a granular level. And where do we start? What steps can these companies take to stay ahead of potential threats?
John Price
So I think um, implementing. So so firstly, I think there needs to be a shift in, in how people approach, um, threat detection and threat identification. And shifting to that proactive strategy, um, is a good first step there. Um, because without one right now and the rate that cyber threats are evolving and adapting, um, you’re essentially leaving yourself out to being a sitting duck. Um, so I think, um, in terms of some of the more technical activities that organizations can do, making sure that certain things are continuously included within their security program. Um, so implementing vulnerability assessments across their infrastructure, whether it’s applications or network. And I say applications because they are often overlooked element. But one of the easiest to exploit from a technical level from an attack vector. Um, so making sure that those are all included continuously in vulnerability assessments to address things as they appear, as opposed to waiting for your penetration test or waiting even, you know, even worse for a threat actor to exploit them. And then secondly, leveraging, um, leveraging threat intelligence, there are, um, an abundance of resources out there available, um, both free and paid, that companies can, um, can utilize, uh, to ingest threat intelligence so that they are able to catch potential threats before they become an issue for that company. Um, and then tied into that real time monitoring, um, which would be looking at behavioral, uh, you know, behavioral analysis potentially across a network or for architecture, applications and monitoring to detect those anomalies as soon as possible is going to be key.
John Price
Um, and one of the arguably one of the most important parts of a proactive approach to cybersecurity, um, because you really want to make sure that that threat is caught and doesn’t become an incident. Um, because once it’s an incident and there’s a breach or worse, then that’s really when the work starts. So if you can catch it before it becomes one, um, then you’re going to save yourself a lot of headache in the future. Um, and then kind of underpinning all of that, um, regular cybersecurity drills, tabletop exercises, training, it’s going to help those teams to stay sharp. So in the unfortunate event that something does happen, they are ready, uh, and ready to deal with that. Um, I think, uh, statistically speaking, most of the loss financially in an incident comes from how an incident is actually handled, not the actual incident itself. So mismanagement is really where you’re going to see the biggest impact to an organization. Mismanagement of an incident, I should say, is where you’re going to see the biggest impact to that organization. So, um, making sure your team is sharp and that they know what they’re doing so that they’re ready to address it as and when these things happen.
Michelle Dawn Mooney
And what you just said, making sure that your team is sharp because I mentioned there are a lot of moving parts here. And there’s one side you have your software and your programs, and you can make them, as I would say, durable, but as, as high level to to ward off a threat as possible. But then you also have the human side, right. One click can do a lot of damage. So how do you balance the technical and human elements in cyber security? And why is leadership so important here in creating a resilient security culture?
John Price
Yeah. So um, that’s a great question. And I think it goes back a little bit to what I was saying earlier. Um, you know, cyber security is more than just technology. It’s about the people behind the behind the systems. You can have the best tech in the world, but if your team isn’t trained both in terms of security culture as well as in the systems that they’re using, it’s not going to be effective. So this is why the security conscious leadership is crucial in instilling a security first culture. And leaders need a good model and good cyber security practices, and to invest in their teams through ongoing training or ensuring that the the staff have the latest tools or up to date tools and resources at their disposal. Um, is very is key to a successful cyber security program. Um, you also need a culture of accountability. Um, so you need to empower employees to be able to speak up if they notice something suspicious or if they notice something that, uh, seems, um, anomalous. Uh, and understand that security is the responsibility of everyone in the in the organization and not just the IT department or the security department.
Michelle Dawn Mooney
So there’s an old saying the proof is in the pudding. Can you share an example of a risk management strategy that you have implemented that had a significant impact on an organization’s security and operations?
John Price
Yeah, absolutely. Um, so, uh, a strategy that stands out for us recently is, um, it was a essentially a multi-layered defense system for a financial services firm. So, um, where they were struggling was dealing with the volume of, um, phishing attempts that they were, um, were struggling to identify, um, struggling to identify malicious attempts in real time as well as weed out the false positives from the positives, because, um, in that instance, there was an operational impact where, um, they were blocking legitimate emails coming in from vendors, from um, from partners internally as well. So it was a little bit of a mess. Um, with regards to how the organization. The impact it was having on communications, um, which I don’t think, um, you know, again, is an overlooked thing, I think when, when when it’s mismanaged like that, it can have serious repercussions on how an organization functions. So, um, we saw, uh, we looked at that. We implemented, um, an AI driven tool that sits on the, uh, the email and the cloud apps, like, uh, like, uh, SharePoint, um, Slack, Teams, things like that. Um, and we were essentially able to, um, quarantine and manage the flow of email communication in and out of, of the organization, um, to, to improve the employee response. Um, I’m sorry to improve, uh, internal and external communication as well as, uh, more importantly, to filter out those malicious emails. Um, and we saw, uh, a significant,
John Price
I think over 90% reduction in, um, phishing attacks able to get through into the organization. Um, and kind of underpinning that, um, the organization did conduct further, uh, cyber awareness training, um, as well as, um, you know, building out that risk management program to effectively combat those issues proactively and reactively when they needed to. Um, so that they were able to kind of improve operations as a result of, um, as a result of having those lines of communication cleared up. And, um, and business could kind of continue as usual throughout the company without having to, to worry constantly about, um, these the phishing attacks, uh, within their um, as a part of that training, we did conduct, uh, phishing simulations. So to, to keep people on their toes, keep them sharp, like I said, um, and ultimately improve employee response because that’s what we we wanted was employees not clicking links, and we wanted employees to be mindful of what they were looking at and report issues and report suspected phishing. Um, and that reporting rate, as well as the you know, we saw the incident rate decline and we saw the reporting rate increase. Um, which is a good trend and where we wanted to see. So it really not only improved overall, the security posture, the operational side, um, but then also reduce that downtime that they were experiencing, um, with, uh, incidents and potential breaches.
Michelle Dawn Mooney
And there will always be those threats, but having conversations like the one we’re having today, there are solutions, right. Or at least things that can hopefully lessen the threat there. So so last question. What advice do you have for businesses looking to strengthen their own cybersecurity frameworks? Try to get the positive results that you just spoke of in light of increasing digital threats.
John Price
So I think, um, you should start with the basics. So reviewing, uh, existing, uh, security infrastructure, um, taking care of, of known vulnerabilities with patches, um, certainly multi-factor authentication where possible is something that you should look to implement. Um, and then as you want to build and um, and build out a more sophisticated approach and a more sophisticated mindset. Um, the next step, I would say is certainly, um, adopt a zero trust mindset. So don’t assume that any device or user is secure by default. Um, you should adopt the opposite approach to it, um, regardless of whether they’re inside or outside the network. Um, and then, um, building on that, investing in real time threat intelligence and, um, and tools that can help detect unusual activities before they become a full blown incident is going to be key. Um, key now and and key really in the future as the way that things are going and the way that threats are evolving, um, and and in tandem with that zero trust mindset and the proactive mindset, understand that cyber security really is a marathon, not a sprint. And it is a continual process. It’s not a one and done. It’s not something that you kind of visit once a year. It’s something that has to be, um, has to be considered and has to be approached, uh, on a continuous basis. Um, otherwise, um, you know, you kind of fall short and you and you fall behind in terms of the threat environment. Um, in addition to that, you know, kind of continuous process, regularly updating your frameworks, regularly updating how you approach it to make sure you are current, um, and, um, conducting other activities outside of that, like penetration testing using third parties. Um, and then overarching, uh, ensure that employees and culture are trained and are learning and adapting to new threats, um, as much as possible.
Michelle Dawn Mooney
And that’s going to do it for this episode of The Hitchhiker’s Guide to IT, brought to you by Device42. I want to give a big thank you to John Price, CEO of Subrosa and former British Army Intelligence Corps officer. Thank you for sharing your valuable insights on cybersecurity, IT leadership, and risk management. I appreciate it. I’m sure a lot of people gain some knowledge here from this and probably have some questions to follow up, so we’ll have some information there on the show notes. Thank you for being here today John.
John Price
Great. Thanks, Michelle. Thanks for having me on.
Michelle Dawn Mooney
And also want to thank all of you for tuning in and listening. We hope you found today’s discussion engaging and informative. And if you enjoyed this episode and you want to hear more thought provoking conversations like the one you heard today, be sure to subscribe to the podcast. And of course, for more information about Device42 and how their solutions can support your IT infrastructure and operations, you can visit their website. I’m your host, Michelle. Thanks again for joining us and we look forward to connecting with you on another episode soon.