Season 1, Episode 14

How CIOs Can Convince C-Suite of Cybersecurity’s Value

With
Kevin Powers
Founding Director, MS in Cybersecurity Policy & Governance at Boston College

Transcript

Speaker 3 (00:15):

You're listening to the TechTables podcast, a weekly Q&A podcast dedicated to interviewing industry leaders from across the world, ranging from startups to Fortune 500 companies, mixing it up each week with topics ranging from design and product innovation to IoT and Industry 4.0. Let's do this.

Joe Toste (00:33):

Hey guys. Welcome back for another week in the world of Tech Tables with me, Joe Toste. Love to connect with you behind the scenes on LinkedIn, Twitter, and Instagram. Or you can even message me questions for future guests coming on the show. But today we're going to shift our focus to cybersecurity best practices with Kevin Powers, founding director of the Master of Science in Cybersecurity Policy and Governance program at Boston College, research affiliate in cybersecurity at MIT and ex-attorney for the US Department of Defense. Huge thank you to Kevin for taking time to come on the show and meet with me today, but that's quite enough from me. Without further ado, I'm thrilled to welcome Kevin Powers to chat all things cybersecurity. Hey Kevin, welcome to the show. Super stoked you're on today.

Kevin Powers (01:11):

Hey, thanks, Joe. Nice to take the time and talk with you.

Joe Toste (01:15):

Love it. So let's kick off today a little bit about your background in cybersecurity, starting with your work at the Department of Defense and moving to consulting and teaching, both at Boston College and MIT. Let's start there.

Kevin Powers (01:28):

Sure. Yeah, I got involved, like everyone in my age group, with cybersecurity. You just kind of fell into it. So I've been an attorney for over 20 years, working with the Department of Justice, the Department of Defense, and then in private practice with firms down in DC, up here in Boston, then in-house. And I really got involved, I guess, started to fall into cybersecurity probably in the mid-2000s, where I was doing due diligence or risk analysis. And then cyber started to come into play. And then when I was working down in DC with the federal government, it really was more access management. And that's where you're looking at who has access to what and why. And without going into details, there were some issues down there that I was involved in.

Kevin Powers (02:17):

And then when I went to work for a government contractor as the general counsel and head of operations up here in Boston, I was really in the thick of it with the cyber piece. And on the teaching side of the house, I've been teaching now for over 20 years as well. And it was just one of those where I started like, again, everyone in my age bracket, you fell into it and then you just started to become the expert. So I've been doing this now for almost 10, 12 years, if not longer.

Joe Toste (02:50):

That's great. That's awesome. So I was going to ask this at the end, but I'm actually going to bump it up a little bit sooner.

Kevin Powers (02:54):

Sure, sure.

Joe Toste (02:55):

You actually run a pretty cool conference called the Boston Conference on Cybersecurity. Just kind of fits right in.

Kevin Powers (03:00):

Pretty cool? It's very cool.

Joe Toste (03:03):

Yeah, it's very cool. You had FBI Director James Comey speak in 2017. Tell the audience a little bit more about the Boston Conference on Cybersecurity, bridging technologies, company concerns, et cetera.

Kevin Powers (03:17):

Sure. So the Boston Conference on Cybersecurity at Boston College is a joint effort with the Federal Bureau of Investigation. So we work hand in glove with the FBI Boston division up here. It came into creation actually with a great friend of mine and a professor at Boston College. At the time he was the supervisory special agent overseeing cyber crimes for the FBI Boston, Kevin Swindon. And he came up with this idea of let's put on a conference similar to what they do at Fordham, which is the International Conference on Cybersecurity. So you can see we matched the name that the FBI does with them. But ours was focused really just on cybersecurity, and it was a one-day conference. And the goal was to bring in the leaders from industry, academia, and government. We wanted to have the right people in the room.

Kevin Powers (04:06):

We wanted to keep it small enough that people could network and that we could train them appropriately. Because you go to some of these conferences, you could have a thousand people, and it just turns into everyone networking and passing cards and drinking coffee, and then having fun at the networking events afterwards. We wanted key people in the room, focused on what we were talking about and networking together to really work collaboratively. So the first conference we came up with, the first time we had it was 2017, you're right. We had Director Comey come and speak. And since then we've had Director Wray twice and now the deputy director, Dave Bowdich, came in 2019. We've had guest speakers including Kevin Mandia, Jeh Johnson, former Secretary of Homeland Security, and a list of others.

Kevin Powers (04:51):

We just had Helen Dixon who heads up the Data Protection Commission over in Ireland. She's one of the lead regulators on the GDPR. We had Mike Cote, who is the president and CEO of Dell Secureworks. And those two were just up here at the last conference on May 4th. And also we had the Assistant Attorney General for National Security, John Demers, who closed it out in a fireside chat. So yeah, it's a great conference. It's a lot of fun, but it's very educational.

Joe Toste (05:18):

Oh, nice. No, that's really great. So you said Fordham has a similar conference?

Kevin Powers (05:24):

I'm sure they'll say we have a similar conference to theirs. Theirs is much bigger and different. It's really different. It's a four-day conference that they have. And I think they run it once every two years, where we run ours once a year. And ours is much... We have 350 people in the iconic Gasson Hall at Boston College and the Irish Hall. And we have 12 people at a table, they're crammed in there, and it's really focused on the CEOs, the boards of directors, senior executives and government, and then the academics as well. It's a who's who of folks in cybersecurity, that's for sure.

Joe Toste (06:01):

No, that's great. Actually, total random tangent, I actually toured and almost went to Fordham, which is kind of funny.

Kevin Powers (06:08):

I toured there twice with my kids and none of them went. They went to BC instead. Got one going to Georgetown too.

Joe Toste (06:15):

Okay. Okay. Well you teach at BC. So that kind of makes sense, right?

Kevin Powers (06:21):

Well, it does, but I don't think they like that I'm there.

Joe Toste (06:24):

Okay. I see it.

Kevin Powers (06:25):

I think I cramp their style.

Joe Toste (06:29):

Well, that's how it goes with kids sometimes.

Kevin Powers (06:31):

Okay. I know I cramp their style.

Joe Toste (06:35):

So there's a research report out there called "Remote Work and COVID-19 Cybersecurity Impact." And I was going through it and it revealed that organizations are struggling to mitigate the risks of increased COVID-19 related attacks, with 58% of security issues revolving around remote workers. If you're a CISO, a CIO, director of cybersecurity, or director of DevOps, how are you positioning your company today to handle these threats?

Kevin Powers (07:06):

With difficulty. That's how you're doing it. I mean, think of how this all played out. It was hard enough to manage cybersecurity risk while everyone was coming to the office and you had a wall around them. Now you have everyone working remotely and everyone talks about remote working. Oh, I'm working from home. The piece here is you're in your house. And the odds are the average family is probably what, at least four people, it could be up to five? I have six in mine, and think if there's little kids running around, the stress involved with COVID-19, and you're home with your laptop. And you're probably using your house printer, which is attached to your house Wi-Fi, or using your home Wi-Fi, and again, you're on your laptop. The odds are you may or may not be using your VPN or anything along those lines. So you start with that. Okay.

Kevin Powers (07:56):

And then who has access to all the information that you have on your laptop or you're printing out? So this is a nightmare. That's just one house. Now you take that with a company that might have a thousand employees, 10,000 employees, 20,000, spread across the United States and they're all in their homes. So how do you secure all of that? That's the question. And that's what they're dealing with right now.

Joe Toste (08:21):

Yeah. That's great. Do you have some practical suggestions on maybe some elementary ways you can protect your workers while they're at home?

Kevin Powers (08:33):

Yeah. Get a vaccine for COVID-19 and get everyone back to the office, but that's not going to happen for a while. So I think it comes down to, and I set up the dire nightmare, it is, but it comes back to training and really hammering home best practices to your employees. All of us in the cyberverse, of course we're doing things and sometimes we don't either. But at least that's what we do for work. So we're always thinking security, making sure we have the rightful access with the key privacy. Your secretary, your administrator, your business person, your vice president, even your CEO. They might not be thinking of it when it applies to themselves. So it's really getting that training out there and hitting home that the best practices you were taught in the office apply at home as well.

Kevin Powers (09:20):

I'll give you an example that I saw out there without naming any company. Once everyone got pushed back out to home, there were emails going around and it was an Excel spreadsheet. Please fill in your name. Okay. Your email address, your username and the password you use for XYZ. So everyone could have access to the passwords just in case someone needed something. And they were sending that around in an email. Now, under normal circumstances, that would probably have never happened, but they did that because, "Oh my God, this is an emergency. We have to get this information." So I think it's really stepping back because, I mean, think of that nightmare. I jumped in when I saw it and said, "Stop that, person." And it was not at Boston College to be clear, it was outside and I was advising.

Kevin Powers (10:05):

Just to make sure. I don't want to throw Boston College under the bus. But the important piece is to look at how you train your employees, make sure they understand the importance of this all, and then come up with ideas like, if you're working from home, here's something you should do that's different from the office in how you protect information. I just think of privacy. I'm a professor. I run a graduate program. I deal with undergrad students. I deal with graduate students and law students. And there's a law out there, FERPA, you have to protect the students' information. You can't share it unless people have the right administrative right to look at or view it. So when I'm at home, if I have a call with a student, I have to go outside because I'm at home with five other people.

Kevin Powers (10:47):

And if I'm on my phone and I'm talking and I'm in a hallway in my house, because it wasn't built for an office space, plus everyone else is using... My kids are using their rooms or whatever for homework. I have to make sure that I'm not on the phone and not paying attention, but speaking loudly or talking and giving out private information. So that's a nice example of something where, if you have access to private information, you're in the human resources department, make sure you're taking calls in a place that's private. Make sure if you're printing off the home computer, you do so and you make sure that's set up. That it's not left on with a default Wi-Fi password. Make sure that when you're printing things out, you're the one who has access to it, not other folks, if that makes sense?

Joe Toste (11:32):

Oh yeah, no, no. That makes a lot of sense. You mean my Wi-Fi password of turtleswim123 isn't good enough?

Kevin Powers (11:40):

No. I think you should go just the basic 7654321. That's a good one. If you do it that way instead of doing it 1234567.

Joe Toste (11:50):

I love it. I love it. So this actually leads into the next question really well. So a big part of cybersecurity isn't actually technical, right? It's about training and teaching everyone in the organization to be proactive with what they click on. Security is a really critical component because if there's a breach, ransomware attack or worse. Really at the end of the day, if the revenue that the company is taking in gets shut down, it's going to cause a lot of pain. What advice would you give on teaching and training organizations to be proactive with security?

Kevin Powers (12:25):

Yeah. And no, you're right. I always go out there and say, "Cybersecurity is not a technical issue. It's actually a business issue that needs to be managed from the top on down." But, in reality, it is a complex technical issue, but the tech folks have that part to deal with. For the rest of us, you just hit... You're spot on. It's about training and understanding best practices. And when I look at training, it really comes down to: cybersecurity is everyone's job. It's an all-hands approach where no one's too big and no one's too small. And you have to follow the protocols that are put in place. So you talked about clicking on links and things along those lines. Understanding it's those emails you're hoping don't get through. There's a filter system in there that's going to prevent certain links from getting through.

Kevin Powers (13:15):

But then it also gets to, if they do get through, why are you going to click on something that someone sent you, that you don't know? Like, "Hey Joe, it's Kevin Powers. I heard you on your podcast. So I thought I'd send you this. What do you think of this screenshot or whatever it is? I got this thing on Boston College." You should think twice before you open it up because you don't know who I am or what I'm sending you. And if you do click it, it could be something that shows Boston College, or it could be packed full of malware. So you have to be careful what you click on. Also, you have to be careful; there's plenty of talk out there on the social engineering piece.

Kevin Powers (13:52):

I mean, I'll go into it if you would like, but that's where your presence is on social media. What you're putting out there. The more you put out there, the more you can become a target. And I'm not saying that you shouldn't use social media, but if you're on social media and I'm the CEO of a company, I probably shouldn't be posting every day the lead-up to my vacation to the Bahamas, and when I'm going, and when I'm going to be out of the office. Because when I do, someone's probably watching that. And there have been cases where CEOs or senior executives have gone on vacation, and they posted these things on Facebook and even on LinkedIn or Instagram. And when they're away, their executive assistant gets hit with an email that looks like it's from the CEO or the senior executive saying, "Hey, I need a full listing of these folks' tax returns.

Kevin Powers (14:42):

Can you send these to me?" Not the returns. I'm sorry, the W-2s. Send those to me. I'm down on the beach. And I sent a picture of the beach too. And then the admin sends off the information, no problem, and actually clicks on the picture. And it is a picture of the CEO or the senior executive on the beach drinking a cocktail. The only problem is that that picture now is full of malware. The email address that the administrative assistant sent it to was not the real CEO's or senior executive's email. It was a hacker who socially engineered this whole process, and they got the picture from where? Social media. That makes sense. So I guess it's really, when you talk about the training, what's the best way to approach it. It's not one of these "watch this 40-minute video and you're okay." It's really looking at cyber hygiene, cyber culture, and then coming up with different types of training, whether they're fully online trainings, or a mix of hybrid in-person trainings where you're coming in, and then you're following up with online.

Kevin Powers (15:43):

But it's really making sure the employees understand their role, understand what they need to protect, how they can protect it. And why they're doing this and why there could be a consequence if they don't follow these rules. So it could be a series of different trainings over the course of a year that would be in place. And this would go a long way for companies too, when you look at it, because if something does happen, when the regulators come in, or if there's a class action lawsuit against them by a plaintiff's attorneys, they can look back and say, "Listen, we trained everyone. Okay. Someone slipped up, but listen, we were doing everything we possibly could. We weren't negligent here. Rather instead we were fulfilling our duty and we were training our people to protect the information that we've been entrusted to protect."

Joe Toste (16:30):

Yeah, no, that's really, really good. And that's actually going to follow up into the next question. When we think about laying that foundation, laying that cybersecurity culture, there's training. But when you think about companies that have, because you do a lot of consulting, you think about companies that have really good culture around cybersecurity. What are some of those traits that you consistently see?

Kevin Powers (16:54):

So companies that have good cyber hygiene, they make sure that everyone, like I said earlier, they make sure everyone understands that it's an all-hands approach. They take it seriously. From access management, they make sure they have policies in place and actually follow the policies, and that's who has access to what. And it's a scalable approach. You have general access, then you have protected access. And then you get all the way up to confidential and higher access. If you're looking at it that way, then you limit it to those who need to know and need to have it. Okay. So that's the access management piece. When I'm thinking of what would they have in place? Well, they'd have multi-factor authentication, meaning that to access your laptop, it's not only username and password, but it's also going to be where there's a PIN where you have to click on again; they're either going to call you, or they're going to send you a code via text message on your iPhone or your mobile device, which adds an extra step.

Kevin Powers (17:57):

And the key here is to recognize too, you're not absolutely secure. What you're doing is minimizing the risk. You'll make sure that if you're a company, and this is [inaudible 00:18:08], is that your CISO is running the tactical aspect of the security programs. That things are being patched when they need to be. Everyone's installing all the updates that need to be installed. It's not like I'm working on my laptop at home and I keep getting, "Your laptop's ready for updates," and I just don't do it. You have to make sure everyone's doing it. And you make sure you hammer that home, that everyone has to do that. Other bits of it too are, again, the social engineering. What to click on, what not to click on.

Kevin Powers (18:36):

Then, other practices are you do the phishing scams internally, where you're testing the employees. You start off with the most obvious ones, so everyone's like, "Hey, we're at 90%." And then they get tougher as you go along. So then people start to notice them and they're able to, in real time, when one comes across their desk, they know not to click on it and they know who to report it to. So I guess just having those basics in place, it's really training over and over and over and making people think before they click.

Joe Toste (19:09):

That's really great. So I had a couple other questions, but they actually merge really well. I had a CIO email me over the weekend, so I'm going to call it... Normally I have this 60-second Tech Table segment, but I'm going to call it the "Answer the CIO" segment for today. And so I'm going to merge some of the questions together because they're pretty similar. So the first question was, what is your perspective on how to best discuss cybersecurity with board-level executives? Is there an equivalent ROI calculation that is appropriate, or a model that helps with the investment dollars with risk mitigation?

Kevin Powers (19:51):

Well, see, now you're throwing a real technical question at me, and to go with a different framework, I'll step back and give you a general way to approach it, if this makes sense. So, at Boston College, I think I've talked to you about this, at the law school we're developing a board of directors college focused on cybersecurity for board members. So our approach for that too is everyone at that level knows what cybersecurity is. But at that level they don't know how to handle it or how to invest in it. A lot of times they'll look and say, just either throw money at it or we're not going to throw any money at it. And I think the important piece when presenting to the board, whether it's the CISO or it's the CEO looking to get more funding to expand training or whatever, is to make it real that, listen, we have to secure the crown jewels.

Kevin Powers (20:41):

What keeps us in business? We have to protect that. Then we have to protect all the financial information we have as well, and then the personally identifiable information of our employees or our customers as well. And the key to all of this, board members, is if we don't protect all of this, we're not going to have a company to begin with. We'll be out of business. And so when you talk about what the metrics are here and how we invest? Well, it's a case-by-case approach. So if I'm a gigantic bank, like Bank of America, I'm investing a lot more money into my security systems than I would if I was a local bank in Boston that's just regional. So that's how you approach it. And then it comes down to the cost-benefit, the risk-reward. And a key component of this too is people always say, "As long as we're compliant, we're good to go."

Kevin Powers (21:37):

You're really not. Compliance doesn't equal security. You can check all the boxes and you can still suffer a breach. And then when the regulators come in, they're going to ask you, were you following the best practices? And sometimes best practices are higher than what the compliance standards or the regulations are. So it'd be like, "Hey, we're compliant." And a regulator is going to come in and say, "That's great, but you weren't following best practices here." So it's really, you look at the risk and then you figure out how much you can bear.

Joe Toste (22:07):

That's great. Do you have any experience with retail companies? And I have no idea. I'm just kind of throwing that out there. I'm just curious.

Kevin Powers (22:16):

Mainly banks.

Joe Toste (22:18):

Mainly banks. Okay. They have higher security needs.

Kevin Powers (22:22):

Yeah, they do. They have a lot and on the retail side, when you're talking about the retail, are you talking about the mom and pop shops? Are you talking about a Macy's or Nordstrom's or something like that?

Joe Toste (22:34):

Yeah. Yeah. I'm talking about retail apparel, retail grocery, retail, kind of everything that encompasses that. It could be the 500 million to maybe six billion or something right in that revenue range.

Kevin Powers (22:50):

Yes and no. So a mix of that, but what's important to understand is that advising one's not really much different than advising the other. Because ultimately you're protecting information and it's how you go about doing it. Then you start looking... So if you use the retail store, or even the retail sort of using the groceries, or using shirts, sneakers, or suits, you're giving information. You're giving your credit card information, you're online at your house. You're going to their webpage and they're delivering it to you. See, now I'm being fully COVID-19 now. [inaudible 00:23:22] store. And the same with the grocery store. So think of all that information you're transmitting, and then they have it. How are they protecting it? How are they using it? What right do they have to use that?

Kevin Powers (23:35):

Meaning, depending on where you are in the United States or where you are in the world, they may need to get your permission to use your private information for anything they want. So for instance, if you're in Europe, they can't take your information and sell it to someone for advertising or marketing without your permission. You give them the permission for what it's used for. While here in the United States, depending on where you are, that might not be the case. Does that answer your question?

Joe Toste (24:01):

It does. I just want to dive one little layer deeper. If you're the CIO and you go into the boardroom with the CEO and maybe the CFO and you're trying to make the case, you need-

Kevin Powers (24:14):

The business case. Yeah.

Joe Toste (24:16):

Yeah, yeah. Your business case, you need a hundred thousand dollars. You need $200,000 for your security initiative. Do you tie that to revenue? I mean, how do you make that pitch? I'm kind of trying to think what it is.

Kevin Powers (24:28):

Yeah. If I'm making that pitch, and I mean, now I'm like, as a lawyer and an advocate, I would walk in there and first you start out... You'd prep it beforehand, but you're really looking at here's what happens if you don't invest in this. If you're only spending a hundred thousand dollars, and I don't mean to say only a hundred thousand, but for a company, if you can spend a hundred thousand dollars and better protect your information and it's a cost that's not going to break the company, that's something you do. Because if you look, if you don't do it and you had the ability to do it, you might be spending millions of dollars, not a hundred thousand dollars, in fines or attorney fees and against various lawsuits that come at you.

Kevin Powers (25:13):

I always look at it, if you want to talk to the board, you want to make them aware of this is why we need this here. But when you go in too, you have to have all your facts, you have to have all the metrics. You have to have all the data in front of you to say, this is what we need. This is why we need it. If we don't get this, this is an example of what's happened to companies like us who didn't do this. And here's the fines they took on. Here's why they're filing for bankruptcy. Here's what happened to their board members. There's no interest like self-interest. So this is what happened to their board members. There was a derivative lawsuit against them because the stock went down because they were breached. And then you talk about the other regulatory matters that are coming against them, whether it's GDPR, the FTC, state attorneys general.

Kevin Powers (25:54):

That's how I would approach it. And this is why we need it: companies who haven't done this, this is what happened to them. So the cost-benefit is, here's the benefit. Yeah, there's a cost, but the benefit is we're not going to lose money in the long term paying for lawsuits, lawyers and regulatory fines. But instead we'll have that money at hand that we can use for operations and to pay our employees.

Joe Toste (26:16):

Yeah. That's really great. I'm thinking, I mean, if you had some printouts of some articles or if you even had screenshots of those, like in a deck, that would be pretty powerful as far as what has happened to other board members. [crosstalk 00:26:28].

Kevin Powers (26:26):

Yeah. Go in there like I'm teaching a class. Here you go. I want to school you, and not in a bad way, but make sure they understand it so they have the full picture. And that's the key, that's their call. It might be like, "Hey, this is where we're at. Here's my opinion." And the board might look at it strategically, because there's more to the business than just what a CISO or a CIO knows. There's a whole picture involved here. It might be, you know what? We're going to stay where we are right now. We'll get to that later because we have XYZ we have to take care of. But at least they know, and you have it on the record. The key here is you want to convey that, you know what? The other two things you want to do, you need to be secure first before you can do them, because you might get to one, but you might suffer a breach. And because of that, you never get to two or three.

Joe Toste (27:11):

Yeah. That's really, really good. So second question that I was asked was, is the trend gap between company security programs and cyber criminals getting bigger, staying the same, or shrinking? How do you track that? Is the answer significantly different by industry and size?

Kevin Powers (27:30):

The saying you always hear, and every time I hear someone say it, I go, "Ugh." So I'll say it, of course: they only have to be right once, meaning the cyber criminal, and we have to be right all the time. Which is tough to do. So I think cyber criminals are very active, and it's just not the criminal. You have the terrorist, you have cyber criminals, you have the hacktivists, we have all sorts of groups out there. But I don't think the gap is getting wider. I think it's always the same as it is. I mean, there's just so much they can do now on the... They sell crime as a service. If you're on the dark web, you can buy any type of tool you want, whether it's as a service or not, to breach and break into others' devices and companies and computers. So I don't know [crosstalk 00:28:21].

Joe Toste (28:21):

Crime as a service?

Kevin Powers (28:23):

Yeah.

Joe Toste (28:23):

I learned something new today. Oh no.

Kevin Powers (28:26):

Crime as a service. Like, well, there you go. What's the monthly rate? You pay us and there's no guarantee we'll give you the crime as a service, but we'll make some money off you. Yeah. There's stories of that on the dark web.

Joe Toste (28:39):

Yeah. That's so fun. I mean, it's not funny. It's just-

Kevin Powers (28:44):

Yeah. Yeah. So I don't know if I answered your question of like... I guess it's been the same. It's a battle that is going to be going on. And it's like anything, the defense sometimes is harder than the offense. It goes down to risk mitigation, like we talked about. Me having a laptop or you having a laptop at home and you have multi-factor authentication to get in there, you use a VPN, you have other sites, you follow all the best practices. What you're doing doesn't make you secure, but you're dropping the risk. Because they want to go after the low-hanging fruit. So ultimately, if they want to get you, they're going to get you. But it's much easier to get folks who aren't actually following the best practices and practicing cyber hygiene.

Joe Toste (29:32):

Yeah. And I was talking to someone this morning at my company who's on the security team, and their job there is prevention testing. And he was basically like, "We just try and hack our clients and make sure nothing can go wrong and we can be proactive about it." And I thought that was pretty fascinating. And then obviously there's a ton of companies out there who deploy those types of resources to better protect themselves and be proactive against that.

Kevin Powers (30:05):

Yeah. There's a course at Boston College. It's called Cybersecurity Offensive and Defensive Capabilities. And it's taught by Etay Maor, he's the chief security officer over at IntSights. He used to be with IBM Security. Great guy. But I go in there as a teaching assistant just because I love going in and seeing what he's teaching. Every time I go... This class ultimately teaches you to be a hacker. That's why I was bringing it up, so you can better defend. And I go in there and after every class, I just watch what goes on, how easy it is. I just want to take my iPhone and flush it down the toilet. I mean, I feel like, oh my gosh, this is pretty easy to do. But again, and Etay will say the same thing, is that, again, you want to lower the risk.

Kevin Powers (30:47):

So this is why you do these certain things to protect your iPhone and you protect yourself and protect your privacy. You probably think too, and I think this too, you get the question, "Hey, my personally identifiable information is all over the block. It's been breached several times. Why should I even care? Or how do I protect it?" And ultimately it comes down to, well, you should always care. It's you. You don't want someone using your information and taking credit cards in your name or accessing your financials, but how do you protect yourself? One of the keys is monitoring everything you have. Monitoring your accounts. Checking in once or twice a week, looking at your bank statements, looking at your credit card statements, making sure there's alerts on there when there's too high of... You're buying a PlayStation in a Walmart that's in Texas, and you're here in Boston, odds are you're not buying it there.

Kevin Powers (31:39):

And you want those notifications to come in and just monitor what's going on with you and your life. And to give you another anecdotal story on that: if you have your health care data, if someone gets that and they create a second Kevin Powers and they're using it for insurance purposes. And I have type bleep. I don't even know what type of blood I have. But I have type B, that person has type A, they're not allergic to penicillin. I'm allergic to penicillin, but they're the ones using my insurance. They have the card saying so. And I get in a car accident and next thing you know, they look me up and they start pumping me up with type A blood and they're shooting penicillin into me and guess what? I'm dead. So that's why you probably want to monitor what's going on with all your accounts, especially your health care accounts.

Joe Toste (32:30):

Yeah. That wouldn't be good.

Kevin Powers (32:33):

Yeah. I'm just bringing joy and love to everyone, Joe.

Joe Toste (32:36):

Exactly. Okay. So let's go to that last question I received was, if you could focus on just two security initiatives right now, what would they be and why?

Kevin Powers (32:46):

Oh, wow. That's a great one. Okay. Wait, let me back up on that. So you say cyber initiative. So is that national, local, company-wide? How do you want me to handle that?

Joe Toste (32:57):

Company. Company. Yeah, let's go company.

Kevin Powers (33:02):

Okay. Company-wide, first would be training. You have to train all the employees and you have to make it mandated training. It has to be testable training. It has to be continuous training. You got to get absolute buy-in from everyone, including the CEO. And there have to be consequences. I'm not talking about firing people or things along those lines, but if you're trained and you keep doing the same thing over and over, or you're skimping on it. Like, "We have this best practice in place. You need to follow this protocol." And the vice-presidents aren't. They're doing what they want to do because they say, "Hey, it's holding me back. I want to be more efficient." They get punished just like the administrative assistant. Okay. So I would look at that as an initiative I'd want. Then the next initiative... I think training is the most important.

Kevin Powers (33:46):

Let me think two seconds. You got me, Joe. I'm trying to... I have 20 of them spinning in my head. Another initiative for a company on security would be focused on access management. I think that's what... And that goes back to similarly with the policies and protocols. But I think it's an access management policy that's enforced where you actually make it difficult for people to get to certain information, whether it's the crown jewels of the company, personally identifiable information, financial information, anything on the systems. So you make it much more difficult for people to do that because, nine out of 10 times, most people shouldn't have access to much of the data they do have access to in a company. That's one and yeah, I guess those are the two. So training and access management. You gave me two. I was going through my head, going, what else would I do? Then you'd have me on for three hours, so I don't think you want that.

Joe Toste (34:47):

I love it. Yeah. Well, we're going to wrap it up. Where can people find you, Kevin? Do you hang out on LinkedIn, Twitter? What's your spot?

Kevin Powers (34:54):

So I'm on LinkedIn all over the place. So you can find me on LinkedIn or on Boston College's webpage. I'm there and also I am a senior advisor for the law firm of Manatt, Phelps and Phillips. So I help out there and that keeps me really sharp. It's really important. I think I told you this before, Joe, I don't want to be the professor who's teaching and giving you examples from 15 years ago, talking about a Blackberry. I'd like to stay current and up-to-date on what's going on out there.

Joe Toste (35:24):

And what's a Blackberry? No, I'm kidding. I'm just totally messing with you. I used to have one, Blackberry Pearl. Shout out to Blackberry Pearl in 2003.

Kevin Powers (35:32):

I had the Blueberry. You remember that?

Joe Toste (35:36):

Yeah, I do. Awesome. Well, thanks for coming on the show, Kevin, appreciate it. And in the show notes, I'll link to Boston College and to LinkedIn, so people can hunt you down and find you.

Kevin Powers (35:50):

Sure. And can I put a plug in for Boston College there too?

Joe Toste (35:53):

Please go for it.

Kevin Powers (35:54):

Yeah. If you're interested in more training, we do have a graduate program in cybersecurity policy and governance. It's going fully online. It was prepared to go fully online in the fall. Plus we have on-ground programming. We have two professional certificates out there. If you're not interested in getting a full academic program, there's one in cyber strategy, one in data privacy, GDPR, and HIPAA. And finally, we're launching four graduate certificates this fall. One in computer security, the other in national security and global affairs, third, cybersecurity risk management and resiliency, which Joe, you seem to be very interested in. And then lastly, cyber analytics. So got a lot going on and it's a lot of fun. And I'll give a shout out to everyone in Boston who really... Like all our professors, our friends in industry and friends with the government. They've been great to us.

Joe Toste (36:45):

Love it. Awesome. And then just last one, the next conference for the Boston cybersecurity next year, 2021, in-person? Virtual? What are you thinking right now?

Kevin Powers (36:58):

Okay. So I want to say in-person, I would love for that to happen, but I mean, I'm not going to put anyone at risk. I mean, we were there March 4th this year, so there's a great picture of me shaking Director Wray's hand. It's probably one of his last handshakes, probably one of my last too. Ever. I just don't know what's going to happen. So I would love for it to be in Boston College, but it would be so different under the current circumstances. So we're working with the FBI. Could be a webinar and hopefully we can work it out where we have the keynote from the director again. And then maybe a couple of panels that are out there. And then once everything is back to where we were pre-COVID, yeah, you bet we'll be back at Boston College in Gasson Hall, hosting the Boston conference on cybersecurity.

Joe Toste (37:46):

Love it. Awesome. Thank you, Kevin.

Kevin Powers (37:48):

Sure. Thanks, Joe. That was great.

Speaker 3 (37:51):

If you're interested in seeing what Nagarro, a high-end technology solutions company to some of the world's leading organizations, can do for your business, you can email joe.toste@nagarro.com, J-O-E dot T-O-S-T-E at nagarro dot com. Or message Joe on LinkedIn. For all information on Nagarro, check out nagarro.com. That's N-A-G-A-R-R-O.com. You've been listening to the Tech Tables podcast. To make sure you never miss an episode, subscribe to the show in your favorite podcast player. If you have an iPhone we'd love for you to open the Apple podcast app and leave a review. Thank you so much for listening. To catch more Tech Tables episodes you can go to techtablespodcast.com. And to learn more about our sponsor, please visit nagarro.com. That's N-A-G-A-R-R-O.com. And of course you can find Joe Toste, your podcast host, on LinkedIn, Twitter and Instagram. That's Joe Toste, T-O-S-T-E. Thanks for listening.

Joe Toste
Host of TechTables Podcast

I'm passionate about investing in communities locally and internationally across several organizations (Young Life, Compassion, and DP Basketball 🏀 (high school basketball coach)). This passion intersects across technology and the public sector too.