0:30
And hello everybody, you're very welcome to a new episode of Redefining Cyber Security.
0:43
I'm Sean Martin, your host, where I have the pleasure of having conversations about a topic
0:51
The years and years I've been working on security, from protection and detection and
0:57
response, and looking at things from an operational perspective, I've landed in a world
1:03
where I believe security has a chance to do good things for the business.
1:09
Not just be a department of no and of controls, but actually drive business value and
1:15
protect the growth and the revenue that it generates.
1:19
And it's not an easy task if you're sitting in the CISO seat, and my guest today sat in that
1:26
seat for quite some time, in some organizations you probably are familiar with.
1:31
Roland Cloutier, how are you, my friend?
1:34
Sean, I am fantastic, and thanks for having me.
1:37
It's a pleasure to have you on.
1:39
I forget when we chatted last, but it was a good conversation and I'm happy we have a
1:43
chance to connect today.
1:45
We're going to be looking at executive and employee protection programs and kind of what
1:52
that means from a security leadership perspective and a business perspective, and some of the
1:57
things you're seeing and hearing in that world, and perhaps how our organizations and security
2:03
leaders need to think about that stuff.
2:05
So I'm excited to have that chat.
2:06
Maybe a few words about the things you've done in the past that led you to where you are
2:11
now, or what you're up to at the moment.
2:15
Well, 30 years go by really, really quick, Sean.
2:18
I think what's interesting is that I actually started out on, quote unquote, the other side.
2:24
So I came from the Air Force and their security police and anti-terrorist division, and that
2:32
migrated into civilian law enforcement, federal law enforcement, and then I got a lot of
2:39
cases that happened to have security, risk and privacy issues associated with cyber and
2:44
data and all that cool stuff.
2:46
So I actually went back to school to learn about cyber, and the next thing I know I fell
2:51
in love with cyber, and second career, 20 years later: chief security officer for EMC, for
2:59
ADP for a decade, ByteDance, and for the last few years, before coming into an advisory role,
3:06
supporting other chief security officers and CISOs in their roles.
3:10
I get to do a lot of stuff, and one of my passion areas, of course, is being a converged
3:14
security leader. I wrote a book on it, and it has been part of me helping other organizations
3:21
for the past several years.
3:23
Yeah, it's a good natural way, I feel, to establish a relationship with people and then get an
3:30
understanding of what's going on, big picture, driven by real stories, reality, right?
3:37
So what are some of the things you're seeing organizations struggle with that maybe not
3:45
every organization realized they should be struggling with, or may not realize they are
3:50
struggling with and can't put their finger on what it is?
3:53
So, you know, typically there's really three flavors of this: two are from the CSO side
3:59
and one's typically from the general counsel side, when I'm working with customers in this
4:06
The first is an emergent issue that happens with a business: someone threatens an executive,
4:13
the CEO, a workplace violence issue.
4:17
I mean, it could be one of several different things, a travel security issue with a lack
4:22
of operational expertise in place, and they turn to the CSO and say, you do this stuff
4:27
for a living, why don't you help us and make sure we're doing this right?
4:31
So it becomes, you know, sometimes a sense of urgency to figure out what an organization
4:37
should be doing at what level, and it's often, you know, the normal knee-jerk reaction and
4:41
then, you know, a pragmatic review.
4:44
And the second flavor is when it comes in a not urgent way, but a CEO or the executive
4:53
leadership team turns to a security executive on either side and says, you know, we'd like
5:00
We have costings we'd like to do, and I'm tired of two different security leaders coming
5:05
to me with two different sets of risk metrics, priorities. I want one throat to choke or
5:13
one back to pat, I think; look at it and figure it out and create something that makes sense
5:20
And the third one is not much different. It comes from normally non-security practitioners
5:26
on either side, and comes from the CEO or general counsel that says, you know, I'm being
5:32
asked questions from the board about our ability to protect our executives, resiliency and
5:39
threats to the business, their security, and I don't think we have a good handle on it.
5:44
And I would like an external view, from someone who has done this before for large companies, to help
5:50
us figure out how to do that.
5:53
And that has been, you know, kind of over the last, call it three years or so, the majority
6:00
of the cases that have come to me.
6:04
And so how, I guess, like my question is, how, as with many things in the early days of cyber,
6:13
and I think executive and high, high-level employee protection programs, it's kind of a fairly
6:22
new concept in the grand scheme of things.
6:25
Security is not new, but it's relatively new compared to a lot of other things.
6:30
And I'm wondering, do organizations recognize this risk, or are they waiting to hear that
6:42
their counterpart or the next business sector had an issue, or some news element finally
6:48
makes the mark to catch their attention?
6:51
What's the awareness of this?
6:52
I guess that is the question.
6:54
I think there's becoming more and more awareness since the attacks on some business executives
6:59
in the United States a couple of years ago and in ongoing cases around threats to people.
7:07
I think it becomes a consistent message, and quite frankly, the level of violence perpetrated,
7:14
as well as attacks through technology on identity and, you know, whaling and all the other things
7:20
that we've seen around BEC-type issues, it just kind of accumulates at the same time.
7:26
I think convergence, in my opinion, of course, I'm slightly jaded, but is super important
7:32
when you think about our responsibilities as business protection executives, right?
7:38
Our jobs are around ensuring the continuing operations and capability and the leadership in the
7:44
go-to-market of a business or an agency or whatever we do, and some of that is cyber, some
7:52
of that is resiliency, and some of that is the resiliency and availability of the people involved.
7:59
And so it all mixes together, and I think from my standpoint, from my purview, is that
8:06
we often think it's a cost level, right?
8:10
Often businesses will push in this direction and say, I don't need a CISO and a CSO and
8:14
a director of corporate security and this and that, and there's a lot of reasons for it,
8:19
but I think a lot of people immediately go to cost, and there are obviously cost multiples
8:25
It is the leveraging of the expertise on both sides as a force multiplier, and I'll give
8:31
you a couple of examples.
8:32
So most people, especially in what we do, understand that physical security and facilities defense
8:38
and public safety now have a lot of technology embedded.
8:41
And whether it's gauging large, it's technical security, whatever you want to call it, or it's
8:47
the management of certain intellectual property defense, or it's our phones, or what have you,
8:56
there's an aspect of technology involved in physical security, and our DevSecOps and our
9:03
engineering teams have been doing this stuff for a long time.
9:06
So giving them yet another discipline to add, from the SOC or the CERC or the threat intel
9:15
platform or an operational control platform or what have you, physical security,
9:21
device control management, PCEM integration, it makes sense, right?
9:26
You have a set of engineers that can provide a set of services in the existing infrastructure
9:30
architecture that they know, lead and manage, and so you get a better quality product.
9:36
Faster to a global initiative; typically these companies are global.
9:41
Secondly, you get a better threat picture.
9:44
I mean, at the end of the day, you get a better threat picture, right?
9:47
Because there can be a threat to the business, and often you can have a threat to people
9:51
and the implications of that.
9:52
So are people trying to steal data through an individual? Are they trying to get through
9:56
their homes into corporate devices, or just get information to hold, you know, hold them
10:02
hostage in some way, you know, or blackmail them?
10:04
I mean, there's a lot of ways to look at this.
10:07
I've seen companies have up to four different threat management platforms for their company,
10:14
including cyber, executive, brand, and customer, right?
10:19
And they all report differently.
10:21
There's no single threat view, and there's no team working all the threats.
10:24
Again, it gives you this ability to consolidate the data to become a real, true force multiplier
10:33
in seeing that visual picture, that threat, and then being able to prioritize those risks.
10:38
If I go in with a clear picture about the totality of risks associated with security to
10:44
the organization, and sit down and can step through them and their implications with the CEO
10:50
or executive security council or what have you, it's a much better conversation than
10:55
the head of risk, the head of cyber, you know, the head of physical security coming
10:59
at different times to talk to different groups without a standardized way to prioritize,
11:04
manage, and address those threats.
11:05
So again, it's a great way to do our jobs better.
11:12
For me, the natural course would be the executive leadership team would have a question or a set
11:23
of questions that are not siloed like the teams are, right? They wouldn't go to security
11:29
and say, give me the security risk or security posture; give me the physical team, security
11:36
team, give me the challenges you're facing. They have the business view.
11:43
Tell me, as an organ-, as a leadership team, these things. Are we at a point where executives
11:50
know how to ask that question across silos, or what are some of the conversations and sound
11:58
I think they're getting better. I think they know what they don't know, and they're asking
12:04
people to get the answers, is the way I would look at it.
12:08
You know, for other people, it's just another G&A function that they have to, you know,
12:12
there's just a reality to that in many cases.
12:15
But most organizations have an informed board, especially public organizations or those
12:21
around critical infrastructure or those that have, just call it critical jurisdictional
12:27
oversight from different regulators.
12:30
And so those organizations are starting to hear questions from their board about the
12:35
resiliency of their people, threats to executives, threats to the company.
12:41
Others are involved in different areas.
12:43
You know, when YouTube had the shooting several years ago, they did a great job in sharing
12:49
what went well, what went wrong, and what they would do differently with other folks in
12:55
So you saw other social media companies, competitors, actually listening and learning and doing certain
13:01
So you see this industry by industry many times.
13:06
Unfortunately, some of it pops up when there's a negative impact event. You know, we saw
13:10
that a couple of years ago, you know, with the shooting in New York.
13:15
And so, you know, that industry took a clear and different view and learned.
13:21
But to answer your question, yeah, I think people are asking the right questions.
13:25
And one of them is, what's the right level of security for the threat to the business
13:32
and the type of people that we have working for us?
13:34
I think that's one.
13:36
The second one is, how do we care for our employees when they're working on our behalf
13:41
I mean, think about how many people this week happened to be working somewhere in the
13:46
Middle East for their organization and found themselves in a tough situation.
13:50
Do we have the ability to provide the capability to remove our people as necessary, protect
13:56
them, facilitate transport, medical evacuation if they need it, and all those things?
14:01
And people are seeing this as part of due care.
14:04
And the last component, I would say, that people are learning well is, do we have the
14:11
right organizational structure, right?
14:14
Are we set up to succeed?
14:16
Most informed CEOs and general counsels I talk to don't have the knee-jerk reaction.
14:23
They're taking a step back and saying, how do we measure the risk, apply a lens that's
14:30
appropriate for our organization, and that we can carry forward and continue to do that
14:35
view and make those right decisions?
14:38
And I think that's a great approach.
14:40
I remember it was around the time of the pandemic, and there was a lot of, I'll just say, unrest
14:48
a number of years back, with demonstrations and protests and whatnot.
14:53
I was speaking with a security leader at one of the large banks here in the U.S., and
14:58
she was describing this need to not just protect the banking systems but to protect the
15:05
She wanted to ensure that her employees at the bank were safe online but also at home, because
15:14
they were all working from home and perhaps in areas where there was unrest as well.
15:20
And so they took this total view of how do we protect our employees digitally and from
15:27
a cyber perspective, but also from a physical and even a health perspective when we tie the
15:32
COVID stuff into that.
15:33
It was an interesting conversation I had with her a couple of times, and I'm wondering,
15:38
it doesn't seem like a lot of organizations have that view, right?
15:42
It's, there's the system, the person gets rights to access that system, and that's the
15:47
stuff we're going to protect, and we'll give them health insurance, but that's the extent
15:53
of the additional care we provide, and unless you're an executive, then maybe you get some
15:59
detail too if you're traveling into a bad place or a risky place, and we might monitor your stuff
16:08
online to make sure you're not being targeted for ransomware, extortion, whatever.
16:13
Where do we sit in terms of kind of softening things from the pure tech perspective to really
16:21
understanding and caring about our people?
16:24
So I believe that the best-in-class companies that do this do it well with a risk
16:32
funds, but a broader discussion on employee protection, not just executive protection.
16:40
That doesn't mean having a bodyguard for every employee; that's not what I'm talking about.
16:45
What I'm talking about is having the conscious and capability to understand the environments
16:51
that the people work in and where they live, and having programs that provide a level of continuity
17:00
and capability that ensures that their employees are safe, the best that the company can provide.
17:09
I think that's number one, and I'll give a couple of examples of that in a second.
17:12
And the second part of that is, when there is a higher level of threat,
17:16
a threat against an executive, a threat against a key employee, or a key employee who would be targeted
17:22
because, quote unquote, they have the keys to the kingdom or they are the only people that
17:27
understand a very sensitive part of the business, is that the business takes a special view of that
17:32
and understands that the employee's ecosystem is not within the four walls of the building of the
17:37
office that they operate in, but rather it is part of their home life.
17:41
What we call their total life, and how they operate, and the risks to their family and their home
17:47
and other things, and they take an approach with higher-risk issues, whether they be episodic
17:54
or they be permanent because of an individual's perspective, that they offer a reasonable level
17:59
of due care and assistance to ensure that they have the necessary help, given the position the company has put
18:06
them in because of the position that they do. That's kind of in that area.
18:11
Now, getting back to the employee area, I'll give you some, you know, some pragmatic views of this.
18:16
Maybe an organization has a capability that's watching for major events in large
18:24
populous areas that their employees live in. Maybe they have, you know, a branch in
18:29
New York, a branch in Nashville, a branch in Atlanta, a branch in the Bay Area, whatever it may be,
18:35
and their threat intel group or their employee protection teams monitor for significant
18:42
events. And so not just, one, do they have a fire in the building, are they sending out an "are you okay?"
18:48
When there is something in a geographical region that impacts a significant employee level,
18:56
they send out "are you okay?", or maybe it's everyone. Then they have some great automation in play that
19:01
says, hey, I know you live within two miles, and you're a work-from-home employee, of, you know, this
19:07
major, you know, fired petroleum, are you okay? And then they have assistance and operations available to
19:16
help those out, whether through a few third parties or through their own internal managed service.
19:21
That's great. Now, I happen to have worked in the past for, you know, a large multinational
19:27
that specialized in human capital management technology, that focused on making sure that
19:33
their people were up and able to help and support their customers, and so they had
19:40
a massive capability initiative to be able to roll out, kind of in a FEMA mode, when something
19:46
major happened, a hurricane or, you know, a massive disaster, to go into those areas, set up capabilities
19:53
to get their people out of harm's way, get them to a location where they and their families were safe,
19:58
and get operations back up and running. And it wasn't just about the business getting up
20:03
and running; it's making sure their people and their families were safe and they were able to do
20:07
their jobs in a safe location, and so then the two helped each other. And I know the employees were
20:12
really appreciative of that, and so were the clients. So that's one example, but I think there's two
20:18
sides to that point. Absolutely. Well, we have a few minutes left here, and I want to kind of bring
20:27
this back to the security leaders who listen to this, and perhaps maybe you, and some of the
20:32
practitioners who may or may not see things in logs that might make them think, hmm,
20:40
it didn't trigger anything from a tech security perspective, but now that I'm hearing
20:46
this conversation, perhaps there's an employee, human perspective we should be looking at as well. So
20:52
some thoughts and comments for CSOs, CISOs that may be thinking about this area and may not
21:00
know how to approach it with their ELT, and I don't know, are there ways to tap into the
21:07
board perhaps to make some change here as well? Then we start at the easiest level: maybe it's not
21:12
a segmentation in a coverage program; maybe it's a shared program, right? Maybe we become
21:18
service providers to each other. There's a CISO on one side and a director of physical security or CSO
21:23
on the other side, and the CISO provides engineering and threat intel platform services. Maybe there
21:33
is an opportunity for the CISO and CSO to marry up risk and threat services from a prioritization
21:46
together as they go in and look at these things. Maybe there are opportunities for the organization
21:53
to leverage executives going across each side so they have more rounded teams; that is often one of the
22:00
things that they can do frequently, and I see really great leaders and executives coming from
22:07
cross-programs. So that's number one. Number two is, you know, start thinking about what your business
22:13
needs, where they feel gaps; they're going to tell you. I mean, this is nothing new; this is something that
22:21
I think we hear often and don't understand. So have an open conversation with your leadership,
22:32
have an open conversation with your CEO or whomever, and ask, you know, are you getting
22:42
everything you want? Do you think that security, risk and privacy and physical security can
22:47
be providing more, and if so, what? And then do a planning session. Sit back and say, okay, if I'm
22:52
going to jump into this, what are the things the business is asking for? How does it help our
22:57
go-to-market, our customers, our employees and our shareholders? And then do a crawl, walk, run. You get
23:03
some news done up before, and sit back and say, what are the things I can do with existing people,
23:09
existing programs? What are short-term things that we can do as an organization to plan for
23:18
a next step, to create the level of service capability that they want? And then start talking
23:25
about the importance of convergence and how to have a standard management umbrella, risk view
23:30
and service delivery and financial model that makes sense for your business. I think that's kind
23:35
of the best way to start. Yeah, yeah. This is spurred by a post you made on LinkedIn, and
23:43
I love following what you put up there, and so I'll link to that article
23:48
slash post in the show notes and hope everybody connects with you and follows along with all
23:54
the other stuff that you put out there. It's good to see it, and thanks for
23:59
giving back to the community. And Sean, thanks for having me. I'm glad to catch your eye, and happy
24:04
to always have these chats with you, so thanks so much for having me on the podcast. Likewise, I
24:08
appreciate you taking the time, and thanks, everybody, for listening and watching this episode of
24:13
Redefining Cyber Security. Hopefully it opened your mind a little bit more, like it did for me,
24:18
and got you to think a bit, and then perhaps take some actions to change how we approach security
24:24
in our organizations. Until next time, we're all, and thanks everybody. Thank you.