Securing Your Business in the Digital Age: A Guide for Non-Technical Decision Makers
Securing Your Business in the Digital Age: A Guide for Non-…
In this episode, we talk to cybersecurity expert Kip Boyle about how non-technical business decision makers can understand and guard agains…
Choose your favorite podcast player
Jan. 17, 2023

Securing Your Business in the Digital Age: A Guide for Non-Technical Decision Makers

Securing Your Business in the Digital Age: A Guide for Non-Technical Decision Makers

In this episode, we talk to cybersecurity expert Kip Boyle about how non-technical business decision makers can understand and guard against cyber security risks, and how to harness the business value of digital security. He also shares insights on his ex

The player is loading ...
The Valuu Makers

In this episode, we sit down with cybersecurity expert Kip Boyle, who has been working in the field since 1992 and has held various leadership roles in the military, at a top research institute, and at a major insurance company. With his extensive experience and unique perspective, Kip shares insights on how non-technical business decision makers can understand and guard against cyber security risks, as well as how to harness the business value of digital security. He also discusses the common challenges and misconceptions that organizations face when it comes to cyber risk management and how his company, Cyber Risk Opportunities, helps executives optimize their cyber risk management programs. Kip's book, Fire Doesn't Innovate: The Executive's Practical Guide to Thriving in the Face of Evolving Cyber Risks is available as a free download for listeners of the show. This is an episode you don't want to miss if you're looking to up your cyber risk management game and safeguard your business in the digital age.

Meet Our Guest
Kip Boyle is a husband, dad, entrepreneur, and experienced cyber risk manager. He founded Cyber Risk Opportunities LLC in 2015 after 7 years as the CISO of PEMCO Insurance in Seattle. As a captain on active duty in the US Air Force, he served in the Combat Archer and F-22 Stealth Fighter programs, where he was the director of enterprise network security. These days, he serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!

Show Links
Follow us on Twitter: @thedwwpodcast 

Email us: podcast@digitalworkspace.works 

Visit us: www.digitalworkspace.works 

Subscribe to the podcast: click here
YouTube channel: click here


Download your free copy of Fire Doesn't Innovate
Get in touch with Kip on LinkedIn or via email at Kip@cyberriskopportunities.com

★ Support this podcast on Patreon ★

Transcript

Ryan Purvis 0:00
Hello and welcome to the digital workspace works Podcast. I'm Ryan Purvis, your host supported by producer Heather Bicknell. In this series, you'll hear stories and opinions from experts in the field story from the frontlines. The problems they face, how they solve them. The areas they're focused on from technology, people and processes to the approaches they took, they'll help you to get to the scripts with a digital workspace inner workings.

Kip Welcome to the digital workspace works podcast, would you mind introducing yourself?

Kip Boyle 0:35
I'd be happy to do that. Thank you for having me, in the episode really appreciate it. So my name is Kip Boyle and I work as a fractional chief information security officer. Some people call it a virtual chief information security officer. It's interesting, we didn't seem to really land on the single title yet. But I live in work in the in the Seattle area, actually, we have customers all over the world. And I founded a company called Cyber Risk opportunities in 2015. And that's, that's my company have a staff of six and a bunch of subcontractors. And, and you know, and so what we do is we provide leadership to organisations that either don't have somebody who can provide strategic focus on cybersecurity, or maybe they just need some help, you know, getting certain things pulled together. But in any event, that's what I spend my time doing these days. I'm a, I'm also a husband and a dad. And I really enjoy travelling. And so thankfully, I get to do that as part of my work.

Ryan Purvis 1:47
Oh, fantastic. And, you know, our usual question is, you know, what does the digital workspace mean to you? Can you can you give us what your thoughts?

Kip Boyle 1:55
Yeah, absolutely. Well, so we're a, we're a, my company is a is a remote, only firm. So we don't have a centralised office. And I've actually been working remotely, for quite some time. Now, I think the first time that that I started working in an all digital situation was 1998, believe it or not, and, you know, I remember having to wrestle with analogue modem lines in order to be able to do that. And I remember getting our first cable modem, which was an absolute boon, it felt like I was in the office at that point, and, and it just really changed everything. So for me, you know, digital offices is really about being able to work wherever you need to be, and and to be able to get work done as though you were in, in a physical office.

Ryan Purvis 1:56
Yeah, I think the good thing about the pandemic is everyone else is understood that now with new challenges, but I mean, you know, I like you started off my career working remotely, and had these periods where I worked in an office. And I don't think either one's necessarily is better than the other one. I think, whatever suits what you do, and how you do it. But it's interesting how your comment about working anywhere, anytime, and on any device has become such a fluid thing.

Kip Boyle 3:22
Absolutely, yeah. And I feel really, really blessed. And fortunate that that I've been able to do it for so long now. Whereas other people through the pandemic, as you said, are just finding out about how amazing it can really be. And I was reading some comments recently, about just how thrilled and there was this, this one woman who was making a comment about just how tremendous it was that that the work from home opportunity for her and just how it freed her up to do so many more things. And it allowed her to stop doing things that you know, that were not value added, like commuting, for example. And, and it actually reinvigorated me because, you know, you get to a point where you sort of just accept that this is, you know, this flexibility, you know, that you have it. And it's easy to forget, that was a time when you did not have it.

Ryan Purvis 4:18
It's so true. We, as I said to you before we started recording, I mean, I'm down in fancourt in South Africa and George, and you know, three years ago, I used to fight with the boss to come out to South Africa for a month to see family. Now, it's not even a discussion. It's like, well, I'm gonna be there this week. And, and everyone else I know is also doing that. I mean, we were on a call this morning. We're one of the people saying well, you know, I'm here with my daughter, she's writing her exam. Oh, I see she's finishing early so I'm gonna guess you're gonna be driving in the car this afternoon. So I can't do any of those meetings we driving back and I go okay, cant we do the meeting from your car. No, I'm talking to my daughter, you know, we're spending quality time I can work when I get home. And it's a completely you know, these are these are, you know, culturally people that are typically would have said, you know, we have to do the meetings first and then All right to the person stuff announced that it switched around, which I think is healthier for for people generally, which means they're probably making better decisions because they're not stressing about the work before the personal stuff, right? Anyway, we Yeah, at we can talk about this one for hours. So let's check you had a book last week, obviously recording this because some audio issues. So we've had a discussion before you had a book that you've written, maybe let's start off with that. And you can frame that for us and highlight what you want people to get out of it.

Kip Boyle 5:30
Yeah, absolutely. It's called "Fire doesn't innovate". And the title of my book is really a, a reference to the fact that cyber risk, which is what I spend my time focusing on helping companies figure out, you know, what their cyber risks are, and how to deal with them. That cyber risk is a very different type of risk. It's a dynamic business risk, it's not just a technical annoyance, which it has been for the longest time, you know, we, we only really had to deal with it as Oh, somebody defaced our website, let's get it cleaned up, or, you know, Joe, and Accounting has a virus on his PC, let's get that scrubbed and cleaned so that he can work this afternoon. I mean, these were irritants, you know, but but that's not true anymore. And what I observed in my work is that senior decision makers are still think of cyber in this way, which I don't think is helpful to them, because that's just not what it is any longer. And so I wrote my book for senior decision makers, who don't have technical backgrounds, but who absolutely have to figure out how to get their arms around the topic of cyber risk, and what does it mean for their organisation? And what are they going to do about it? And so the, the title of the book, is really trying to capture trying to really hook people, right to make them realise that, you know, this is a very different type of risk. It's dynamic. It's not a static risk, which fire is a static risk. And I can unpack that metaphor, but But you know, that's kind of that was the idea.

Ryan Purvis 7:10
Yeah, I think it's I pointed, I think when we spoke last, I'd spoken to probably about a dozen CEOs, and all their dozen, eight, it had issues recently, and I've been talking down to the day with things they hadn't even conceived. And in fact, I'm now talking to a business to start in January, who wants a BCP business continuity plan to restart their entire business as a minimal viable business? If they already were hit by an incident? And it's definitely kind of thinking I had never conceived people having if you don't, I mean, like you always normally feel like you've got an educated, open, whatever. And this was just a random conversation, where they were saying, Well, you know, could you help us design our backup business? I thought they meant to BCP plan, a BCP mechanism like none other, we wanted to be able to launch a second business, if we have to, from scratch, as a sort of, you know, automated pop up and go, you know, whatever it is, you tell us how we can do this. And I was like, Well, what's driven? Is this a no, it's the risk of it. It's a risk of ransomware. It's the risk of our employees that know where all the important things are. And if if they decide to be malicious, we can do nothing about it. So, you know, and it's also the risk of legacy, you know, we're a really old organisation that's grown through attrition, attrition through acquisition. With so many complicated systems, we wouldn't even know where to start in some cases, or what to do if we lost one of these things. So we need

Kip Boyle 8:47
to it's absolutely fascinating. I love Yes. Yeah.

Ryan Purvis 8:51
So I'll give you the list as we go on that. But but it's yes, fresh.

Kip Boyle 8:54
Can I say a word about that? I want to say a word about that. Because what I tell my customers is that, and really the name of my company, I try try. I named my company what I did, because I would like it to reflect this idea that you just brought up, which is that cyber risk isn't all downside. And it isn't all just ones and zeros, that there's real opportunity in cyber risk. If you can understand it, conceptually, you don't have to understand it technologically. And if you embrace it, right, so for example, the whole idea of being resilient is cyber resilience is a tremendous opportunity for organisations, I love the example you gave where and it kind of reminds me of a PC where you get a virus on it. And instead of trying to get the virus out, you just say you know what, we let's just scrub this thing clean and start afresh because we don't know that we'll ever going to get that virus completely out of that machine. So let's just hit the reset button. And that's sort of what that sounds like and and who ever in the history of organisations before now, would have ever thought that way because you You know, the cyber risks were never present in the way they are now. And so the idea to be to be resilient to stay in business when your competitors cannot, because they've been hit by a cyber attack, and they actually stopped functioning, you might have been hit by the same cyber attack, but because you're resilient, you stayed in business. And there's a whole story in my book about how this actually happened in 2017. DHL in Europe, and TNT Express, which is owned by FedEx, they both got hit by a data wiping worm called not pecha. And one of those organisations stopped functioning, the other one didn't. And you can, What's brilliant about this case is you can look in their public financial results, and you can very clearly see, one of these organisations volumes up revenues up profits up, the other one was completely the opposite story. And, and so the company that stayed in business when the other one couldn't, has reaped long term benefits, because getting people to switch from one carrier to another carrier is very, very, very difficult. Under normal circumstances, there's so much inertia, but this event happened. And the company that stayed in business received a windfall simply because they've stayed resilient.

Ryan Purvis 11:22
Yeah, no. And I mean, I've had friends working in just a company that had the, I don't know if they will link to that one specifically. But the other the other challenge you have with the amount of technology that's floating around, people don't know how to do things manually anymore. Or they've lost that meaning on, you know, writing an order book, and all that kind of stuff. And we would we were moaning about it the other day, because we'd been to Dr. to fill in these forms, we were sort of saying, Well, we've already got everything digitally. Why do you need the forms? And someone actually said, Well, it's in the event that the computers go down, I still have the paperwork that you've signed, and filled in handwritten. And even though I have three backups, and don't let it out all the stuff, I have to meet with compliance. I've still got the paper and I was like, okay, that kinda makes sense. I mean, it's still irritating, but it kind of makes sense. And this is the thing I mean, your resilience can take different forms. Even though everything's pushed towards a digital technology, one of those things has to be consideration for paper. Good, old fashioned?

Kip Boyle 12:24
Oh, absolutely. Absolutely. I mean, even some, even a small thing, like, you know, when I talk to a new customer, and I say, Well, tell me about your did your disaster recovery plans. Tell me about your business continuity plans? And even if they have wonderful plans, they're sitting on a computer somewhere. And so I asked them, if that computer is suddenly unavailable to you, how will you reference your plan? And you can just see a little, you know, sparking light bulb over their head because they haven't thought about it.

Ryan Purvis 12:54
No one No one does. Because we get so caught, we get so comfortable with the technology. Right? So I had this this, it's funny, I was actually thinking about now I'm in this hotel, and I'm in the boardroom. So I left everything here, and I went for a walk. I mean, you know, and I was thinking, funnily enough, on my walk that I'm going to talk to you now in 20 minutes. And I suddenly thought, you know, what, I actually lived everything in the hotel room and even lock the door. I was so trusting of everyone, I couldn't go back in everything would have been gone. That happened, you know, and it didn't, it didn't happen. But but you know, it could have happened. So even even as that are supposed to be aware of these things can can fall into the the complacency problem.

Kip Boyle 13:35
Absolutely, absolutely. That can absolutely happen. So, but just to kind of the roll back, right. So you asked me about my book. And so part one of my book is really a a primer, if you will, of how should How should a senior decision maker who is not technologically accomplished? How should how should that person think about cyber risk. And so that's what part one of my book is about. Part Two of my book is actually a methodology, and a toolkit for how we actually discover the top five cyber risks for our customers, and then create a prioritised mitigation plan. And this is really important because what most people struggle with is they're facing unlimited cyber risk, but they have only a limited budget, and they don't know where to start. They're very confused about, you know, I have $1 to spend, or I've got a pound to spend, you know, what's, what's the best, you know, return for that. And I learned about this a long time ago when I worked as a chief information security officer for an insurance company, and the CFO asked me to come and speak with him one day, and I said, Well, yeah, I'll be right over Steve. And, and so he said, he said, Look, I got your budget here. And you know, this is the third time around where you've sent me your budget, you know, and and I support what you're doing, but the budget gets bigger every year, and I don't really understand it. At the same time, I've got people from marketing and sales and operations, all saying, Hey, Steve, I need money for this and that and the other thing and he goes by, but I don't know, I don't know how to tell them that I'm giving Kip $25,000 To do a whatsits. And you want $25,000 to do, you know, good things that I understand, he said, Kip help me, because I don't know how to tell them, why I'm giving you the money. And so that sort of began this very long collaborative relationship, where I got intensely focused on what is the business value of, of digital security, what is the value of that, and that was really where I had my most transformative experience in my career. And, and as a result, has informed what I'm doing today. And the book and the podcast, and the the courses that I teach, and so forth.

Ryan Purvis 16:01
And I love the you use the word business value, because that is such a nebulous term that's thrown on. And, you know, you and I have very similar pause, which we'll talk about another time. But it's this, it's exactly this problem that we, and this is why I mentioned that the education piece, because you often have to draw people you're talking to not idiots. I mean, obviously, they, they are very good at what they do, they've got there for for being good at what they do. But this is a space that and I'm talking obviously about the cyber risk space within the technology space in some respects. But it's also it's, you know, it's a, it's also a broad space, because the the vectors of attack are so diverse, you know, there is too much to be an expert in it, to be honest, I mean, you could have now an expert in a domain, maybe two or three domains if you really have the time and the expertise. But you know, it's something you got to navigate. And and this is where I mean, I'm reading the reviews in your book again, good, I think you've done that really well in providing the part one, the part two, where you've given the people without the background, something to hold on to, and then how to do it. And that's what people look forward to tell me how to do it.

Kip Boyle 17:21
Yes, and thank you for acknowledging that because that is that is my goal. And another good use case for my for my book, by the way, is I've noticed in the course of my working life, that there's this tremendous chasm between the people who are leading the technology functions in an organisation versus the people who are leading, shall we say, the non technological functions of an organisation, so sales and marketing and, and operations and so forth, there's this huge communications chasm. And I, while I'm not trying to help with that, overall, I do want to help with the cybersecurity part of it. And so a good use case for my book is if you're a senior decision maker, and you can't understand what the IT person is saying to you, because of all the ones and zeros coming out of their mouth, read my book, part one, and then give it to the IT person and say, I would like you to read part one. And then I would like to talk to you because I'm seeing things in this book that I think we are going to are struggling with. And I would like to speak to them, to you about them. And that use case goes the other way, too, if you're a senior decision maker who's very, very technical, but you don't have a great vocabulary to bring these issues up with senior decision maker, then you can give them part one of my book and say the very same thing to them. And you will then create a very, very basic bridge across that chasm which you can then build up.

Ryan Purvis 18:47
Yeah, I mean, that is the point really is it's it's building a bridge that you can strengthen for continuous working together. Because this is it's not a one and done thing I think this is the other thing people don't get often is that the reason why the budget gets bigger and bigger is because the problem doesn't go away necessarily you just mitigate some of the problem or you, you know, expose it when you expose one another.

Kip Boyle 19:12
And that's the dynamic nature of it, right? I mean, we don't really worry about fire anymore, right? London burned to the ground once upon a time, at least once Seattle where I live burnt to the ground, at least once Chicago, big cities of the world have burned to the ground because we tried to bring fire into the cities, but we didn't know how to control it. But we couldn't live without it. We had to have it and so we we sorted it out. And nowadays, it's very rare for for a fire of major fire to break out in the city. And when it does, it's contained and dealt with in a fairly efficient way. But it wasn't always like that in human history. And the reason why it is because fire is a static risk. Once once we've gotten it under control, it's going to stay under control unless we lose our grip. But show cyber is a dynamic risk and it's always going to change So we're never going to have it totally under control. Yeah,

Ryan Purvis 20:03
and actually, it's an issue. But as you were talking, I was thinking about the Grenfell fire in London. And when was that? That was probably 2017, I think. And that was a big deal. Because it not only was it a fire that a lot of people died, it was a fire that could have been avoided if they used appropriate building materials. And they use some sort of mesh that was highly flammable. And that made it worse. And then also the people living there couldn't get out fast enough. And, you know, I don't want to cheapen what happened there to those people. But it is kind of the same thing, in what we're saying, from a business value point of view, where you're explaining what the risks are, and how to get there. And if you cut corners, you end up with a bigger disaster, which in today's day and age, you know, a if you are, especially with GDPR, and those and some of the US legislations coming in, if you break, if ever privacy breach, the fine can shut you down.

Kip Boyle 21:00
Yeah, it can really, let's just say it'll be a material event for you.

Ryan Purvis 21:05
Yeah, yeah, well, exactly. And there's a lot of insurance you can buy for it either anymore, because all the insurance companies because of all the ransomware and the breaches on ensuring for certain things anymore, because there was a good also material.

Kip Boyle 21:20
Yeah, well, and so not only is cyber insurance difficult to get right now, although I think you know that that will unwind a little bit, I think it'll get a little bit better. I'm working very closely with people who are trying to get cyber insurance right now. So I'm regularly in that space. But what I want to say, though, back to your point about that fire in London, is because they cut corners and chose the wrong materials for their building project. I don't know for sure. But my guess would be that they didn't get the insurance coverage. Because they didn't, they didn't abide by the requirements of the insurance to use the correct materials. I can tell you that in a cyber insurance situation, if you say in the application that you do these things, and then you file a claim. And it turns out, you don't do those things, then you'll be given your premium back, the policy will be null, and you'll be on the hook for everything. So why would you? Why would you get a policy and then cut the corners like that? You're just not I don't think you're fully realising what you're doing to yourself. So one of the things I tell my customers about this as is that I don't want you to think about cyber security. As this cost centre, I don't want you to think about it as, as a technical thing, what I want you to do is think of it as high performance brakes on a sports car. Because if you didn't have high performance brakes on a sports car, How fast would you dare to drive it?

Ryan Purvis 22:46
No, exactly. I think that's a great analogy. I guess the only thing is, I would say we didn't buy the fancy car. But that's that's probably just

Kip Boyle 22:57
they all they all seem to want to drive a fancy car and fast and, and really the analogy right is their business, right? So it's like, if you think of your business as as you know, as something that you want to go fast, and you want it to perform well, which of course we all do, I'm a business owner, that's how I want my business to behave, I need to have a great set of breaks. Because if risk shows up, I need to be able to to respond. And I have to be able to swerve around whatever it is that's fallen in my path. And then I need to keep going again. And so So I encourage them to to slow down to go fast. Get those brakes on. And so every now and then you can tap those brakes, navigate around, whether it's something that's falling in your way, or you got to slow person you got to pass whatever it is, those brakes are going to let you get where you want to go.

Ryan Purvis 23:47
Yeah, look, I think your analogy is perfect. I mean, the the the slowest fast and fastest slow, sort of matches what I was thinking about, you're saying that and I think that is some of the other things I said, I was thinking about the ISO 27k process, we were there a few years ago, and there was this big rush to try to get as much stuff done as possible. And it kind of misses the point in some respects because yes, you need to have the building blocks in place. But you actually need to be looking at your business critically to identify where your risks are, and what you're going to do about it and that's actually the real crux of it for me because once you once you have the plan and even even though you may not have all the documentation in place, even though you have a plan to get the document into place and to do the regular reviews and the regular look backs and the and the improvements that helps you set up the organisation and also you know, we involved a lot of people across the business so it wasn't just technical people in the room it was the business people as well. And that made everyone part of solving the problem or be involved in in that journey, which made the training was actually quite light because when it came to the training area we've been to this okay, we get a deal. Yeah, you know, it was kind of like a how we got there. Whereas in other organisations we are have been when no one's been involved. And then they come in with the plan. And they run out and they're like, Okay need to learn this whole 60 slide. But the material, you can imagine what the adoption was like,

Kip Boyle 25:11
Oh, I've seen I've seen it with my own eyes, that sort of thing, you know. And so I love I love the way you did that, because it really works for me, because I believe cyber is a team sport. And I think everybody in the organisation has to have a role appropriate set of responsibilities, so that everyone's pulling on the rope in the same direction, right? I mean, it's a business risk. And so everybody has to be involved. I mean, just as much as, as you know, if you're having problems fulfilling the orders that you're taking all hands on deck, right, everybody's got to help. Otherwise, we're not going to get paid our viability as a business is going to be in jeopardy. One smart ransomware attack will take out, you know, your ability to sell your ability to fulfil your ability to collect money. And so it can be it can be the worst possible business risk. If it materialises.

Ryan Purvis 26:05
Yeah, yeah. And, as I said, I was speaking to some people that have just been through that. And, you know, the, not only does it in some cases the guys can get around it. In some cases, it's devastating to the business, and, and reputational as well, you know, some absolutely, organisations expectation, and what they signed with you, as a provider, is an expectation that you can meet their needs as from that point of view, as well. And when you call it, do it, it almost voids not only the business, but the actual, you know, reputation of stuff to,

Kip Boyle 26:39
gosh, you know, you're hitting on all the great points here. Because that's another thing I tell my customers is your number one digital asset is your reputation. Because without your reputation, nothing else matters. Nothing else you do will amount to anything. And so, so when we work with customers, one of the things we do is we inventory, their digital assets, and I always make sure reputation is on that list near the top if not the topmost item. And it's just, I think that's why people hide, or, or at least, you know, get really coy when you know when something awful happens, because they don't want the hit to their reputation. And, you know, but that's kind of something that's kind of felt in the gut more than more than brought to the front of the mind. So I like to bring it to the front of the mind.

Ryan Purvis 27:32
Yeah, yeah. And I was listening to something the other day they were talking about, I think it was one of the countries that were firing, there IT goes because they were hacked. And I was just another podcast, in fact, and the guy was saying, you know, they're getting rid of the guy IT guys, because they got hacked. But that means that no IT person will ever want to work for that country, to do any of the security stuff. So that so they're not realising that not learning, and they've been attacked, and then reputational damage that way, but they also ruin their opportunity to get out because no one want to work with them, because you're going to, if you're going to hold them to the fire, and you know, you don't know the whole story, maybe those those IT people were saying, Look, we need to do these things, we need to secure this we need to patch we need whatever it is, and they weren't getting any support. Right. Right. And, you know, the in the double whammy of not supporting and then also being fairly charged. You know,

Kip Boyle 28:25
you know, I did a podcast episode on this, and I actually made I actually talked about this on a regular basis. But your IT guy or gal is not your cybersecurity guy or gal. They're not. They really, they, you know, on the surface, you might think they're the same people, but they're not at all they they focus on different things, they think in different ways. And, and so I feel badly for it, people are held accountable for something like that, because I don't believe they were set up for success. Now, I don't know the details of that particular incident you're talking about. But I just tell you in general, IT people are not really set up for success to deal with some of this cyber risk stuff. And I feel very badly for them for that.

Ryan Purvis 29:08
And I'm actually glad you made that distinction, because I didn't make that distinction very well. And actually, if I think about it, some of the best security people I know, are not the typical IT person you'd meet. They've got degrees from different industries. I mean, some people will art majors and dancers, I mean, really different backgrounds. And that makes them kind of best attuned in a way.

Kip Boyle 29:35
Well, it keeps them from falling into the into the typical IT way of thinking, I believe is part of what's going on there. You know, the best crypto programmer I ever worked with was a guy who had a an undergraduate degree in film in you know, making movies and he was he was marvellous as a cryptographic programmer. Because IT people want things to To stay up and running, and then IT people want things to be open, because those are the easiest things to support. But but but, but open things make me twitchy. Because I know that open things are vulnerable things. And, and so you know, they're all concerned about rolling new things out, and happy path, right how great everything's going to be. And I have to do a lot of negative visualisation and figure out what could go wrong. So it's just a completely different mindset.

Ryan Purvis 30:29
Yeah, yeah. And you need this mindset, you need diversity, you need, you know, as many different perspectives as possible. I mean, even even in building, you know, a product or whatever it is. But I think the, you know, the reality is that the way that something like ransomware has grown, is, you know, there's a marketplace to go and sell a ransomware product that you can go buy it for 10 20 bucks, and you don't have to have the technical skill to roll it out and implemented. And that's a scary thing, because that turns anyone into, you know, a malicious actor, which means, yeah, it's more important that everyone's prepared for something like that to come down there. The way?

Kip Boyle 31:10
Yeah, you're actually scaling crime, right, is what that is. And one of my mentors, his name's Don Parker. And he wrote a few books and very influential guy in the 1980s and early 1990s. And one of the things that he said, and he said this to be like in 1999, is he said, he said, I predict that in the not too distant future, we will automate crime with software. And he talked a lot about, you know, what that would be like, now. Now, in 1999. That sounded like science fiction. Yeah, yeah. Well, not anymore.

Ryan Purvis 31:54
We are an analogue dial up. And in those days, I mean, you know, you couldn't even get get a stable condition to play Quake would do. In fact, those would have been doom. And now you can spin it up in the cloud and have, you know, 5000 bots running, you know, by accident.

Kip Boyle 32:09
Yeah. So it's just crazy the way that code has completely changed the nature of crime, right, because it's all still crime in the traditional sense. It's just that we've digitised it. And we've allowed it to scale. And so another thing that I tell my customers to help them understand what's going on is I say, every technology that Amazon has to terrorise Walmart is in the hands of the cyber criminals, and they can terrorise us with it, too. So, you know, think of them as a competitor, right? Because they're gonna act like a competitor.

Ryan Purvis 32:45
No, and that's it. I mean, it's reducing that friction. And if you look at there was something else that I was listening to where there's there was, it's actually a new type of bot framework that looks for pricing differences. So if you're selling a device, let's say, I'll use an example of a MacBook $1,000 on the Apple site, as an example, and you had a cycler of 799, or 399, or something like that, there's actually bosses go and look for that. And if they find it for 399, they'll go buy all of them, and then go sell them on eBay for 999 to make the difference, and the person that that's running that bot thing never actually touches the device, but it's basically a buy and sell drop shipping mechanism. And then all of the main for that. I mean, who would have thought of that as a concept.

Kip Boyle 33:30
It's just tremendous. from a career perspective, I think I remember somebody saying that, you know, five years, hence, 10 years hence, jobs will exist that we can't even imagine right now. As we lose certain jobs, you know, we're going to, we're going to find new jobs being created that are unfathomable to our minds, because just the context is going to be so different.

Ryan Purvis 33:54
Oh, yeah. I mean, it's, I mean, I think I was talking to someone else. So they're by critical thinking, and the ability to unlearn and learn things. And that kind of lives there. Because a lot of people, a lot of people, people, young people still think I'm going to be a lawyer, doctor, whatever it is, and maybe those professionals are pretty much we stay consistent. But even in those areas, the specialisations are even more nuanced than they were maybe 20 years ago, you'd have a cyber specialised attorney now. Yeah, because your example of that, but, but you know what I mean, and well, you know,

Kip Boyle 34:34
yeah, and, and other things, too, like a medical doctor, for example, is going to be working with incredibly different tools than 10 years ago, 20 years ago, right and the same profession in the same specialisation they're going to be, they're going to have completely different diagnostic equipment. They're going to think about disease in a different way. And so over the course of a 3040 50 year career in to discipline, you're going to have to take up and put down tools and take up and put down mental models and take up and put down frameworks at a at a great pace, in order to just keep up with the change in the innovation. And so it's almost like having a bunch of discrete careers, as you as you move through your life, even though you still say, I'm a doctor, I'm a lawyer. But you know, the nature of that work is just changing tremendously.

Ryan Purvis 35:28
And if you look at how I don't if you looked at chit chat GPT recently, but if you look at how that that has changed things, and you can only imagine that if that, and that's a really good example of technology being useful. And I say that a comparing to other chatbots that I've dealt with this week that have been completely useless. You know, I was I was writing code, they would have probably taken me two or three weeks to write myself. And I mean, that in the sense of having time, you know, researching stuff I was running into whatever it was to get that code out. You know, I wrote that same code, maybe an hour. And as I wrote it, I was asking questions of that, of that Chatbot. And it was given me all the samples and all the examples that I was just constructing what I needed. Now, if you take that and apply that to the medical field, where you're asking questions and getting answers around your symptoms and stuff, you know, there's still need to have the doctor interpreted and make sure you're not going down the wrong wrong path. But the model becomes more replicable as you go. And as cyber, as a knowledge base grows and grows and evolves, that becomes even better. Because you know, you could have the ask the question, I'm a business that's, that's located in the US or the UK, whatever it is, only, I've only got 200 people, what stuff I should be doing on a daily basis and giving you the the examples and helping you to, you know, plan and address issues. And I think this is that's a really exciting space to be growing.

Kip Boyle 37:00
It is exciting. It's also dreadful, in the sense that I've been talking to people who find that it's going to So change the nature of their work, that they're having a hard time envisioning what their work will be like, I was speaking to a writing professor. And there was a whole question about, you know, well, how will I know if somebody has written their own work? Or if they've, you know, gotten an AI to write the assignment for them? How will I know? And if that ends up being an acceptable way to produce written product? Well, then what am I for? Why am I here? And do I need to do something different? So it's really, I think, two sides of the same coin. The upside is is is tantalising. But but there's, you know, but for other people, there's, there's a, there's a downside, that they're, that they need to figure out what to do with.

Ryan Purvis 37:55
Yeah, sure. I mean, I think that's the reality, they need technology that comes out. I mean, you look at, you know, you know, we had sailing ships, I mean, I spoke to a guy in the, in the sauna the other night, he came to South Africa, 50 years ago, an Austrian guy. And I asked him why he came. And he said, while he was young, and he was an adventurer, and it was only a three week trip on the ship. And I was like, Oh, I hadn't thought about that, you know, we take for granted that we just fly. And, you know, he would literally, you know, he was explaining like this three week trip on the on the boat. And, you know, there was there was all this risk, and all the rest of it. And then when he got here, to go back, was another three week trip. And he decided there was, you know, there was too much opportunity here. And, you know, in the time he was here, it went from, you know, taking buses everywhere, to taking trains everywhere, to flying everywhere, to travel all over Africa, in all those different modes of transport as they became more and more prevalent. And, you know, that would have displaced so many different jobs and people who had to have changed. So I think I mean, that's it, you know, I hear I hear the argument, but I think the good side is that you've got the opportunity, if you're willing to change, you can change. Right? This is definitely the stuff not going to get off those jobs in the next 10 years. 20 years anyway,

Kip Boyle 39:11
you know, I don't I don't, I don't bring it up. Because I'm trying to disparage the change, I bring it up because you know, we're really talking about digital workspaces. And, you know, in some of these things are going to change a person's digital workspace in a way that will please them. And some of it will change their digital workspace in a way they don't know how to think about yet. And so I just think that that's just part of the landscape that we're in.

Ryan Purvis 39:33
Oh, sure. But what so what I what I was, yeah, I totally agree with you. And what I was trying to get to with that person in particular, is who cares if they use the AI to write it? Because they're still gonna look at it and make sure they understand what the AI is written. But, you know, the, the method will have to change and the mean look at it, the education system, like and this is a, you know, we could talk about this for hours, but the education system, so archaic, there Add in a neat stuff like this to, to thing. I mean, I read a very good book series, which I recommend, by reg brown or Rick Brown, called the frontier saga. And I'm on the latest book. And basically, I mean, it's a science fiction space opera just to give you some context, but they've gotten there going forward 500 years. And the population now relies on AI so much, that they don't know how to make any decisions for themselves. And that's, that's where I think is the is the line that's too far, I think you've still got to, you know, the whole point is to be a critical thinker. Yeah. and what's in front of you, that kind of stuff. But I think, you know, we value some cases, so much effort on manual labour. There, you worked 18 hours today, or what did you produce our roads? This 10,000 page thing? Okay. Was it was it any good why? I don't know. I just wrote it, you know, it was just it was a labour of love, or whatever it was that, you know, that's not necessarily conducive to quality or value. And I think this is where, hopefully, these tools will help us. And I mean, I think the reason why we need it in, especially in the cyberspace is because I think there's such a volume of stuff coming. The only way to resolve it is to have some intelligence that that doesn't sleep that's looking for, you know, and this is the Nirvana looking for the problems to help us to resolve them. Because at some point, you're going to definitely get it from the attacking side. So you need to have it on defence. I agree. So, yeah, so yeah, that I mean, I suppose it's a bit of a, obviously dystopian, but it kind of kind of made me think of the Terminator thread that we've always worried about that,

Kip Boyle 41:37
oh, my gosh, you know, you could you could use our fear of this manifests in story, and movie and there's, there's no lack, there's Terminator, there's the matrix, I think, is another really great, dystopian, you know, view of artificial intelligence and how humanity might lose control of its destiny. Gosh, innumerable, you know, standalone episodes of different shows. I mean, it's a deep fear that I think that we're grappling with as a race as humanity.

Ryan Purvis 42:15
Yeah, yeah. Well, I think it must be something inherent in us that we're always looking for something scare ourselves. Mysteries.

Kip Boyle 42:24
Well, I think there's there's no Sabre toothed Tiger, around the corner. Right. But I still think we sort of have this innate sense of, you know, what should I be afraid of, you know, like, how, how should I sensitise myself to, you know, the, what's the next threat? So that, you know, I can be prepared? I perhaps that's what it is? I don't know.

Ryan Purvis 42:44
No, I think I think you're right, I think we still have those things that are genetic, so we need to do it. somewhere or another. So So last time we spoke, you wanted to offer out a copy of the book to any listeners? Is that still something you want to do?

Kip Boyle 43:00
Oh, yes, absolutely. So so very much want to do that, Ryan. So listen, I really appreciate the fact that you, you know, have invited me to be on the episode here. And, and you gave me a chance to kind of share my perspective on cyber risk. And, and you even put up with hearing me talk about my book, well, I don't think it's fair for me to talk about my book unless I make it available to, to the folks who are listening in. And so that's, that's what I want to do. So if anybody would like a copy of my book, I'd be happy to give you a free copy. I've got a landing page, where you can go and retrieve it from, and we're going to put the URL to that in your show notes, if that's all right. And, and then people can just can just go right to it. And just, you know, give me your email address. And we'll make the book available to immediately. And I would love to get any feedback about the book that you might have after, after reading it. I love to talk to people about about this topic. And and I'm thinking about, you know, does does my book need a new version? And if it does, you know, what should change, but I'm always interested to hear what people think about it. So thank you so much for giving me the opportunity to share my book with your audience.

Ryan Purvis 44:19
No, no problem at all. And I mean, I stopped reading it, but I stopped because we had to re record. But the first two chapters I read were really good. So I recommend you that. And then if people want to get ahold of you, what's the best way?

Kip Boyle 44:31
Well, you can either send me an email Kip@cyberriskopportunities.com. Or perhaps the easier way would be to send me a message on LinkedIn. That's the social network that I spend most of my time on. And so either either of those two would work well.

Ryan Purvis 44:51
Fantastic. All right. Well, we'll put that all in the notes as well and on your profile so people get a hold of you. Thanks so much for sharing all your thoughts, and then it would be it's been a great chat. I think round two has actually been Round one in some respects, so appreciate you making more time for me.

Kip Boyle 45:04
Absolutely.

Ryan Purvis 45:08
Thank you for listening to today's episode. Hey, the big news app producer, editor. Thank you, Heather. For your hard work on this episode. Please subscribe to the series and rate us on iTunes or the Google Play Store. Follow us on Twitter at the DWW podcast. The show notes and transcripts will be available on the website www.digitalworkspace.works. Please also visit our website www.digitalworkspace.works that works and subscribe to our newsletter. And lastly, if you found this episode useful, please share with your friends and colleagues

Kip Boyle Profile Photo

Kip Boyle

Cyber Resilience Thought Leader | CEO, Cyber Risk Opportunities

I’ve been working in cybersecurity since 1992. I started as an air force officer, leading information technology teams. My assignments had us handling very sensitive information related to air-to-air weapons testing, so we were expected to practice what I now call “good cyber hygiene”. My most challenging job during this time was director of wide area network security for the F-22 “Raptor”. At the time, we were getting ready for the first production jets to come down the assembly line. It was very exciting!

After the USAF, as a project leader at Stanford Research (SRI), I helped many Fortune 100 firms grapple with cybersecurity on a large scale. The problems they were dealing with were often 5 years or more ahead of the mainstream. So, there were no “off-the-shelf” solutions and many of our customers didn’t even know where to start. With no one else to turn to, they would come to us.

Fast forward a few years and I was selected to be Chief Information Security Officer (CISO) of an insurance company. They owned a few subsidiaries, so I was also providing cybersecurity leadership to senior decision-makers of a community bank, credit union, debit/credit card transaction processor, and an IT managed service provider. I learned a lot about the business value of cybersecurity during those years.

Then, in June of 2015, I launched my own company, Cyber Risk Opportunities. These days, cyberattacks are hurting businesses, even bankrupting them. That's wrong! We help executives manage cyber as the business risk it has become. So they’ll be ready no matt… Read More