Episode 65
65: A New Cybersecurity Paradigm- with Ken Fanger
Meet Ken Fanger
Ken has 30 years' experience, he's an MBA, a CMMC-RP and is part of the Cyber Reserve and a graduate of the Goldman Sachs' 10KSB Program. He is working on an international project to help AI increase voter engagement. He has started the movement towards Humanizing Security - to make allies of all of us.
Resources
Connect with Ken!
Relax: A Guide To True Cyber Security
Highlights
00:00 Introduction and Childhood Memories
00:50 Favorite Board Games Discussion
03:27 Guest Introduction: Ken Fanger
04:55 Humanizing Cybersecurity
10:23 Department of Defense CMMC Requirements
18:45 Mission Safe: A New Perspective on Cybersecurity
18:53 The Importance of Backing Up Your Systems
19:59 Reframing Cybersecurity: Protecting Your Work
20:57 Introducing 'Relax: A Guide to True Cybersecurity'
21:29 A Personal Story: The Importance of Multi-Factor Authentication
22:56 The Triple A of Cybersecurity: Aware, Address, Arise
24:35 Psychological Recovery After Cyber Attacks
25:57 Human-Centered Approach to Cybersecurity
27:07 I Just Learned That: Fun Facts and Rants
32:24 Contact Information and Final Thoughts
Connect with the broads!
Connect with Lori on LinkedIn and visit www.keystoneclick.com for your strategic digital marketing needs!
Connect with Kris on LinkedIn and visit www.genalpha.com for OEM and aftermarket digital solutions!
Connect with Erin on LinkedIn!
Transcript
[00:00:56] Erin Courtenay: Oh, this is easy. Trivial Pursuit. Total nerd. Yeah. Yeah.
Because I realized when you're a kid around sixth grade, you're learning all that stuff. So you're like an expert and all the adults are like, what was that historical? Yeah. So it was definitely Trivial Pursuit because I was a genius.
And all I kept reading was hors d'oeuvres, and I'm like, I don't, I don't know what this is. And I couldn't, you know, I just didn't feel very smart at that moment.
[00:01:50] Kris Harrington: Okay, good. Yeah.
[00:01:58] Kris Harrington: But I didn't even know what it was.
I just kept reading hors d'oeuvres and I'm like, I'm blank.
[00:02:05] Erin Courtenay: Lori, what's up?
[00:02:15] Kris Harrington: Well, it's fun if you, you know, if your spouse really enjoys it as well, then it's something that you can enjoy together.
Yeah. I really loved playing Yahtzee. And I remember when my grandmother used to sit around the table with me and she would, you know, after dinner and things would be cleaned up and we would have games of Yahtzee and, but I was just curious, you know, are those still games? You know, the games that we mentioned, are they still games that kids love? Erin, you've got some kids.
There's all these clever little card games that are out. I mean, there's, there's a really a lot, Kris, and I'm sure your nieces and nephews will be, but the classics have, they're just as popular as ever. So you can't go wrong.
But this is a perfect time to introduce our guest. We have Ken Fanger here today with us. And let me just tell you a little bit about Ken. He has 30 years' experience. He has an MBA. He is a CMMC-RP. And if you don't know what that means, he's a Cybersecurity Maturity Model Certification Registered Practitioner. And he is part of the Cyber Reserve and a graduate of the Goldman Sachs 10KSB program. He is working on an international project to help AI increase voter engagement. He has started the movement towards humanizing security to make allies of all of us. So welcome to the show, Ken. Great to have you here.
[00:04:16] Kris Harrington: Yeah, I am so curious. I know that this conversation probably can go into so many directions. I will tell you right off the bat that when I saw your profile, I was like, Oh, great. Maybe he can answer some questions for me because I recently attended a conference where we had a speaker who spoke about cyber security.
And the entire audience was silent because it was kind of scary. And she threw a lot of information at us in one hour, a little bit about what you can do to prevent it, but more of the scary stuff. So, I think we all have a lot to learn in this area. And with that in mind, I'm curious, what is humanizing security?
The problem with that is that doesn't create security. It just drives people to hide and avoid telling you when bad things are happening. So I started humanizing security and I'll give you two quick stories that I think will help kind of define this. I was at a cybersecurity conference a couple years ago, and they had a white hat hacker.
And this is somebody that gets paid by large corporations to find a way to attack them. He was attacking banks at the time. And the first thing I loved was the way he attacked the bank with his most advanced technological approach was he knocked on the back door of the bank. And he kept knocking on it until somebody answered.
And then he said, I'm a contractor. I've lost my badge. I'm going to get fired. Let me in. You have an IP latency issue. The person let him in. They ended up getting to the server room and then he was free to do whatever he wanted. But he said something at the end of that, that really changed my whole mentality. Because he said, I want you all to think about this. We want people to stop being good people. That person that let him in was trying to be a good human being. And we're like, well, you can't do that. We want fear. If you do this, you're going to lose everything. And do we want to make a world where we are so afraid to be people we don't do anything. That's where humanizing security started from.
And ironically, one session later, there was a major company there and they put up you can't patch stupid. And I was like, so this is how we are defending people that count on us. We call them stupid. We say they're the weakest link. If you go out and search on Google, you'll find that 78 percent of companies think the users are the weakest link in their company.
If you are the problem, why would you want to work with me to solve the problem? That's where humanizing security is changing. We're asking those questions. How do we make people want to be part of it? And I'm going to ask you guys a quick question. How many of you at your companies have email phishing training programs where they send you fake phishings?
When you click on that, what happens?
[00:07:32] Ken Fanger: Well, if you click it up by accident and click on the link, the next thing they do is require you probably go through remediation training. Right?
I'm real paranoid. The fear has worked, but I love what you're saying.
[00:08:01] Lori Highby: It's a punishment.
At the end of the month, we give a 10 gift card to everybody that reported that there was an attack. Oh, okay. Word system, simple change.
[00:08:37] Ken Fanger: So that's one of the ways we're trying to encourage. And one of the things, have you ever heard of the term psychological safety?
[00:08:45] Ken Fanger: So psychological safety, Dr. Edmondson out of Harvard had a book called The Fearless Organization, and she talks about this idea, and I describe it this way real easy. Psychological safety is an environment where you can give people bad news and not be punished for it. You can see how important that would be in cybersecurity.
But we don't do that. We do a lot of the exact opposite. If you clicked on a bad link, you could get fired. If you cost the company money, you could get fired. We punish quickly and recover slowly.
[00:09:22] Lori Highby: Yeah, my brain is just like.
And so this is exciting and particularly in the industry we're talking about in manufacturing because the fear. The fear is real around tech, generally, that kind of pervades. And then you kind of like, amp up the fear level on something so important as cybersecurity, and then you just create chaos. I love hearing that you're working on an antidote to that. That's awesome.
I love this. So I know that there's some new Department of Defense CMMC requirements. Can you talk a little bit about how that's going to impact manufacturing?
So the new thing they're doing, the CMMC, is part of DFARS 7012, which says you have to be National Institute of Technology 800-171 compliant. The government has come to the decision that they are going to force every company to meet these standards. And if you don't meet the standards, they're going to come after you for three times value of contract.
So it is going to be a very major situation. And the government through my training has said we want to punish companies because that's going to get everybody else in line. It's not how I personally obviously would like to do it, but that's what's coming next. So CMMC consists of three different levels.
There's level one, which they call just good cyber hygiene. Level two is good compliance. And then level three, we have not found a company that needs level three and the government had done a very poor job of defining when you'd use it, but most companies are going to fall into what's called level two, and they're going to have what's called controlled unclassified information.
So if you're a manufacturer and you make a part for the government and you don't make that part for anybody else, you're going to have controlled unclassified information and they're going to require you to have 110 controls on how that information is maintained. And this is going to start, they're talking fourth quarter, but my feeling is there's one more act of Congress that has to happen.
So this is going to start in:And if you start in 2025 and the contracts come out, you won't have time to get into compliance. Yeah. And so that's why I'm trying to tell people take it serious. The government has pushed it off twice. But I don't think they're going to do it a third time because they really want to get this in place and they're really afraid and they have a good justification for this.
There's been a lot of information that's gone to Russia to China to North Korea, because we don't have a lot of good security around the information. And you don't want the Chinese to figure out how to sabotage because you use a radio frequency that they fund. And our drones out there are all running on radio frequency.
So it has good basis, but it's done in the government way, which means very onerous, very large, covers everything all at once.
[00:13:39] Ken Fanger: Absolutely. So there are 117 controls, but this is what the government wants to see. They want to see past performance proof. So if you say we do backups, they're going to want to look and talk to the person who did the backups. Check the backups and then see how many months they've been actually doing it and they're going to look to four to six months of proven performance in every one of these controls.
Okay, so if you start today, if you had everything in place, then you could get that six months of past performance. If you haven't done it, then whenever you finish implementing, that's when the clock would start. So it can take anyone from 1 to 12 months to get everything in place and then you have to give it time to make past performance history.
Okay, so that's a big reason why we tell people we've helped one company get through the development in about two months, but now they're starting the clock of four to six months of past performance before they can get their assessment.
[00:14:40] Ken Fanger: So it's not, you know, the old days you just did a checkbox, oh I have a policy, I'm done.
That's not going to be acceptable though.
[00:14:55] Ken Fanger: So they're controlled by the CyberAB board, which is CyberAB.org. We have information on our website at OnTechnologyPartners.com. We talk about one of the most important first steps you want to do is what's called scoping.
Because you want to not spend, because if you have to get your whole company to be compliant, that's going to be extremely expensive. It's going to cost about 100,000 just to get the assessment. And then every workstation that you have to do, you have to estimate between 2 and 4,000 a month to make it be in compliance.
So this is an expensive procedure. So what we talk about, and we're offering this scoping document to help people understand how to do it is make sure only the things that need it are getting into compliance. Don't have the secretary's computer be a compliant computer because that's not going to hold the information.
That way you can reduce it. Cause like one of the companies we're working with is a hundred person company, but only 10 people need it to be under the compliance. Sure. Instead of being 200,000 a month, it's 20,000 a month.
Oh, wow. My head hurts just hearing all of it.
[00:16:30] Ken Fanger: So yes, it's the problem is we have gotten this combative experience and the users, the people we are protecting, have one of two attitudes. Either they believe, well, it's your job to protect me. I shouldn't have to do anything in it, or I'm too afraid to do anything. And so what we end up with is this is this situation where instead of working together as one team to get to one goal, we're working apart, and you'll see this in workarounds and it's really wonderful. I'm working with Dr. Adams out of the UK, and she started kind of a lot of this journey. And the example she used in her paper, and I work for pharmaceutical so I'll share how I learned this personally is passwords. We all have passwords.
And until password managers came out, we all ended up making up the same exact password with a couple of little changes because we couldn't remember them. And when I worked for a pharmaceutical company back in the 90s, one of the requirements from the FDA was you had to have a complex password, meaning at least 12 characters, no words, letters, capitals, numbers, and non character things, and you change it every 90 days.
Well, that sounds, from a cybersecurity expert, really secure. You're never going to guess that password. The problem is, from a human being standpoint, I would go around every time I heard the FDA was coming in, and I'd have to pull off sticky notes from everybody's screens are under their keyboard.
Did we really create security or did we just think it was security? When you're talking about that, you want to make sure that you're making new and centric solutions. Yes. People to be secure. I worked with a school district recently and they had a cyber attack about two years ago. And their solution was they made a timeout on the teacher's screens after five minutes.
But think about it. Sounds awful for teachers. Oh my gosh. Oh, wow. But that feels secure, but the teachers can't use the technology because they're talking to their class. They're walking around, then they get back and they have to do a two factor authentication journey. So when we're talking about humanizing security, we're talking about making this a lion's journey.
And one of the things I love, it's a term that I've come up with, I call it mission safe. And in manufacturing, so here's the story. I had one of my engineers talking with one of my manufacturing clients and he kept telling the guy, you got to back up your server. I'm going to get you a backup for your server.
It's going to cost you $250 a month. And the guy's like, I'm not paying that. I don't want that. And finally, my engineer comes back to me and says, I don't know what to do. They need this backup and they won't do it. I said, well, let me talk with him. His name was John. I said, John, why don't you want the backup?
He said, I don't want to spend any more money backing up this technology. And I said, that's fair, but I just have a quick question for you. How do you get your orders in? He says, well, it goes into our ERP system. I said, okay, how do you get your plan to run? Well, then we put an order out from the ERP system.
I said, okay, where's your ERP system? He says, I don't know. I said, what if I told you your ERP system is that computer sitting next to your secretary, that's not backed up. He said, it is. I said, yes, you don't realize it, but we want to back up your line production. We want to make sure that if you lose it, you can keep working because you can only work for a half day before you can't do any more orders.
And he's like, Oh my gosh, that's only $250. Go pay for it. Yeah, that's one of the things that's really different. People don't care about the technology. They care about doing their mission. And when you interfere with their ability to do their mission, they're going to work around you.
And that's where we have to start as a team say, okay, If you're in sales, if you're doing marketing, how can you make sure you can keep doing your marketing, but keep the information safe?
[00:20:21] Erin Courtenay: Wow. I love that perspective. You're not protecting the technology, you're protecting your work, but that has not been the messaging.
And I've been, I've had two rubrics of cybersecurity, you know, that implemented in places that I've worked and they've both been useful. Certainly. I feel like everybody should have those, but it was always about the technology and not about my work or my organization. So I, I love that shift.
[00:21:09] Ken Fanger: It's Relax, A Guide to True Cybersecurity.
[00:21:16] Ken Fanger: It's a really easy read. It's fun. I've got some really great little jokes that I put into it, some cartoons to help frame it, and it talks about email security and phishing attacks. And I'll share one of the stories. My wife always hates it. So my wife and I are in the company. She owns the company and I work for her, and I've been that way for 30 years.
So my boss at home and at work, but about six years ago, we were just starting to roll out multi factor authentication for our email. And she accidentally deleted her Outlook and she didn't want to bother the engineers. And she was actually scheduled for the very next day to get multi factor authentication activated.
mediately started sending out:But I did have one that said, how can you admit to a cyber attack? You're a cyber security company. And I told them, I said, how could I not if I'm truly a cyber security company?
[00:22:43] Ken Fanger: Yes. And that's one of the things we have to stop this idea that somebody out there is perfect, that the cybersecurity company is completely secure. None of them are. And we all have been breached.
and that's why I actually talked to people about what I call the Triple A of Cybersecurity. It's aware, address and arise. So before you get attacked, you want to do your aware stuff. You want to make sure that you do have firewalls and antivirus and endpoint detection and response. But you also want to have the training, you want to have the conversations.
And one of the things when I do my presentations is I get people in the audience to talk about the attacks that they've either experienced or they heard about, because a lot of times when you hear how one person gets attacked, you'll know to watch for it yourself.
[00:23:34] Kris Harrington: Yep.
Do I call my IT company? Do I stop talking on the phone? A lot of phone and text attacks are happening. If you feel it's wrong, you're probably right. Use that feeling to just stop. Because if it is an okay call or it is an okay text, they're still going to talk to you after you've stopped and thought about it, but they want to get you emotionally high. They want to get you to act in a way that is really scared or really excited.
I always tell people, my mom always told me when I was angry, count to 10, same count to 10 right here. And then the last one is the Arise stage. And this is where we have done a terrible job. We are really good about getting the data back.
We're really good about getting money back. But we don't have any psychological counseling for somebody that's been attacked. You probably all heard about the MGM attack. Imagine being that help desk technician that thought you were following the right policies and procedures, that cost the company I think it was like 287 million by the time it was done.
That's a terrible position to be in. That is very hard. And we're actually putting together programs. I'm working with a mental health professional to be able to create psychological recovery programs to help after an attack. Because not only is a person now afraid, and if you fire the person, that's even worse.
I've seen a lot of companies that do end up firing the person because they caused the attack. All the people around them are now emotionally scarred. They're afraid to do work. They're afraid to take action. We have to help them to recover so we can arise and be better than we were before.
And I'd love to see this campaign get more traction so that we could think about people first. It'd be way more effective.
So, yeah, fantastic message. Love it.
[00:26:39] Erin Courtenay: And to stay awake.
[00:26:41] Erin Courtenay: I think one of the biggest problems with cybersecurity is boredom. You know, people are like, you know, they just deal. With this conversation, I want to ask questions. I want to learn more. I want to engage. Yeah. So that's another one of the benefits of bringing that human centered approach to cybersecurity.
[00:27:17] Lori Highby: Okay. I'm really excited. This one's fun. Did you know that the universe has a color? It's so, but no, I know I'm like, I've read this article and I'm on the science website and I'm like, fascinated by it.
So what they did, they found an average color, just looking at all the different like hues that are in there. And they called it cosmic latte. And I love the name of it. I just think it's so fun, right? I just thought that was so cool, but it's very like a vanilla kind of off white ish color.
[00:28:00] Lori Highby: You never know, but.
[00:28:03] Lori Highby: Cosmic Latte.
[00:28:05] Erin Courtenay: Wow. That's a really good one. I think that that's like. The, we're you, you get a gold star for that one. Those are great. Aw. Yeah. Good.
[00:28:16] Erin Courtenay: Oh, I'm just g can I, I, I learned something, but I'm gonna be transparent here. This is a rant. So, um, we, we moved into a rental house because we're doing this renovation, which everybody's heard me talk about.
And so we're trying to get internet. Internet should be a utility. That's what I believe right now, because the process of getting internet was just the whole mind blowing. And, Ken, you'll appreciate this because one of the biggest problems we had is that we attempted to get cellular internet through a large cellular phone company of which we'll go unnamed here and the fraud prevention was, was so dense and sticky that me, I'm a middle aged lady with really good credit, nope, they wouldn't, they, cause I didn't have an address, but I just moved that anyhow. And it just went on and on and on with, I went down to the utility company and I got a piece of it. I had to go through security. It was all this stuff.
[00:29:19] Erin Courtenay: It just, it was just nuts. But there, so one of the things I did learn is that there is cellular internet, which is really interesting. And I think it's, it's a great service that should be available. Starlink is another source of internet, and then of course, there's fiber there. There may be more, but I just thought it was interesting that internet becomes like a utility and we take it in a certain sense for granted, but until you're sort of out in that marketplace, you don't realize how fragmented it is and how complex it is.
And it's a real shame because me, as I said, middle aged lady with good credit, struggled so hard. And what is it like when you're young or you know, you don't have a great credit background and you need that internet for your job or what have you. So as I said, rant, I did some learning, but I'm also ranting.
So I'm going to hand it over to you, Kris.
So, you know, those public USB ports, airports, malls. Yes. That's right. No, no. They're saying use your own cord and plug into an electrical outlet. So I thought you know, with all the discussion we were having today, that might be a very practical one that goes along with protecting your data.
[00:30:57] Kris Harrington: Yes, yes. Ken, what did you just learn?
It takes a moment for us to rationally evaluate what we do emotionally. And you know, it's funny, I'm talking about AI all around the country and all around, and one of the things that I find interesting is we couldn't make decisions without our emotions. Emotions are bad. I'm a Star Trek fan. I remember the original one with Spock and how he was all logic.
If you are all logic, you can't make a decision. We need that emotion to be decision makers. We didn't go out of our way to try and get rid of it.
[00:32:07] Kris Harrington: Yeah, and it's such a good topic to be studying when you're thinking about AI, right, and speaking about AI so often, because that's the thing that they're trying to advance in all of this, right, which, which is probably the most difficult. So, very interesting. Thank you for that. So, Ken, if people want to contact you after listening to this episode, where should they go?
We need to not only help the ones that are doing it now, but what we're coming up with. Every job, every position in the next generation is going to require understanding AI. It's going to require cyber security. Nobody's going to be able to get away from it. So we need to change today because it'll be too late tomorrow.
[00:33:15] Lori Highby: A hundred percent. Oh, so great. All right. Okay. Well, we'll include all that information in the show notes. Ken, thank you so much for taking the time to be on the show today with us.
[00:33:27] Lori Highby: All right. Well, this is three broads wrapping up. Go out there and make something awesome.