NACD Accelerate, Ian Furr’s Volunteer Work, & Bidemi (Bid) Ologunde Member Spotlight [RH-ISAC Podcast]
Introduction to Cybersecurity on Corporate Boards
Overview of the Podcast
- Luke Vander Linden introduces himself as the Vice President of Membership at the Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC).
- The podcast discusses the increasing need for cybersecurity expertise on corporate boards, a topic highlighted in various publications recently.
- RH-ISAC has partnered with the National Association of Corporate Directors (NACD) to address this gap by training cybersecurity professionals for board roles.
Training Programs for Board Members
- The first cohort from RH-ISAC's partnership with NACD is currently undergoing a two-year program aimed at certifying individuals for board membership.
- John Scrimsher, CISO of Kontoor Brands, will share his experiences as a prospective corporate board member during this episode.
Discussion on Cybersecurity Knowledge Gaps
Importance of Cybersecurity Expertise
- John Scrimsher and Marcel Bisu from NACD join Luke to discuss the lack of cybersecurity knowledge among many corporate boards.
- John shares his background in cybersecurity, emphasizing that he has worked across various industries over 30 years.
Insights from John's Experience
- John reflects on how his diverse experience has shaped his understanding that security is not industry-specific; it’s about understanding business operations.
- He stresses that effective security management involves engaging with business partners and tailoring security measures based on their concerns.
Role of Corporate Boards
Understanding Board Responsibilities
- Marcel explains the critical role directors play in overseeing company operations and ensuring they have adequate technical expertise, particularly in cybersecurity.
- This discussion highlights ongoing efforts to enhance board members' understanding of cybersecurity issues.
Understanding the Role of Corporate Governance
Fiduciary Duties of Executives
- Executives have a fiduciary duty that includes specific responsibilities such as the duty of care and loyalty to the corporation.
- Their role involves overseeing corporate management, ensuring effective strategies are in place, and managing risks appropriately.
The Complexity of Board Membership
- Being a board member is described as both exciting and complex, carrying significant responsibility including personal liability.
- The landscape of corporate governance has evolved from being dominated by a homogenous group ("pale, stale, and male") to incorporating diverse perspectives.
Emerging Focus Areas in Governance
- Recent years have seen an increased focus on cybersecurity within the context of ESG (Environmental, Social, Governance).
- Cybersecurity challenges have intensified due to pandemic-related changes in workforce dynamics and economic complexities.
Skills Required for Modern Boards
- Directors must possess unique experiences and skills to navigate increasingly complex geopolitical environments.
- There is a pressing need for boards to evaluate their members' skills critically to ensure they contribute positively to corporate governance amidst evolving challenges.
NACD Certification Program Overview
- The NACD launched its Directorship Certification program in December 2019 aimed at training potential board members on their roles and responsibilities.
- This certification process includes an exam based on insights from over a thousand directors about their roles and ongoing education requirements totaling 32 credits over two years.
Career Development and Board Service Insights
Motivation for Joining the Program
- The speaker emphasizes a passion for continuous education, highlighting their commitment to expanding technical and IT knowledge throughout their career.
- The opportunity to connect business relationships and expand into board service was particularly appealing as part of their career progression.
Learning Experience in the Program
- Initial expectations about running major companies were challenged; the complexity of board dynamics became evident through program materials.
- The speaker reflects on the differences in reporting to various boards, noting that each board has unique characteristics that influence oversight.
Depth of Study Required
- The first 15 hours of the program provided foundational knowledge, but further study revealed an additional 50 to 70 hours were necessary for comprehensive understanding.
- Engaging with other business leaders and board members enriched the learning experience, providing insights into real-world challenges faced by boards.
Respect for Board Member Responsibilities
- A newfound respect emerged for the time commitment required from board members, especially those serving on multiple boards simultaneously.
- Understanding cybersecurity's role in corporate governance is crucial; every business decision carries potential cybersecurity implications.
Enhancing Communication with Boards
- The program aids in translating IT language into risk and financial terms familiar to board members, improving communication effectiveness.
Understanding Board Dynamics
Key Takeaways for Technology Executives
- Recognizing the breadth of issues boards address is essential; directors focus on oversight rather than direct management or problem-solving.
Information Gaps Between Executives and Boards
- Directors may serve on multiple boards but are not present daily at any one company, creating an information gap that requires effective communication strategies.
Understanding Cybersecurity Oversight in Boardrooms
The Challenge of Educating Board Members
- Effective management requires significant thought and care, particularly regarding how cybersecurity is presented to board members.
- There exists a substantial skills and knowledge gap among directors concerning cybersecurity, presenting both challenges and opportunities for improvement.
Key Insights on Cybersecurity Knowledge for Boards
- Directors should stay informed about current cybersecurity risks and ask pertinent questions regarding reported metrics' effectiveness.
- Presentations to the board should begin with recent headlines related to cybersecurity, illustrating their impact on the company and competitors.
Building Confidence Through Communication
- It's crucial to address board members' concerns while avoiding fear, uncertainty, and doubt by providing clear information about risk management efforts.
- Encouraging boards to inquire about how they can support security teams fosters a culture of shared responsibility for cybersecurity.
Relating Cybersecurity to Everyday Life
- Using relatable analogies (e.g., locking a front door) helps demystify cybersecurity concepts for board members, making them more strategic thinkers in this area.
Best Practices for Board Engagement in Cybersecurity
- Directors should engage in ongoing risk management processes similar to other business issues, ensuring that there are effective monitoring systems in place.
- Sharing insights across multiple boards can enhance understanding of emerging threats and trends within the cybersecurity landscape.
Networking as a Tool for Improvement
- Networking with other business leaders outside of security is vital; understanding broader business challenges can inform better decision-making at the board level.
Next Steps After Certification
Guidance for Board Participation
- Understanding the thought processes of board members can enhance your own strategic thinking and decision-making.
- Networking is crucial; reaching out to mentors or industry contacts can open doors to board opportunities.
- It's important to reflect on what type of board role you desire and what unique contributions you can offer beyond technical skills.
- Utilize resources like NACD (National Association of Corporate Directors) and leverage your network for guidance in pursuing board positions.
- The journey to securing a board seat requires patience, self-awareness, and commitment but is ultimately rewarding.
Introduction of Ian Furr
Role at RH-ISAC
- Ian Furr serves as a Security Integrations Engineer at RH-ISAC, focusing on enhancing member access to threat intelligence.
- His responsibilities include facilitating the sharing of threat data through platforms like MISP (Malware Information Sharing Platform).
- Ian assists members in integrating shared intelligence into their existing security tools such as antivirus software and firewalls.
Previous Experience
- Prior to joining RH-ISAC, Ian worked as a penetration tester specializing in purple team operations, bridging red teams (offensive security) and blue teams (defensive security).
Volunteer Work with ITDRC
Involvement with IT Disaster Resource Center
- Ian volunteers with the Information Technology Disaster Resource Center (ITDRC), where he has progressed from a tech role to Deputy Director for FEMA Region 3.
- ITDRC provides no-cost technology solutions during disasters, helping communities recover by restoring essential technological infrastructure.
- Their work includes deploying technology assets in disaster areas to facilitate recovery efforts impacted by events like hurricanes.
Technology in Emergency Response
Role of Technology in Communication
- The speaker discusses the use of technology, such as radios and laptops, to establish Wi-Fi at survivor centers for effective communication on both personal and professional levels.
Search and Rescue Exercises
- As Deputy Director of Region 3, the speaker oversees various events, including a search and rescue exercise coordinated with the Frederick County Sheriff's Office to maintain their team's certifications.
- The exercise involved setting up a scenario where a person was reported missing, requiring participants to follow clues through the woods to locate them.
Tools and Internet Access
- The Sheriff's Office utilized specific tools that required internet access for tracking clues during the search operation. The speaker's role was to provide this connectivity.
- Drones were also employed in the exercise; one was seen taking off from near the speaker's vehicle while capturing imagery related to the search.
Deployment Experiences
Previous Deployments
- The speaker shares experiences from deployments, noting that hurricanes are rare in the Mid-Atlantic region but they have participated in significant exercises elsewhere.
Tanic State Park Exercise
- A notable deployment occurred at Tanic State Park where Wi-Fi was set up across a gorge as part of an exercise aimed at familiarizing teams with equipment usage.
Afghan Refugee Support
- In September 2021, during a large influx of Afghan refugees post-U.S. withdrawal from Afghanistan, Wi-Fi was established at Fort Dix, New Jersey. This allowed refugees to communicate with family members despite limited connectivity options.
Impactful Moments
- One rewarding aspect highlighted by the speaker was setting up Wi-Fi near children attending school lessons for basic English language instruction.
- Children responded positively when they heard "Wi-Fi," demonstrating its universal appeal regardless of cultural or language barriers.
Involvement with Volunteer Organizations
Joining ITDRC
- The speaker explains how they discovered ITDRC through TikTok during 2020 and decided to volunteer due to their passion for helping others and utilizing their tech skills.
Progression within ITDRC
- After signing up via ITDRC’s website, they received approval and eventually became part of the leadership team within two years.
Other Engagement Activities
- Besides ITDRC, the speaker is also involved with Fairfax County Fire and Rescue Department while assisting Jefferson County 911 during recent events like World Games.
Training and Volunteering Insights
EMT School and Volunteer Experience
- The speaker is currently in a training phase, preparing to start EMT school next month, with plans to join as a volunteer EMT.
- The speaker has a history of volunteering from an early age, highlighting the importance of using professional skills for community service.
Impact of Volunteering
- Volunteering has included both field deployments and remote responses to disasters like wildfires and tornadoes, showcasing the diverse nature of support provided.
- Even minor technology solutions can significantly impact disaster areas by reconnecting individuals with their families, emphasizing the value of communication during crises.
Commitment and Involvement
- The time commitment varies; leadership roles involve regular meetings while average volunteers can engage as much or as little as they wish.
- New initiatives are being launched for situational monitoring to pre-stage resources in communities before incidents occur.
Training and Community Engagement
- Volunteers need minimal commitment after initial training; ongoing engagement may only require a few hours monthly to connect with local emergency organizations.
- All volunteers, regardless of experience level, can contribute meaningfully by familiarizing themselves with local needs and offering assistance.
Need for More Volunteers
- There is an ongoing need for more volunteers nationwide; current numbers stand at approximately 3,600 but increasing this number could enhance response capabilities.
- Diverse skill sets are welcomed—from technical roles like climbing towers post-disaster to administrative tasks such as grant writing.
How to Get Involved
- Interested individuals can contact the speaker directly or visit the ITDRC website (itdrc.org), where they can fill out a volunteer form.
- After signing up on the website, new volunteers receive an email outlining next steps that include training and preparation for deployment.
Contact Information
- For inquiries about automating ingestion or sharing CTI, reach out via Slack or email (ian@rack.org).
Introduction of Guest: Bidemi Ologunde
Podcast Background
- Bidemi Ologunde introduces himself as an Intel Analyst at Expedia and mentions his experience hosting his own podcast.
Introduction to the Bid Picture Podcast
Overview of the Podcast
- The host, Bidemi (also known as Bid), introduces the podcast titled "The Bid Picture," focusing on cybersecurity intelligence analysis and its daily implications.
- The audience for the podcast is diverse, ranging from executives to parents and grandparents, indicating a broad appeal.
Guest Introduction
- Guests often express that it's their first time on a podcast, prompting a gentle approach from the host during discussions.
Guest Background in Cybersecurity
Career Journey
- The guest shares their background in cybersecurity, emphasizing that opinions expressed are personal and do not represent Expedia Group.
- They began their career in Nigeria with an undergraduate degree in electrical engineering focused on wireless network security.
Transition into Cybersecurity
- After completing graduate school in the U.S., they transitioned into cybersecurity incident response, operations, forensics, and threat intelligence.
Current Role at Expedia Group
Job Responsibilities
- The guest has been with Expedia for about a year as an intelligence analyst, ensuring security teams have necessary tools and context regarding threats.
- Their role involves two-way communication with security teams to provide insights on threats while receiving feedback from them.
Challenges in Cybersecurity
Evolving Threat Landscape
- The rise of artificial intelligence presents challenges; threat actors use AI tools to enhance their attack strategies.
- Staying ahead of these actors requires thinking like them and predicting how they might exploit similar tools used for defense.
Impact of AI Tools
- Tools like ChatGPT have made phishing emails more sophisticated by eliminating grammatical errors, complicating detection efforts for cybersecurity professionals.
Social Engineering Tactics
Social Media Risks
- Social engineering tactics include phishing and manipulating individuals through social media posts that reveal personal information or organizational details.
Data Exploitation
- Information shared online can be exploited by malicious actors to gather data about targets or organizations. For example:
- Posts about job milestones can inadvertently reveal sensitive information such as badge designs which could be replicated for unauthorized access.
Third-party Risk Management
Vendor Relationships
- Discussion shifts towards third-party risk management within the industry. As both Expedia and its partners are vendors, understanding risks associated with vendor relationships is crucial.
Understanding Data Protection in Business
The Challenge of Managing Multiple Data Inputs
- Organizations, such as hotel properties and aggregators like Expedia, face challenges in managing numerous data inputs from consumers and vendors.
- Control over data is limited; similar to social media, organizations cannot fully dictate how their information is used once shared publicly.
Importance of Contracts and Security Measures
- Establishing contracts with partners is crucial for ensuring effective data handling practices across various industries.
- Just as one would secure their home or vehicle, businesses must implement robust security measures to protect customer data from unauthorized access.
Analogies Between Physical and Cybersecurity
- The analogy of locking doors illustrates the need for companies to safeguard their data; a single breach can lead to wider vulnerabilities.
- Individuals who neglect physical security often exhibit similar carelessness in digital security, such as reusing passwords.
Evolution of Threat Actors' Tactics
- Social engineering has become easier due to the abundance of personal information available on social media platforms.
- Bad actors adapt technology originally designed for good purposes to exploit vulnerabilities, demonstrating resourcefulness in their methods.
Password Reuse and Its Consequences
- Reusing passwords across different sites increases vulnerability; if one site is compromised, others may be at risk too.
- Attackers utilize software tools to automate attempts at breaching accounts using stolen credentials from less secure sites.
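The two points above describe credential stuffing from the attacker's side: a password leaked from one site is replayed, by automated tooling, against many accounts on another. On the defender's side the pattern is visible in authentication logs, because one client source tries many distinct usernames in a short window and mostly fails, while a genuine user who mistypes a password produces a handful of failures against a single username. The following is an added example, not code from the podcast or from any of the organizations mentioned; the log format, the sample lines, the IP addresses (documentation ranges) and the thresholds are all constructed for illustration.

```python
"""Flag credential-stuffing bursts in authentication logs (added example).

Heuristic: a source that tries at least `min_users` distinct usernames
inside one sliding `window`, with a failure ratio of at least
`min_fail_ratio` over those attempts, is flagged. A SUCCESS inside such a
burst is the case the passage warns about: a reused password that worked.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "ts src= user= result=" format.
# 203.0.113.7 sprays six usernames in five seconds (one succeeds);
# 198.51.100.4 is a single user who needed three tries.
SAMPLE_LOG = """\
2024-05-01T10:00:01 src=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:02 src=203.0.113.7 user=bob result=FAIL
2024-05-01T10:00:02 src=203.0.113.7 user=carol result=FAIL
2024-05-01T10:00:03 src=203.0.113.7 user=dave result=SUCCESS
2024-05-01T10:00:04 src=203.0.113.7 user=erin result=FAIL
2024-05-01T10:00:05 src=203.0.113.7 user=frank result=FAIL
2024-05-01T10:00:10 src=198.51.100.4 user=alice result=FAIL
2024-05-01T10:00:20 src=198.51.100.4 user=alice result=FAIL
2024-05-01T10:00:30 src=198.51.100.4 user=alice result=SUCCESS
2024-05-01T10:05:00 src=203.0.113.7 user=grace result=FAIL
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src_ip, user, result)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts_str), kv["src"], kv["user"], kv["result"]


def find_stuffing_sources(log_text, window=timedelta(minutes=1),
                          min_users=5, min_fail_ratio=0.6):
    """Return {src_ip: (distinct_users, attempts, fail_ratio)} for each source
    whose first qualifying sliding window meets both thresholds."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, user, result = parse_line(line)
            by_src[src].append((ts, user, result))

    flagged = {}
    for src, events in by_src.items():
        events.sort()  # chronological; ties are harmless
        start = 0
        for end in range(len(events)):
            # advance the window start until the span fits in `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            if len(users) < min_users:
                continue
            fails = sum(1 for _, _, r in win if r == "FAIL")
            ratio = fails / len(win)
            if ratio >= min_fail_ratio:
                flagged[src] = (len(users), len(win), round(ratio, 2))
                break  # one hit per source is enough to raise an alert
    return flagged


def suspected_compromised(log_text, **kw):
    """Usernames that logged in successfully from a flagged source. These are
    the accounts whose reused password worked and should be reset first."""
    flagged = find_stuffing_sources(log_text, **kw)
    hits = set()
    for line in log_text.splitlines():
        if line.strip():
            _, src, user, result = parse_line(line)
            if src in flagged and result == "SUCCESS":
                hits.add(user)
    return sorted(hits)


if __name__ == "__main__":
    print("flagged sources:", find_stuffing_sources(SAMPLE_LOG))
    print("accounts to reset:", suspected_compromised(SAMPLE_LOG))
```

The per-source sliding window is what separates the two behaviours in the sample: the single retrying user never exceeds one distinct username, so no threshold on failure count alone is needed, and the rare SUCCESS inside the burst is surfaced rather than hidden by the failures around it. In production the same logic would run over a real log source and feed an alert or a forced password reset for the accounts returned by `suspected_compromised`.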
Gathering Information Through Social Media
- Threat actors often gather personal details from social media profiles (e.g., family names or school mascots), which can aid in targeted attacks.
- Posting sensitive information online can inadvertently provide attackers with insights into an organization’s network.
The Reality of Cybersecurity Challenges
- Even with strong security measures, determined attackers may still find ways into networks; effective security merely delays them.
- Two-factor authentication enhances security but does not eliminate risks entirely; ongoing vigilance is necessary against evolving threats.
Advice for Aspiring Cybersecurity Professionals
- Passion for cybersecurity is evident among professionals; those considering this field should explore both academic routes and self-directed learning opportunities.
How to Cultivate Passion and Transition into Cybersecurity
Finding Your Passion
- The speaker emphasizes the importance of discovering a passion, suggesting that individuals should fully commit to it. Personal anecdotes highlight encouragement from family members, including a four-year-old son expressing interest in speaking into a microphone.
Embracing Learning Opportunities
- The advice given is to seize every learning opportunity available, whether through free online resources like YouTube or LinkedIn Learning, or local events and meetups related to cybersecurity.
Diverse Backgrounds in Cybersecurity
- The speaker notes that cybersecurity encompasses various fields and backgrounds. Individuals transitioning from areas such as medicine, law, or even carpentry can leverage their existing skills in this multifaceted domain.
Understanding Your "Why"
- Identifying personal motivations ("why") is crucial for perseverance during challenging times. This understanding helps maintain focus on goals such as community impact or educating others about cybersecurity practices.
Non-Technical Roles in Cybersecurity
- There is a misconception that cybersecurity roles are solely technical; however, the speaker asserts that many successful professionals come from non-technical backgrounds. Various types of people contribute to the field beyond stereotypical images of hackers.
The Role of ISACs in Cybersecurity
Experience with ISACs
- The speaker shares their experience with Information Sharing and Analysis Centers (ISAC), noting this is their first involvement with the Retail Hospitality ISAC after previously participating in financial services ISAC.
Collaboration and Curiosity
- Active participation in ISAC platforms allows for collaboration and knowledge sharing among members. The speaker expresses enthusiasm for engaging with others and answering questions within these communities.
Importance of Guidelines for Information Sharing
- Strict guidelines govern information sharing within ISAC environments to protect sensitive company data. Traffic Light Protocol (TLP) colors indicate levels of confidentiality regarding shared information.
Creating Trust Through Protocol Compliance
- Adhering to established guidelines fosters trust among members by preventing unauthorized disclosure of sensitive information, which is essential for effective collaboration within the community.
Involvement in Working Groups
- The speaker participates actively in working groups focused on specific topics like dark web threats while maintaining curiosity about other ongoing discussions within the organization’s channels.
Future Predictions in Cybersecurity
The Importance of Curiosity in Learning
- The speaker expresses a strong desire to learn, often attending working group meetings to gain insights, even if they remain quiet and muted during discussions.
Predictions for Cybersecurity Trends
- The speaker is asked to predict future trends in cybersecurity, highlighting the impact of AI on evolving attack methods and threat vectors.
Evolving Threats
- Phishing attacks are expected to become more sophisticated, with emails mimicking legitimate company communications due to advanced tools that can generate realistic messages.
Social Engineering Risks
- As social media becomes more integrated into daily life, social engineering tactics will likely become less detectable, posing greater risks for individuals and organizations.
Remote Work Vulnerabilities
- With the shift back to office work after remote work experiments, there may be an increase in phishing emails related to job offers claiming fully remote positions. These could exploit people's eagerness for remote opportunities.
Conclusion and Acknowledgments
- The conversation wraps up with gratitude expressed towards guests and contributors involved in the podcast. Emphasis is placed on community sharing and collaboration within the cybersecurity field.
- A call-to-action is made for RH-ISAC members interested in participating in the NACD Accelerate program, encouraging them to reach out via email or other communication platforms.
- Final thanks are given to team members who assist with production quality and sound editing for the podcast.