Data Driven Leadership

Cybersecurity Isn’t Just the CIO’s Job Anymore

Guest: Jeff Foresman, VP of Cybersecurity, Resultant

In this episode, Jess Carter talks with Resultant VP of Cybersecurity Jeff Foresman about why today’s most dangerous breaches don’t start with technical flaws, but with people.

Overview

One phone call. One click. That’s all it takes.

With over 30 years in the field, Jeff shares stories of social engineering attacks that bypass sophisticated defenses, explains why traditional compliance measures fall short, and outlines a more realistic framework for security: prevention, detection, and response.

Jess and Jeff also dig into human risk management, validation protocols, what it takes to build a culture where security is everyone’s job, and how slowing down just might save you.

In this episode, you’ll learn:

  • How attackers use urgency and familiarity to bypass internal controls
  • Why cybersecurity maturity starts with real-world threat alignment
  • What business leaders should ask about their help desk and MFA processes

In this podcast:

  • [00:00-06:09] Introduction to the episode with Jeff Foresman
  • [06:09-08:05] Why compliance training often fails to prevent breaches
  • [08:05-11:02] Trusted cybersecurity frameworks for assessing maturity and risk
  • [11:02-13:45] How attackers are bypassing firewalls and fooling help desks
  • [13:45-20:42] Real-world social engineering tactics every team should know
  • [20:42-25:25] Building response plans that reduce downtime and damage
  • [25:25-29:40] What to do when employees keep failing phishing tests

Our Guest

Jeff Foresman

Jeff Foresman brings three decades of cybersecurity expertise to his role as VP of Cybersecurity at Resultant. From founding security consulting and managed services startup Pondurance; serving as president of services at Quadrant Information Security; and holding key leadership roles at Rapid7, Optiv, Verizon Business, and the PCI Security Standards Council, Jeff has consistently delivered transformational security initiatives across diverse industries.

Jeff is a tremendous asset in developing risk management programs and building security operations centers for major corporations, retailers, hospitals, and financial services organizations. His technical background spans managed services; vCISO consulting; cloud security; incident response; and compliance frameworks including NIST, HIPAA, and PCI.

Jeff is committed to advancing and expanding our cybersecurity and managed security services, driving more impactful client solutions that address today’s evolving threat landscape. A recognized thought leader, he regularly presents at industry conferences on topics ranging from what historical cyber attacks can teach us to the nuts and bolts of business-aligned risk management programs and offensive security strategies.

Jeff’s leadership is backed by a philosophy that aligns cybersecurity initiatives with business objectives to not only ensure security programs protect, but also enable our clients’ growth and success.

Transcript

This has been generated by AI and optimized by a human. 

Show ID (00:04):

The power of data is undeniable and unharnessed, it's nothing but chaos.

 

(00:09):

The amount of data was crazy.

 

(00:11):

Can I trust it?

 

(00:12):

You will waste money.

 

(00:13):

Held together with duct tape.

 

(00:15):

Doomed to failure.

 

Jess Carter (00:16):

This season, we're solving problems in real time to reveal the art of the possible. Making data your ally, using it to lead with confidence and clarity, helping communities and people thrive. This is Data-Driven Leadership, a show by Resultant. 

 

Hey everyone. Welcome back to Data-Driven Leadership. Today we're talking about something that every leader, no matter your role, needs to care deeply about, and sometimes you don't want to: cybersecurity. Cybersecurity isn't just an IT problem anymore. It's a business issue and one of the biggest risks facing organizations today. Too often, it's still treated like a line item in a compliance report or something that the tech team will, quote, “handle.” I want to zoom out for a second. If you look at cybersecurity through the lens of history, you're going to see just how far and how fast it's evolved. In the early 2000s, threats looked like spam emails and computer viruses.

 

(01:11):

Maybe you remember getting the email about the queen of a country in Kenya who needed money as fast as possible. I think there's an Office episode about this. They were annoying, but they were manageable. Fast forward to now, and we're dealing with ransomware that shuts down hospitals, breaches that expose millions of records and attacks that target people just as much as systems. The tools have changed. But here's the core issue: Most breaches aren't just technical failures. They're the result of gaps in behavior, communication, and leadership due to teams that didn't know what questions to ask or didn't see security as their responsibility.

 

(01:47):

And that's why today's episode is so important. I'm joined by my colleague Jeff Foresman, the VP of Cybersecurity here at Resultant. Jeff has spent more than 30 years working across industries from public sector to major retailers, helping leaders understand their real risk, build proactive strategies, and recover when things go wrong. 

 

If you can imagine talking to somebody who's spent most of their career helping companies recover after there's been a breach, he is a fascinating person to talk to. We'll get into what cybersecurity looks like from a leadership lens, why compliance isn't enough, what questions you should be asking your team and why winning sometimes means slowing down. So if you are a leader in any part of your organization, finance, HR, operations, strategy, this episode is for you because security is no longer just the CIO's job, it's everybody's business. Let's get into it.

 

(02:44):

Welcome back to Data-Driven Leadership. I'm your host, Jess Carter. Today we have Jeff Foresman, VP of Cybersecurity here at Resultant. Let's get into it. Welcome, Jeff.

 

Jeffrey Foresman (02:54):

Thanks for having me. I'm excited to chat.

 

Jess Carter (02:57):

Yeah, I am really excited to chat because I don't know if you realize this, I know it's going to be shocking to you, but I'm not a cybersecurity expert. In fact, I might be a key risk to our company. I don't think I've failed anything, but I am tested often.

 

Jeffrey Foresman (03:12):

Really good sign that you are a risk.

 

Jess Carter (03:16):

They keep sending me those emails and I don't click on 'em. But in all seriousness, I am not a cybersecurity wizard, and I think people think that anyone in IT is. It is sort of this interesting box where it's like cybersecurity can seem like it's someone else's problem, it's never yours. And I think that's one of the things I wanted to ask you about. Is it a business thing? Is it an IT thing? When you're helping educate people about it, where do you start?

 

Jeffrey Foresman (03:43):

Yes, it's all of those things.

 

Jess Carter (03:45):

Okay.

 

Jeffrey Foresman (03:46):

And that's the mistake I think so many people make is they view it as an IT thing and it really needs to be viewed as a business issue. Unfortunately, organizations don't view it as a business issue until they have a security incident and they can't do business.

 

Jess Carter (04:06):

To me, it's like insurance. And you should correct me—this should be an educational podcast episode—because in my head, it's hard to show the ROI when you're not being attacked or you didn't have a breach. Right?

 

Jeffrey Foresman (04:17):

It is, and you are exactly right. It is like buying insurance. And early in my career, I really felt like I was selling insurance and I'm trying to prevent something that may never happen. In today's world, though, it does happen and it happens often. And so maybe I move from selling life insurance to car insurance now.

 

Jess Carter (04:41):

Yeah, right? Analogies are going to be a really comfortable way for us to get through this conversation for me. So just permission to use the insurance analogy and any other ones you come up with, because there's also times where your own employees are breaching and don't realize. It's not necessarily with somebody, an untrusted entity, it's sharing data in the wrong ways over email or something. And so I've worked with clients before where that theoretically may or may not have happened where I had to be like, hey, you can't send that to me this way. I do need that data, but I need it encrypted or I need it sent in a very different way than however you just send it to me, right?

 

Jeffrey Foresman (05:19):

Yeah. I love data breach statistics. The breaches that tie back to human beings is now well over half of our breaches. I find it interesting because so many people think about vulnerabilities and system misconfigurations. It’s the people. It is the people. I have a theory of why this has happened. When we started with security, it was all about firewalls and keeping people off of our network. And organizations got pretty good about protecting their network. Attackers had to find another way in, and what they have found is it's far easier to get you to click on something you shouldn't than to circumvent your firewall or exploit a vulnerability.

 

Jess Carter (06:09):

That's fascinating. Okay. So that sort of introduces this whole concept that I know is always the rage of every employee engagement survey, which is how much they love compliance training. But you're basically saying the value proposition of that is so substantial because of the statistics of where breaches are occurring. Yes?

 

Jeffrey Foresman (06:31):

Yes. Yeah, and you hit on something when you said compliance because that's what really drove the security industry for a number of years. It wasn't that businesses wanted to become better at security, they had to become better at security. There was some regulatory standard that was forcing them to do it or a business partner or a customer. And so we saw organizations building security programs to be compliant, not necessarily secure. What we're seeing now, the good organizations that really understand security, it's about human risk and business enablement and taking care of real world threats, and it's much less about complying with some standard.

 

Jess Carter (07:31):

I have been in a technology consulting firm for 11 years. Every client I've worked with, every employee has kind of different sense of all of this. So one of my questions is, I know some of the stuff that they produce, Gartner and others have these sort of standards, but is there a cybersecurity maturity model that you feel strongly about or can you riff a little bit on what if I'm a ten-person company versus 50? Or maybe it's not about the heads, it's about the data. I don't know. How would you coach somebody regardless of who they are on cybersecurity maturity?

 

Jeffrey Foresman (08:05):

Yeah, there's a number of good standards out there, and I've worked with a lot of them. I've spent most of my career working in compliance. The reality of it is, they're all very similar. So you've got NIST Cybersecurity Framework, you've got ISO 27001, and you've got PCI, you've got HIPAA, you've got all these various standards. They're all very similar. I would say probably the leader when an organization is just picking one standard is the NIST Cybersecurity Framework. And although NIST is a U.S. government organization, I've seen the NIST Cybersecurity Framework actually being used in other countries because it is a good standard security program that an organization can do a maturity assessment against, understand where their gaps are, and it's a good common way to measure companies.

 

Jess Carter (09:06):

I would imagine a lot of people are not as comfortable with cybersecurity as you. In this conversation, we're going to assume there's more people on my side of the fence than on yours. So one of my questions is going to be, if I'm a business leader, I can go ask, what are we doing with cybersecurity? I can go demonstrate curiosity and care, but if we're not doing enough, if I go look up NIST and I'm not comfortable with where we're at, is there a way to say in the market like, hey, of certain part of your COGS or your budget, you're going to spend, you need to be thinking about five percent, two percent. Are there some standards to help think through how we budget for cybersecurity, and are you using partners or does it make sense to bring in an expert like you? Like what does it look like to care about it well?

 

Jeffrey Foresman (09:51):

The one struggle I think a lot of people have when we talk about security is I don't think they understand how large it is.

 

(10:00):

‘Cause when we talk about security, we're talking everything. We're talking network, we're talking endpoints, we're talking data, we're talking applications, we're talking human beings, policies, procedures, all of this. And so it's a very wide set of controls that we're dealing with. So it's difficult many times for business leaders to think about this huge thing that we call security or cybersecurity or information security. The biggest recommendation I have when I talk to business leaders is to have discussions with their technical staff about current breaches and what's happening in the marketplace. What are the attack techniques that are being used? What are the problems that companies that have been breached or have had a ransomware attack? What caused those things and how does your organization align with those?

 

(11:02):

And so what we talked about earlier, the human aspect or what I like to call human risk management. Attackers have moved away from technical vulnerabilities into human vulnerabilities, really focusing on that. And there has been a number of large, high-profile breaches that have come through help desk, that have come to phone calls into employees. And so this idea of getting this poorly-written phishing email anymore that you just spot because it's clearly not an English-speaking person that wrote it. Those days are over with AI involved. But what we're seeing more and more is old-fashioned phone calls, someone calling, they're there to help, or they're calling a help desk to get a password reset. Perfect example, the lawsuit hit last week from Clorox, and they're suing their service provider because they provided the password to the attacker because the attacker called the help desk and asked for it.

 

Jess Carter (12:14):

Well, okay. I was kind of hoping when you think about things that I was hoping for this episode, I kind of wanted us to have a segment of spilling the tea where we talked about these things because that hurts, right? That is painful. And I had heard, so let's spill the tea a little bit because I wanted to ask you, too, about what are the most common ones right now? Because there’s new ones all the time. And so I had heard talking about human capital risk management. I'd heard of an entity that, it was wild to me how elaborate this was, but it was like, they hired a new employee. The new employee got their laptop, got their machine. They're like, hey, I know this is my home address, but can you send it to Florida? My father's sick and I need it there. So they sent the laptop to Florida, whatever, they're on their first client call.

 

(12:58):

Somebody is like, hey, something seems off here. They end up being like, I don't think this is the person that interviewed. The recruiting team had to call the person, and they were like, this is not the same person. They had gotten all the way through recruiting all the way through onboarding, and it just felt something felt a little off, and that person had access to their environments in their system for how long, and because of everything being remote and virtual, businesses have to accommodate things like that right now. So it's like, how do you accommodate that stuff but also make sure you're not letting the wrong person in? So between that and then Clorox, you're calling the help desk and you get a password. I mean, are there other new things that you want to talk about that maybe people aren't familiar with that are new approaches?

 

Jeffrey Foresman (13:45):

The most common successful attack for large breaches we're seeing coming into a help desk, they're posing as an employee. They got a new cell phone. They need their multifactor authentication reset to this new phone, and it's not the employee. It's an attacker. The other thing that I've seen that I've found really interesting is for those organizations that have implemented multi-factor authentication, they'll flood an employee's phone with authentication requests and it'll just be going crazy and the employee doesn't know what to do, and then the attacker calls the employee posing as information security or the help desk and saying, is your phone going crazy? Or we can help you. And then they get 'em to give them the code and push the button to allow them to log in. So whether it's going at a help desk or it's going at an employee, it is a very common attack. We saw it a couple years ago for the first time for a big breach with MGM at Caesars or attacks on their help desk. We're seeing it now. Really a new round of those types of attacks. Majority are coming from an attacker organization called Scattered Spider. They're all English speaking, it sounds like an employee dialing in. And many times they've done some basic research and they have some information on the employee.

 

Jess Carter (15:22):

Wow, okay. This is unbelievable. So we've now scared everyone.

 

Jeffrey Foresman (15:27):

Yes.

 

Jess Carter (15:29):

Because part of me is, so I had the privilege of working here for 11 years. I think people would know if it wasn't me, at least some people, maybe not everybody, but if you are the person getting attacked, I am someone you should not take advice from in this situation. But part of my go-to is just slow down. I'm going to stop everything because I feel like some of the movement is urgent, urgent act quickly, and I'm like, no, I'm not. If I see an email with an attachment that doesn't make sense and I don't recognize, I'm not doing anything, I'm not trying to rush and clear it out. I'm not trying to figure out. I just will sit on it for a second and wait until I have time to figure out what's going on. But do you have other advice?

 

Jeffrey Foresman (16:08):

Yeah. That is one of the biggest things is a way to recognize these attacks is a sense of urgency. The other is, particularly with these voice attacks, organizations have to put validation steps in place, validation steps that result in not going to share them publicly.

 

Jess Carter (16:30):

Yeah. Great. Love that.

 

Jeffrey Foresman (16:31):

We do to validate a caller is who they say they are because of these types of attacks. And so organizations have to develop processes. There is technology that can actually help validate these employees. For instance, those companies that are using multi-factor authentication, you can actually push an authentication to that employee's phone, which they then have to answer. They have to validate their face with their phone. And then that way a help desk can then validate who that is. That is something that we've actually just recently made some improvements here at Resultant because we are a target since we manage multiple client environments. But it's like anything else. It's about process. It's about technology, but it's also a lot about people.

 

Jess Carter (17:27):

Okay. Well, and even in your personal life, if I get an email to my Gmail account that has something in it, often I get the like, here's your invoice. And it sparks panic. Oh my gosh, should I pay for something? Where you’re excited, what did I buy? I forget, was I on my phone in bed last night and hit order? I don't remember. I think for me, part of what I try to understand, too, is like, hey, if you go back to the source. So I've also heard the stories. I had a friend who told me some story about, they called their mom and said, what are you doing? And she's like, oh, I'm at the ATM. I'm trying to take $20,000 out. I got to go into the bank. And they're like, whoa, whoa, whoa. What? And she's 70-something, 80-something. And somebody called her and said, oh my gosh, I'm a Chase Bank employee.

 

(18:12):

I accidentally transferred $20,000 to your account. I need it back, or I'm going to get fired. And so she's trying to help somebody out, and they caught her, and they literally were like, don't move. I'm driving to the bank. Don't do whatever you're about to do. And showed up, and they could kind of walk her off of it. But some of this is just about, it's so sophisticated that she's on the phone and they pull up, she gives them access to their website. It looks just like Chase. She thinks she's logged in. Did you go log into Chase?

 

Jeffrey Foresman (18:39):

That's exactly the key. And yeah, I often get asked for a personal standpoint, how do I protect myself? And that's really the key is don't trust a text message. Don't trust an email, don't trust a QR code. Go to a valid source. And so if it's a bank, you log in directly to your bank, whatever it is they emailed you, if it's real, it will be there with your bank. The other thing is you can look at where did the email actually come from, how bad some of the phishing emails are that I get it, it'll say in the display name that it's the bank or the store or whatever. But then when I actually go look at the email address, it's like, really? You couldn't have come up with a better URL?

 

Jess Carter (19:28):

Try harder. Yeah, because it's like you hover over it, right? And it'll be like all these random, and I'm like, okay.

 

Jeffrey Foresman (19:34):

Yeah. Well, as a security professional, I try to research this stuff. So I see stories about how you can use the Cyrillic alphabet and it looks just like a US letter. And then I get the phishing email with the bat, and I'm like, really? Couldn't they get a better one than this?

 

Jess Carter (19:52):

Right? This is challenge accepted now, Jeff. Is this going to be a problem for us? Well, and to your point, I mean, I sort of look at it too and think I'm just kind of fascinated by your career. The other thing that I think: with all of the best efforts out there, you're going to stop a whole bunch of balls going into the goal, but that doesn't mean… You could do all the right things, and that doesn't mean you're not going to have one employee who has one bad day with the right set of circumstances. There's a mistake. So back to the insurance and the ROI, how do you help manage some of the value perception of that? Because it's like, well, guys, it's almost this ghost value. If you think about what would've happened if none of your employees had this training. Maybe it only happened once and it could have happened 90 times, but how do you measure stuff like that? That just sounds hard.

 

Jeffrey Foresman (20:42):

Yeah. Well, they all basically have three key points to them: prevention, detection, and response. And it's about putting policies and technology and people in place for those three areas. And so you have to accept that you will not prevent all attacks.

 

(21:05):

Just won't happen. So you have to address detection, and you have to be able to detect, again, focusing on today's types of attacks, how are attackers going to attack your organization? And you need to make sure you can detect those attacks. And then the last part is, when you detect it, when it actually happens, how do you respond to it? How do you stop it? How do you minimize what they have access to? How do you get 'em off the network? How do you recover from an attack? It's a wide variety of things depending on what happened. It's what we deal with every day here. We may have something minor, we may have something significant. How do you, as quickly as possible, minimize what they're able to do, get 'em off whatever they've gotten access to and then recover. So it's a process that you go through.

 

Jess Carter (22:04):

That makes so much sense. And so that was going to be my other question is if you're a leader of a company, maybe a takeaway is if you're not wildly familiar with your cybersecurity approach as a company, just asking about those three, hey, what is our approach to some of these things, whether it's internal help desk or an MSP, just understanding what their approaches are. What do they have in place, what don't they, and are they aware of any recent issues they've had where there are gaps in their approach? Might be a helpful place to start.

 

Jeffrey Foresman (22:34):

Yeah. Well, we talked early on about maturity. The maturity, it really ties back to those three areas. The more immature organizations will address prevention and largely ignore detection and response. And then those people in the middle will put a lot of effort to prevention, a little more effort into detection, but they usually have no idea what to do if it actually happens. And then those mature organizations will be able to address all three areas. It's really about reaching a balance. Some organizations will overspend on prevention thinking, we'll stop it, it'll never happen to us. They're not prepared to detect and respond when it does happen.

 

Jess Carter (23:26):

This is amazing. You took the question right out of my mouth. I was going to ask you like, hey, if I am a company that wants to just do one thing actionable to get more preventative, but you're kind of saying, well, and you can probably still answer that question, but it's like, well, it depends on how are you putting your investments towards those three buckets, right?

 

Jeffrey Foresman (23:45):

I still think prevention is key, and it goes back to what we were talking about earlier. It's the human side of things. And most organizations have put effort into security awareness training. It's sending out phishing emails, but it really comes down to developing a culture of security. It needs to come from leadership. They need to impress upon the employees the importance of security and what happens to companies when somebody clicks that link and releases ransomware, and then all of a sudden all your computers are unavailable for the next two weeks. What would happen to your business if you didn't have computers for a week or three weeks or six weeks? And very few organizations think about it, and it's not uncommon for a hospital that gets hit with a ransomware attack. It's a terrible thing. It'll take them many times, two or three months to fully recover and get all systems back online. Or what a data breach would do to an organization. Many small companies, they're out of business.

 

Jess Carter (25:04):

I have this very simple question. I tend to pass the phishing and all these other things. What is the best practice? If you have an employee who is just not passing, they just don't get it. In my head, I've kind of been like, there's this very scary stick coming, and if somebody just can't get it together and I don't actually understand what happens, what is the best practice there?

 

Jeffrey Foresman (25:25):

Yeah. I had a client once that had absolutely the best security awareness program that I'd ever seen, and the answer to your question was if they had an employee that just regularly repeatedly failed phishing tests, they looked at moving that employee into a role in the company that didn't have or had very little access to data and systems. It was a large medical manufacturing company, and they literally shared that they had reassigned some employees to the warehouse that just could not pass security awareness training. It had reached a level where they needed to reassign an employee to a job that had less risk involved with it.

 

Jess Carter (26:19):

Yeah. I don't know. I just appreciate your posture in all of this because I think the concept, too, is in a world that is moving faster and faster where the cyber attacks are benefiting off of us needing to find another minute wherever we can, I think the sentiment is: winning is slowing down. Winning is deliberately making clicks and decisions about what you're doing that are thoughtful, and you stop before you think that doesn't make sense. Then you consider what you're going to do, and I appreciate that because even the reality check of, you're not going to stop every goal. There are things that are going to come through. So let's talk about as a maturing organization, what are the implications and how do you triage that as quickly as possible, and let's be realistic about how long it takes to come back up and when you're not fully restored for two to three months, how do you operate? And it sounds like those are things that you've lived through and experienced and coached people on. I imagine there aren't enough Jeffs in the world, and so thank goodness that you exist.

 

Jeffrey Foresman (27:21):

Yeah. I spent part of my career working with companies after they had been breached and helping them build a secure program to prevent the next breach, and so seeing the aftermath unfortunately, of a data breach or a ransomware attack, a full-blown attack like that is far worse than anybody can imagine. And it's really difficult to sit across the table and see an executive team being told that it's a week or two weeks before you can use your computers again.

 

Jess Carter (28:01):

What an unbelievable career. So I know we need to wrap up. Is there anything we haven't talked about that we super should?

 

Jeffrey Foresman (28:06):

The big thing I wanted to talk about was the human risk and the difficulty that organizations are facing there. The only other thing I think I would really highlight is offensive security testing or penetration testing is very valuable to organizations because emulating what an attacker is going to do, and it's something that needs to happen regularly. There are threat actors out there that just have automation in place, searching the networks for certain vulnerabilities, and they will find those vulnerabilities, and penetration testing is very effective in helping organizations understand their exposure.

 

Jess Carter (28:52):

Okay. That'll be a homework assignment for everyone, is to go ask about operationalizing penetration testing. We got it.

 

Jeffrey Foresman (28:59):

Yes.

 

Jess Carter (29:00):

Awesome. Jeff, thanks so much for joining me today. This is really, really interesting. Thank you.

 

Jeffrey Foresman (29:05):

Yeah, no, it was great to be here.

 

Jess Carter (29:07):

If people want to learn more, where do they learn? How do they keep up with you? Are you on LinkedIn?

 

Jeffrey Foresman (29:12):

I'm on LinkedIn, yes.

 

Jess Carter (29:13):

Okay. We will put a link to your LinkedIn in our show notes for this episode. Okay?

 

Jeffrey Foresman (29:17):

Great.

 

Jess Carter (29:18):

Awesome. Thanks again, Jeff.

 

Jeffrey Foresman (29:19):

Thank you.

 

Jess Carter (29:21):

Thank you guys for listening. I'm your host, Jess Carter. Please don't forget to follow Data-Driven Leadership wherever you get your podcast and rate and review, letting us know how these data topics are transforming your business. We can't wait for you to join us on the next episode.