ITSPmagazine Podcasts

Small Teams, Big Threats: Navigating Cybersecurity on a Budget | A Conversation with Lisa Plaggemier | The Soulful CXO Podcast with Dr. Rebecca Wynn

Episode Summary

In this episode, we celebrate Cybersecurity Awareness Month with an engaging discussion on why we continue to fall for phishing scams. Our guest delves into the psychology behind cybersecurity and shares actionable tips to improve our habits. Don’t miss this insightful episode!

Episode Notes

Guest: Lisa Plaggemier, Executive Director, National Cybersecurity Alliance

On LinkedIn | https://www.linkedin.com/in/lisaplaggemier

On Twitter | https://twitter.com/lisaplaggemier

Host: Dr. Rebecca Wynn

On ITSPmagazine 👉 https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/rebecca-wynn

________________________________

This Episode’s Sponsors

Are you interested in sponsoring an ITSPmagazine Channel?
👉 https://www.itspmagazine.com/sponsor-the-itspmagazine-podcast-network

________________________________

Episode Description

In this episode of the Soulful CXO, host Dr. Rebecca Wynn welcomes Lisa Plaggemier, Executive Director of the National Cybersecurity Alliance and an advisor on the U.S. Secret Service Cyber Investigations Advisory Board. Lisa shares free resources and support for businesses and individuals from the National Cybersecurity Alliance, which empowers individuals and organizations to harness the benefits of technology worry-free.

________________________________

Resources

National Cybersecurity Alliance Free Events and Programs: https://staysafeonline.org/events-programs/

CyberSecure My Business Program: https://staysafeonline.org/programs/cybersecure-my-business/

Cybersecurity Awareness Month Resources: https://staysafeonline.org/programs/cybersecurity-awareness-month/

Data Privacy Week Resources: https://staysafeonline.org/programs/data-privacy-week/
________________________________

Support:

Buy Me a Coffee: https://www.buymeacoffee.com/soulfulcxo

________________________________

For more podcast stories from The Soulful CXO Podcast With Rebecca Wynn: https://www.itspmagazine.com/the-soulful-cxo-podcast

ITSPMagazine YouTube Channel:

📺 https://www.youtube.com/@itspmagazine

Be sure to share and subscribe!

Episode Transcription

Small Teams, Big Threats: Navigating Cybersecurity on a Budget | A Conversation with Lisa Plaggemier | The Soulful CXO Podcast with Dr. Rebecca Wynn

Dr. Rebecca Wynn: [00:00:00] Welcome to the Soulful CXO. I'm your host, Dr. Rebecca Wynn. Please take a moment. Remember to like, subscribe, and share the show. We are pleased to have with us today Lisa Plaggemier. Lisa is the Executive Director of the National Cybersecurity Alliance and an advisor on the U.S. Secret Service Cyber Investigations Advisory Board.

She's dedicated to empowering individuals and organizations to navigate the digital landscape safely and ensuring everyone can harness the benefits of technology worry-free. Her prior roles include executive positions at Ford Motor Company, CDK Global, InfoSec, and MediaPro. Lisa's a recognized authority in cybersecurity and a frequent speaker at major industry events, including RSA, Gartner, and SANS.

Lisa, it's so great seeing you again. Welcome to the show.

Lisa Plaggemier: Thank you. Thanks for having me.

Dr. Rebecca Wynn: For those out there who are not familiar with the National Cybersecurity Alliance, can you [00:01:00] explain a little bit of what that is, the initiatives they have, and how you do work with small companies as well as these big companies on their initiatives for cybersecurity and protecting yourself as an individual?

Lisa Plaggemier: Yeah, so we are the founders of Cybersecurity Awareness Month. We've been doing that. This is the 21st Cybersecurity Awareness Month. Um, and we've had a cooperative agreement with what was then DHS at the time, 21 years ago, what's now CISA. We've had a cooperative agreement with them for 21 years, mainly to execute on consumer awareness campaigns and industry campaigns for cybersecurity.

For Cybersecurity Awareness Month, but, um, aside from that, which most of us know about, and most of you, if you're a security professional watching this, you're pretty tired of security by the end of October. Well, you can blame us every October, but just keep in mind that people like your kids and people like your mom probably still need to hear all this stuff.

Um, so we do consumer campaigns all year round. We've done one in the summer. That's the Cybersecurity Survival Guide. [00:02:00] It's kind of got like this National Park look and feel, and it kind of talks about what to do if, you know, you clicked on the phishing email or you've got a malware infection.

Like, what's that? What are those survival tips? Um, we're doing a campaign on all the different things that can go wrong in the process of selling and purchasing a home. From how busy you are getting your house prepped to sell, and, like, how susceptible you might be to, like, a phishing email or something during that time, because you're just really distracted and incredibly busy trying to purge all of the stuff you've accumulated and get your house, like, painted and get out of there.

All the way through to, you know, things that we think about more frequently, which is the, um, fraud that can happen, you know, during the transaction itself, that money gets wired someplace it wasn't supposed to go. So, um, there's just a lot of places in that transaction where there are weak points.

So we've got consumer tips about that. We talk about safe holiday shopping at the holidays. We [00:03:00] talk about, uh, usually romance scams and safe use of dating apps, um, around Valentine's Day. Um, pick any kind of topic, whether you're giving your kids their first phone, or you don't know how to use the parental, uh, control apps on devices and apps.

Um, any topic you can think of that has to do with your average human interacting with technology. And really, a lot of it is the same sort of four core behaviors that we preach, uh, phishing and all kinds of social engineering, using MFA, having better password habits, which probably means using a password manager, and then just keeping everything up to date and patched.

Um, it's not so much about the advice being different for different demographics. It's about, uh, customizing the message for people from different walks of life and different age groups, employed, not employed, students, retirees, whatever it is. It's how you package that [00:04:00] advice, um, that makes it engaging for them.

Um, and then we have some industry events that we run as well that are for executives and a lot of CISOs. We have an event at NASDAQ MarketSite every year for Cybersecurity Awareness Month. And we have a launch at RSA every year. Um, things like that, but our main focus is, um, educating the people who need it most, like my mom and my kids.

That's two examples, 20-somethings and 80-somethings. I feel like I spend a lot of my time keeping them out of trouble. A lot of us do.

Dr. Rebecca Wynn: And those resources are free. I'll make sure that we put that in the description for everybody.

Lisa Plaggemier: Right, and we have campaign kits. So if you don't have a dedicated training awareness manager, or you do but you only have one and you have a lot that person is trying to accomplish, or what have you, or you don't have resources to do graphics and write copy, we have campaign kits.

You can download the whole kit. You can customize it, do whatever. There's no trademark or copyright on anything. You can do whatever you want with all of it to make it fit your organization and [00:05:00] push it out to your employees. So it just makes it a lot easier to run awareness campaigns. Um, I should also mention we have a program to get more HBCU students into cybersecurity careers.

We have a small business education program that aims to teach business owners, um, how to manage cybersecurity as a part of their business. As opposed to, like, we don't try to teach them to be technical. We teach them how to know what questions to ask their person, or how to manage that function, because they know what to say to their lawyer.

They know how to talk to their accountant. They have no idea how to talk to their person. So, um, so that class is going on. And, yeah, a couple other things in the works, a couple other programs.

Dr. Rebecca Wynn: So the key point there is budgets are always tight. Here's a free resource by people who are experts in the area to help you.

And then if you don't see something that really pertains to you, you know, write them, um, so they can go ahead and see how they can help you. Or maybe that's something that other people [00:06:00] actually need as well too. And then they can help get it developed.

Lisa Plaggemier: We look for input all the time. If there's something that you feel like would be really useful, like this year, to the Cybersecurity Awareness Month Toolkit we're going to add short how-to videos.

Like, really simple things that people like my mom struggle with. How to enable MFA on Facebook, for example. Things like that. We're going to, uh, start including more video content in those toolkits.

Dr. Rebecca Wynn: Why do you think, after all these years, we're still going ahead and falling for similar types of phishing things constantly? Obviously we have voice and vishing (voice phishing), and we have AI coming into the picture, which makes it more challenging.

Why is it just because humans are humans that we keep struggling with it? Why do you think we keep struggling with it? 

Lisa Plaggemier: Yeah, I think technology isn't designed to be secure. I mean, I'm a big fan of the Secure by Design initiative that CISA is pushing. When you think about things like the safety culture in the airline business, right?

Like, how that evolved over time. Um, there's a guy named [00:07:00] John Ellie that gives a really good presentation. It's probably recorded out there on the Internet somewhere, about the, um, evolution of the culture of safety in airlines, and you can really see, like, how we're probably on a parallel path. Or Bob Lord has given,

Francis has given a presentation on the auto industry and safety. I've done the same thing from a little bit of a different angle, because I'm a kid from Detroit. Um, but the parallels between, like, the evolution of automotive safety and software safety. And I think we're still at the advent of figuring out, like, how to design things that are a little more foolproof than the way they're designed today.

The other thing I'd say is that for those 21 years of Cybersecurity Awareness Month, um, it's only been the last couple of years that we've decided that the message should be consistent every year, that we should focus on those four core behaviors. So when I first joined the National Cybersecurity Alliance, I remember seeing a document.

It came [00:08:00] from the technical folks at CISA that said, like, here's the things we should be focusing on for October. And it was literally like 20 pages. And, um, any good marketer will tell you, or behavioral scientist, people can't remember all that; they won't engage with it.

It's just overload. But I think we sometimes have a hard time prioritizing in security because we're thinking about all of it all the time. Um, but most people aren't, you know. Uh, most people just need to know the basics. And if you think about the three or four things that would do the most good if everybody did them, it's those four things.

And so, um, I'm a proponent for staying really focused with the end consumer and everybody singing off the same song sheet and not changing that message until we see that it's made a difference. Um, because until we've made headway and more people have adopted those [00:09:00] behaviors, we absolutely shouldn't be changing the message and changing the focus.

Unless we decide there's something else that's more important than MFA that people can be doing that boots it off the list, then fine. But I don't think we're there yet. So, um, it's really a matter of just good marketing practices, consistency, repetition, you know, uh, customized content, depending on the demographic that you're talking to.

It's all those basics, but there's been for a long time this communication chasm, I call it, between, like, what's happening in the world of cybersecurity and your average consumer. So, I think we're getting better at bridging that gap. Um, we just have to stay the course.

Dr. Rebecca Wynn: I partner quite a bit with risk management if they have a risk management group.

When we talked right there about where you're paying cyber criminals or things like that. A lot of people, when they bring me in as an advisor, I immediately look at their [00:10:00] contracts. I look at their cyber liability insurance if they have that, their private equity, for example, if they are funded, and what those requirements are.

So before you get to writing a policy, you need to make sure you understand what the requirements of the upstream are, because, one, you can find yourself in legal hot water very quickly for that. Or you might find out that they had requirements to report and you didn't think about it because you're downstream from them, and that causes chaos. Is that what you see, where they don't think holistically?

Lisa Plaggemier: Nobody asked security to review that contract before it got signed. Yeah. Yeah. Uh, I remember being with this CISO once when he got a phone call to review, I think it was a sale of a subsidiary, and they gave him less than 24 hours to review the deal, um, because nobody thought to talk to security before they divested themselves of that part of the company. Yeah. I mean, that's [00:11:00] unfortunate. Uh, a lot of that is relationships too. Making sure that you have allies around the organization and people know who you are and what you do and what business value you bring, that you're not the department of "no", that you want to work with them, that you're there to protect the organization from, you know, unintended things happening.

And, um, uh, I think the business security officer model, the more organizations I talk to that have that model, I've worked in a company with that model. Like, I think that really helps a lot. To be more embedded with the business and keep track of things like that, like contracts.

Dr. Rebecca Wynn: I'm always one of those hybrids because I have a big legal background.

And one of the examples I had: as I came in after a merger and acquisition, I always tell people, let me review it before you do it, um, because things weren't adding up, and I started looking at it and I found really their chief information security officer, all of the people that he had hired to do assessments of the company.

He actually [00:12:00] spun up LLCs underneath his own name. He was signing himself off on every single thing.

Lisa Plaggemier: I think you have to have a decent insider threat program. That means that, um, somebody's watching the watchers, because I've seen things kind of go sideways as well. It's just important to have transparency, as much transparency as you can possibly have, and that, um,

Yeah, somebody's got to watch the watchers.


Dr. Rebecca Wynn: I want to thank everybody for joining us. Please go ahead, if you haven't already, and LIKE, SUBSCRIBE, and SHARE the show. We mentioned several resources that we will get into the description, as well as Lisa's information.

Lisa, thank you so much for sharing your wisdom. I've learned a lot from you, and you're an inspiration to many of us out there, so keep up the great work.

Lisa Plaggemier: Thank you. Thank you. It was a pleasure.