With multiple data points that exist in organizations, how do you know what you need to protect? What constitutes reputational damage or breach for you as a company? CRITICALSTART’s SVP of Managed Security, Jordan Mauriello, and former Homeland Security advisor Michael Balboni share insights on securing data and how to protect your most valuable assets.
JM: Hey guys, Jordan Mauriello with CRITICALSTART here, Senior Vice President of Managed Services. Today I have with me Michael Balboni, President of Redland Strategies, former Senator, Assemblyman, advisor to Homeland Security. Honored to have him here with us today. We’ve been doing some awesome discussions about things that we’re doing at CRITICALSTART and working with Redland Strategies.
JM: Today we wanted to take an opportunity just to talk to Michael about some general cybersecurity issues. He’s a major influencer in our community. I know many of you already know who he is and has had a major impact even on some of the legislature that we’ve seen around our industry too as well. We want to take the time to get some thoughts from him on some of the direction the industry’s going impact that some of the changes we see in cyber in general are having on national defense, the role of Senate and Congress, and where that’s going from a legislature perspective.
JM: We’re going to open up and have a nice, fun conversation here about some of these issues. Thank you so much for being with us, Michael.
Thanks for having me Jordan, and thanks for your service to the country in the military.
JM: Thank you very much, sir. I appreciate your support.
JM: You know, we haven’t even necessarily decided what to protect. One of the things that I see even as a consultant in doing CISO work for organizations is going in. The first question we’re always asking is “What are the crown jewels? What do you need to protect? What’s important to your business? What constitutes reputational damage or breach for you as a company?” You start with that question and I think often from a national defense perspective that we’re not properly gathering the data on what that answer is. I don’t think we necessarily know exactly what things are the most important to us. We look at the defense systems themselves and we look at DOD and we say, “Okay, well here are our military assets. Let’s protect those vehemently.”
JM: What about the supporting infrastructure? Are we doing enough to protect SCADA systems and critical infrastructure here in it? I think to answer to that, like you said, is it’s woefully uninvested or under-invested and we’ve seen that generally too out in the field as we go out there. We’re very often surprised as we walk into organizations who we would expect to be at a very high standard to see that the decisions around risks that are being made in those organizations are definitely not what we would expect.
MB: In the board rooms, typically board members don’t have an appreciation of the exposure that cyber provides them. They may have a pretty good understanding of what their regulatory requirements are, but they’re not in the weeds as to what steps are being done every day to make sure that their network is safe and operational. A lot of times, they believe that the mission of the corporation, the mission of the board, and that’s what you drive to, and cybersecurity is kind of a one-off. “Yeah, okay. We got to check that box,” but in checking that box, you don’t ask the deeper probing questions and that’s because it’s frankly just too complex.