Our Guest Mentor:
Kip Boyle is founder and CEO of Cyber Risk Opportunities, whose mission is to enable executives to become more proficient cyber risk managers. His customers have included the U.S. Federal Reserve Bank, Boeing, Visa, Intuit, Mitsubishi, DuPont, and many others. A cybersecurity expert since 1992, he was previously the director of wide area network security for the Air Force’s F-22 Raptor program and a senior consultant for Stanford Research Institute (SRI). Kip is a regular contributor to the CEOWORLD Magazine, author of “Fire Doesn’t Innovate: The Executive’s Practical Guide to Thriving in the Face of Evolving Cyber Risks” as well as a host of the Cyber Risk Management Podcast.
Kip is based out of Washington state, USA.
Key Quotes from the Episode:
[On cyber risk] “Now, I think from a responsibility perspective, it’s not about getting permissions correct. Although that’s certainly part of the landscape, but what I would encourage finance leaders to do is to realize something very important and then act on it, which is cyber is a material risk.” [09:50]
[On business value of cyber security] “And now you’ve got to treat those risks, right? And I know finance leaders are taught about risk and risk treatment. So this is just something else you’re going to put into your field of view as you treat it. Now that’s one thing, right? It’s that cyber is a material risk that must be treated appropriately, but there’s a second responsibility that I really want to point out, which is you have to make sure that the cybersecurity budget is creating as much business value as possible.” [10:45]
Key Points from the Episode:
- Why cyber risk should now be treated as a material risk to the going concern of an organization.
- The important role Finance leaders can play in cyber risk management as well as the potential pitfalls to be aware of.
- Emerging trends in cyber risk management.
- And we go through a 4-dimensional model to help frame and prioritize resource allocation decisions involving cyber risk management.
Stamped Show Notes
[04:00] Kip gives a quick introduction to his career and how he backed into cyber risk management from his role as a Lieutenant in the US Air Force.
[09:16] Kip discusses the main responsibilities and potential pitfalls for finance leaders in cyber risk management.
[16:56] Kip shares the story about how a CFO played a key role in developing his cybersecurity Business Value Model to aid competing resource allocation decisions involving cyber security and other value/cost drivers in the business.
[21:17] Kip talks about emerging trends in cyber risk management.
[28:37] Kip mentions the best advice he has ever received.
[30:14] Resources that Kip recommends.
[35:29] Kip answers where we can connect with him.
[36:19] Kip gives his parting thoughts for the audience.
Fire Doesn’t Innovate: The Executive’s Practical Guide to Thriving in the Face of Evolving Cyber Risks Kindle Edition by Kip Boyle (Author)
Connect with today’s guest:
Free resources: https://cr-map.com/andrew/
[00:00:30] Andrew: Hi everyone. And welcome to this week’s Strength in the Numbers show. And today we’ve a really interesting topic for finance professionals and finance leaders out there. And that’s around what we really need to be.
[00:00:42] About cybersecurity and cyber risk management. So we’re very fortunate to have Kip Boyle with us today,
[00:00:49] whom I’ve gotten to know a bit over the last few weeks. Kip has not only gained this expertise since the very early days of the internet, but since then he’s authored a book. He hosts his own podcast. So it’s fantastic to have him with us because it allows us the benefit of his experience, particularly over this podcast medium, to break down how we could be looking at cyber security and cyber risk management through the lens of finance.
[00:01:18] The first topic we delve into is why nowadays cyber really needs to be treated as a material risk that potentially impacts the going concern or viability of a lot of our organizations that we work in and serve.
[00:01:32] We then jump a bit further into the important role finance leaders, professionals, accountants can play in cyber risk management, as well as some of the potential pitfalls to be aware of. And actually one story on how some members of the finance team actually lost their jobs, even though they didn’t commit the fraud.
[00:01:52] We then go through the story, actually, how Kip got into cyber risk management, which I suppose 20, 30 years ago, might’ve been an odd career choice. So I think that’s a really interesting story. How Kip has developed his understanding in the meantime, but also how cyber risk management’s evolved. We go into the emerging trends and also because
[00:02:15] Kip’s had all this experience, he recounts a fascinating story with a CFO named Steve whom he worked with when he was the chief information security officer.
[00:02:25] And it helped him.
[00:02:27] It’s Dr. Formalize a four dimensional model that helped Kip and also the CFO and fellow finance leaders. Help them frame and prioritize resource allocations involving cyber risk management, so that CFOs and finance leaders could justify why they were spending money out on new activities in this space of cyber versus traditional sales ops. And.
[00:02:52] So look, hope you find this episode insightful. I certainly learn so much every time I have a conversation with Kip. So again, really appreciate having him on the show. If you want to find out more about Kips from the key quotes, timestamps, the links to some nice freebies during our conversations show notes and transcripts you can find that in firstname.lastname@example.org.
[00:03:16] So look that’s enough from me for now. So without further ado, over to Kip and the show,
[00:03:20] So Kip, welcome to the show.
[00:03:28] Kip: Thanks, Andrew. I really appreciate that you’ve invited me to be here and to spend a little bit of time with you and your audience.
[00:03:33] Andrew: We should be the ones appreciate that we’re with you here, Kip, because I’ve loved our conversation so far. So I’m really excited to share you with our audience. You’ve fascinating insights to share on the very important area that I think as finance professionals, leaders, CFOs, we need to understand a bit better.
[00:03:49] Because I feel it’s probably perhaps underappreciated from a business perspective. But before we get into that, would you mind maybe sharing with us how you got into your present career choice?
[00:03:58] Kip: Oh, happy to do it. Yeah. Just so everybody knows, I work in the field of cyber risk management and I’ve been doing that for a long time. And the way I got involved in this is, I was a Lieutenant in the US Air Force. And I was assigned to a unit on the Gulf Coast of Florida.
[00:04:15] And what we did there was we fired air-to-air missiles. And instead of having a warhead, they would actually have a telemetry package so that we could have a radio on the missile actually transmitting what the missile was doing as it was trying to track the target and then actually intercept the target.
[00:04:31] The whole point here was to fire the missile in a way where we would expect it to fail. And then we would learn more about its capabilities. And then we could use that information to make the missile better, ultimately.
[00:04:42] My job in the midst of all that was to make sure that the computer systems were running because we would get that telemetry stream. We digitize it and we put it into the computers. We’d have scientists evaluate it and so forth. As you can imagine that was all highly classified work. And so in order for me to do my job, I needed to learn how to protect that data, to protect those systems. And so I backed into it. And what’s funny about it when I reflect on this and think about it is, for some reason I had an affinity for the data protection part of our mission, which everybody else thought was nothing more than a giant pain in the ass and nobody wanted to do it. And so there are all these additional duties. And once they found out that I kinda liked it, they all brought me all these additional duties and I backed into this. I was the expert at all these stuff. And I don’t know, but I just really enjoyed it.
[00:05:29] And that was back in 1992. And so here I am, I’m still doing the same work. But of course, everything changes, Andrew. So the job isn’t what it was, and I love that. I love the fact that there’s so much change because there’s always new problems to solve.
[00:05:47] There are principles though, right? That are enduring. And I think that’s really a key part of my work, is knowing what the principles are and then bringing them to a new problem because that’s what really helps me get by.
[00:05:59] Andrew: Yeah, that’s a great way of summarizing it, Kip. Because the principles probably stayed the same, but you must have seen so many things change from a technological perspective.
[00:06:07] Kip: Oh, yes.
[00:06:08] Andrew: Back in the early nineties, I think from one of our previous conversations you were saying that it wasn’t even being used in any commercial way.
[00:06:14] Kip: Right. Yeah. The internet was nothing more than research network and there were defense contractors, military bases, universities and that sort of thing. In fact, the terms of service on the internet back then were such that you couldn’t sell anything, like nothing at all. Even if you had like a bicycle that you no longer wanted, you couldn’t actually say, “For sale: my bicycle” as if you could on a bulletin board. In the dormitory, if you were going to school or something, you couldn’t even sell so much as a personal item. And now look where we are, right? It’s fascinating to watch the evolution of the internet and how it has enabled so much. But has also, of course, everybody knows, has also opened the door to crime on a global scale that we’ve never seen before.
[00:06:57] Andrew: That’s it. Crime has probably for a lot of businesses has moved from something that was quite local to global. And people have already thought the international, the cloud is this sort of place, but it actually, one thing I loved again about getting to know you and your work was actually, the cloud isn’t just a place, but it’s a business model.
[00:07:14] And just like cyber risk management, this the cyber verse we’re in. It is a place where perhaps we can make some commercial gain from, but when you’re there as an opportunity to make some commercial gain as a business, there’s also the risk involved with that too, that we could perhaps make a loss from all these new places that we never had to worry about.
[00:07:31] Kip: The cloud is new and different, but at the end of the day, there’s something that’s enduring here, which I think would help people understand, which is the cloud is just somebody else’s computer. All right. At the end of the day, it’s just somebody else’s computer. And that means that you’re entrusting somebody with your digital assets.
[00:07:50] And so you’ve got to think that through. What will they do to protect my digital assets? What will they not do, and therefore are counting upon me to do, because they can’t do everything. They’re going to do a lot, which is super helpful. Like most of us don’t want to run the kind of data centers that Google and Apple and Amazon run, right? Because they’re incredibly expensive affairs. They’re enormous. We don’t want that. We don’t want to have to purchase hand geometry readers and iris scanners and all that stuff. So the cloud takes that off our plate, which is wonderful. But what cloud doesn’t take off our plate is that we’ve got to still do permission management. For example, we still need to put the right permissions on our files, but with cloud, we no longer have a small team of highly trained IT administrators who deeply understand that permission model and set it correctly. We now have everybody in the organization is now playing the role of permission manager, but none of them have been trained how to do this.
[00:08:47] Andrew: Yeah. So actually talk of that training accountants, finance professionals, we go to an awful lot of training accreditation. The cyber risk management was not an area we covered.
[00:08:55] Kip: That’s true for our marketing people and data scientists.
[00:08:59] Andrew: Extrapolated across the organization. So Kip, bit of a crash course for us.
[00:09:03] As it pertains to the finance leaders listening in today in our audience, what are their sort of main responsibilities in your mind, in this place? And how could they perhaps look at digesting this in an easy manner?
[00:09:14] Kip: Yeah. Cyber risk may in the beginning seem abstract and difficult, right? And it is both of those things, but it’s not too abstract and it’s not too difficult for a finance leader because finance leaders deal with abstract things all the time.
[00:09:28] Andrew: That’s why I was thinking. Yeah.
[00:09:29] Kip: So this is just a different type of abstract. And so if you can handle preparing quarterly statements and that sort of business, and if you can look at a complicated spreadsheet and then tell a story for a business leader about what this spreadsheets really saying, if you can do that, then I would say that you have the skills to actually approach cyber risk.
[00:09:48] Now, I think from a responsibility perspective, it’s not about getting permissions correct. Although that’s certainly part of the landscape, but what I would encourage finance leaders to do is to realize something very important and then act on it, which is cyber is a material risk.
[00:10:03] It hasn’t always been a material risk. All right. And I think that the folks who are in finance leadership jobs today, 20 years ago, 25 years ago, whenever they started their career, cyber was not a material risk. And so they didn’t get sensitized to this, but it’s become a material risk. It’s actually an existential risk. And so if you don’t manage risks to your sales pipeline, your order fulfillment capability, and your accounts receivable, right? So if you mess up in any one of those areas, if you can’t sell, ship orders, or collect money due, you’re going out of business, right? And now you have to put cyber on the same tier of importance as risks in those other areas.
[00:10:43] And now you’ve got to treat those risks, right? And I know finance leaders are taught about risk and risk treatment. So this is just something else you’re going to put into your field of view as you treat it. Now that’s one thing, right? It’s that cyber is a material risk that must be treated appropriately, but there’s a second responsibility that I really want to point out, which is you have to make sure that the cybersecurity budget is creating as much business value as possible.
[00:11:09] Andrew: Exactly because that’s probably what comes. Okay. So this is the risk. How much is it going to cost me to go solve it? Maybe cost is the wrong way of looking at it. It’s got to drive value.
[00:11:16] Kip: It’s spend, you can look at it as a cost of doing business, or you can look at it as an investment, right? There’s different ways you can frame the spend. I leave that up to you to decide how you want to frame it. However you frame it, you need to realize that it’s not negotiable for the most part.
[00:11:30] Would you negotiate away a material risk of any other kind? You wouldn’t, right? You wouldn’t just accept a material risk as being, well that’s just the way the world works and I’m not going to spend any money on it. You wouldn’t do that. So this is the same thing here. But you’ve got to make sure that there’s great business value.
[00:11:45] Andrew: Yeah. I got to come in there, Kip, because we’re putting the business that one side for it. It just reminds me come back into my head. The first story you’re telling your book is about the fake president’s email. And I’m thinking well, even from a career perspective, it can be fairly limiting on a CFO in that story. Actually, you tell the story actually on that one, said it was so much better than me.
[00:12:05] Kip: So really simply put, there was a fake email that came into an accounts payable department at a maker of spare parts for Airbus and Boeing. And it was purported to have been sent by the president of the company. And it asked the accounts, I think it was an accounts payable person to transfer some money. Now, this email was terse. It was vague. It came in at a weird time of the day, and it was designed very purposefully to manipulate the emotions of the person who received it. And they felt like they were serving the president well, by responding to this email to move this money.
[00:12:40] But at the end of the day, what it turned out was it was a multimillion fraud and the money disappeared. They recovered a little bit of it, but the majority of it was stolen. Now that caused the entire financial outcome of the firm for the year to go from a net profit to a net loss.
[00:12:56] The entire organization went into a net loss for the year because of one carefully crafted email, right? One malicious little email did that. And so the business consequence of that was that the board of directors lost confidence in the president and released him. And then they went and released the CFO and then they went and released the accounts payable person.
[00:13:17] Now you can argue whether that was fair or not, but it happens. The trajectory of that company was changed forever. And the careers of those people were never the same.
[00:13:27] Andrew: I think with a lot of these, there’s a financial implication, a financial outcome, and I think that’s why it’s very hard to divorce the CFO or the finance team, even someone on accounts payable from it.
[00:13:36] Kip: And think about it. A typical finance leader would probably say something well, that wasn’t fair because it was a phish and the IT people should have stopped it. And no, thanks for playing our game. You’re wrong because you can’t depend on the IT people to stop all phishing attacks and phishing attacks come by the millions.
[00:13:54] And they’re very carefully crafted. These are not really technological attacks at all. These are cons. These are emotional manipulations. This is what you call social engineering. And so the right mitigation for that quite frankly, is better process. It has nothing to do with technology really.
[00:14:09] Andrew: Yep. Thanks for breaking that down because I can imagine that was going through some people’s heads. That’s not fair.
[00:14:13] Kip: Yeah. Yeah, I’m sure. But really at the end of the day, it just so happens that it was an email that delivered an emotional bomb that went off in somebody’s inner monologue and they were spurred to action and they should have instead had a procedure that prevented them from moving that money.
[00:14:30] There should have been a procedure that said if money transfer request comes by email, no matter what, you must receive a second authorization because we know that email’s so dangerous.
[00:14:40] Andrew: Yeah, exactly. And I get on thinking that second authorization. Something like that’s definitely been with me even in my more junior roles as well, like that control has been there and that’s not an IT control, that isn’t a finance control. that’s just good control.
[00:14:53] Kip: Right, that’s just good control. Exactly. And that’s why my allegation here is that you don’t need to be a technological wizard to understand cyber risk and to treat it.
[00:15:03] Andrew: That’s a great example because it shows, okay. I know it was a bad outcome for finance company, but it actually shows the rest of us the way that we can make a big difference here in finance, as finance leaders, controllers, and so on, Kip. We can really make a difference. That’s why I think it’s important we talk a bit more about cyber risk management, and I know I came in there when you were describing material risk and how we’d go about it.
[00:15:23] Yeah, sorry. I know I interrupted. I love that story so much. I really wanted to share it. Sorry.
[00:15:27] Kip: So it’s in my book, as you said. And I hope people listen to the end of the episode because I have an offer for you, so you can read that story for yourself, okay?
[00:15:34] Andrew: We love free things in finance and accounting, Kip.
[00:15:37] Kip: Yeah, so here comes the free thing, but just hang on because we’re still in the middle of this conversation, right? So the second big responsibility for finance leaders with respect to cyber risk is again, this business value, right? You’ve got to make sure that every dollar spent is going to create as much business value as possible. Now the typical approach to doing a business value calculation would be like a return on investment or a business case. And your listeners might even have a template business case spreadsheet that they give to people who come along with great ideas. If you give me $25,000, I can make us a better website. And, or I can go generate more sales leads, or I can do better scheduling of the operations team so we can decrease cost. So everybody’s got all these great ideas. The problem with cyber risk and cybersecurity is that its business value is greater. Its potential is greater than just money back. It is possible to get money back from a spend on cybersecurity but there’s so much more to it. And I do talk about that in my book, of course. And it’s a business value model and maybe I should just step through it lightly.
[00:16:41] Andrew: Yeah. If you could. I like the way broke it down, but actually there was a good story behind you actually arrived at that model as well. Isn’t it? Because that was again from an interaction with finance, I believe.
[00:16:50] Kip: Yeah, that’s right. So before I explain the model, let me tell you how it came around.
[00:16:53] Andrew: There’s a story behind the model.
[00:16:54] Kip: Yeah, There’s always a story. So I became a chief information security officer in 2003 and I was working for an insurance company. The first couple of years I was there, I’d been submitting, requests, budget requests and so forth.
[00:17:05] And so then after a couple of years goes by, my boss calls me and I was working for the chief information officer and he said Steve, the CFO has just talked to me and he’s asking me all these questions about your budgets. And I said, okay, what does he want to know? And he goes, I actually, I think you should just go talk to him, which I thought was strange. It’s wait, you want me to go talk to your peer? Why don’t you tell him I got things to do. Like I don’t get this. So it was just a little confused. So I went to go talk to Steve, the CFO and he was great. I didn’t know what to expect, but he was fantastic.
[00:17:33] And really what he said to me was, I’ve been seeing your budget requests come through and I just don’t know how to think about them. And I said say more and he said you want $25,000. He picked one up, right? So you want $25,000 for this, gizmo, this cybersecurity thing that’s going to help us do something with phishing.
[00:17:49] And I said, yes, that’s right. And he goes well, but over here, I’ve got another business case for 20 and they want to redo our website. And I’ve got one here where they want to generate more sales leads. And I’ve got one here for a new scheduling system, for the customer service department.
[00:18:03] He goes, I understand those other ones, but I don’t know how to understand yours. I got $25,000 to spend, what do I spend it on, right. Now, he was actually doing me a big favor because I think he could have easily have said Kip’s proposal is gobbledygook. I don’t understand it. And I don’t have any time for this. I’m just going to spend it on something I understand. And that the CEO will understand, because remember the CFO has to tell the CEO Hey, we’re going to approve this $25,000, 25,000 euros, whatever to increase sales leads.
[00:18:31] And we know, because this is our conversion rate that should show up as this much top line revenue increase. So it’s very straightforward, but if he’s going to approve mine, how does he explain that? How does he tell them the CEO that was a good spend? So that’s what this was all about. It’s Kip, help me know how to tell people about this.
[00:18:47] And so I said, Ah, this is great, wonderful let’s work together. And so it took months of back and forth and back and forth and back and forth. And me trying something cause I was talking ones and zeros at that point in my career, I didn’t know it. I thought I was actually doing pretty good.
[00:19:00] Not talking to ones and zeroes. This was formative, right? This was formative for my work that I do today. If I hadn’t gone through this with Steve, the CFO, I don’t think I would be nearly as able to help people as I do today.
[00:19:17] Andrew: Yeah. I’m glad you elaborated on the story because again, I think even some of our audience could relate to sometimes when we’re talking to operations or sales, we could be talking in ones and zeros, is just pounds, Pence, dollars Euro. And, Let’s just trying to meet each somewhere in the middle so we can get some common language so that we can explain.
[00:19:33] I think if you can explain what someone’s doing to someone else, you’re doing well. And I think that’s what I love about your business.
[00:19:38] Kip: Yeah. So this is about explaining, why are we doing this? And what’s in it for you, because really what we’re talking about here is a complicated sale, right? It can’t just be Kip saying, give me 25 grand. It’s gotta be. And because when every one of those other proposals is denied because Kip got the 25 grand, they all want to know why.
[00:19:55] Andrew: Exactly.
[00:19:56] Kip: Wait a minute. You’re telling me that you’re not going to let me generate more sales leads, redo the website, better schedule my folks. What could possibly be more important than that? That’s the question. The CFO’s got to answer that question. So that’s how I came to create my business value model.
[00:20:10] Now it’s in my book and so I’m not going to unpack it fully, but I’m going to tell you what the four dimensions are. So there’s increased reliability of operations. That’s one way that cybersecurity spend can come back as a bonus or as a positive for the business. Reduced legal risks,
[00:20:25] reduced technical risk, and then finally financial return. So those are the four. Now what’s interesting about cyber security is that a dollar spent on cybersecurity could deliver value in one of those four dimensions or two or three, or possibly even all four of those dimensions at the same time.
[00:20:43] And so if you’re not fully recognizing all the value that dollar is getting you. Then think that you can’t possibly see all the business value in play.
[00:20:53] Andrew: Yeah you really deconstruct it and unpack it nicely in the book. And again, I even saw a lovely one pager on it as well. So again, it’s a great concept. Made complete sense to me. I encourage our audience to go check it out as well. Kip, that’s I guess, where we could look to make a difference.
[00:21:08] Going forward, where’s cyber risk management evolving. What upcoming trends we need to be mindful of?
[00:21:15] Kip: Right. The most important thing that I like that’s happening right now is we’re actually turning the corner on something really important, which is cyber has been treated dominantly as a technical issue as a technical risk. And for a long time, it was when I first started working in this area it was absolutely almost entirely technical. Now in the Department of Defense in the United States, it was an organizational risk because the real issue was espionage. Is that somebody would steal the secrets. So in that case it was a national defense issue, but still it was dominantly perceived through a technological lens. And that’s where we all come from on this. And I get that, but we’re about to turn a corner and there are lots of organizations that have already turned this corner, but I would say this is like an innovation adoption curve.
[00:21:59] There’s early adopters. There aren’t many of them. They’re turning the corner right now. And so this innovation of treating cyber as a business risk, not just as a technological risk is something that’s starting to take hold. And I think this is amazing because when you treat it as a business risk or as an organizational risk, you can now bring more of your existing resources into the problem space.
[00:22:23] And one example is what we already talked about, which is why shouldn’t there be a dual authorization on a request to move money that comes in as an email, which email has no authentication whatsoever. It’s totally untrusted. Anybody can say anything. Anyone can pose as anybody in email. So why shouldn’t we have that? So there’s process, you can make some process changes to combat cyber risk. You can train people, right? You can actually help them see their work a little differently, so that they’re a bit more on guard. From a management point of view, you can better set up your folks for success by making the right policies, by allocating the right resources and the right quantity of resources.
[00:23:00] And of course, there’s all the technology. So you get four really powerful engines that you can put against cyber risk when you think of it as a business issue. And then I think you’re really rising to the challenge that I’ve put in front of the audience, which is cyber is a material risk. And how else are you going to deal with it, unless you bring all four of those dimensions into the picture.
[00:23:22] Andrew: Yeah. There’s probably a lot more dashboards emerging and organizations that starts breaking that down allowing leaders communicate that to their boards and whatever, this is what we’re doing in this space. This is how we’re dealing with these material risks.
[00:23:35] This is how we’re driving value from some of those as well. So like even down to that training one, are people aware of this?
[00:23:41] Kip: Yeah. And this is really something else I think is really cool about cyber. Not only is it a material risk that needs to be managed, but you can create business value from managing it and think about that. That is really very powerful. And that really gets back to the name of my company.
[00:23:54] My company is called Cyber Risk Opportunities and it’s called that because risk isn’t all downside. Risk has upside, and I’m trying to make people see that is that you can manage this risk and be better for it.
[00:24:07] Andrew: Yeah, there’s two things that come to mind when you say that one is well risk. If you can reduce risk or the discount, it actually should maximize the value. If you’re looking at a net present value form. And I said, look, manage your risk down and it should in theory the value of the operation.
[00:24:22] The other thing is actually again, back to the book, it could be conceived as competitive advantage because I think you had the story of the DHL FedEx TNT. And I can’t remember which one it was, but one of them probably could have done better. Cause I’d know some of our listeners from those companies so I’ll be nice about it, but one of them could have done better and they didn’t. And that opened an opportunity for a competitor who had better, who also was impacted by this thing that was going on the time, allowed them to maybe move ahead slightly
[00:24:52] Kip: In the market. Yeah.
[00:24:54] Yeah. Can I elaborate a little bit about what you just said?
[00:24:55] Andrew: Yeah, go on. Yeah. I was trying to be kind to them, but go on.
[00:24:58] Kip: I’m not going to throw anybody under the bus. I’m not gonna throw anybody under the bus, but I’m going to tell you some things that are in the public. Okay. I’m not going to tell you anything that I can’t point to and say it’s documented right here.
[00:25:08] And so I just want to put some more specificity on this. DHL and TNT Express, are competitors in the European market. TNT Express is owned by FedEx. Right after FedEx purchased TNT and started integrating the businesses, this crypto worm came out of the Ukraine and affected all kinds of businesses. Merck, pharmaceutical, as well. And so they lost control of their computers. Maersk lost control of their country, computers. That was all part of the same incident. What happened was, is that DHL was affected, but not very much, as you said, TNT got destroyed. Their computer systems, they lost total control of them, just like Maersk did.
[00:25:45] And as a result, think about it. People who used to send through TNT, but couldn’t because they couldn’t get anybody to come pick up packages, nor could they receive a package from TNT because all the packages were warehoused and were completely unknowable from one package to the next, because their computers weren’t available.
[00:26:03] It could be a package. You couldn’t deliver a package in their possession, but DHL could. So I’m going to immediately pick up my phone or re-point my computer web browser to DHL. And I’m going to start using them.
[00:26:14] Andrew: Yeah,
[00:26:15] Kip: And that’s what happened. If you look at the DHL public reports, the quarterly reports from the 2017, 2018 time period, it’s all there in black and white.
[00:26:23] You can see it coming out of NotPetya. They boomed. Revenue up. Volume up. Profit up. You go study the same reports from TNT. Revenue down, volume down, profit down. In fact, on a quarterly earnings call, the CEO of FedEx said if TNT had not been owned by FedEx and had not been able to tap into the financial resources of the parent company, they would have been bankrupt over that.
[00:26:47] Andrew: That’s amazing. And so what a competitive advantage,
[00:26:51] Kip: So all DHL did was kept the doors open. That’s all they did.
[00:26:54] Andrew: That’s all. Yeah.
[00:26:55] Kip: They accrued this massive benefit. They didn’t put anything on sale. They ran no promotions. They didn’t have to spend anything on marketing or anything like that. They just kept the doors open. And, oh my goodness. Look at that. Look at that powerful, competitive advantage to just keeping your doors open when your main competitor cannot.
[00:27:12] Andrew: Yes, they’re coming back to Steve to CFOs. So they’re there. He had in front of him, something, a better website and improve the operations. More sales. Should have just given Kip the 25k and be grand. Competitive advantage built.
[00:27:23] Kip: So I like to make it sound all rosy, but I gotta be honest with you. Cyber risk is difficult for people to understand. It’s rarely discussed. The bad things that happen to people that are wildly under-reported. I told you a story about a very, it is embarrassing. There’s a lot of shame.
[00:27:37] And so people don’t want to talk about it. They don’t want to report it to police. And it’s very unpredictable. Cyber, like the NotPetya worm that I just described, is more like an earthquake and not a hurricane. People can see a hurricane coming. Nobody can see an earthquake coming, although we’re trying to figure out how to forecast that.
[00:27:51] A couple of other things I just want to acknowledge about this area. Perfect security is absolutely indistinguishable from no security at all. Until something bad happens.
[00:28:00] Andrew: It’s like what Mike Tyson says, everyone has a plan until they get punched in the
[00:28:03] Kip: That’s right. That’s right. Anyway, I just wanted to acknowledge that this is a difficult place. But if you can ground yourself on stuff that works, I’m a practitioner. Everything that I wrote into my book and everything I do is based on me being feet on the ground, working with people in real world, getting things done.
[00:28:21] So that’s what I have to share with people.
[00:28:24] Andrew: Awesome. Hey Kip no look, you’ve given us some fantastic advice there. I love the stories. Again I want to be respectful of your time. So switching up a couple of gears, what’s been the best bit of advice you’ve ever received?
[00:28:35] Kip: So I, I don’t know if anybody’s ever heard of a 360 degree feedback or a full circle feedback. There’s different names for them, but I went through that one time and oh my goodness did I have my eyes really opened. The bottom line is it really helps me improve my relationships at work and at home. It was one of the most transformative things that’s ever happened to me as a person. I was really nervous going into it. I was scared at what I was going to, what people were going to say. And it was uncomfortable, but oh my gosh, that was just marvelous. It was great. I’m glad I went through it. It was no fun going through it, but I’m glad I went through it.
[00:29:07] Andrew: When you talk about the 360, was that where they interview your peers, your colleagues, people who work with you, report into you, seniors. I don’t know what you think. Did I go so far as family members? I
[00:29:17] Kip: No, not mine.
[00:29:19] Andrew: Oh, goodness.
[00:29:20] Kip: But, what I learned from that on the job, I was able to take home. Because the things I was doing at work were the same things I was doing at home. And that was blind to most of it. Quite frankly, I had no idea that when I said these things or did those things, or didn’t do that thing that everybody expected me to do, but I didn’t, I had no idea how that was affecting my reputation and the way people saw me. And so I had my eyes opened and it really made a difference.
[00:29:44] Andrew: Yeah. I was very lucky, I had a director once and he said, you should go do one of those and no, thankfully, no, they didn’t interview the family side of things, but so many blind spots. It’s amazing what you’re just not aware of and you think you’re doing a good job, but actually there’s some really good feedback. And I know it definitely helped me go on a better course.
[00:30:01] Kip: Highly recommend.
[00:30:02] Andrew: Highly recommended. Talking of recommendations, I’d definitely recommend our audience check out your website plus your book, but are there any sort of other resources you recommend our audience go check out?
[00:30:12] Kip: Yeah, I just want to say a couple more things. There’s a really great documentary that I want to recommend. That’ll help people understand what’s going on today. Cause there’s some mega themes going on around the use of computers and how it’s so deeply entwined now in our culture, in our society and the way we do international relations and so forth.
[00:30:28] So if you haven’t watched this documentary called Citizenfour, okay. This came out in 2014 and it’s a documentary about Edward Snowden and it was produced by Laura Poitras, I believe is the correct spelling. As an ugly American that’s the way I say her last name. Okay. So forgive me. It’s probably
[00:30:44] Andrew: I think we’ll track it down.
[00:30:46] Kip: better way of saying her name, but it’s called Citizenfour.
[00:30:49] And so it’s an unbelievably authentic look at Edward Snowden when he’s in Hong Kong. This is just after he left the United States. He’s in Hong Kong. He’s hiding in a hotel room and he’s trying to figure out. What’s going to happen to him next. And as you watch this drama unfold and this is literally just camera’s rolling as everything’s unfolding, but he tells you why he did what he did and he tells you what the thread is.
[00:31:13] And you can agree with Ed Snowden. You can say that he’s a traitor. You can say he’s a patriot, I don’t care how you characterize him. It doesn’t matter. This movie, this documentary is going to help you understand what some of the big issues are that we still haven’t sorted out yet. And how they might affect you.
[00:31:28] So I think it’s a wonderful story that’s being told in this documentary. And I think it helps people attenuate them to this is just a different cyber risk.
[00:31:37] Andrew: I can’t believe. Seven, eight years ago. It feels like it was only yesterday.
[00:31:41] Kip: It does. It does. Yeah. But if you haven’t seen it yet, I’d say go see it. Now, the other thing other resource that I want to offer to your audiences is actually, we talked about my book today and I don’t think it’s fair for me to talk about my book, but not give people easy access to it.
[00:31:56] Here’s the thing. I want them to have a free PDF version of my book. My book’s called Fire Doesn’t Innovate and it’s written for non-technical audiences because there’s this massive gap, which we’ve been talking about all during the episode, right? There’s this gap between the technical people and the non-technical people.
[00:32:12] We’ve got to bridge that gap. And that’s what my book is designed to do. So if you’re a non-technical person, read the book and then it’ll help you talk to the techies. And if there’s a technical person, you want to talk to give them a copy of my book and say, okay I want to do a book club with you because what’s going to happen is you’re going to get a shared language and you’re gonna be able to actually communicate about this.
[00:32:29] So I want you to have a free PDF version of my book. And on top of that, I want to throw a second free thing in, because you said people, your audience likes free things, right? So I figured here’s one free thing. Here’s two free things. We actually have a guide that I wrote and it’s to help CFOs know whether they have a ransomware-proof data backup in place or not. And how do you go about figuring that out, if you’re not the person in charge of data backups. How do you do that? Seems impossible. It’s that chasm that I talked about, is that how do you cross that chasm and have a productive conversation about something that’s so desperately important?
[00:33:01] And it’s a free guide and I’m going to love to give that to you as well. So you go to this URL, it’s C R dash map. cr-map.com/andrew. As in the host of this episode, if you go, then you just put your email address in there and we will send those two to you instantly. So I would love for your audience to take advantage of that.
[00:33:23] Andrew: Awesome. Awesome. Look, we’re gonna put that in that link also in the show notes as well. Kip, thank you so much for sharing those free resources. And even down to that second one, there, you just, again, just thoughts went off in my head. That’s an emerging area in finance actually.
[00:33:37] Is it, should we be putting a value on our data. All these companies and organizations collecting data, but apparently you’re only ever using or accessing 10% of it. And should we put that value on our balance sheet? That’s an emerging
[00:33:48] Kip: And another
[00:33:49] Andrew: Should we protect it?
[00:33:50] Kip: You definitely have to protect it because from a GDPR perspective, some of that data is worth a lot because you’re going to get in big trouble. As a percentage of your turnover, do you really want to give up a big percentage of your turnover because you’ve violated privacy?
[00:34:03] And so what I tell my customers is, some of the data that you have is very valuable, but it’s tainted. It’s some of the toxic waste because you don’t need it.
[00:34:12] Andrew: Hm.
[00:34:13] Kip: But if it gets out of control, you’re going to get very hurt. So you’ve got to be way more careful about what data you collect and if you have to have it fine, but you got to protect it.
[00:34:22] Andrew: Yeah, no, I completely agree. And actually just on that GDPR. So a lot of our European listeners would probably get this, but even if you’re an American listener I think Facebook they’re based in Ireland where I live they recently got a big fine from the data commissioner because they hadn’t put the due diligence around some of this GDPR.
[00:34:39] Kip: Oh, there’s so much to unpack there, Andrew, because GDPR, a lot of Americans don’t understand this, GDPR is portable. So an EU citizen in the United States still carries the benefit of GDPR.
[00:34:50] Andrew: That’s yeah, have to say it’s an administrative nightmare if you’re building it up and getting it ready, but actually as a European citizen, I think it’s great having it.
[00:34:58] Kip: And California, the big state in the United States, California has a consumer protection law that is very closely modeled on GDPR. And so if you do business with any California resident you’re affected. So I think that the point is that everybody’s affected.
[00:35:11] Andrew: Yeah. Now I think that’s the default assumption we should all make with this as well. I think it’s as good practice. And it’s evolving, so people are getting better at this. Kip again, wonderful thoughts. In terms of wrapping up at, if our audience wished to connect with, continue the conversation and so on where’s the best place?
[00:35:27] Kip: I hang out on LinkedIn quite a bit. So if you just go to LinkedIn and search for my name, Kip Boyle, I think I’m the only one so far. I haven’t met anybody else over there, on LinkedIn with my name, but if you just search my name and then give me a connection request, tell me in the connection request:
[00:35:40] Hey, I heard you on Andrew’s podcast. That way I’ll know because I get a lot of connection requests and I don’t want to miss yours. So connect with me on LinkedIn. Another way you can connect with me is go get those free resources that I offered you. When you do that, then I’ll know who you are.
[00:35:54] And I write a biweekly email where I talk about the various inflection points in the evolution of cyber risk, and I write it for business audiences. And so you might want to get that.
[00:36:05] Andrew: Awesome. Fantastic. I’d say that’s probably another free resource. Maybe we should put three resources there, right now, Kip.
[00:36:11] So Kip thanks a mil for coming on our show. Would you have any parting thoughts for our audience before we say goodbyes?
[00:36:17] Kip: I wish you well in the future, which is just going to be drenched in cyberware.
[00:36:24] Andrew: Yeah. That’s a lovely one. Very positive.
[00:36:26] Kip: I know, but it’s, but it’s true, right? I’m sorry. I guess I’m the bearer of bad news, but gosh, I just wouldn’t want anybody to be caught by surprise, right?
[00:36:34] Andrew: Yeah. No, it’s a nice one. And it’s, I think it’s a sincere one as well. It’s coming from a good place.
[00:36:38] Kip: I want things. I want good things for your audience
[00:36:41] Andrew: Hey, Kip, seriously thanks a mil for coming on our show. You have been an awesome guest today. Anytime we talk, I feel like I always learn more from our conversations. Yeah, I hope we have many more.
[00:36:50] And again, thanks again for sharing yourself with our audience today.
[00:36:53] Kip: You’re welcome, Andrew.