
Cyber Mayday And The Day After

Dan Lohrmann, award-winning CISO, keynote speaker, mentor, columnist, and bestselling co-author of the book Cyber Mayday and the Day After joins us this week to talk about cybersecurity roles in the public and private sectors, checklists for dealing with disruptions to your business, what organizations can learn from breaches, and much more including a lesson from a blackout on how tabletop exercises should be conducted.

Tune in to this episode of Ask A CISO to hear:

  • Cybersecurity jobs in the public and private sectors
  • What has been neglected in the transition to the cloud?
  • A true ransomware story from the book
  • Planning for disruptions to your business
  • Checklists and why organizations don’t put time and effort into making and following checklists
  • What CISOs and the C-suite can learn from others when recovering from a breach
  • A big lesson from a blackout
  • Looking into the crystal ball — what’s in store for the future?

About The Guest: Dan Lohrmann

Dan Lohrmann is the Field Chief Information Security Officer (CISO) for Public Sector and Client Advisor at Presidio, a global digital services and solutions provider.

Dan has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.

Dan was Michigan’s first Chief Security Officer and has advised world leaders from the White House to the Department of Homeland Security.

Dan is also an award-winning CISO, keynote speaker, mentor, columnist, and blogger for Government Technology Magazine and CSO Magazine, and bestselling author. His latest book, co-authored with Shamane Tan, is Cyber Mayday and the Day After: A Leader’s Guide to Preparing, Managing, and Recovering from Inevitable Business Disruptions.

The book offers true stories, checklists, ideas, and best practices that are vital for business leaders today.

About The Host: Paul Hadjy

Paul Hadjy is co-founder and CEO of Horangi Cyber Security. 

Paul leads a team of cybersecurity specialists who create software to solve challenging cybersecurity problems. Horangi brings world-class solutions to provide clients in the Asian market with the right, actionable data to make critical cybersecurity decisions.

Prior to Horangi, Paul worked at Palantir Technologies, where he was instrumental in expanding Palantir’s footprint in the Asia Pacific. 

He worked across Singapore, Korea, and New Zealand to build Palantir's business in both the commercial and government space and grow its regional teams. 

He has over a decade of experience and expertise in Anti-Money Laundering, Insider Threats, Cyber Security, Government, and Commercial Banking. 

Transcript

Jeremy

Hello, and welcome to another episode of the Ask A CISO podcast. My name is Jeremy Snyder. I'm the founder and CEO of FireTale. I'll be hosting today's episode.

Today, we are delighted to be joined by Dan Lohrmann. Dan is really a luminary in the cybersecurity industry. For those who've been in the space for a while, I'm sure you've heard Dan's name, but for those who haven't, here's a little introduction. Dan is the Field Chief Information Security Officer for public sector and client advisor at Presidio, a global digital services and solution provider.

Dan has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin, formerly Loral Aerospace, and for four years as a technical director for ManTech International in a US-UK military facility. Dan was Michigan's first Chief Security Officer and has advised world leaders from the White House to the Department of Homeland Security.

Dan is also an award-winning CISO, keynote speaker, mentor, columnist, and blogger for Government Technology Magazine and CSO Magazine, and bestselling author. His latest book, co-authored with Shamane Tan, is Cyber Mayday And The Day After: A Leader's Guide to Preparing, Managing, and Recovering from Inevitable Business Disruptions. The book offers true stories, checklists, ideas, and best practices that are vital for business leaders today.

Dan, that is truly a really impressive background there. We're really thankful for you for taking some time to join us here today.

Dan

Thanks so much for having me, Jeremy. It's really my pleasure, and I'm really, really excited about our conversation.

Jeremy

Yeah. We've got a lot to cover.

I definitely want to talk about your book, but before we get into that, I wanna spend a little time on some of the lessons you've learned from a background that I think is really kind of unique. You know, we tend to see people in the cybersecurity industry who really either go into public sector or into private sector. And I think you're one of those rare leaders who has actually straddled both and transitioned from public sector to private, and to be honest, you know, we hear a lot of criticism of the public sector that it moves slowly, that it needs to run more like a business, but I sometimes wonder, are there things that the private sector can learn from the public sector, particularly in the cybersecurity arena?

Dan

Absolutely. Well, great question, and I'd love to tell you some ... so many stories that I really am really honored to have my public sector experience and really great opportunities. Both when I started my career at the National Security Agency, the training was just outstanding. So I think the way they go about training people, I tell young people, if you can work for a three-letter agency, go for it.

I mean, it is absolutely a great way to start a career. So a lot of great experiences in training. I actually paid my way through grad school when I got my Master's at Johns Hopkins. So the way they go about training up, both in the military and in the public sector, in many cases, I think is even superior to the private sector.

A lot of times in the private sector, they want you to go straight into one role and,

Jeremy

Yeah.

Dan

you know, you're generating revenue and it can, it can also stove pipe you, you know, into one role. So one thing about the public sector that I loved is often it gave you a wider view, you know, and a larger scope of duties and a lot of opportunities that I did not get in the private sector.

Jeremy

Yeah, that's a really interesting point, and kind of speaking about transitioning into organizations,

I'm curious, you know, a lot of companies are really struggling to hire right now, and I know that hiring crunch is particularly tough in our industry and security. You know, with that transition, did you see differences in the way that different, you know, private sector versus public sector approaches, hiring and attracting talent?

Dan

Yeah, and it's really hard. I mean, it is right now, especially coming out of COVID the talent gap and the pay differences are huge. So I'm not gonna candy coat that, especially I've written articles over the years on this topic, and you can go to my blog at govtech.com as you mentioned, talking about benefits in pros and cons to public and private sector roles.

But you know, one of the big ones with private sector is stock, you know, and other benefits that you can get in the private sector that the public can't pay. So pay is a hard one, especially when the stock market's going straight up. Now, as we're recording this, you know, stock market's in a little downturn right now, and you know, you can plan how you go through a recession, you go through a downturn, maybe stock options aren't worth what they were before or companies, you know, startups aren't as hot as they were before, and all of a sudden public sector opportunities tend to be more attractive and kind of go in cycles.

Jeremy

Yeah.

Dan

But, you know, I would say that, you know, yeah, the private sector generally moves faster on their feet. They generally can provide better pay packages, but, you know, I have seen, you know, I guess I would love to see our audience think of it not as a singular decision, I'm gonna be public sector and private sector, but really to do both. I benefited from both sides of the aisle, if you will.

Working in both roles, it actually strengthens your ability to see the other perspective, you know, both on bidding on contracts, actually, you know, awarding contracts being when the teams making those decisions.

The other thing to keep in mind is our careers are really marathons; they're not sprints. And so don't think of it as a singular one-term decision or three-year decision. I mean, I think about my 30-plus year career, I've done both, and I benefited from both and I have no regrets. You know, I really feel like the public sector offers a lot. You get a lot of great perspectives.

There is one more thing I wanna say to really benefit of the public sector is the mission sense. A lot of times when you really work in the public sector, since you're really serving society, you really feel like you're making a difference. Many times, those kind of feelings are lacking in the private sector. Not always. Those some private take their jobs that have a lot of really great missions, but really the sense of public service is something that I was passionate about, and I think a lot of people are passionate about, and I think public sector offers that.

Jeremy

Yeah, absolutely, and I think it's one of the things that you sometimes hear is that cybersecurity is national security. And I do think there's some truth in that statement, absolutely.

If we think about all the kind of crazy geopolitical dynamics that are going on right now, we're not gonna get into, let's say, the hybrid situation going on between Russia and Ukraine. But even if we just think about kind of intellectual property and cyber espionage and trade secrets that are being developed on either side, both in public sector and in private sector, as opposed to, let's say, a mission that is very narrowly company focused, our products, our profits, our services.

And I think that's a really great point that you bring up. There is a lot of mission motivation that can come out of those experiences. So I'm glad you highlighted that for our audience here today.

So I want to take just a second to talk about your role at Presidio. I know of Presidio is kind of a large-scale global organization providing a lot of strategic services to customers around the world, whether that's in kind of resales and, and implementations and so on. But I guess one of the questions I would have is with that perspective, with some of these key strategic enterprise customers and governments, what are some of the trends that you're seeing right now?

Dan

Yeah, it's a great question.

I get to work with mainly public sector, but I also, you know, probably 80/20 work with the private sector as well. And you know, and I just recently came back to New York City. I got to speak to a hundred CEOs around ransomware and cybersecurity. And so I do speak with both, and everyone is seeing ransomware, we're gonna talk about that in a few minutes about the book and some of the stories around that, but, you know, the attacks are going up.

The threats are, are rising, both from nation-state and criminal actors, I think, you know, but from a positive perspective, I think organizations, the move to digital solutions, the move to the cloud is just clear across the board for so many reasons. I mean, a decade ago, there were a lot of people that were hesitant that I, you know, I'm not putting my sensitive data in the cloud, but those days are, I'm not gonna say they're totally gone. I think some organizations may still be holding back.

Certainly there's a lot of hybrid organizations, but more and more data is going into public and private clouds, and going, and really we're seeing both from a Software-as-a-Service perspective, from an Infrastructure-as-a-Service perspective, that migration is top of mind for many, many people.

I think the whole COVID-related pandemic related move to working from home has been a huge challenge. We've kind of gone through is again, a lot of these things go through kind of pendulum swings. Now people are moving back to the office, and they're trying to sort through, okay, what does that mean? And where is all of our data? Making sure people have good backups and a lot of the themes we have in our book, little preview here, but talking about making sure you have good disaster recovery plans, really thinking through what does it mean to have a tabletop exercise? What does it mean to really plan for different types of incidents and being ready for those?

All those are top themes.

One more I would mention, and we just mentioned it earlier, is talent. I mean, certainly we continue to see challenges, you know, there's a shortage of qualified cyber professionals. And so certainly that's another area.

Jeremy

Yeah, there's a lot to unpack there. There's two things in particular I wanna dive into from what you just said, even with that transition back to the office, that some companies are taking.

One thing that I've heard is that you're not seeing a push to, let's say, take data out of the cloud. You know, the transition we made over the last couple of years to working on, let's say, cloud-first solutions to enable the workforce distributed globally. Even if we're bringing people in, we're not moving away from those cloud solutions. You think that's a fair statement?

And if you think about kind of that room of a hundred CEOs that you talk to, how many of them could go to their boards and say, you know what, we did this cloud thing during the pandemic, but now we're gonna pull back, right? That's not happening, right?

Dan

Jeremy, you're totally, totally right.

I mean, nobody's taking data back outta the cloud right now. I mean, I think clearly the move is, is down again, gaining momentum. It's accelerating. Now there are cases where people don't do it well, which is why they need companies like yours and mine.

I mean, there are cases of organizations that really need to really think through in a real thoughtful way, how do you do this over time? People, Process, and Technology, and really, you know, what are the best ways to really be effective in that move? Because I do know some people that move too fast and had to kind of step back, not so much because of COVID or the pandemic or move work from home or work back at the office, but just because they hadn't planned it out well.

For the most part, the acceleration of the cloud is continuing, and actually I think accelerating.

Jeremy

Yeah, I see the same every day in the work that I do. Along those lines, one of the questions that has really stuck with me, you know, I transitioned more onto kind of the, the vendor side, you know, creating software products after 10 years of running data centers and running cybersecurity operations for a couple SaaS companies, myself ...

Dan

Yeah.

Jeremy

early in my career. During that time, we had a lot of emphasis on what you would call today tabletop exercises, but back then were things like, you know, Hey, what's your business continuity plan? Have you put it through a test? Have you run a DR exercise?

Do you think over the last couple of years, with this accelerated push to the cloud, do you think that kind of tabletop exercise or that kind of, let's say, exercise planning and execution, has that been neglected in this transition?

Dan

You know, it, it's funny. I just came from the Gartner Cyber Risk Summit in DC, and I do think more companies than ever are doing tabletop exercises. Neglected. I would use the word neglected in this sense.

Jeremy

Okay.

Dan

What Gartner said, one of the sessions I really found helpful and there were a lot of good sessions, I'm a fan of that event, was, you know, a lot of companies get to a certain point. They do a tabletop exercise, maybe an hour. Maybe they get their C-suite together. They get their technical team together. They get their lawyers and, and everything in the room. They do an hour or two. Somewhere along the line, they say, okay, at this point, we're gonna hit the green easy button and all the data's gonna be restored perfectly, and everything's gonna come right back up and we'll be done with the exercise.

The problem is that's not the way it really works in the real world. So what I see people doing is shortcuts.

Jeremy

Yes.

Dan

Some people have neglected. I have heard people say, well, we haven't really done. We did a virtual one hour tabletop, or we haven't really done a full get everybody in the room for a couple years. And that is a push. So I do think, but I think most people realize most large organizations, especially they need tabletop exercises. That's what I'm hearing. Oh, we're doing X, Y, and Z, but where they're falling short, where I am seeing the word neglected come in and where I've seen people not go, is they really don't know how long is it gonna take to restore this data?

Is it really available? Have you actually gone through the process to bring your data back, to bring the systems back up? How long did it take? You know, what were those pipes like? And I, you know, there are examples we have of where people had the backups. And they were ready to restore, but it was gonna take them weeks or months to get all the data, to get operations back to where they needed to get it.

And so they had to pay the ransom because I can't have this business down. This business cannot be down for six weeks. That's just not acceptable. And so I think that has been neglected. I think a lot of organizations don't actually do the restores. Not saying you have to do it every month or anything, but you gotta think about how often do you wanna do that full exercise and really make sure that those processes work as you expect.

Jeremy

Yeah. It's such a great point. And I think it's one of these things backup is just this often overlooked core, fundamental thing that we need to think about.

Yes, it's part of IT operations, and so sometimes it kind of gets pushed off to the side a little bit, but it's so critical, particularly in the light of today's, you know, kind of ransomware-heavy environment, which we're gonna come to in a second.

But to your point, one of the things I've kind of worried about with companies as I've made the transition to the cloud. You don't realize necessarily the volume of the data that you're creating as you kind of digitize your business. And so you don't know when you need to transition from kind of a, let's say, a hot-cold to maybe you need a hot-warm and differential restore on your backup because you've got those data volumes just as you said, you know, if you can't be down for a month, because that's what it's going to take you to restore, you're vulnerable whether you've got great backups or not.

That's such a great point. And I do worry about organizations not keeping on top of understanding, you know, kind of the scale of the data that they're creating in this modern environment. So let's transition on to ransomware because it is kind of the hot topic of the day.

I know in your book, you've got a great story to kind of kick-off chapter five of the book. Maybe you could kind of share with the audience, start that story off or share, you know, kind of how that goes, and then I'm gonna have some follow-up questions for you.

Dan

Great. Okay.

Again, for, for those who, uh, just joining now, Cyber Mayday and the Day After: A Leader's Guide to Preparing, Managing, and Recovering from Inevitable Business Disruption. This is a true story. I won't read the whole thing to you. It's gonna be parts of it. We've gotten a lot of really good feedback on this true story.

Your network has been locked. You need to pay 30 million US dollars now. The following was an actual real-life negotiation between a ransomware gang and a 15 billion dollar US victim company that was hit with a 28.75 million ransom demand in January 2021. After a few rounds, the victim company countered with a 2.25 million dollar offer, which was met with a scornful response by the ransomware criminals.

And I paraphrase it. It's very funny to watch a few of your admins trying to install MS Exchange server in three days, and you can't do it. We've encrypted 5,000 of your 6,000 servers. If we do some simple calculations, your expenditure is like, let's say, you offer $50 per hour, maybe even more generous, $65 per hour. So 24 hours spent to store one server multiply by the number of servers that are encrypted by us. That's $10 million in labor expenditure alone.

I always find that interesting, and we have a little side note here about how good the criminals are at quantifying the cost of a ransomware attack, in many cases better than the company themselves. Like what does it mean if your operation is bound, but let's continue, but don't forget you spend all this time on installation and oops, you can't even restore any data because it's gone for the next thousand years.

They added time factor pressure at the end of the message, but also showed mercy at the same time. The timer's ticking, next eight hours, your price tag's gonna go up to 60 million dollars. So either you take our generous offer and pay 28.75 million dollars or invest in quantum computing to expedite your decryption process, kinda a little humor there. When the company finally managed to get the authority to pay 4.75 million dollars, the extortion disagreed to lower their demand at 12 million dollars with the condition that the remaining amount be paid within 72 hours.

After a few additional messages, they came to an agreement where the criminals promised the following: one, the hackers would not launch any new attacks. Two, the company would get the tool to fully decrypt the encrypted data. Three, the hackers would completely leave the network and never target them again. Four, the hackers would give the company access to the data to delete it themselves. The data would never be published or resold. And I love this one the most: number five, the hackers would provide a full report on their actions, how they got into the network, how the attack was carried out, including tips for improving their overall security program and protecting against penetration from other hackers.

I find that the company ultimately paid 11 million dollars ransom, so I'll stop there, but so was 11 million ransom. So I just, just one story.

Jeremy

Wow! There is so much to unpack there. I mean, not to even just get into the human dynamics of the negotiation and tactics and low balling and whatnot, but just focusing on kind of some of the cyber and the operations aspects of it.

I mean, first of all, this has to be a massively expensive business disruption. Whether you pay the ransom or not, every day that you're out of business is, is, you know, is costing you, hurting your share price, everything to that effect. I mean, what's kind of going on at that C-level that you interact with during a crisis like this?

Dan

Yeah, I think right outta the gate is, you know, it's so different depending upon do people have a plan? It starts at, it starts at a basic level of, you know, do you have a plan, as we mentioned earlier? Have you practiced the plan? Who you gonna call? Are you gonna bring in, hopefully, your plan includes things like the C-suite is in there.

It's not just the technology team. It's the financial team. It's the CFO. It's the lawyers that need to be in the room. It's your communications team. How are you communicating both internally? Not obviously with the bad guys, with the hackers, but you know, to the business, to clients, to customers or not communicating to, and of course the law enforcement, when do you bring in law enforcement?

So there's a lot of decision trees in there. Are you prepared? You know, do you even have some organizations who do pay the ransom? Of course, I'm mentioned strongly here, the FBI and others recommend that you don't pay the ransom that you know, that, you know, again, that's a very difficult decision that some states even now have law saying you can't pay the ransom. That's another topic for another day unless you want to go into that discussion.

Of course, we advise you not to, but I understand that in some cases, this is a business-ending decision. Now, the numbers real quick, Jeremy, just give you one example. The numbers are like over 30% of companies hit by major ransomware attacks, smaller or medium-sized companies go bankrupt or don't survive within a year after a major ransomware attack. I've seen reports that say that number's up over 60%, even 70%. I think those numbers are high but some parts of the world, it certainly is higher.

And, uh, so there's a lot on the table. There's a lot of pressure. There's a lot of tension. Certainly everyone's focused on the issue at hand and you just really need to have a cool, steady thought-out process to make sure you're ready for that disruption.

Jeremy

Yeah. I mean that having that process ready for that disruption, I think is so critical.

And one of the things going back to your intro, when we talked about the book, I love this little sentence after the title of the book, the book offers true stories, yes, we know that. That's great. It's awesome to see this example, but then checklists and best practices.

And I think that's so important. I mean, we talk about checklists in many different context of the modern world and you know, any number of podcasts that I listen to can kind of extol the virtues of having checklists from everything to, you know, surgery, to preventing airplane crashes and so on. And yet, so often in cybersecurity and cyber operations, it's kind of, we rely on the expertise of the people. Not necessarily on a planned out process that has been tried and tested, or has even run through a tabletop exercise like this.

So why do you think we don't do more kind of checklist building? What is it in us that stops us from having that as one of our very first tactics?

Dan

Yeah, it it's a great question. And I think one of the things we did in the last chapter, the book, the book has three parts, you know, before, part one, part two, part three is before an incident, what do you do during an incident? And then after an incident, and one of the things we cover in chapter 11 is turning lemons into lemonade.

These were organizations that thought they were ready, but they really weren't. And so what often happens is people take the initial steps.

They say, okay, I have an initial checklist. I have an initial plan. I have something generic. Maybe they've made it somewhat more personal. What we've seen is a number of different scenarios, situations of scenarios. One, they did, Okay, Been there, done that. Got the t-shirt. Okay. We did that back in 2018. Well, if it's 2018, this is four years later, you know, the people have changed. The processes have changed. Your data's in different places.

So it's like somewhere that happens. Believe it or not, sometimes people have plans and they get encrypted. So one of the tips we get right out of the gate, make sure your plans and, you know, are not part of, you know, you have a separate, I'm saying hard copy, but some other place than on your systems and on your server, whether it be in the cloud or whether it be on-premise. We know a number of cases where their plans were all encrypted during the ransomware attack.

And so they couldn't even get to their plans. And so it was all digital and it wasn't even available.

Jeremy

Yeah.

Dan

But the other thing that happens, and I can give you some examples from the book, but it's amazing how many people do not follow through on the things that they even say.

So they go a certain it's kind of, I'd say perseverance, but it's a checklist of different things that organizations really, they maybe know the right thing to do. They do one, two and three, but they don't do four through 20 or they, you know, they kind of give up or it just becomes too hard or they don't have the resources.

So they go through a list of items. One of the things we cover in chapter 11, it's called turning cyber incident lemons into organizational lemonade is a list of 10 excuses why best practices were not implemented. And we have a column. What were the questions you should ask and tips to help overcome some of these, but some of these are very basic, Jeremy, I quickly mentioned, you know, we did not have the time. We could not afford it.

Our company is different than everybody else. The vendor told us it wasn't necessary. We didn't trust our system vendor. We didn't understand why it was necessary. It was just too hard. We tried it before and it didn't work. We were afraid what we might discover so we didn't go down that road. We thought we had a better way.

All of these. I could go on and on and on, but these are typical questions that people thought afterwards when they were hit. They thought they were ready, but they realized they hadn't really gone and peeled back the next layer of the onion or gone further as they should have done and really found those holes in, in their strategy.

Jeremy

So that's a great point and that's kind of where I want to go next. You know, there's a quote from Robin Sharma: The real trick in life is to turn hindsight into foresight that reveals insight. So along those lines, you talked about peeling back the onion there and learning from it.

What else do you think should CISOs and other professionals look out for and make particular note of when you are kind of recovering from an incident or when you're studying a past breach? Hopefully, you can learn from studying someone else's breach and not your own, but, but what should people be thinking about?

Dan

Well, there's lessons from like, we have over 35 stories in the book.

So there's lessons from all of them. Some of these go back, I'll give you one quick tip and a part of a quick story.

I was part of the going, this is not directly cyber related, but it is, you know, we in government, we talk about my government background, but going back to oh-three, we have the story of the blackout in the Northeast blackout in the US.

Jeremy

Yes.

Dan

Back in oh-three. And I was the emergency management coordinator for our Department of Information Technology for that event. And a lot of those lessons apply very much to the cybersecurity as well. You can almost really think of these. We can learn a lot from our emergency management partners in our corporations, in our governments, whether it's fire, flood, tornado, natural disaster, a lot of, if the power goes out, the power goes out and things are gonna be happening around you.

Whether that's happening because of cyber, whether that's happening because of a major storm or fire, flood, tornado, you still have some of the same issue.

So, for example, in that incident, I won't walk you through the whole story of what happened and where I was and what happened, but what a couple of the tips we learned through that process: the people don't always show up where you think are gonna show up.

So I showed up at the emergency coordination center in Michigan at this state emergency operations center during this blackout cause we had generators in there. We had power in there. And about initially it's about half, but ultimately over the next four or five hours is about a third of the people we thought were gonna show up didn't show up, and now some of them were on vacation of the, the head person, Captain John was down in Mexico on vacation.

Jeremy

Yeah.

Dan

Some people are on vacation. Some people are in other places; you just don't know. Some people just don't show up. So what's the lesson you can learn from that?

I tell people, when you do a tabletop exercise or you do a full-scale exercise, you're practicing your plans. Go around the room, tap about a third of the people, either randomly or thought out in advance, and tell them: you can go stand in the corner. Don't use your cell phone. You can be an observer, or you can go back to your office. You're not a part of this anymore.

They're like, whoa. We often get a big response, like, wait a minute. A lot of organizations, it's like our whole plan is we've got Frank. We have Mary. We have Sarah, right? Well, Sarah's not here. Sarah's in Mexico. Sarah's not available. So bottom line is, what are you gonna do now?

Like, a lot. You'll see the panic on people's faces. What do you mean Frank's not here? He IS the plan. Frank is the plan, and so many, especially small or mid-sized organizations, rely on one or two people that may or may not be available.

So practice that way. What are you gonna do if those people aren't available? Be prepared, and that's why you have it written down. Having backups, having other people involved, that's just one tip, but there are like four or five just from that one incident, from the blackout.

Jeremy

Yeah, it's such a great point. And I just went through the process of raising a VC round. And in that round, one of the questions that came out is, you know, who are the key people, and what would we do if those people, you know, the proverbial what if that person gets hit by a bus? And I think also about, you know, survival training. There's this saying: where there's two, there's one; where there's one, there's none. You know, if you don't have some resiliency in the plan and in the team, to your point, that's super crucial.

Well, we're coming up on time, Dan, but we could go on for hours and hours talking about stuff, not only from the book but from your experiences. I've got one last question, which is: your book starts off with the worst-case scenario played out in 2035.

Dan

Yeah.

Jeremy

Do you think that scenario will ever happen? And if it happens, do you think 2035 is the right timeline? Could it be sooner? You know, are we worried here? What's the vibe?

Dan

Yeah, the scenario we actually had, you know, we threw in there autonomous vehicles that pick people up and all kinds of other, you know, we don't really know what, you know, Back to the Future kind of things. What's life gonna be like, you know, in 2035?

So that year is less important. But I often say, predictions... I do a prediction report every year. I encourage people to go read it. It gets a lot of play every December in Government Technology Magazine. The year is less important than the items in there and the trends. You know, it may happen this year, it may happen next year.

I do think, you know, Janet Napolitano, back when she was Secretary of Homeland Security, we had her speak in Michigan back in 2011 at a keynote, a big event on cybersecurity. This was 11 years ago, and she said, "My best intelligence says within three years we're gonna have a cyber Pearl Harbor or cyber 9/11." Now, thank God that didn't happen. We have not had a major incident that brought down the grid, or a major cyber thing that brought down the financial system or brought down the hospitals.

Others argue that it's kind of a death by a thousand cuts. You know, we have hospital systems going down and other things going down, but it's happening slowly. I do think we're going to have some kind of major incident. You know, some people think the Colonial Pipeline was kind of a wake-up call like that, but it turned out not to be too huge.

You know, it certainly didn't shut down society, but I think we need to be prepared. And I do think, whether it's just your company, whether it's society as a whole or parts of the country or parts of the world, we need to be prepared and hope for the best, and plan for the worst. And I do think at some point in my life, you know, God willing, I live another 15 or 20 years or whatever. I don't know how long I'm gonna live. Maybe 50 years, who knows, hopefully.

But I do think that, you know, we're going to have major cyber disruptions in America and around the world, and we need to prepare for that.

Jeremy

Preparedness is so important.

Dan Lohrmann, this has been a fascinating conversation. We've hit time for the conversation today, but thank you so much for sharing with our audience. Again, the book is definitely recommended reading for any CISO. The title is ...

Dan

Cyber Mayday And The Day After.

Jeremy

Awesome. Awesome.

Dan Lohrmann, thank you so much for sharing your thoughts and your time with our audience here today on the Ask A CISO podcast. See you next time.

Dan

Thanks, Jeremy.

Jeremy Snyder

Jeremy serves on the Horangi advisory board. Jeremy Snyder has over 20 years of experience in IT and cybersecurity, with deep industry exposure in the M&A space. Some of his previous employers include Amazon Web Services, DivvyCloud and Rapid7. Jeremy has lived in 5 countries and speaks several languages. He is currently the Founder and CEO of FireTail.io, a leader in API security.
