425- Security Is Just Business Risk w/ Edward Marchewka

Phil Howard & Edward Marchewka

THE IT LEADERSHIP PODCAST
EPISODE 425

Edward Marchewka

GUEST BIO

Edward Marchewka, CIO at Illinois Bone and Joint Institute, joins You've Been Heard for a practical conversation about board communication, cybersecurity leadership, and the gap between technical expertise and business trust.

He explains the information asymmetry gap, why fear-based security messaging often backfires, and how IT leaders can connect risk to confidentiality, finance, people, reputation, availability, and data integrity.

The episode also covers adult learning, remediation ownership, third-party validation, operationalized security, incident response discipline, and the career lesson Edward gives every emerging IT leader: do not sit behind your desk.

Episode Show Notes

[00:09] Phil introduces Edward Marchewka, CIO at Illinois Bone and Joint Institute, and Edward outlines his book on speaking the board's language.

[02:19] Edward explains the information asymmetry gap and why security leaders must translate what they know into what the board cares about.

[08:17] The conversation turns to trust-building, one-on-one preparation, and why the first serious security conversation should not happen in the boardroom.

[12:03] Edward connects adult learning theory to security communication: adults need the why, the impact, and a bridge from what they already know.

[15:03] Edward's first step for IT leaders: understand the business deeply enough to know how technology actually enables the work.

[23:07] Edward and Phil discuss third-party validation, defensible decisions, and the gap between being right and being trusted.

[24:57] Edward predicts security will become more operationalized, similar to the way quality moved from a separate function into everyday process.

[31:20] Edward breaks security impact into business language, including confidentiality, financial impact, people impact, availability, reputation, and data integrity.

[35:24] Vendor alerts are not enough. Edward pushes for clear ownership of remediation, including who does what and when.

[42:23] Edward finishes his practical playbook: learn the business, understand risk appetite, and define IT's role as a service organization.

[44:00] Emerging IT leaders get the blunt lesson: you will not go far if you sit behind your desk.

[45:52] Edward shares his path from early computers and the Navy to field service, corporate IT, and security remediation work.

[48:45] Edward explains that frameworks matter less than the connection and the story leaders tell with them.

[51:16] Incident response comes back to preparation: have a playbook, test it, stay calm, and follow it under pressure.

KEY TAKEAWAYS

Security leaders must close the information asymmetry gap before expecting executives to act.
Fear-based cybersecurity messaging often makes people defensive instead of engaged.
One-on-one preparation before the boardroom helps leaders ask questions without losing face.
TRANSCRIPT

425-Edward Marchewka
Host: Phil Howard
Guest: Edward Marchewka
________________

Phil Howard: All right, everyone, welcome back to You've Been Heard. Today,
Edward Marchewka is on the show, CIO of Illinois Bone and Joint Institute. You've
written a book. I've heard. Or maybe more than one. Why don't we just start off
with that? What's.

Edward Marchewka: Yeah. So, yeah, so I wrote a book, A Cybersecurity Leader's
Journey: Speaking the Language of the Board. I, which.

Phil Howard: Is awesome. Speaking the language of business, IT, so I'm sure
there's maybe some parallels, but.

Edward Marchewka: I'm sure there are. So I did my dissertation and so I took
the principles and ideas from it, and turned it into a narrative story so that
it was actually digestible. And the feedback has been great on other books, I've
contributed to a couple others. The famed CISO Compass by Todd Fitzgerald. I
contributed a piece to that, and then I co-wrote chapters for NGOs in both the
third and fourth edition of the ABA's Cybersecurity Handbook.

Phil Howard: So when it comes to speaking to the board about security, and I've
had a brilliant CTO on the show before and had worked towards. Oh, what do we
want to say? Was working towards, zero trust for a year and a half had
everyone's buy in. Everyone knew how important it was. And then when it came to.
The announcement of like, guys, great news. We became zero trust certified today
at the boardroom meeting, whatever it was. And. To her, the level of.
Accomplishment. Happiness you would feel when you finally accomplish this goal
was high. But the boardroom response was deflating because it was kind of like,
good, I guess. So maybe you got a few comments on that on how we tell stories to
the boardroom or how we make them actually involved in something that might be
geeky or nerdy to them or above their head, or if you say SOC, SIEM and all
different types of things to them and honeypots and I don't know, different
things like that. what's your approach there? You wrote the book.

Edward Marchewka: I did. So first is recognizing that there is what's called an
information asymmetry gap from an academic perspective. But really all it is is,
you know something and they don't, and you have to cross that bridge and you
have to close that gap. And we've all experienced that gap. Like you go to the
doctor, right? You want them to know more than you about whatever your ailment
is. If you have a heart issue, you want your heart doc to have that big
information asymmetry gap. However, in that case, they're just going to do what
they need to do to save you. In our case, we've got to convince them that
there's something going on. The second thing we've got to overcome is what's
called the affect heuristic, or more simply, an emotional response. Research has
shown that people go negative when they hear cybersecurity. So we have to
anticipate that. And one of the ways to close that gap and to anticipate or
prevent the affective response is really through building trust. And the number
one way of doing that is changing the direction and how you discuss what's
happening. And it's by lowering self-orientation, make it all about the other
person. The numerator in the trust equation is credibility, reliability, and
intimacy. That's all you, your degrees, your certs, how you show up, how close
you get and how much you talk to people. That's the numerator. But when you make
it about them. So how can you help them? And how can you explain things in terms
that they understand? Your CFO probably wants numbers. Your CEO probably wants
availability. Marketing probably wants integrity of reports. the CEO wants
something in terms of how people are working. And so when we have those
discussions with them, find out what they care about. So when we say, oh, zero
trust certified, great, what does that mean to me? How does that impact what I'm
doing every day? And so when we don't come in and say, I got zero trust
certified for the organization. I'm great. Give me my fanfare. The reaction is,
so what? But when you come and say, we got zero trust certified, it's going to
allow us to do X, Y, Z and a, B, c people go, that's awesome. That's great
because you've closed the gap, you've reduced their immediate negative response
because you've made it about them. That's the TL;DR version of the book.

Phil Howard: I was a sales manager and trainer back in the day, and The only
reason I got there was because, I was able to do what most of the other people
were not able to do, and kind of was in this like Cisco, what people would call
a churn and burn. And I really attribute my success only to always being a
solution oriented sit on the same side of the table as them. I guess sales
professional. And one of the things that I always told my people and no one was
ever able to break our records, like until this day, like we were always number
one, we're always in the top. We basically broke a lot of the rules, which is a
good book, by the way. First break all the rules. But the one thing that I told
him is it's very, very easy. I was like, there's one thing you have to do them
first, is get everyone smiling. If they smile, they're happy. You've already,
like kind of broken down their initial barrier, so to speak. Number two, ask
five really, really good, damn good questions. But before you speak to anyone,
before you walk into any door, before you do anything you need to say in your
head, it's all about them. It's all about them. It's all about them. It has to
be about them first. And if you just help enough other people get what they
want, you in return will get what you want. Also the famous Zig Ziglar thing. And
you're reminding me of all of this, from like twenty years ago. Yeah. And really
as, I would say, as you know, CISOs, CTOs, we have to learn to sell and that's
not a bad thing. again, that's another negative thing. But I really am
fascinated by the fact that you said they go negative right away. Why is that?

Edward Marchewka: The reason why is, there's anchoring biases, recency
biases, what they hear in the news. yeah. so, anchoring bias is this idea of
like, you're set in your ways and you're going to be stuck with it. And so when
people think of cyber, they think of hackers, they think of bad guys, they think
of identity theft and they go through it. Or there's a recency bias of something
recently happened, like if your company had a breach or if someone, dealt with
an elder case, they're like, oh yeah, that was horrible. That was terrible. I
didn't want to deal with it. Or, my kid just had to deal with the whole Canvas
hack type of thing. She was like, I stayed home from school and I can't do my
homework now. I'm going to be in trouble. It's like you literally couldn't
access it last night, so let's not worry about it. And it's all related to
cyber. And there was a study and I can't remember off the top of my head, but
they just gave people like a happy face button and a sad face button. And it was
puppies, happy flowers, happy cyber sad. And like everyone went negative when
they saw the cyber thing. And so there's this inclination to just be negative.
And so when you walk into the room as the CISO, it's not like, oh, you're the
helpful guy, you're the cyber guy. And if you can overcome that, it really
absolutely helps.

Phil Howard: Okay. Yeah, I would think the negative stuff would help. so maybe
this is the problem. We think that all that negative stuff should help us.

Edward Marchewka: But it doesn't because people then shut down and they become
defensive. So when you go negative emotionally, you become defensive. And then
it's like, well, I don't know if I believe you. I don't know if this is the
right time. There's a lot of hesitation in that.

Phil Howard: How do we make it fun and good?

Edward Marchewka: Yeah. Make it fun. Make it engaging. Build trust, have one on
one preparatory discussions. That's one of the things I mentioned in the book
is to overcome these challenges. Is the first time you talk to someone about it
shouldn't be in the boardroom, because board members and executives have egos,
and they're not going to show that they don't know something or that they're not
prepared. But if you can go in ahead of time, they've had a chance to stew on
it. They've had a chance to ask you directly those questions. when you think
about like that emotional response and that negative information asymmetry, if
you've ever had the fun experience of buying a car, right, it's somewhat
adversarial. And when they come in, we're defensive immediately. Oh, hey, I ran
the numbers. Sign here. We'll get this going. Not too many people are like,
yeah, this is good. I'm happy. This is a great transaction. it's like always
negative. I've never talked to anyone that's been like, oh yeah, it's always
smooth and it's great. And it's my most favorite thing to do is go buy a new
car. So when you think about it from that perspective, but just I'm, you're
selling the car, zero trust, a new SIEM, and they're like, I don't believe you.

Phil Howard: So we have a guy in our community, Cyber Mike, he kind of leads up
some of the cyber stuff and he built a whole basically having, a cybersecurity
like hero or a mascot in your company that matches with everybody's like, kind
of like the culture of the company. So they had like a little like, I think they
call it Snowball, which was like the company's, like, white dog, basically. So
every time someone clicked on a phishing email or something bad happened in the
company, it was like Snowball would pop up or they would use Snowball to,
actually be the cyber villain. Oh, what it was. It was a cyber villain. So
Snowball actually became the cyber villain. And then the whole company kind of
like their whole cybersecurity vibe, I guess, so to speak, turned around to like
a fun thing like cybersecurity it is.

Edward Marchewka: I did that at a previous organization. It was Agent Hope. It
was this like spy sneaky guy. But he was also there. It was like a double agent
was there to protect you. And we had this whole like logo for it.

Phil Howard: just back to the beginning again. You mentioned the, what was the
one term at the beginning again, that we must know, that must come out of the
show information asymmetry.

Edward Marchewka: It's the gap between what you know and what they know. And you
have.

Phil Howard: To bridge that gap and make people look stupid that have big egos.
You're going to look.

Edward Marchewka: So yeah. So you close that gap by meeting with them one on one
to help close the gap because they'll come to me like, I have no idea what
you're talking about. I've had tons of conversations where they're like, look,
you could buffalo me all day long and I would have no idea. But when one on
one, they'll ask the questions, they'll get the clarity because they're not
going to do it in front of their peers unless you've got someone who's just
really strong and confident. But my experience has been most of the people in
the room need that one on one chat beforehand.

Phil Howard: Share with me some of these terms that people were willing to say.
I have no clue what you're talking about. What was that? Just what some of the
most common ones.

Edward Marchewka: I think when we talk about, any of our security metrics, if we
talk about, even like, phishing results or, the antivirus stats that a lot of
people will put out. but what does that mean? Or if we talk about a zero trust
initiative? Okay. Is that good? Is that bad? What does that mean? Like, do zero
people trust us? Do we assume that we can't trust them? Like, where are we at.

Phil Howard: Yes. And. Oh, that sounds great. Yeah. We need to be zero trust.
But then when you actually become zero trust and they realize that there's a
whole bunch of new, policies and procedures that they need to follow, they're
quickly like, well, I didn't sign up for that.

Edward Marchewka: Yeah.

Phil Howard: How do you deal with that?

Edward Marchewka: Well, some of that is how we teach and train adults. And so
then we gotta like go into our educational theory and pull out the assumptions
of andragogy, which is like how we teach adults. And remember that adults want
to know why we're doing something. What's the impact to my day to day? How are
you meeting me where I'm at? So where does this drive in to that desire. Adults
have a wealth of life experience. So how can we bridge what they know to what
we're trying to get them to know and tie those things together? when we bring in
those in our discussions and frame it that way, it can really help, get that
message and story across.

Phil Howard: It's actually quite fascinating. because if you study anything
that's outside of, security or anything that you do for fun, whether it be, I
don't know me, I'm a Brazilian jiu-jitsu fan or like, I like surfing and other
things as well. And I had a teacher the other day say, well, yeah, when I have
to teach you differently. And then I teach the kids, I was like, why can't I
just learn with the kids? Just put me in class with the kids. Like, well, kids,
we just tell them to do it and they do it with adults. like what you just said,
it's actually quite fascinating. Why do we need the why? And why do we need all
this? And it is a deeper and then we get into this thing. Well, when you get
older, you can't learn like you can as a kid. Kids can learn things faster. No,
kids just have the time. And we might actually be able to learn things at a
deeper level, like quite fascinating. Oh, yeah.

Edward Marchewka: when you mentioned martial arts, I think like the instructor,
because I trained with my daughter, she'll, they'll be like, do this and the
kids will do it. And then the adults will be like, couldn't we do this? What
about this? Isn't it like this other thing, like we're starting to connect these
things together or like, well, why would we do it that way versus this way? It's
that like, help me explain. So now the instructor is like, okay, so for extra
detail for you adults who are processing this at a higher level, let's go into
some of the different details or like, well, there's this extra thing,

Phil Howard: Yeah. Like sometimes kids will just do it. Just do like, a Granby
roll or they'll just do something. Right. And adults like be like, no, you need
to do it this way. Because if you don't press this way, the hip won't get the
right leverage. And yeah, if you had to teach new IT leader, let's this a lot of
times a lot of people listen to the show are midmarket IT leaders. So they might
not have any budget for a CISO. Okay, this is why I say IT leader, but we can
say CISO or fill in the blank as well. Your playbook for creating real business
outcomes, not just fake KPIs that we kind of forge the numbers, I guess. I don't
think anyone does that in IT. I think it's possible they might. If you had to
teach a new IT leader your playbook for creating real business outcomes, what
would the top three steps be? And it can be five or seven, I don't care. We just
have a we have a three in there. Yeah.

Edward Marchewka: Number one would be understand your business. So if you're
coming in, find out what it is you do and how you do it. And not just on the
surface of, oh, we sell X, Y, z. But go deeper into how that actually happens
from beginning to end, because that's where you can enable, people use the term
like IT or security should enable the business. But if you don't know what it is
you do or how you do it, you can't enable that. And a lot of technology programs
are cost centers, like we all talk about like, oh, you should, be a profit
center. It's like, well, it's not viewed that way in a lot of places. And let's
accept that you are the back of the boat trying to help push it forward. You're
a support organization. let's just be honest.

Phil Howard: People hate the most. If I had to ask all the things that came up
in the show, if I asked like, what do you hate? we do not want to be referred to
as the Department of IT as if we are this separate entity.

Edward Marchewka: Yeah.

Phil Howard: And when everything is broken and not working, we're invaluable.
But when everything is working great, we're a cost center.

Edward Marchewka: Unless you can find a way to resell your services to the
outside world.

Edward Marchewka: That's what it is. Some organizations can profit, like their
security program. When they sell a product. Without it, they can't sell it. And
you are truly enabling and becoming more of a profit center.

Phil Howard: Health care might go to the dark center. I might go to the dark
side. You're convincing me to go back to cost center when I've been saying IT is
a business force multiplier for the last eight years, and that we need to switch
it to a business force multiplier.

Edward Marchewka: Let's think about this. All right. We're all familiar with the
idea of a submarine. What's the purpose of a submarine? Put ordnance on target.
Right. That's the purpose of it.

Phil Howard: Please explain that. Because to me, I would be like to go
underwater.

Edward Marchewka: We can go underwater with plenty of stuff, but
you can't go underwater and blow things up. Right? That's the purpose of that
boat. But you can't because of range issues. You can't be in Norfolk and hit the
bad guys on the other side of the world. Okay, so you got to get the boat close
enough. How do you get there? The back half of that submarine makes it drive,
makes it go forward. When you look at like, if you take a diagram of a
submarine, the fire control room is this tiny little box in the whole thing. The
rest of that boat is supporting getting it there so they can push that button.
but that back half is the engine room. That's what gives you power and which
gives you propulsion. Without it, it doesn't work. It just sinks. So IT is the
back half of the boat. We're going to make sure you get there so you can put
ordnance on target. Now you can also switch power. And you could actually power
a small city with a submarine. So you could resell those services in an
emergency. In fact, I think it was The Last Ship, that show on TNT from like fifteen
years ago. They actually did some of that. They hooked up the city to the
destroyer, and the destroyer provided power to the unit. And so, can it be a
profit center? Yes. Is IT often a cost center? Yeah. Because you're
supporting the organization for their mission and what they do at IBJI. We do
orthopedics. We help people that are sick or in pain. They're broken.

Edward Marchewka: I'm not that kind of doctor. We're going to help make that
happen. We're going to provide systems that provide information that gets
patients what they need, the doctors, what they need so they can treat the
patient, provide care. But no one's coming into IBJI and buying IT services.
They're buying medical care. We have the information for it unless.

Phil Howard: Without it. Okay, so let's just go back to the screening. So we go
into step one, we go in, we learn the business. We learn the entire process A to
Z. What do we do? How it whatever. How do we make money? Prosthesis whatever. In
your industry, I don't know. Knee replacements, hip replacements, I don't know.
Whatever it is, I'm probably way off. Yeah. Have you ever gone in and that's
broken and you're like, why is there a gap here? Like we could do this. And if
it fixes that gap, they now do better. I'm just like, at that point, is it still
a cost center or is it a business enabler at that point?

Edward Marchewka: The question is can they, and but does leadership have that
overall view? And I worked at one place when we were doing a strategy meeting
and IT was brought in to be part of it. And the facilitator says, what do you do
here? And the GM says, oh, we make pumps. And the VP of sales says, we make
drives. And they put a full stop to the meeting. And they're like, you need to
decide what you do in this manufacturing facility before we can go forward,
because what we do will determine what all other departments do between
purchasing, IT, finance, even the manufacturing floor. What you do determines
where you're going and how you make that happen. And so we had like a two hour
discussion on do we do pumps or do we do drives? Yes. The end product will move
fluid via a pump. But the thing that made that happen was this box or a drive.
They just happened to attach a pump head to it. And so if we made pumps, then
that was the product. If we made drives, we could attach other things to the
drive that, spun other items. And it was a deep discussion of what it is we
actually did there because that drove what everyone else did.

Phil Howard: You ended up with drives, I'm assuming.

Edward Marchewka: no, they ended up with pumps.

Phil Howard: Why is that?

Edward Marchewka: It was. Keep it simple. We even, during, a little bit later, I
had worked with some of the engineers and we developed accessories for the
drives. We're like, hey, we have a sister company that's making these like test
tube shakers like this, and they're selling them for eight hundred dollars
apiece. And it was this little desktop cheap thing where like, this is
ridiculous. And we said, hey, in thirty dollars in spare parts. And this was not
at scale. This was just like, we just grabbed it. We went to the machine shop.
We built a test tube shaker that we could attach to our drive. And then we had
the developer code it, so it just oscillated fifteen degrees in each direction.
And we're like, see, we made it, now we have a higher likelihood of burning out
the drive because they're using it more often and they'll buy a new one and
they're like, no, we're not going to risk going into a new business. And we were
like, wow, okay. Do you realize the margin on this is ridiculous? And it was,
too much risk to EBITDA to try and do something new.

Phil Howard: Wow, you just opened up another kind of like a deep hole that I'd
want to go down, but which is why do IT people spend one hundred and forty
thousand dollars on Gartner, and I was going over it from a long time ago. And I
was like, because when I speak with a lot of leadership, they're like, well,
yeah, we go to the Expos and we go to the whatever, but it's kind of a mixed bag
of people. It's not really what I'm looking for. I'd rather have sophisticated
conversations with my colleagues. Okay. And we don't really use their library of
stuff because quite frankly, I'm a better Googler than all of this stuff, and I
can find it on my own. And well, what do you pay for then? Sanity checks.

Edward Marchewka: So what do I pay for.

Phil Howard: No, no, no, I'm just saying. I asked them like, what do you pay for
Gartner for? Like, why are you guys paying for Gartner? I'm just like for the
people that pay for Gartner. And the reason what triggered this thought was, too
much risk to EBITDA. How often do we make decisions in business based on fear
and risk over. The right decision or a better decision? Yeah, it might happen to
be both, but I'm just asking like, why is this example important? Why am I
picking on Gartner here? I'm picking on Gartner because a lot of times people
have told me we are with Gartner because we need to make defendable decisions.
Not necessarily the right decision. We just need to be able to defend it.

Edward Marchewka: it's the idea of third party validation. And I've experienced
this throughout my career. I'm sure you have. And I'm sure the listeners have as
well. where, oh, we're doing this and here's what Gartner says. And Gartner is a
trusted resource. It's not just me, your CIO with twenty five years of
experience. And I remember working at one organization. We made a bunch of
recommendations. The CFO and I worked together to present to the CEO. So he had
two of his executives be like, this is the right thing to do. And he's like, I
don't know. So they brought in, I don't know, McKinsey or RSM or someone to say.
And we spent twenty five grand on it. They took our materials, used eighty plus
percent of it. And then the CEO goes, yeah, that's a great idea. We should do
all these things. And the CFO and I looked at each other like, is this guy
serious?

Phil Howard: I've had it happen.

Edward Marchewka: Yeah. And I'm like.

Phil Howard: I've had large firms. I mean, take my insight, no pun intended.
Yeah. And repackage it as their own insight. Just kind of wild to me. And I was
like, why not get all of the defendable decisions that you need, and also the
right one at the same time. I was just like, you can have both.

Edward Marchewka: And you don't need to spend one hundred and forty grand on
Gartner. You don't need to spend twenty five grand on RSM or whoever you bring
in.

Phil Howard: they're going to bring in an entry level guy out of college anyways
and put some butt in the seat for half the stuff. And then it's when I start to
go deep into it, it becomes almost conspiracy level. it's like a triple dip
model. It's like we're gonna charge you and we're going to charge the vendors
and then we're going to charge at the expo also. So it's like crazy to me. Okay,
make a prediction eighteen months from now, what will everyone be talking about
that they're ignoring today?

Edward Marchewka: I like this one. And I think people would think, oh, you're
going to say AI and I'm going to do something different. I think people are
going to be talking about how security is not needed in the way it is now. And
this is what I mean. The idea of total quality management happened in like the
eighties and nineties. And so the quality profession went from being this standalone
thing. And it just became what you did. And I think security is going to go the
same way where it's going to start to wane, meaning businesses are going to
really realize that's what they just have to do. And it's going to become an
operational concern where as long as you're blocking and tackling and doing the
basic stuff, and with more CIOs coming up with security mindsets versus
availability mindsets, they're going to own the technical piece of it, but the
risk management is going to become operationalized. I think that's what we're
going to be talking about more of is, hey, security is just what we're doing,
and CISOs and those levels are starting to potentially wane. Unless you're in a
very specialized industry, like there are still chief quality officers, okay, in
certain organizations, but a lot of them just have directors that report in and
operations to make sure that, they're checking boxes that are needed because
quality is just what you do. And a lot of manufacturing, a lot of healthcare,
etc.

Phil Howard: Let's break that down because I'd like to go back to the nineties
because I was in high school and I graduated in ninety five and I remember the
386 in the nineties. Please tell me or enlighten me as to why we weren't
in quality before that. what was this like industrial revolution of changes that
happened in the nineties?

Edward Marchewka: All right. So we actually got to go way back to like nineteen
fifteen for the for this. So nineteen fifteen quality became this like
mathematical standardized thing that you could do. And then Deming kind of
picked this up in like the fifties as it became more popular and then went to
Japan with it. And then he spent twenty years there. And in the seventies,
America realized Japan was kicking their in car manufacturing.

Phil Howard: Yeah.

Edward Marchewka: And so then America decided, oh, we got to do something. And
so then you saw the Six Sigma revolution with Motorola in the eighties and the
big pickup. And then people were talking a lot about quality, and we got to do
this and we got to make things better.

Edward Marchewka: And then in the nineties, it started to wane. Not necessarily
that it went away, but it became more of what you did. So you had.

Phil Howard: Just out of curiosity, are you telling me before we were making
pickup trucks all randomly, that just like some were good, some were bad. It
just wasn't efficient.

Edward Marchewka: Yeah, I think it's just the efficiencies that quality brought
in. Doing quality at the end caused bad product. And so when you integrated
quality into the process, it became what you did. Like even DevSecOps, right?
People talk about, oh, DevSecOps, the latest, greatest new thing. And I was
like, you're talking about a quality process. If you embed security throughout
the operations and the development cycle, your end product is secure. Just like
you have quality. Quality throughout the process leads to a quality product at
the end.

Phil Howard: So your prediction is going to be, we're not going to need CISOs
anymore because it's just going to be standard operating procedure.

Edward Marchewka: That's my prediction. I think that's where it's going. And the
idea of total security management is about a twenty-year-old idea. But that's
kind of what happened with quality. Quality started in 1950 and it took a while
to catch on. In the 1950s, Deming took off with it.

Phil Howard: So is it going to be a product? Is it going to be like a
CrowdStrike on steroids? What is it? What's it going to be? Is it going to be a
bunch of different bolt-on things that people just do? It's going to be like
email or something. We don't need someone to implement email anymore because we
just buy it. Right.

Edward Marchewka: I think as-a-service folks are definitely going to have a play
in it. I think more of what we do. Yeah. I think it's just going to start
becoming more of an operation.

Phil Howard: Top three security vendors. What are they?

Edward Marchewka: Alright. I really like Okta and what they're doing. I think
identity is so key to the entire ecosystem. They were just doing SSO, now they're
doing more, cloud brokerage, etc. So in the identity space, I've got experience
with Okta. I really like what they're doing there, if I have to name names.
CrowdStrike is doing some really cool stuff on EDR, MDR, the SIEM, bringing it
all together. The kill chain on the call back home. That's some great things.

Phil Howard: It doesn't have to be a product either. It actually could be like a
person, believe it or not. It could be like, because there's like security
training, right? Like, so.

Edward Marchewka: Okay, I'm going to call a person since you mentioned it.
Andrew Hoog from NowSecure in the mobile app space. I think he's absolutely
brilliant in the space, and I've seen Andrew present, and he's like, so this
cool, fun app, this free game, and everyone's like, yeah. And he's like, look at
how much data is leaking out of this. And you're like, oh, brilliant. So you
mentioned, when you say a person, yeah, that's who comes to mind.

Phil Howard: For years I didn't get into security, or I didn't, let's just play,
I didn't play in the sandbox as much, because I figured, no, security is for
security guys. And that was a mistake. Because what I realized is that there's a
lot of people disguising themselves as security companies. They'd love to talk
security. They love to talk. I don't even want to say like theory, or what do we
want to call it? Very subjective, not objective. But what I find is that
there's a lot of people that are kind of like in security, being insecure. And I
don't know if it's, let me just give you a perfect example. I had to help
evaluate a bunch of MSSPs. Okay. And when I started really breaking it down,
terms and conditions seem suck. Whatever, EDR, all these different things, right?
And then what really matters in security, like what's kind of like the end
goal for your company, especially in healthcare? Like, what's the main goal? So
pretty much to not get screwed. Yeah. I mean, I don't know, what would the
answer be? Like, I need to hire a security guy. Why? What's the main reason?

Edward Marchewka: Yeah, I think the biggest fear factor, especially in health
care, is a confidentiality loss in a HIPAA issue challenge. And actually, so I
have this diagram around six key business metrics and which industries care more
about which ones, and healthcare is usually around these three: confidentiality
of data, impact to financials, and a people impact or people score, meaning can
doctors get access to the information that they need? Or can patients get
access to their information that they need? Of the six, those are their three
main. Now the next one that people care about is integrity of the data. Because
if something should happen, and actually we've seen this before, right? Left leg
versus right leg type of issue. People writing with marker on their legs, not
this one, this leg. You see some of those.

Phil Howard: I actually have a friend, a very close friend. I'm not kidding you.
They replaced his wrong hip, right? They literally replaced the wrong hip. Yeah.
How bad is that? Like the worst. Literally. They had to use a marker. How did you
get that one wrong? Yeah, I don't know. So crazy.

Edward Marchewka: Yeah. Now other orgs, for instance, telecom, they're going to
care about availability. They're going to care about reputation and then they're
going to care about either finance or integrity of data. Because integrity of
data and accuracy of data is related directly to billing. When you look at like
data usage and phone calls and all the things that they charge for.

Phil Howard: I'd say financial, because if you're a really heavy telecom user,
then when you go down, I have some very large clients that if their phones go
down, they lose twenty, forty thousand dollars. Yeah.

Edward Marchewka: But their biggest things are availability of systems and
reputation.

Phil Howard: Yeah.

Edward Marchewka: Because if it's not up, it doesn't work. And if there's a bad
reputation, you're just going to change carriers.

Phil Howard: It's customer experience. Customer experience. Oh, you're saying
telecom as in like the actual telecom provider? Okay. Yeah. You're talking more
telecom from a CTO's perspective, the telecom industry. That's what they care
about now. Yes, yes, yes.

Edward Marchewka: Now education.

Phil Howard: No one cares when it comes to the actual telecom carriers, though. I
think they're still in third or fourth place for worst customer service in the
industry.

Edward Marchewka: Now, education, what they're going to care about is any direct
impact to finances, because that's like the number one concern. Then it's
student data confidentiality, and availability: are our systems up and running
so that we can teach kids? So I mean, it's an interesting graphic.

Phil Howard: I love how you broke it down, because you took something that,
again, you made me look like the dumb guy in the room, that was not going to say
anything unless you talked to me one on one. Bringing this full circle now. Do
you see how we're doing this? Bring this full circle. And you said, well, no,
it's really not about being hacked. It's not about a ransomware attack. It's not
about the boogeyman. It's really about data loss, financial loss, and actually
being able to provide a level of service to our patients so that they can access
valuable medical information without it being like pulling teeth. No pun
intended. Yeah, I love it. It's solid. So what I'm finding, however, is that
there's a lot of selling of security from the standpoint of, it might actually
be FUD, might be fear, uncertainty, desire. It might be like, there's a lot of
talk about incident response, but they don't love to talk about remediation. So
I find that there's the classic eighty-twenty rule, is that you've got a lot of
vendors out there that are really good at response. They're going to talk to you
about response. We will let you know alerts. We will do this, we will do that.
But who's actually doing the remediation? Do you find that there's an imbalance
like that, where there's a few really, really good people that do remediation?

Edward Marchewka: I think so. Right now we're onboarding a vendor and I'm like,
this is great. We're getting all this info in, but who's doing anything with it?
Yeah, that was the first question I asked, is like, is it you, vendor? Is it my.

Phil Howard: Team? No, no, no, no, no. If you look on page seven of the fine
print. No, no, no, we, but we'll charge you.

Edward Marchewka: Right. And so it's like, I need to understand, like, hey, I'm
gonna love the information, but who's doing what and when? We gotta make sure
that that's clear. But it's like, oh, we have automated tools. We try and do
this and then we reach in. And if we can't, we'll contact you. Okay.

Phil Howard: So, but if it's on a Saturday at two o'clock in the morning, that's
additional.

Edward Marchewka: That's additional, right? Yeah. These are like standard hours.
I'm like, but we're open till 10 p.m. Well, five to ten, that's beyond. I'm
like.

Phil Howard: We're going to get hacked, though, at two o'clock in the morning.
Again, we're back to the hacker thing. Like, that's when it's going to happen.
That's where I just didn't know. I mean, so that's when I kind of got hooked.
And I kind of was like, wow, this is really amazing. This is why people kind of
just love to talk about all this stuff. And then so I started grabbing all the
top scanning tools and stuff like this and started playing around. And they're
coming back at D's and F's, and like all kinds of blatant gaps. Like, what's your
security strategy? What do you guys do? Oh, we use Arctic Wolf. Do you notice
that? Is it like we're paying a bill? And when I talk to everyone, it's like,
well, they help us check the box. I mean, no, this is a story that we've talked
about, and this is an old thing. But they help us check the box from a data
loss, getting sued, HIPAA compliance policy check box thing.

Edward Marchewka: Well, I think it's that careful business balance that we all
have to have of how much are we willing to spend and do, to what level of
security. So it starts with a risk appetite discussion. And then how far are we
willing to go to get that risk appetite to something where we're willing to just
go, yeah, we'll eat that. And some of it comes down to how it's displayed. And I
did an interview with another group, it's on YouTube, that talks about the ROI of
security, or the ROI of technology when it comes to risk, by using contingent
liabilities. It's an accounting concept where it's measurable or estimated and
you have the likelihood. And at a certain point, you should put that on a
liability line, because it's potentially going to happen. Now, depending on which
accounting method, GAAP will say, well, you can just make a disclosure note. You
don't actually have to disclose, you don't have to accrue for it. ISMA, the
international standard, will say, well, if you can estimate it and you have the
likelihood, you should put that on there. And if it happens, you now have the
dollars set aside. And if it doesn't happen, it becomes retained earnings and it
goes from net income to the bottom line on the income statement. So there's
different ways to do it. It's finding the discussion point and having those
chats. Too many people are focused on, oh, I rolled out these technologies, I'm
doing these things, but they're not having the business conversations. So, going
back to what do people care about? I've found the graphic that I was talking
about. So like we talked about health care, right? So confidentiality, human
resource, that's the people. And then gold, that's finance. That's what they
tend to care about. And that's who cares about those things: general counsel and
the human resource officer. And then you start to bring in finance and
operations. But in retail, it's reputation of the organization. Is the store
open, and are we having lots of fines? Like, think Target, right? Like that's
where they are. Manufacturing: confidentiality. We've got proprietary
information, how to build our product. Are people able to work? Can they do it?
Can they get to the information they need? And then I need my reports. I need my
orders to be accurate and correct so I can ship on time. The other things, like,
we'll deal with that. But these are my focuses. Now, we always talk about the
CIA triad. So it's like, here's your zone. Are you balancing these six key
business type of metrics as it relates to our program? And all of our IT metrics
can be related back to one or six of these. Ransomware impacts finances,
confidentiality, and people's ability to work. That's like right here. That's
why healthcare gets hit so hard on ransomware. And you think about.

Phil Howard: What are the statistics? Because I heard it's some ridiculously
high percentage, that it's like well over sixty percent of healthcare
organizations will get hit with some sort of security breach.

Edward Marchewka: I don't know the number off the top of my head, but yeah,

Phil Howard: I was trying to find it while I'm watching this. I need to find
this crazy percentage at the same time. Yeah. Keep going. This is gold.

Edward Marchewka: Yeah. So, other businesses, we talked about telecom, right?
Like what's, characters, your reputation, availability, and again, your reporting
for billing, etc. Not that they don't care about losing people's data, but when
it's a decision point of, well, we can patch this, but it's going to take down
the network, or we're going to have this availability question, it's like, a
careful balance.

Phil Howard: I found sixty-seven percent. Sixty, sixty-seven percent of health
care orgs were hit by ransomware in twenty twenty-four. I think it's
believable.

Edward Marchewka: Believable. Hit by something. So I worked with a CISO in the
finance world. And so finance is availability. Finance and confidentiality. But
one of the things their leadership really glommed onto was when they started
relating things to the impact to people, when their traders were impacted by
their MFA rollout. And then when they said, what we're going to do for the
traders is, if they're inside our network, in our facility, on our computers,
we're going to limit MFA to once or twice a day so that those guys were not
slowed down. Even if it's 10 seconds to press a button on their phone, that
could be a million dollars. So they're saying limit, be smart about the traders.
And when they showed that they were considering the impact on people, it helped
their conversation so much, because that's what they were really concerned
about. Can I get these high-powered people to make money? Systems got to be up.
And are we not bleeding money? So yeah, it's, yeah.

Phil Howard: Because in that particular scenario, if they didn't have that
conversation, that could go really wrong. That would really upset some people.

Edward Marchewka: That's just a way that I like to think about things and bring
it back to the business. And none of that is IT speak. I mean, maybe see, CIAO
little bit, but like people get it when I say confidentiality of data,
availability of systems. And then when you quickly explain integrity as more of
accuracy, and is it the right thing? Then they're like, oh yeah, I totally get
that. Let's balance that out amongst our financial impact, our people impact and
our reputation impact.

Phil Howard: So this is very helpful. We got totally lost from the first three
steps. I remember we were on some steps back in the day and oh yeah.

Edward Marchewka: Seven minutes ago we said one, learn the business. Right. Two
is, even with respect to technology, it's not just a security thing, but
understand the risk appetite. Because it's like, I've been asked a lot of times,
even from a technical perspective, like, do we have to do this? Well, you
don't have to do anything, but we should do these things because of the impact
to the business and how we operate. Like, we have twelve-year-old computers. Do
we have to replace them? Well, no. But from an availability and productivity
perspective, I highly recommend it. Like, yes, we should replace them. It's those
types of discussions. That's not a security concern necessarily, because
everything's updated and patched, but like, it's old and it's going to fail and
you're going to be down, and then you replace it and you're like, oh, it's so
much better. Well, yes, how about that? So I think it's finding that out and what
it's going to be. And then I think lastly is finding out what is IT's role in the
organization? What is the expectation of the group? And a lot of it is provide
the technology. We just want it to work. And so you're a sidebar, but I think if
you can shift to being a service organization, we're here to help. We want to
work with you, and you start having those conversations and building the trust.
People will actually come to you more and look for solutions than just a laptop.

Phil Howard: I want to ask you, if you could get the C-suite to hear loud and
clear from IT, what would it be? But I almost feel like the better question is,
what's one lesson every emerging IT leader should know? If you want to answer
both of them, go ahead.

Edward Marchewka: I think the answer to the second question is the one thing
that every emerging leader needs to know is, you will not go far if you sit
behind your desk. You got to get out and talk to people, build relationships,
because everything that you want or need to do is about the relationships you
have with your stakeholders.

Phil Howard: It's all about them.

Edward Marchewka: The C-suite piece is, IT is in your business to help move you
forward, just like the engine room is pushing the submarine forward. That's why
they're here. We're here to help push you forward. You just got to let us do it.

Phil Howard: Okay? Is there a disconnect between bad leadership and leadership
telling IT what they need to do? Is it IT leadership telling IT what they need
to do, or is it IT leadership telling IT the problem we're trying to solve?

Edward Marchewka: IT leadership needs to go to their teams and provide that
vision and mission to achieve the business objectives. So the IT leader needs to
be able to speak both to their teams, but also to their executive teams and
peers. You have to be able to translate in both directions.

Phil Howard: So final question, and then I haven't asked you what your first
computer was. But how did you get started in this whole thing? How did you get
to where you are? Because this may be one of the best. And I know I could just
ask you for frameworks all day long, and you would give them, like some of the
frameworks that you gave me for just the data loss, financial loss, and the
people score acts. I mean, being able to break down security like that is very,
very helpful for people. Like, I don't think they could break it down. Like that
is just priceless. Anyways, how did you get here? How did this whole thing
start? What was your first computer? Did you play around with computers as a kid
or no?

Edward Marchewka: I did a little bit. I got my first, I think it was like an old
refurbished 286 POS white box thing that, like, I could type on. And my uncle
was in IT, and so he ended up hooking me up with a laptop and a 14.4 PCMCIA
modem. And then began down that path.

Phil Howard: When did you graduate high school? In '92?

Edward Marchewka: No, later nineties. Yeah. So, but I went to the Navy. And then
when I came back, I was like, I like math and I've liked all the science stuff I
was doing. I'm going to be a math teacher. And while I was in school, I realized
I wasn't going to be a math teacher, because you don't actually teach, you do
lots of letters home. And it was just because, I was doing my observations, and
like the teachers were writing more letters home versus spending time lesson
planning and teaching. I'm like, no. I'll teach college all day long. You want
to show up? Great. You don't want to show up? You're an adult. Yeah.

Phil Howard: You paid the bill.

Edward Marchewka: Yeah. So my buddy was like, hey, you're kind of good with
computers. We can, like, do a little business thing. And so we were doing some
field service work, and then I got some certs, and it was just one of those
things of like, oh, I'm good at this, and people will give me money for it. Why
not?

Phil Howard: And that's how it.

Edward Marchewka: Was over time. I ended up doing some bench work and then got
into field service and then corporate IT eventually, and security was by
happenstance. We had a stable infrastructure at my business unit, and corporate
security put out a call that was like, hey, we need some help. Does anyone have
some bandwidth? And my controller was like, my guy does. And so they said, cool,
here's our global pen test. Reach out to everyone and find out who's remediating
it. I'm like, okay. So that was my first foray into infosec.

Phil Howard: And eighty percent of the people didn't do remediation.

Edward Marchewka: And so then it was like, reach out to all of them, get them to
fix their stuff and then generate the report for the CIO. And I was like, okay,
sure.

Phil Howard: That's pretty wild.

Edward Marchewka: Yeah.

Phil Howard: This has been a pleasure. Let's end with this. Alright. If you had
to have like a universal framework that we could just plug in different names
for, but they're basically the same themes. So when we talked about selling
security, not literally selling it, but selling security to the board without it
being a fear, doom and gloom thing, and removing the negative barriers. You
talked about data loss, financial loss, and your people score, right? And then
when it was telecom, it was availability, reputation, financial, whatever.
That's where that is. Is there a framework for everyone out there listening that
they can use? Well, we just got to fill in the blanks for selling it, or even a
harder sell, the security budget, to the executive boardroom so that they will
say aha and actually raise their eyes and maybe ask a question.

Edward Marchewka: Yeah. So that like swirl chart that I showed uses a method
that I developed called the Chicago metrics or Chicago framework, because that's
what the metrics, the six, stand for. But my research that I did my
dissertation on really simply showed that the metrics don't matter. But what
matters is the connection and the story that you tell. So the framework, as long
as people don't dismiss it as garbage. So if you use NIST, you can use NIST CSF
to tell your story. You can use any framework. I mean, if you pull metrics from
FAIR, if you use the stuff that Doug Hubbard and Richard Simpson put together,
it's all valid. But what you do with it and how you present it and that
relationship, that's what they want to know. I had a recent discussion with
someone and they're like, look, what the board wants is to know that they're
in good hands, because they have exposure legally, based on the Caremark standard
of '96 and the Stone precedent set in '06, that they have to know about
risk and do something about it. And as long as they know that you have their
back, you can get the resources you need so that you can protect them as well.
So is there one framework? Well, the framework is trust and reliability and
getting them to understand that you're on their side.

Phil Howard: I think what you did very, very well was be able to take something
from them. And when you said, tell a story, and correct me if I'm wrong, what I
got from you is that you're able to first, from your three steps, first take
the organizational context, so to speak. How does this apply to how we produce
pumps? Yeah. And then talk about how this affects, like, what our risk engagement
is or our risk score. But how does that affect our assets, and maybe data leak,
and how are you guys going to, we need to do this. We need to monitor and we
need to put these things in place so that we don't have any adverse monetary
seepage or loss. But what do we do when something does happen? So that's the
last piece. This is the last piece. The last piece is, what do we do when
something bad does happen? And they say, well, you said we were going to be
ready for this. So how do we prepare for the inevitable?

Edward Marchewka: So have a playbook, stay calm and follow the playbook. Part of
that too is drilling and exercising on it. It was when I was interviewing for
this role, they said, when you have an incident, how do you get through it? I
was like, you stay ridiculously calm, because you can't fight a fire if you're
panicked. And so have a playbook, test it, follow it. And if you've done it,
tested it and followed it, you can remediate, contain and continue to fight the
ship. And that's something I learned in the Navy. I mean, even when I was in
training and not even on the boat, but actually at our prototype facility, like
we did the same drills in the event that something should happen.

Phil Howard: Were you on a sub or a ship? Like when you say ship, that could be
a sub. Were you on a sub?

Edward Marchewka: Yeah, yeah, I did a brief cruise with the Maryland.

Phil Howard: I don't understand. There's so many guys that have been on this
show were Navy submarine guys.

Edward Marchewka: Because we're all nuts, I don't know.

Phil Howard: Some had fires down below. That's crazy.

Edward Marchewka: Crazy, right. And so if you panic, everyone dies. So you stay
calm, but you drill that stuff nonstop, so it's all second nature. I mean, you
said you trained martial arts, right? Like, eventually you just start to feel it
and you can just react. Someone moves a knee, or they create that inch of space
because they lifted their shoulder off your chest. It lets you shrimp out,
right? But unless you've been training and are used to it, it changes the flow.

Phil Howard: Yeah. So absolutely. And people don't train under pressure as well.
If you're not used to being completely suffocated and in small spaces, rolling
around with sweaty guys, that can be mind-blowing. Your mind might be somewhere
else.

Edward Marchewka: Absolutely. Like last night we were training, and I was
setting up someone for an Americana. I was on mount, and I, like, almost had it.
And they were so focused on the arm, they weren't paying attention to the legs.
And so, it's your preparation, it's your tabletop exercises, it's your live fire
exercises, it's getting the team ready to respond to those things in a calm
manner. And hopefully you never have to use it, but sometimes you do.

Phil Howard: Super awesome. Any final words to anyone out there listening?
That's in IT, new people, old people. Any final words?

Edward Marchewka: Learn the business. It'll help you go bigger and further. And
don't sit behind your desk.

Phil Howard: Edward Marchewka, you've been heard. Thank you. Thanks.

Edward Marchewka: Appreciate it.

You’ve Been Heard

You’ve Been Heard is where IT leaders stop being sidelined and start being amplified. We’re the triple-threat platform: podcast, community and vendor-neutral advisory that elevates your voice, your value, and your influence because when IT leaders rise, so does everything else.

© 2026 The You've Been Heard podcast. All rights reserved.