Larry Clinton, President and CEO of the Internet Security Alliance (ISA), has been a pivotal figure in cybersecurity for over two decades. Under his leadership, ISA has been instrumental in integrating technology with economics and public policy to enhance system-wide cybersecurity across critical infrastructures.
Clinton is renowned for authoring the Cyber Risk Oversight Handbook, a vital resource for corporate boards published triennially with the National Association of Corporate Directors (NACD). This handbook is recognized for setting cyber best practices that significantly improve cybersecurity outcomes. In 2023, he was awarded the Challenge Medal for excellence by CISA Director Jen Easterly and has been named to the NACD’s “Corporate 100” list three times for his influence in corporate governance.
Clinton also authored several influential public policy books on cybersecurity, advocating for a strategic public-private partnership approach. His extensive contributions to the field are set to expand with the launch of “Fixing Cybersecurity,” a TV program exclusively addressing cyber issues, set to stream globally in 2024.
Summary of the episode
Larry Clinton, the president and CEO of the Internet Security Alliance (ISA), discusses the organization’s mission to integrate advanced technology with economics and public policy to create a sustained system of cybersecurity.
Clinton emphasizes the need to address not only the technical vulnerabilities of cybersecurity but also the economic motives behind cyber attacks. He argues that the current economic model favors attackers, and there is a need to rebalance the economic equity to create a more sustainable system. Clinton also highlights the importance of a strategic public-private partnership approach in advancing cybersecurity. He suggests that businesses should conduct a sophisticated cyber-risk assessment and develop a cyber-risk management team that includes representatives from various departments.
Clinton also mentions the launch of a TV program called “Fixing Cybersecurity” that will address cyber issues and feature interviews with leading figures in the field. The program will be available on the Sling platform and the Skytop website.
A complete transcript of the episode
Steve Bowcut:
Thank you for joining us today for the Cybersecurity Guide podcast. My name is Steve Bowcut. I’m a writer and an editor for Cybersecurity Guide and the podcast’s host. We appreciate your listening.
Today, our guest is Larry Clinton, the president and CEO of the Internet Security Alliance. We’re going to be discussing advancing cybersecurity, ISA’s vision. I’m going to tell you a little bit about Larry before we bring him in. Larry Clinton, president and CEO of the Internet Security Alliance, or ISA, has been a pivotal figure in cybersecurity for over two decades. Under his leadership, ISA has been instrumental in integrating technology with economics and public policy to enhance system-wide cybersecurity across critical infrastructures.
Clinton is renowned for authoring the Cyber-Risk Oversight Handbook, a vital resource for corporate boards published triennially with the National Association of Corporate Directors. This handbook is recognized for setting cyber best practices that significantly improve cybersecurity outcomes. In 2023, he was awarded the Challenge Medal for Excellence by CISA’s director, Jen Easterly, and has been named to the NACD’s Corporate 100 list three times for his influence in corporate governance.
Clinton also authored several influential public policy books on cybersecurity advocating for a strategic public-private partnership approach. His extensive contributions to the field are set to expand with the launch of Fixing Cybersecurity, a TV program exclusively addressing cyber issues set to stream globally in 2024. With that, welcome, Larry. Thank you for joining me today.
Larry Clinton:
My pleasure, Steven. Thank you for having me.
Steve Bowcut:
Okay. I’m looking forward to this conversation. I’ve followed your work for a number of years and I’m familiar with some of the things that you’re doing, but there’s a lot that I don’t know and so I’m interested in learning more about that as our audience does. So let’s start with an overview of the Internet Security Alliance, or ISA. What’s its core mission in the field of cybersecurity? So what’s it all about?
Larry Clinton:
So the Internet Security Alliance is essentially a coalition of major organizations. The board is typically the chief information security officer for these organizations and they are across all the critical infrastructure sectors. So everything from IT and telecom and defense down to agriculture and education, et cetera, all of whom have basically the same problem.
And you mentioned our mission statement, which is to integrate advanced technology with economics and public policy to create a sustained system of cybersecurity. Let me put that in more direct language.
Steve Bowcut:
Please.
Larry Clinton:
Basically what the ISA believes is that the reason that we are not making progress in cybersecurity and we’re not making progress in cybersecurity, things are getting worse fast, not better. And we think that one of the major reasons for that is because largely the issue has been considered in too narrow a context. Virtually all the work that has been done in cybersecurity over the last couple of decades focuses on the technology. And obviously the technology is important, but that’s not the entire issue. In fact, the technology is only how the attacks occur.
In order to get to a sustained secure system, we also need to understand and address why the attacks occur. And cyber attacks almost always occur for economic reasons, most often financial reasons. About 95% of the attacks are financially motivated. But even when they are nation state attacks, such as the Russians playing around with our elections, that’s being done for a geopolitical profit, if you will.
And so what we focus on is trying to rebalance the economic model of the digital age. Currently, the advantages all favor the attackers. Attacks are comparatively cheap and easy to acquire. The business model for a cyber attacker is fantastic. They make gargantuan profits, trillions of dollars in harm annually based on these cyber attacks, and there’s virtually no law enforcement. We successfully prosecute less than 1% of cyber criminals.
So what we need to do is to rebalance the economic equity so that we can address not only the technical infirmities of the system, which are massive, but also the economic motives. And we think that that’s a better way to get to a more sustainable system because what we’re currently doing is not working.
Steve Bowcut:
That is fascinating and I agree with that wholeheartedly. It seems like such a huge task though. So you’re really speaking, when you try and integrate advanced technology, economics and public policy, you have to have addressed at least three different groups there that I can see immediately. So how do you do that? How do you integrate those? Do you have any examples of how that works?
Larry Clinton:
Well, sure. So we work in two major directions. So we spend a lot of our time focused on the public policy community, the administration, the Congress, to some degree international, and also a substantial amount of time on the enterprise side to get the leaders of corporations to better understand cybersecurity so that they can manage things better.
One of the good things about the policy environment with regard to cybersecurity is that they haven’t made enormous mistakes. The policymakers, for the most part, know what they don’t know and they look to the private sector for direction. So by educating the private sector better as to an effective way to address cybersecurity, we could also therefore affect the public policy community. Of course, we do that directly also.
So let me give you a couple of examples of what we’re trying to do. So the traditional view of cyber, as I said, is to focus almost exclusively on the technical vulnerabilities, which of course need to be addressed. But the traditional view from a government perspective has been if you are attacked, you’re a bad actor, you don’t care enough about security, you don’t invest enough in cybersecurity, you don’t understand cybersecurity, et cetera, et cetera, et cetera. That has never been the case. The government gets attacked as much as the private sector, NSA’s been attacked, the SEC’s been attacked. The problem is not just the technical vulnerabilities, the problem is this imbalance of the attackers.
We were very glad to see that in the recently released cybersecurity strategy from the Biden administration late last year, that they have argued to change the dynamic to instead of focusing exclusively on the victims of cyber attacks and blaming the victims, what they want to do is now begin to look at the underlying economics of cybersecurity. And so if you look at Jen Easterly and Eric Goldstein’s landmark article in Foreign Affairs about a year ago, what they talk about is the need to shift government focus away from blaming the victim and instead look at the underlying economics of the digital world.
And the economic model for hardware and software has been for 20 years, get your product to market quickly and fix it later with updates and patches, et cetera, which as we’ve already discussed doesn’t work. So what the administration now wants to do is change that perspective and look at this from an economic point of view. And so the idea here would then be, let’s see if we can develop incentives so that the developers of IT equipment, hardware, software, will make it secure in design and in default status. Now that’s a big idea.
Steve Bowcut:
It is. It makes me wonder how you do that, but that’s huge. Go ahead.
Larry Clinton:
They’re calling about fundamentally reorienting the model for the IT industry. So that’s difficult, but they are now looking at it from that perspective. We can get into the how-to on that, because it’s very, very difficult, in a second. But basically it’s by reordering incentives, which has been an ISA model for a number of years. Let me give you a different example of how economics and public policy can be worked into this process on a much more, let’s say ground level, public policy implementation space.
The number one problem in cybersecurity, and it’s not recognized as such, but we believe it is, is workforce. We do not have enough people by a lot in order to enact effective cybersecurity. In the United States, we have a workforce gap of 750,000 cybersecurity jobs we can’t fill. We have 35,000 cybersecurity jobs in the federal government that we can’t fill. Nothing works without a workforce. The regulations don’t work, the technology doesn’t work. Nothing can work unless you have people who can implement them and we don’t have them. So our number one problem really is developing a workforce.
Now, there are a lot of problems in cybersecurity we don’t know how to handle, AI, for example. We really don’t know what to do with AI, but we do know how to train a workforce, we just haven’t done it. So the ISA answer to that would be, look at this as an economics issue, supply and demand. The demand for expert workers in cybersecurity is outstripping the supply. And so the answer would be stimulate supply. How do you stimulate supply?
Our idea is you stimulate supply for a cyber workforce the same way you stimulate supply for other defense workforces like the Army and Navy. You establish a national virtual cybersecurity academy and give free tuition to college students who then will have an obligation for government service. This is exactly what we did after World War II. Before World War II, we thought that the skies were not a domain of warfare, and then the Japanese bombed Pearl Harbor. And one of the first things we did was set up the Air Force Academy.
We need to do the same thing now with regard to workforce. In fact, we need to understand that this is not workforce development, this is national defense mobilization. And it’s not workforce development, it’s workforce recruitment. We know how to solve this problem, we can solve this problem. We are not solving the problem because we’re fixated on the technologies, not fixated on the economics.
If we supplied ourselves with an adequate workforce, we could massively and cost-effectively have much better cybersecurity starting at the federal government level. And then as people age out or fill their service requirements as they do with the Army or the Navy, then they would go into the private sector where they would continue to be defending our nation against cyber attacks because a lot of attacks go in the private sector.
So we look at things from an economic point of view, and I’ll give you a couple of other examples as we go through the conversation. We think that shift in perspective is what we need to move forward. And as I say, we are seeing some progress with that on the administrative side, on the administration side, some in the Congress, who are moving more toward a conversation about economic incentives rather than regulatory mandates. And we think a lot of that comes from the work that frankly we’ve been able to do successfully with corporate boards for the last 10 years.
Steve Bowcut:
That is so fascinating. And for those of us who work in this industry and see what’s going on, it can become quite concerning because looking at it from the political side, politicians often they cater to their constituents. That’s their job is to give the constituents what they want. And the constituents I think oftentimes don’t recognize the threats.
We read about, well, actually, I’m biased of course because I work in the industry, but the average guy who’s going to work every day and doing his job, he’s aware that there’s a cybersecurity problem and that attacks are happening all the time. You can’t not be aware of that. But sometimes I think if those were kinetic warfare attacks that were happening that frequently, people would be up in arms, right? They would be saying exactly what you’re saying. They’d say, “We need to fix this problem. We need to get people involved. We need a cyber academy. We need to get this workforce developed.”
But because it’s hard to pinpoint and not as visible as kinetic warfare would be, it’s hard to get people outraged about it. And if people are not outraged about it, politicians don’t necessarily react or as quickly as we might want them to. But that’s your area of expertise. That’s just a layman’s perspective from my view.
But let’s talk about, and we probably don’t need to spend a lot of time on cybersecurity threats because this is a little bit out, I think, of what we want to talk about. But is there anything that you’d like to contribute to the conversation about the most significant cybersecurity threats that we’re facing today and anything that the ISA is doing to mitigate those threats?
Larry Clinton:
Well, sure. I mean, I think when we think of threat, there’s lots of different ways to categorize the threat. I think what we would argue is that the most pressing threat is to realize that we are losing the cybersecurity domain because we’re being outgunned. Our adversaries, nation states, China, Russia, Iran, have much more sophisticated approaches to the digital age than we do here in the United States.
In China, they have something called the Digital Silk Road that is funded at $1.4 trillion. In the book you mentioned, Fixing American Cybersecurity, we have a whole chapter on this showing how successful this Chinese strategy has been and continues to be. Currently, we’re talking about TikTok, but TikTok is just one example. There are many other examples of how China is influencing this, and we are simply not responding in kind.
So the Digital Silk Road, as I say, is funded in 1.4 trillion over the next five years. That’s six times what the United States is intending on spending on cybersecurity. And that’s just China, that’s not Iran, Russia, the cyber criminal nations, et cetera. We have a tremendous imbalance there.
The specific area that I would point to in terms of threat is that the threat is actually morphing in a variety of different ways, but one of the ways that’s really interesting is the move towards systemic cyber attacks. So traditionally, when people think of cyber attacks, we think of the Target attack or the Equifax attack or the attack on the Office of Personnel Management, all of which they stole information from Equifax or Target or whatever.
Systemic attacks which are growing are very different and much more serious. In a systemic attack, what the attacker does is they don’t target a specific entity, they target a specific element in the ecosystem. So a famous example of a systemic attack would be the SolarWinds attack of a couple of years ago. The SolarWinds technology, the Orion technology that was compromised was not a bad technology. In fact, it was judged adequately secure by both the government and most of industry who were deploying it. But because it was so widely deployed, it became a more attractive target. And by attacking that specific technology, they were able to attack multiple hundreds perhaps of different companies just through that one attack. It’s a systemic attack as opposed to an entity attack.
What we’re seeing now with the Choice Healthcare system owned by UnitedHealthcare is the same thing. They attack the system and by attacking the system attack many, many people simultaneously. That’s an entirely different way of thinking about cyber attacks. And ISA would say we need to approach that in a different way.
So what the government is currently doing is saying, “Okay, well, let’s look and see what are our critical sectors.” They’re all critical. What we really need to do is focus more, targeted on specific portions of the cyber ecosystem like the Orion software or the Choiceware software. And when these things reach a certain degree of market penetration, they become a more attractive target, and therefore, at that stage they need to have additional corrective action.
So what we would propose is that whenever a portion of the ecosystem reaches a high level of market penetration, like 50, 60, 70%, then there is a requirement for them to report that to the federal government and they should be working with the federal government to come up with a solution for that particular thing.
In the book that you mentioned earlier, we have a whole section on systemic cyber risk and we identify six different elements of our cyber ecosystem where there is market penetration of 70 to 100% by one, two or three companies. These are the areas of systemic cyber risk. This is where we ought to be paying special attention, and we’re not because we are thinking things too globally by sector, by sector, as opposed to taking that economic point of view. If we would go in and simply work these things out with the companies on the specific technologies, we could make substantial cost-effective improvements to our overall cyber system.
One last thing. For example, in the SolarWinds attack, there were configuration steps that could have been taken had we been looking, that would have secured the Orion technology from many of the attacks that occurred. This is another example where we can, if we think of this better, more sophisticatedly, we can really make an impact on the cyber attacks. But we’re currently not doing it because for the most part, we’re thinking of the problem all wrong. We’re thinking of it just as a massive technology problem as opposed to a specific economic issue.
Steve Bowcut:
That is a fascinating way to look at it. And of course, and maybe it goes without saying, and I’m sure this is something that you’re working on, but it seems to me that it would be critical that if you’re going to add additional reporting responsibilities for organizations once they reach this certain market penetration level, that you have to make sure that it’s not onerous and that organizations are not going to start being penalized economically because they’ve reached this market saturation point or that the government comes in and supports that.
Something has to happen there or we all know what will happen, right? The reporting will be little, oh no, we’re not really at that threshold and we have subdivided the market and we’ve subdivided our product offering, and so no one would ever reach that level. So of course we have to make it something so that there’s maybe even an incentive for them to reach that level, report that level, and then do whatever needs to be done to mitigate the threats that would go along with their market penetration. Anything you want to comment about that?
Larry Clinton:
I think you’re exactly right. And this is again, part of the argument that we make in our books and our other publications is we need to understand that the private sector is now on the front lines of nation state attacks-
Steve Bowcut:
Exactly.
Larry Clinton:
Their economic model is not built to be a national defense entity. So we need to figure out how do we fill that delta between commercial level security, which of course companies are responsible for and this new national level security requirement that comes with these nation state attacks. And one way to do that is by targeting things much more tightly based on the actual threat to a particular part of the ecosystem.
And that sure is going to require making the initiatives cost-effective because sure, we need our utilities to be secure and they are under massive attack, but if we simply say, “Okay, spend all your money on security,” then they don’t have much money to keep the lights on, to hire, to upgrade. We need to make this functional both at a critical industry service level and at a security level.
This is a new paradigm where the private sector is essentially on the front lines of cyber attacks and we need to find a way that we can help them secure themselves in our global interest and still run these critical infrastructures that provide critical services. That’s going to require a rethinking of the economic model and we’re trying to push in that direction, but it is slow going.
Steve Bowcut:
Interesting. All right, so let’s talk about maybe some best practices for businesses. Focused on businesses across the different sectors, does the ISA advocate some best practices that you think businesses should be focused on?
Larry Clinton:
Yeah, and it really loops back into the conversation we just had wherein we think that whatever best practices, regulations, standards, whatever, need to include a cost-benefit analysis in order to work. We have focused at the Internet Security Alliance really at the corporate board level. And of course the corporate board is an important but a different responsibility. Corporate boards are not in charge of cyber-risk management. Management is in charge of cyber-risk management, but the board is in charge of cyber-risk oversight.
So working with the National Association of Corporate Directors and the World Economic Forum and a variety of international partners, European Conference of Directors Association, Japanese Business Federation, OAS, the German BSI, et cetera. We have been developing over the last decade, a set of best practices and principles that we have put in these handbooks, which you mentioned at the front, which are the cyber-risk management handbooks for corporate boards that contain a set of principles and toolkits, practices, that we would advocate that corporate boards use in order to better oversee their management teams’ cybersecurity efforts.
The critical thing about these best practices that we’ve identified is that the best practice in these handbooks are, to the best of my knowledge and I would love somebody to correct me on this, but to the best of my knowledge, these are the only set of best practices in the cybersecurity world that have been independently assessed and found to actually generate additional security. And by that I mean they’ve been assessed by PwC, the World Economic Forum, MIT.
And those three independent agencies separately have determined that organizations that use these handbooks have a better risk management, better alignment of cybersecurity with their business goals, create a better culture of security within the organization, and can expect a reduction in cyber incidents of up to 80%. So we would advocate that if government is going to regulate, that’s what they should be telling people to do. They should be telling people to do things that have been independently shown to be successful.
One of the underlying problems we have in terms of regulation is that we have massive amounts of cybersecurity regulation existing in our system, none of which is cost beneficial. In fact, most of the regulation is redundant. We have studies that indicate that between 40 and 70% of our corporate cybersecurity budgets are being wasted on duplicative regulation, not just regulation, duplicative regulation. This is a waste of very scarce cybersecurity resources, not just financially. We have our very few, and we’ve already talked about the fact that we don’t have enough people, and we are distracting them and making them go over here and fill out repetitive compliance forms when they need to be over there actually working on security.
We need to fundamentally streamline our regulatory process and that includes only mandating practices that have been independently assessed and found to be effective. We think all cybersecurity regulation should be subject to that requirement, that the regulating entity needs to include in their proposal for increased regulation, a process to study it, to demonstrate that it is effective and cost-effective. And if they can’t show it, then those regulations need to sunset.
Others can be put in their place, that’s fine, but we can’t afford to just be doing things because some bureaucrat, sorry, decides that he or she thinks it’s a good idea. They’ve got to prove that it’s a good idea. We are under attack, serious attack from multiple, very sophisticated entities. They’re winning, we’re losing. We have to be doing this in a much more sophisticated fashion. That means that we need to be spending appropriately, partnering appropriately, providing the appropriate incentives where the traditional economic model doesn’t generate the investment, and demonstrating that what we are requiring people to do actually improves security.
I don’t know if you had a chance to, I’m guessing you did, Douglas Hubbard’s excellent book, How to Measure Anything in Cybersecurity, where he did a complete review of all of the existing standards and regulatory regimes and found that none of them, none of them, have ever been shown to enhance security. So we’re wasting tons of money, tons of resources on things that we don’t know work, probably are counterproductive.
Steve Bowcut:
And I so appreciate that you’re presenting that message because there’s so much that government regulation and public policy can and should do. But I know businesses across the board, that very topic just sets their teeth on edge because that’s what they envision. Okay, if the government gets involved, we’re going to have regulations on top of regulations that don’t make any sense, that cost us a ton of money to try and meet all of it, and it’s not going to do anything in the end, we’re not going to achieve the goal in the end.
Because that’s kind of the reputation that government regulation has earned for itself, but I don’t think we can afford to … We have to have it. We just need to find a way out of this cycle where the government gets involved and it costs everybody a bunch of money and it doesn’t achieve what we need to in the end anyway. But we have to find a way out of that cycle.
Larry Clinton:
Absolutely. Yeah, absolutely. So ISA is not anti-regulatory.
Steve Bowcut:
Sure.
Larry Clinton:
We’re anti-bad regulation.
Steve Bowcut:
Exactly.
Larry Clinton:
We absolutely believe that we do need, it’s the title of our book, we do need a strategic partnership with our government. But unfortunately for our government partners, it’s not as easy as just sitting in an office and writing a bunch of regulations and saying, “Here, you guys go do this.”
Steve Bowcut:
Exactly.
Larry Clinton:
It’s a much more sophisticated problem. We are ill-structured for the digital age. Our government systems are not well-structured to deal with the uniqueness of the digital age and the ubiquity of cyber systems throughout everything. So we need to restructure. We have a very sophisticated, we think, proposal with regard to that. We definitely need a partnership with government, but it’s got to be a different partnership.
The traditional independent agency regulatory model, which was developed to deal with the hot technology of the century before the last century, railroads, doesn’t work in the digital age, the cyber systems. That system of regulation works for really stable sorts of technology, of which we have a lot, but in the cyber world, we are dealing with constantly changing technology, constantly changing attack methods, constantly changing attackers. We need to be much more agile.
And frankly, there is research, and we present that again in the book, that illustrates that a number of private sector organizations, for example, the financial institutions, have developed better organizational models to deal with things that are traditionally thought of as government responsibilities like cyber crime.
The FBI is badly structured for the digital age if there’s a cyber attack in Kansas City, [inaudible 00:29:00] Kansas City local FBI office, which is probably not the best place to deal with cybersecurity. Whereas the large banks have reformed their cyber crime entities to be much more modern and agile and more effective. We could learn a lot.
In fact, the federal government should be studying what the private sector guys are doing because in a lot of instances, they’re just better at it than the public sector. And we should be collaborating on those and developing ways to share not just best practices on incidents and vulnerabilities, but on successful models.
Steve Bowcut:
Interesting. So maybe there are some in our audience that are like me. When I think about trying to influence public policy, the image that comes to my mind is taking a bucket and trying to turn a river upstream. How do you do that? What are the approaches that you can share with how does one influence public policy at a national or even an international level?
Larry Clinton:
Well, you first of all need to have a good idea. The number one goal of the Internet Security Alliance is thought leadership. We think that there’s been a lot of activity in cybersecurity, not a lot of thought has gone into a lot of it. A lot of it’s pretty knee-jerk. So what we have attempted to do, and we welcome others doing, is taking a step back and developing, if you will, a theory of cybersecurity. Ours is called the Cybersecurity Social Contract, which defines a new role for industry and government and how they can work together and how we can restructure that.
So first of all, you need to have a theory and we’ve put one forth and [inaudible 00:30:43]. But then when you get to the actual lobbying, if you will, that has to be done on a multidimensional basis. So we work with corporate boards, we work with direct lobbying, we meet with members of Congress, members of the administration as often as we can. We give them copies of our material, which they are generally very welcoming to do. I mean, we are very encouraged.
For example, the Biden administration, the folks at the Office of the National Cyber Director read the book that you referred to in the beginning in manuscript form. They came, they discussed it. We think that the new strategy is ideologically turning in the right direction, focusing on underlying economics of the system. So that’s a good thing.
So we need to do direct lobbying, but we also need to be getting the corporate boards and the corporate community because as I said before, to a large degree, the government folks know that they don’t know what to do, and so they are going to the private sector for advice. So we need to develop a coherent message coming out of the private sector. And we really haven’t done that. Really, unlike for example the environmental community or the diversity community or a number of these communities that have really come together in a fulsome coalition, we really don’t have that in cybersecurity.
So we have virtually every trade association developing their own cybersecurity answers and they tend to be in response. They’re not affirmative. They are responsive to government proposals. So they’re waiting for the government to suggest something and then they say, “No, no, no, that’s a bad idea [inaudible 00:32:24]”
Steve Bowcut:
Right, yeah.
Larry Clinton:
What we really need is for industry to pull together around a series of core policy initiatives, and we would argue that we should start with the ones that are most impactful and cost the least and do those first. So we should be developing a workforce. We should be streamlining regulation. We should be developing a macroeconomic model for cybersecurity. We don’t have that.
We have macroeconomic models guiding us in virtually every area of our lives. Weather, they’ll talk about the different weather models. We have models for geopolitical risk, financial risk, environmental risk, et cetera. We do not actually have a macroeconomic model to deal with the economics of cybersecurity, even though cyber infects all of our economy. So we propose that’s a thing that we should be doing.
A fellow named Oliver Hart, who won the Nobel Prize in economics a few years ago, has offered to do that. We have suggested this to CISA. They have not moved on that. Again, we find that our government partners tend to be still too focused on the minutia and missing the forest for the trees. We do need to do that work. We do need to be sharing information and identifying frameworks for people to use, et cetera, et cetera. But we also need to be understanding the overarching economics and managing that.
That’s a role for the federal government, and it’s a harder role. It’s not that we don’t think there’s a role for federal government. We’re not anarchists here. We think there is a role for the federal government, but it is a sophisticated, collaborative role. And let me add one more thing on this, Steve.
Steve Bowcut:
Sure.
Larry Clinton:
We have done this before. We have reformed our approaches to government industry. We did this with NASA in the ’60s. We did it with Sematech, which you may be familiar with, to deal with the computer chip problem we had in the ’80s with the Japanese. We did it with Operation Warp Speed to deal with the pandemic, where we said, “Okay, we’re taking this out of the normal process. We’re putting it into a new process. We’re going to have different relationships. We’re going to fund it differently. We’re going to be much more collaborative.” We have done this, we simply haven’t done it on this particular problem.
So we retain some optimism. And we have to remember, Steve, that this is a competition. We’re losing the competition. It’s not that there aren’t a lot of good people doing a lot of good things in cybersecurity. I like to think ISA has done some good things in cybersecurity, but we’re losing and that’s because the bad guys are doing more. They are investing more. They are more sophisticated in their analysis. They are more integrated in their approach.
They are covering the waterfront in terms of initiatives that range from the Huawei example, the TikTok example, which by the way is also true with Tencent and Alibaba and a whole bunch of things all over the place we’re not focused on. We watched the balloon go over the continent last year and everybody focuses on that. It’s a much bigger problem and we need a much more systemic solution. We haven’t done that. We need to step up as a nation and pull together.
One last thing I’ll say about that, and I’ll get off my soapbox for a moment, which is when I say things like this, a lot of times people will push back and say, “Well, you know it’s a lot easier for China or Iran or Russia. They have a unitary economy and an authoritarian state so they can make things happen.” And that’s true, but we have advantages too. We have a bigger economy than those folks. Whereas they are just building relationships, China over the last 30 years, we’ve got relationships that go back 100 years that we can leverage. If we count Western Europe in with our economy we’re vastly bigger than they are.
Plus, I would argue that the market-driven, entrepreneurial, free enterprise system that we have here in the West is a much better fit for dealing with the dynamic issues of the digital age. The centralized economy model, yeah, there are some efficiencies there, but it’s a static sort of model, it is not a responsive model. We have a model where we can incentivize innovation faster, we can deploy things faster, we can move things around faster. We are a more dynamic model. We just have to use the tools that we have and we’re not really doing that yet.
Steve Bowcut:
Excellent. I agree. All right, let’s change our focus here a little bit. As you know, Larry, our audience is mainly made up or largely made up of students and early career professionals, some of whom are still trying to decide, is cybersecurity the way I want to go in my academic journey? Let’s talk directly to them. So what kind of educational paths or skills do you see that people aspiring to get into the cybersecurity field need?
Larry Clinton:
Well, so obviously we are very interested in this space. We have a collaboration with the Association of Governing Boards, which is the organization that represents college and university presidents and chancellors. We’ve developed a separate handbook for AGB dealing specifically with university and college cyber threats, which are unique again because the economics are so out of balance in that particular space.
But in terms of the students, I think certainly we want to incentivize, as I talked about before, getting more students involved in this, but we would argue that we need a broader approach to cybersecurity. So for the most part, the recruitment efforts, which are inadequate, they’re great, but they’re inadequate, have focused on computer science people, people who are interested in the technology, absolutely need those, but cybersecurity is a much broader issue.
We did it, I mentioned these handbooks that we’ve pushed out for corporate boards. We also have a companion textbook, which is Cybersecurity for Business that takes the oversight principles that we offer to corporate boards and translates them for what would that mean for the management team. So what would that mean for the human resources team? What would that mean for the general counsel’s office? What would that mean for the supply chain managers?
So cyber needs to be understood in a much broader context. It is not at heart a technology issue. It is an enterprise-wide risk management issue. So we need skills developed that are aware of cyber aspects in human resources, in finance, in supply chain management, in legal compliance, et cetera. And so, one of the things that we would say is that we need to broaden the curriculum, if you will, for cyber education programs to embrace this larger domain and have a more integrated model.
In terms of stimulating students, I can only say I got into this field 20 plus years ago. I knew nothing about cybersecurity at first. Virtually nobody knew anything about cybersecurity those days. Those days, as you may know, Steve, if you walked into a congressional office, you had to start by spelling cyber.
Steve Bowcut:
Yeah, exactly.
Larry Clinton:
They thought it was Y2K for those of you who know what Y2K was. So we do need to fundamentally change the orientation so that it is a broader thing.
But this is a great field to get into. This is exciting. It is challenging. It is important. It is well-paying. It’s nice white-collar work, not digging ditches, which no disrespect to the ditch diggers. So this is a terrific field and I don’t know anybody who doesn’t get into it, who doesn’t like it.
What I do see, however, and this moves a little bit away from your question, is one of our big problems that we are now facing with respect to the people who work in cybersecurity is the burnout issue. So we are seeing tremendous mental health care requirements for cyber professionals. I think Gartner says that we are expecting to lose up to a quarter of cyber professionals this year who are just going to get out of the field simply because they’re burned out.
I’ve seen this on my board of directors, which, as I told you, is mostly CISOs. It is not uncommon that people who would be mid-career, they’re 50 let’s say, in their early 40s even, who say, “Look, I’ve had it. I’m done. This is just too much pressure.” So we definitely need more people.
Steve Bowcut:
I was going to say that’s got to be tied to the skills gap or the shortage. If we didn’t have a shortage, you wouldn’t have to work so many hours and have so much pressure and so much responsibility.
Larry Clinton:
Yeah. So we do need to address the workforce issue at both levels. But in terms of getting into the field, absolutely a terrific field to get in. It’s got all sorts of advantages and you’re doing something that’s great. I mean, I look at the hundreds of thousands of people who are engaged in game tournaments around the world. Those are the people we should be going to saying, “Hey, you like playing with computers in a competitive environment? Have I got a thing for you?”
Steve Bowcut:
A real game with real consequences.
Larry Clinton:
A real game with real people and real stakes, and you can do this for the rest of your life. And I think if we did a better job targeting and recruiting … That’s why I say it’s not workforce development, it’s workforce recruitment that we need to be focused on. There are younger people out there who are fascinated with the technology, love using the technology, are curious about the technology. We have to get in and find them and say, “There is a great economic opportunity for you and your community in this direction.” And that would probably include governments providing incentives for underserved communities such as minority communities and frankly, women.
I’ll just add this one story. It’s one of my favorite stories.
Steve Bowcut:
Sure.
Larry Clinton:
Do you know who Tippi Hedren was?
Steve Bowcut:
Oh, absolutely. Yeah. Yeah.
Larry Clinton:
Right. So most of our audience, if they’re college students, don’t know. Tippi Hedren was a movie star back in the ’60s. Her big movie was The Birds, Alfred Hitchcock movie. And she basically got drummed out of the movie by Alfred Hitchcock who was being Alfred Hitchcock. But the interesting story about Tippi Hedren. So I don’t know, Steve, if you are a person who goes to a nail salon. Maybe your-
Steve Bowcut:
No, my wife and my daughter.
Larry Clinton:
Ask them, virtually all of these people are being run by Vietnamese women.
Steve Bowcut:
Sure.
Larry Clinton:
Why is that? That’s because Tippi Hedren went with the USO show to Vietnam toward the end of the war, found out all the men had been killed, all the boys, all the fathers. They were all dead. These women in their culture had no way to make a living. And she started training them in doing nails and brought them over to the United States. So I think like 40% of nail shops in the United States are run by Vietnamese women and their descendants. People look at it and say, “Why is it all …”
I would love if in 20 years people said, “Why is it that we have so many people of color in cybersecurity? Why is it that we have that?” And the way we would do that is by incentivizing them, by providing ways for them to get out of their current availabilities of forward-looking positions and give them something that is rewarding, helpful, well-paid, et cetera.
I think again, we do have the tools to do this. We’re simply not doing it. We should follow the Tippi Hedren model. We should be going out to those communities. We should be finding these people and saying, “We got a better opportunity for you.” You start them by training in patch management. Here’s how you do this. And then we move on to other things and have that broader perspective. I would like it if organizations would treat their cyber people like Major League Baseball treats their players, develop a minor league system within your organization where you’re bringing these people along on a forward-looking basis.
We don’t have that initiative. We don’t have that program in place. Instead, we’re spending all our time saying, “Okay, let’s get more computer science people to do this.” And the computer science people, even people who are taking computer science, they’re not all going into cyber. A lot of them are going into other aspects of IT stuff. They’re going into coding, they don’t go into cyber.
One of my former chairmen of the board just had his son graduate from an Ivy League school in technology and there was not a single course offered on cybersecurity.
Steve Bowcut:
Wow, that is amazing.
Larry Clinton:
Yeah. So we really need to be changing the entire system. And again, I think the tools are available, we simply haven’t used them. And the federal government can help with this.
Steve Bowcut:
I certainly agree. Thank you. So we’re about out of time here. Maybe one more thing I could get you to comment on, but I do want to finish up with what the future for Internet Security Alliance is going to look like if you have some comments about that. But before we get there, maybe if we talk now to businesses, this relationship between economics and business management.
So what kind of advice would you have for … And maybe, if you don’t mind, if we could even look at small to mid-sized businesses. If I’m just running a business in the US somewhere, from your perspective, Larry, what do I need to know? What do I need to be doing probably?
Larry Clinton:
I get this question a lot of times, if you had one thing to tell a business to do, what would they do?
Steve Bowcut:
Sure, exactly.
Larry Clinton:
And my answer is you do a sophisticated cyber-risk assessment.
Steve Bowcut:
Okay.
Larry Clinton:
And a sophisticated cyber-risk assessment varies depending on the resources that you have to do this. So in the handbooks, we advocate for a very sophisticated assessment, and the key here is to assess your risk systematically, and there are processes that you can use to do this. And if possible, do it so that you can develop an empirical and economic understanding of what your cyber risk is. So this begins by understanding what a vulnerability is, a cyber risk that is.
So if you ask people to list cyber risks, they’re liable to list supply chain, insider threats, et cetera. Those aren’t risks, those are categories. Cyber risk is a calculation, it’s not a category. And the calculation is how much money am I going to lose if I have the most likely sort of attack? And there’s a process that we lay out in the handbooks and is laid out in a variety of other places also.
So to walk through and enable to do that so that you can come up with an economics-based, for your business, assessment of what your cyber risk is and then what your cyber-risk appetite is. And then you would systematically go through, okay, how are we going to deal with that risk? Are we going to reject it, so we decide we’re not doing business in China, or are we going to accept it? And if we’re going to accept it, how are we going to mitigate it through whatever mitigation means, or are we going to transfer it? And you go through a very systematic way of analyzing this.
So that’s the process, and we think that the principles in the cyber-risk handbooks really do apply pretty equivalently to small businesses as opposed to larger businesses, where the real difference tends to be is on the structure. So if you’re dealing with a multi-mega organization that’s international, has 100,000 employees, you have a much more sophisticated structure. And there are a variety of models that we go into in Cybersecurity for Business where you can do that.
But if you’re a small business, what we would suggest is that you simply develop a cyber-risk management team. Cyber should not be being handled by the IT department because as the old saying goes, to a hammer, everything looks like a nail. If the IT guy’s in charge of cybersecurity, all you’re going to get is IT solutions. And you need to have some IT solutions, but that’s not going to solve your problem. You’ve got to have that broader perspective.
So what we advocate for a smaller organization is they develop a cyber-risk management team. And that team would include representatives from all the critical departments in that organization. So HR needs to be there, compliance needs to be there, legal needs to be there, supply chain, obviously tech needs to be there. And it probably should be run by an officer who has enterprise-wide vision. So not the CISO. He or she has cyber, they have technical expertise, but somebody like a chief risk officer, a chief operations officer, maybe a chief financial officer, somebody who has a view of the entire thing.
And the budget for cyber should not be in IT, it should be a separate budget that is going to address human resources needs and the supply chain needs as well as the technology needs. This all needs to be part of a comprehensive program, and even a small organization can do that. They would need to reorganize slightly and re-conceptualize cyber as an enterprise-wide risk, not just a technical risk.
This is where boards of directors absolutely are going. There’s all sorts of research that indicates that increasingly, boards are not saying, “Okay, the CIO or even the CISO is in charge of cyber risk,” but it’s part of a broader team, often with direct connection to the board as opposed to through IT. And that’s probably a better way to do it.
And again, ISA and ANSI laid out a program a number of years ago. By the way, all this stuff other than the book, all this stuff is available free of charge. Our handbooks are available free of charge through NACD, ISA, at DHS. So there’s no sales involved here. But these are principles that you can use. And again, these have been reviewed independently and found to actually work, which we think is an argument in their favor.
Steve Bowcut:
Okay. I love that. And as you were speaking, I was thinking it really is true. I think when small to midsize organizations are looking at cyber threats, anybody that’s involved in risk management understands how important it is to know the criticality of the threats. And I think that’s where with cyber, we lose our focus because it’s so hard to understand the criticality of the threat. We don’t know what bad things are going to happen, what that’s going to cost us? It’s so hard to put that into a dollar figure for companies to deal with because it’s so elusive, if you will. So we’re about out of time, but I do want, if you’ve got something-
Larry Clinton:
One quick thing.
Steve Bowcut:
Go ahead. Go ahead.
Larry Clinton:
A quick thing. There are models that are currently available that will help do that. So there’s [inaudible 00:52:56]-
Steve Bowcut:
Understand the criticality, sure.
Larry Clinton:
… Verisk and there’s X-Analytics. There’s a variety of models that are coming on board. There is innovation in this space that will help organizations put a dollar sign on what their most likely financial cyber-
Steve Bowcut:
Perfect, because that’s what we need sometimes in particularly small to midsize business. We need to know, well, what’s it going to cost me? I got so many things that are competing for my time and my dollars, what dollars are at risk in the cyber arena?
Larry Clinton:
Of course, yeah.
Steve Bowcut:
Let’s wrap up here, if you’ve got something to say about the future of the Internet Security Alliance. Do you have any things on the horizon that you can share with our audience or how do you see this moving forward? Anything there?
Larry Clinton:
Well, we’re very excited about the launch of the TV show. This will be the first weekly-
Steve Bowcut:
Yeah, that was kind of interesting.
Larry Clinton:
… [inaudible 00:53:47] television program. Will be an hour-long program where I’ll get to interview leading people in cybersecurity. Chairman Green from the Homeland Security Committee is committed. Jen Easterly, just did one with Michael Daniel. So we’ll be doing a variety of interviews [inaudible 00:54:03]-
Steve Bowcut:
And what platforms, how will someone find that?
Larry Clinton:
So this will be on the Sling platform-
Steve Bowcut:
Sling.
Larry Clinton:
But it’ll also be available on the Skytop website. And that will be free of charge-
Steve Bowcut:
Okay.
Larry Clinton:
… as part of Sling. And they will be streaming it internationally on a weekly basis. And as I said, we’ll be dealing with government people, but we’re also dealing with corporate people. So I’m trying to get Peter Gleason, head of the National Association of Corporate Directors and various members of my board who will come on and we’ll be discussing these issues that we’re discussing here, how do you actually do this? How does a company actually do this, as well as how would a government and industry work better together? So very excited about that.
We’re probably going to be coming out with another edition or a subsequent edition of Fixing American Cybersecurity next year. We tend to do that every four years. My board gets together and develops a series of policy recommendations for the incoming administration and Congress, irrespective of who that administration and Congress is. So we have the same advice for Obama that we did for Trump, as we did for … I mean, it’s not the same advice, but we create the same advice irrespective of who wins the election. So we’re probably publishing another one of those sometime in early 2025.
Steve Bowcut:
Okay. Awesome. All right. Well, Larry, thank you so much for spending some time with us today. I enjoyed it. I think our audience is going to learn a lot from this. And so we sincerely appreciate your time and your expertise.
Larry Clinton:
Well, I sincerely appreciate you giving me the opportunity to speak to you. It’s been enjoyable. Thanks, Steve.
Steve Bowcut:
All right. And a big thanks to our listeners for being with us. Please remember to subscribe and review if you find this podcast interesting. And join us next time for another episode of the Cybersecurity Guide podcast.