Cybertraps Podcast

This episode is a part of a special series of interviews conducted at the INCH360 Cybersecurity Conference in Spokane, Washington. Visit their website to learn more about INCH360 and their mission. 

Host Jethro D. Jones interviews Kayne McGladrey, CSO in residence at Hyperproof, about effective risk management and communication in cybersecurity. Kayne shares insights on translating technical risks into business impacts, building strong relationships across leadership teams, and using key risk indicators to drive better decision-making. The conversation highlights the importance of bridging the gap between technical and business perspectives to improve organizational resilience.

We’re thrilled to be sponsored by IXL and Renaissance. 

IXL’s comprehensive teaching and learning platform for math, language arts, science, and social studies is accelerating achievement in 95 of the top 100 U.S. school districts. Loved by teachers and backed by independent research from Johns Hopkins University, IXL can help you do the following and more:
  • Simplify and streamline technology
  • Save teachers’ time
  • Reliably meet Tier 1 standards
  • Improve student performance on state assessments
🚀 Ready to see why leading districts trust IXL for their educational needs? Visit IXL.com/BE today to learn more about how IXL can elevate your school or district.

Learn more about Renaissance:
 
As a global leader in education technology operating in more than 110 countries, Renaissance is committed to providing educators with insights and resources to accelerate growth and help all students build a strong foundation for success. We believe that technology can unlock a more effective learning experience, ensure that students get the personalized teaching they need to thrive, and help educators and administrators to truly, fully, See Every Student. Learn more at renaissance.com.


What is Cybertraps Podcast?

We explore the risks arising from the use and misuse of digital devices and electronic communication tools. We interview experts in the fields of cybersafety, cybersecurity, privacy, parenting, and technology and share the wisdom of these experts with you!

Welcome to the Cyber Traps podcast.

Today we have Kane Mcla here who gave the opening speech at Inch 360.

So Kane welcome.

Tell us a little bit about yourself and who you're and what you do,

Yeah, thanks for having me on the show, Jethro.

I am the CSO in residence at Hyper Proof.

I am a senior IEE member, that's the Institute of Electrical and Electronics Engineers.

And I've been in cybersecurity for about three decades now.

I'm at the point where I look forward to coming to events like this and sharing my knowledge and perspective.

Yeah.

Excellent.

Because that is quite the perspective.

And so, people who were not here, do you want to just give a little summary of what you talked about this morning?

Sure, sure.

So I'm apparently the number one thought leader on risk management worldwide.

Interesting thing, I'm writing a book about risk management too, or at least I've written it.

I'm trying to get it published.

And the talk was about.

Some of the content from the book, but also the conflation that cyber risks are a real thing in reality and they're not something that I've consistently found.

And I'm currently at a company called Hyper Proof, where we look at risk management and tying that to business impacts and business outcomes and helping companies to manage their regulatory and contractual burden effectively.

But in the process of doing that, what I've found is a lot of, a lot of companies unfortunately, think that cyber risks are the only type of risks, and CISOs often struggle communicating to their other C-level executives or to the board.

And fundamentally, it comes down to a a difference in

As a ciso.

We have to be tremendously respectful of the fact that we come from a very different educational background than other senior business
leaders who typically would have like an MBA or a similar type educational background where they didn't learn about cyber risks.

They've never heard about these cyber risks, and so.

The talk goes through how do we talk effectively to executives and the board about cyber risks and how do we measure the effectiveness of the controls in mitigating or ameliorating those risks?

And then finally, what do we do with all of this information?

How do we actually know if it's time to, to start talking about business risks and less about these technical risks, which.

Honestly, you don't get funding because somebody said, you've got a CVE in this system over here.

Ain't nobody gonna give you money for that.

But if you say, look, this could cause us a million dollars loss in damages on a daily basis, and there's a 50% likelihood it's gonna happen annually.

Suddenly people just, that sentence sounds very familiar.

Or if you say, well, look, if our accounts.

Our accounts receivable system goes down in two weeks.

We are gonna have a lagging cash flow and we are going to have about, I don't know, two months of runway, just fictitiously before the company collapses.

And that will cause prioritization.

Whereas again, if you just say, well, we've got a CVE in this system, and you don't say it's in accounts receivable, you don't say the material impact, you don't say the potential of event to the business.

We get lost.

And that's something that's.

Consistently frustrated me as a ciso, and I've also done executive advisory to other CISOs and the boards, and what I've found is that.

The ability to communicate effectively and to translate from technical teams to business teams is still a missing skill.

And I think it's why we're continuing to see regulators, whether they're domestically or in the European Union or other areas where they're trying to say, make these breaches stop happening, because they don't understand.

They just understand something bad happened.

They don't like it.

We need to uplevel our communication skills as CISOs in order to be truly effective and Transformative leaders.

/
Yeah.

Well, and I think the key there is that nobody can do it, but the ciso, that you can't rely on others to understand your world, and you have to be able to communicate your world in their terms so they can do something about it.

What's your thought on that?

Yes and no.

I think that a one of the examples I give in the talk is, look, if I went to our sales leader, Mike, and I said, Hey, Mike, if our sales system were to go down for a day.

We'd lose about a dollars a day.

He's gonna laugh me out of my office because I don't know how much money we're making in a given day I don't know what controls are on there.

And I don't own the sales system 'cause I'm the ciso.

CISOs need to look at partnering with other business leaders to help them express and understand their risks effectively.

Something I always encourage that new CISOs do is go make friends with your chief legal officer or your chief counsel.

Go make friends with your chief risk officer.

Go make friends with your chief compliance officer because they understand the larger context in which we're operating.

A lot of CISOs who come from tremendously technical background can evaluate and.

Assess the potential, but they can't communicate it.

And having that additional business context really helps.

And because it's September and we're right now in budget season for a lot of companies, I think it's to have those conversations earlier so that a ciso, if a CISO doesn't have.

Good relationships with council, with compliance, with risk, with you know, the other members of the business.

They don't understand why their budget is or is not getting approved.

But if you've got a company that's, I don't know, maybe they're expanding into medical devices in Latin America.

sure like it if, as a ciso, if you knew that.

So you could A, make some recommendations about what the threat landscape's like in Latin America right now, and B, understand what are
the additional controls you have that you could already apply to those medical device manufacturing in Latin America in this scenario.

So that's a two-way conversation a CISO can.

Some of the smartest CISOs I know, like, Andrew Ji over at Appian is currently saving a hundred thousand dollars.

Every time they want to go add a new auditor at a station they're using hyper proof.

But the way he did it was by measuring what controls they currently have in place today.

And then when a business unit says, Hey Andrew, we wanna go do this thing.

Instead of having this team do spreadsheet nightmare, try and figure what controls they have, they can say, cool, here's what controls we have.

Here's how effectively they're operating.

Do a very quick analysis, which then allows us to have a return on investment conversation.

And you can say, well, if we go into this market, it's gonna cost us this much from a technical cybersecurity perspective, and here's the op upside.

As opposed to, again, in that fictional scenario where the CISO doesn't have those business relationships where they're blindsided.

And they're told, Hey, we're going to Latin America.

We're gonna manufacture romantic devices.

Go figure it out.

And that's not a scenario anybody wants to live in, but it comes down to communications gaps.

Yeah.

Well, and communications gaps are so.

Important in every part of our society, and the more that you can communicate, the better it's going to be.

One of the other things you mentioned was talking about KPIs versus K eyes.

Can you talk a little bit about that?

Oh yeah, absolutely.

I think that any CISO who doesn't understand what those are, you might as well just go get on LinkedIn right now, go find yourself a new job you're not gonna be here in a couple years.

KPIs are a trailing indicator of how likely an executive is to hit their objective.

But unfortunately there are trailing indicators, so whether your KPI is employee happiness, or it's sales volume, or it's international expansion or whatever.

They're a trailing indicator, but we can use kri key risk indicators to assess using both security data as well as business information in order to assess what's the probability of hitting that.

A good example was there was a manufacturing company that I was working with, they just made cardboard boxes.

Right.

It sounds like it's tremendously boring.

Yeah.

Environment, but they had a lot of production data about how fast are their lines running?

What's normal look like?

How much, what's their cash to close process?

Like, what's their efficiency?

Like how how well is the business running overall?

And at the same time that I was after I found out I, 'cause I was brought in to advise them after a thing happened, the security team.

They had the FBI telling them, look, manufacturing companies are being targeted by ransomware actors and the operations team and the plants.

They knew one of their lines was just running slower than usual.

They couldn't figure it out.

But the security team the operations team, they never had a chat.

They never had a way to communicate.

And because they weren't tracking, they just knew their KPIs, which were, Hey, how fast are we making cardboard boxes go out the door?

What's our cash to close?

How fast are we able to sell?

These to our customers, and because they had that data to show this line is running slow, maybe we should go check it out.

Maybe it's not a mechanical fault.

If they'd had that communications bridge, they probably could have got ahead of the ransomware instead of dealing with a regional shutdown for all of their manufacturing facilities and losing about a million dollars a day.

Yeah.

Wow.

Those executives who've got that KPI of manufacturing efficiency or maybe sales efficiency or whatnot, that's a great thing where we can look at the risks that could happen, both business as well as technical risks that could influence that negative outcome.

And then say, who cool?

Is this an acceptable risk for us?

Is it not an acceptable risk?

And that's where we can start to have controls applied as opposed to going, well, ransomware exists.

It seems bad, boss, maybe we should go figure something out.

'Cause there's no CEO who's gonna go, yeah, cool.

Go spend millions of dollars on this thing when I can't understand what you're spending the money on.

we tie it to a KRI and show how that influences their KPI, their key performance indicator job done, executives will line up to do this.

Yeah.

So essentially the key risk indicator is basically saying here.

How that manufacturing is susceptible to some sort of risk.

And if this happens, then this is what the key risk indicator is.

If this happens, and this is what it is.

And so let's say for example, the key risk indicator is something around a password getting hacked in one of the people who has the account that controls that manufacturing piece.

So then you assign a a number or what to that.

Well, how does that work?

you'd assign a value to the probability and the impact associated that.

In your example of a password being disclosed to a threat actor or them otherwise obtaining the password and being able to get in and do things, the password itself is not a risk.

The loss of the employee's password is still not a risk.

The fact that a threat actor got into your network sure feels like a risk, but it's not the thing that's the risk is what happens after.

It's that line shut down.

It's that business interruption.

It's all of those things that affect our organization's ability to be resilient in the face of cyber threats.

'cause this is gonna happen.

I think we've moved past.

The idea that you can not be breached anymore, or at least I certainly hope we've moved past that.

And instead, we need to start focusing on if this thing were to happen, what compensating controls do we have that would reduce the impact of that or reduce the probability or both?

And that's where we need to invest our resources, whether those be people or time or money.

That's how have to start thinking about it.

Yeah.

Well this is great.

Thank you so much and I look forward to learning more from you as time goes on and I'll start following your work and get your book when it comes out.

So thank you very much for being here.

Yeah.

Thanks for having me on Jethro.

And if people wanna follow me on LinkedIn, I am just Kane McGladry.

I write a tremendously boring newsletter about regulatory and legal matters.

And if you want to check out hyper proof, we are@hyperproof.io.

Excellent.

Thank you very much, and we'll have links to those in the show notes as well.

Thanks for being here.

Appreciate it.