Demystifying Cybersecurity and Updating the Human Firewall
Timothy Torres: Hello, everyone. It's so good to be here today, and it's my honor to be the closing pitcher in the bottom of the ninth inning of a wonderful conference. My name is Timothy Torres, I am the chief security officer at TriNet and it is my distinct privilege every day to wake up with passion and purpose to help serve our organization as we protect not only ourselves and defend against adversaries but help protect the tens of thousands of companies that choose to do business with us and enable them to fulfill their mission and vision. And if you can't tell already, I'm excited both to be here, and I love what I do, and I love about the conversation we're about to have.
So, I will be talking a little bit over the next 45 minutes or so around the relevancy of cybersecurity with HR professionals. So I'm gonna talk about how we can demystify the cybersecurity problem itself, because it really is opaque, and there's a lot of people today that shy away from the fundamentals of what the cybersecurity problem really is. And before you can solve a problem, you have to diagnose the problem accurately, so we're gonna do that. Then we're gonna talk about the role of human resource professionals around cybersecurity. Each of you play a critical role in helping protect your organization. So we'll talk about some critical success factors, some thought leadership that you can take home, and then also some very practical elements and tools to add to your toolkit to help both boost yourself and your career and also protect your organization. And then lastly, we'll talk about the challenges on the horizon, what we have to be thinking about on the horizon from a security perspective that's relevant to what you do, and we'll put it all together before we leave.
So, Tolkien describes the Shire as a very delightful place to live, where the hobbits existed in this fruitful and abundant land of blissful peace, free from the threats and vulnerabilities of Middle Earth, free from the adventures beyond the Shire. And if you're a fan of "Lord of the Rings" or if you've ever watched the movie or maybe even "The Hobbit," this image should resonate with you. This is the Shire. And in 2004, I had the distinct privilege of taking my mother, who had three months prior been diagnosed with stage 3C ovarian cancer. Now, as you may know, ovarian cancer is a silent killer. Those that are diagnosed at stage 3C, three out of five women don't make it past five years. We knew that barring a miracle from God that she probably wouldn't make it past five years. So this was the first country that we chose to take her to. This is New Zealand, where they filmed this, and we took her on a series of vacations and spent many years together before we eventually lost her life. I have a memory of standing right here looking at this beautiful picture actually in real life, and there is no painting or picture that can do it justice. This is, it feels like heaven on earth. And it's Tolkien that uses this background and imagery to describe this place of somewhat naivete, people that existed thinking that things were okay and not really understanding what was happening in the real world.
So why is the chief security officer of TriNet choosing this to be my first slide in our conversation? The answer is this is where many organizations and individuals have existed when it comes to cybersecurity. Closing their eyes and ears, not believing that their company or their own personal life is susceptible to a cyberattack and hoping and praying that nothing ever happens. But this is not what success looks like as we move into our future in trying to protect our organization. But this is the backdrop of where many of you today may have existed, and we're gonna demystify cybersecurity, but this is not what success looks like.
However, if you were to hand over an unlimited budget to your security practitioners or an outside consulting firm or some zealous IT professional, they would buy every security tool possible, they would hire every security practitioner possible, they would lock down your company so good that you would go out of business because you can't afford to operate. This is Fort Knox. This is not the quintessential example of what security looks like for organizations, yet as many journey out of the Shire into the real world and realize that there are threats and vulnerabilities in doing business in this era, they think that this is the model position to be. And this is not, this is not success. This is what we're going to demystify today.
But I want to juxtapose the position between the Shire and Fort Knox. There's a place to live, and it's not either of those locations when it comes to success. However, this is actually Main Street for companies today as it relates to cybersecurity. Now, if you know a clever real estate agent, we live here in California, for many of you that live in California, I'm sure they would have a fancy tag on their listing to say something like "beautiful coastal fixer-upper home with great potential." That's not the tagline I see when it relates to this house. As you can see, it's propped up on stilts, it's probably one wave or one storm away from being completely destroyed. Disaster is impending.
And the reason I put this up here is actually this is where a lot of organizations exist. I read a statistic that a significant amount of small and medium-size businesses couldn't even stay in business after they were hit with a cybersecurity attack. And as you start to think about your own company, my question to you is what image pops up in your mind as it relates to your security posture? More than likely, as you look under the hood, you'll find that it's also propped up on stilts, and your security strategy is a hope and a prayer today. But as I mentioned, it's time that we sort of rethink and recalibrate this problem, because as we begin to move into the land of where artificial intelligence and technology innovation is advancing, the game has completely changed. And you can't leave this problem up to a technologist or a security professional, this is a business problem. And that's what I'm gonna talk about today.
So the next image is actually even a better way to describe what cybersecurity is all about. At the end of the day, cybersecurity is just another aspect that companies have to manage from a risk perspective. Now, as you can see, whether it's a nuclear power plant that has had an adverse event, whether it's an aircraft carrier, whether it's malpractice, whether it's landing a plane on the Hudson, whether it's even making payroll and being able to serve your colleagues and serve your business partners and customers, everything that sort of we do today from a business standpoint is contingent on technology and is susceptible to adverse events.
And so what I really want as the sort of emphasis on the first point to make today is that cybersecurity is a culture issue and challenge. It is a behavior issue and challenge. It is a human aspect and I'll talk more about that in a minute. And so when it comes to solving the problem and understanding the problem, you shouldn't first think about technology. You have to think about the humans, and you have to think about the systems as a corporate culture and practice that you have in place to help be error-free. Many of you have probably heard of the term high reliability organization principles, HRO. This is a practice that many industries have adopted. It has principles such as deference to expertise, sensitivity to operations, reluctance to simplify, resilience, having a heavy emphasis on resilience.
These are all principles that were sort of adopted into this construct called high reliability organization principles. It first started in sort of the nuclear power plants and aircraft carriers where the most minute errors could have catastrophic consequences. Over time, aviation adopted high reliability organization principles. And then now healthcare has become a large adopter of HRO principles. And I hope that if you haven't heard of HRO, I hope you write it down and that you go look it up and that you think about it in terms of your own organization. Are you a high reliability organization? Does high reliability mean anything? Perhaps your business doesn't need HRO principles.
Maybe having a high trustworthiness quotient isn't as important, but I know the heartbeat of American business relies on the ability to have zero harm to yourself, to your employees and your customers, to have quality outcomes, and to have a high trustworthiness quotient. Well, these are principles that these industries have adopted so that they can impact the way they do business, the way they think, the way they perform, the way they operate, they have processes, and it's that foundation that creates a higher level of consistency and reliability.
Now, I'll give you two examples. You probably don't know this, but the airline industry per year, out of millions and millions of flights, only has about roughly 400 deaths per year. Your odds are around one in 15 million roughly, and it changes and varies, but one in millions to actually die on a flight. Now, let's look at healthcare. Healthcare has over 35 million admissions per year, but they have over 250,000 people that die from being admitted to the hospital due to an error. The error rate is much too high, and the odds of any harm, having a hospital-acquired infection is one in 25. That's not a quality outcome, that's not a zero-harm, high trustworthiness quotient principle, which is why organizations in healthcare are adopting this.
And why am I talking about this? The reason is that cybersecurity is exactly the same type of outcome that you should be thinking about reducing harm. Now, cybercrime is actually a trillion-dollar industry. In fact, if cybercriminals formed their own country, it would be the third largest gross domestic product country in the world, behind the United States and China. It pays to be a cybercriminal. They're people that wake up every day, they have families, they take their kids to baseball, they have hobbies, and they prey on businesses and individuals that have low security standards. And the industry is over a trillion-dollar industry. There are over 30 billion accounts that will be compromised this year. There are over 22,000 successful cyberattacks per day, which means there's about one every 39 seconds. That means right now as we're speaking, there's somebody getting compromised.
This is a big deal and the problem is it is not going backwards. It continues to accelerate. And so the challenge that we have is we'll never get ahead if we think that cybersecurity is the chief security officer's problem. Many of you today don't even have a CSO, you may not have a designated security professional to lead the program. And so it's up to others in the company to sort of take the initiative and that from the start does not set you up for success. That keeps you living in the Shire, or that has you living in a house that's one wave, one storm away from complete disaster.
Cybersecurity is a human problem. It begins and ends with behavior, with culture, a culture that embraces zero harm, a focus on how we can enable the company to move into its future safely, effectively with quality outcomes, a high trustworthiness quotient. And so we're gonna talk about how we can bring this together first by understanding the magnitude of the problem, why it's a problem in the first place, and how we can begin to steer the ship. So you already know that cybercrime does pay, you already know that cybercrime continues to increase, you know that cybercrime is a human problem, not a technology problem. But I'll even talk one more second about that.
When the internet was beginning to be formed and when systems began to be established for communication, architects and engineers had a decision to make: would they engineer the internet and computers to be closed and proprietary and locked down, or would they open it up and allow commerce and communication and all the things that we have today? And when it was designed, it lacked the principles that would've put it in the Fort Knox sort of category. However, we would not, you could make the argument that had they designed the internet and the architecture for modern computing to be sort of this closed model, we would not have the rapid adoption and innovation that we have today.
So it goes hand in hand with the needs and the demands of society and the requirements to sort of build an open and interconnected model. Because of this, we have a massive issue with identity and identity management. That means that anybody can send you an email or communicate with you and can cloak or hide their identity. That's why cybercriminals can send you a phishing email. You don't know who it is. It comes in and it looks like it came from your boss, or it looks like it came from a family member or a trusted company, but you have no way of creating having any level of authenticity that that's actually who they say they are. And so the problem that we have today is anyone can hide and pose as anybody that they want to.
And that's the world that we live in, that's the world that our kids are growing up in, that's the world that we do business with. And so we have this demand to sort of protect companies and we have this demand to have openness and interconnectivity. So then how do we navigate actually creating structure around protecting companies and protecting identities? And so that's exactly what we're gonna talk about. We're actually going to dive into how there's an intersection of cybersecurity and human resources.
Number one, what I really want you to start to think about is your own organization. Do you today have any level of accountability and ownership and oversight around cybersecurity? Do you have policies and procedures? Do you have sort of an architecture from a business standpoint that creates accountability? Now, many organizations I happen to know do not. They may have policies that someone downloaded from the internet, but it doesn't have any real teeth in it, it doesn't have really any purpose. At the end, I'll sort of allude to where you can actually go online and get access to free resources if your organization is smaller and you don't have sort of the consulting sort of access to where subject matter experts can create content for you, but you have to start with establishing an actual program and oversight where human resources is part and parcel to the program. If there's not interconnectivity, it cannot be successful.
Number two, you have the responsibility to advocate and participate as a champion for cybersecurity. To be able to establish governance, to establish a voice at the table. In fact, many people say, "We don't have a cybersecurity team because we're not a large enough company." Well, you know what? The whole company is your security team. Human resources is the security team. You have the ability to sort of influence change and be the voice and be at the table. The other thing that I'll mention in this is I believe that the times have changed. I remember going to business school. I've been a technologist all my life. And I went back and got my MBA actually in Southern California at USC. And I learned principles around accounting and finance and strategy, digital marketing, and other principles. No one's asking me to be the CFO of the company, but I at least am conversant in the disciplines that are critical for the business to operate. I understand, I can have a conversation, I could be part of the decisions, I could be part of the solutions, I can help navigate around those challenges.
The same thing that I wanna interject is the cybersecurity has too long been opaque and has been fuzzy and has been sort of mystical, and professionals today have a responsibility to be conversant, to understand what the challenges are, to have somewhat understanding of the terminology, and to be able to be part of the conversation, part of the solutioning, part of sort of the diagnostics so that you can help influence the company to move in the right direction. You can't expect a leader, a CSO or a security leader, to be the only one in the company that knows anything about security. Each of you have a responsibility to be educated, to at least be conversant on this topic. That's the road to success, is to not live in the Shire, to not live in a place where it's somebody else's problem, but you begin to move into your future and understand how to navigate this new world.
I talked about being a champion, creating a culture of awareness is so important. I've seen organizations use various tactics and fail. I have seen organizations, peers of mine that lead organizations have told me horror stories where they would use security as sort of a whip when an individual sort of failed in a certain area that was due to a security incident, they had a very negative culture. My advice and guidance would be change the culture to be a culture of awareness. You have to absolutely have accountability. You absolutely should tie metrics and ensure that you have teeth in your policies, but you have to build a team of yes and a team that is on board with building a movement and a momentum for your company to win and succeed.
And so what I would challenge you is to create a culture of awareness, a positive mindset. And if you adopt high reliability organizational principles, you celebrate near misses, you actually celebrate when you're able to discover something that either went wrong or is about to go wrong. And instead of sort of creating disciplinary measures where you run people out of the company, people have psychological safety to speak up and to catch issues before they materialize. This is about building a culture of security and awareness and psychological safety that allows companies to operate and to focus on success.
The other thing that I would talk about is, and this is a little more tactical but your department controls this, is the whole onboarding and offboarding process. One of the things that I've seen is that security is sort of an afterthought when it comes to onboarding and offboarding. I'll give you a couple examples. Number one, I know that you probably all do your background checks, but I've seen where this has become more of an issue, where individuals, now that we have a work remote environment, individuals are gaming the system. They will hire people to interview for jobs, whether it's a security job, whether it's a technology job, it could be an HR job. They hire professional interviewers, they interview on camera, they get the job. On day one, it's not that person starting the job, it's outsourced to somebody else. I have personally caught these people. It is a growing phenomenon. It is a lucrative aspect, and it circles all around human resources.
So my first question to you is how do you know that the people that you're interviewing remotely are the people that are starting on day one? How do you know that they're actually not an adversary who is getting paid to get into your environment and to do what we call reconnaissance, recon, and to find out where your crown jewels are and to work with outsiders to help compromise you to ransomware and hold your crown jewels hostage, where you have to either pay millions of dollars to get your data and your technology back or you have to spend millions of dollars trying to recover on your own? All because somebody in the process in your department was asleep at the wheel or just living in the Shire, was living in a perfect, naive place, blissful, fruitful land, but failing to realize that the real world is moving quickly and you have to be sharp.
This is a growing problem, and I can tell you we have to be ready to embrace the solutions. And it starts with the onboarding, it starts with due diligence, it starts with secure practices, that you identify who you're interviewing, you identify who you make the offer, you identify who starts on day one. And more important than that, you even have security technology and tools that help reduce the ability for others to share their passwords and access. This is a big issue and we're seeing more and more of that. The other is when people leave, how do you know that they're not able to still access your network when they've been terminated?
Again, this is a human resource problem, but it is a security issue. And so I guess my question to you is what are the processes and practices today that you are a part of that ensures that at termination you can have a high level of assurance that that colleague or that contractor, that his access has been termed the moment that their employment has been termed. Trust me, these are issues that will explode if they're not managed and the risks aren't reduced. And then, as I mentioned, reinforce accountability. Accountability is so important. I mentioned that there's a balance between the carrot and the stick, but at the end of the day, the company culture has to hear it from the top, has to be felt from you, and has to have a grassroots movement that this is an issue that we together will solve, this is about a culture of high reliability, this is about zero harm, this is about quality outcomes, this is about a high trustworthiness quotient.
All right, so I'm going to talk a little bit about some practical elements. I gave you some of the ways to think about security, but I wanna talk a little bit deeper about understanding insider threats. Now, what you probably don't realize is that one of the biggest issues in security is not the bad guys outside. It's the people inside, whether it's intentional or whether it's unintentional. In my career in security, I can tell you story after story after story of real major security incidents that occurred not at the hands of somebody externally but somebody at the hands internally. I can tell you stories, I won't today, I won't on this stage, but you would not believe some of the scenarios that I can tell you that I personally have observed and had to respond to. It is a human behavior issue. And if there's the right culture, you'll help set up guardrails to help reduce that. But if you don't have that right culture and the right focus, as I mentioned, it becomes an untenable situation.
And so what I want you to realize is not only as a company do you have to protect yourself from the bad people outside, but you've gotta protect yourself from the intentional and unintentional people inside. The insider threat has become such an issue, whether it's even people that unintentionally email all the company employees' social security numbers and names and identities to somebody outside or whether it's an individual during a major cutover from a data center accidentally makes an error and completely brings down the entire data center or whether it's a person that's about to leave wants to take their entire, all the customer data so that they can go to the next company and win on that side of the house.
All these are just day-to-day things that human behavior is confronted with all these various temptations and distractions. And so what you have to have is a focus on sensitivity to operations and the ability to sort of encourage and establish practices to prevent those types of behaviors. Second is, and this is what I should have led off with, which is all of you at one time or another are going to experience a security incident. It is just statistics. It's not a matter of if, it's when. In fact, many of you have already had a security incident, you've maybe already been involved in an investigation. But the reality is it is bound to happen. So what? So how can you be prepared? And it starts obviously with having a security program, having an incident response plan.
And if you don't have a security program, these are some of the things that I listed already, and if you don't have an incident response plan, write it down, go talk to your business leaders and work on it. And I'll share with you, in fact, I'll share with you now, if you go to either sba.gov, you could go to cisa.gov, which is C-I-S-A .gov, or you can go to nist.gov, these are three sites that you can go to. They have an immense amount of resources that you can actually, you don't have to reinvent the wheel. But the reality is you've got to have an incident response plan, and people that use it have to understand it. But once you have an incident, you have to be prepared. And so my advice to you would be to curate what we call tabletops. By the show of hands, how many of you have actually been involved in a tabletop exercise for a cybersecurity incident? Be honest, raise your hand. That's about what I thought, like two or three people, four people out of this entire room have actually been a part of a tabletop.
So one of the things that if you remember anything when you go back on Monday or whenever you go back to the office, I want you to ask, "When was the last time we as a company have done a cybersecurity tabletop exercise?" That's the question to ask. And if the answer is, "Well, I don't think we've ever done one," my advice would be plan one in the second half of 2023. I would absolutely do a tabletop this calendar year, this year at your organization. And of course you can't do it tomorrow because you've gotta start with, do we even have an incident response plan? Do we even have roles defined? Do we even define what a security incident is? Do we have people trained? Do they know how to operate that? But I would establish that as if you don't take anything away, I would absolutely walk away, ask that question to your leaders, get the answer, and encourage this year to do a tabletop. Because what will happen is what a tabletop does is it just simulates what you would do.
Let's say that the scenario is a ransomware scenario. It's very simple. You can actually download scenarios online, it will be your playbook to do it. And it will force you to answer questions together. How would you respond? Where are your backups? Who has access to that? When were they last tested? How far do they go back? What's their frequency? Who is your incident response company? Do you have one? Do you have endpoint security? Do you have? It starts going through a series of things that in a real incident you would try to be figuring out and allows you to understand how prepared you are. And by the way, yes, HR has to be a part of that tabletop. It's critical. There are so many aspects to an investigation and an incident response that involve your role. And so it's good to be at least conversant and engaged so that you can actually know how to help the organization protect itself.
Security training and awareness. So, how many of you, by a show of hands, require, make it mandatory, for new employees to take security training on new hire? Show of hands. All right, that's about 65%. Two thirds, let's say. Great, there's still a third out there that doesn't. So my advice would be go home and ask the question, "Why don't we do security training at new hire?" And I don't know that you can find an answer to why other than maybe it's expensive, maybe it's logistically difficult, you don't have the right resources and expertise. By the way, you don't have to anymore, you can actually go online, there's even free content out there. But there's really no excuse why you can't, and I can tell you that it will make a difference in the culture aspect that I talked about. If you can ensure that upfront when your employees start, they're right away told that this company takes security seriously, you have an important role to help protect our organization, and we expect you to know that and to perform that, that begins to set the tone.
Now, show of hands, how many of you require that to be renewed on an annual basis? Okay, that's about one third. So two thirds does the training, one third roughly requires it annually. So I would then again ask yourself, "Why don't you do it annually?" And again, I'm trying to provoke thoughts for you to take back and to help elevate the game for your organization. Now, it could be a business decision, it's too costly in terms of time and how long it takes. All of that is a risk management decision, but I'm telling you, security is all about behavior, and if you take that angle, it's hard to find a reason why you wouldn't have routine training, focus training, and so I encourage you to do that.
All right, next, how many of you conduct phishing simulations? About 20%. So, test your organization, test your training. You can actually, again, you can get a lot of these resources out there for free. There are some companies that are incredibly proactive. TriNet's very proactive, we do this every month. We publish our click-through rate, we have progressive training and education, we have high risk training. And the point is that cybersecurity is a team sport, and you have to get the team on board and participate, and you have to give them the tools necessary to upgrade their thinking. And this is one way of being able to demonstrate whether they're actually prepared, and when not, you can help educate them and bring up their level of awareness to reduce that susceptibility. So I encourage you, this is actually really important for HR to be engaged, because once you have the program, you have to understand, like, how do you navigate it? Do you have a target benchmark that you set as a company? Do you attach incentives to that? Do you have sort of positive reinforcement? Do you have disciplinary?
I mean, these are all the questions and decisions that HR has to be involved in, but if you set the right tone and you have the right cultural focus, you will get it right. But it's a journey, it's not a sprint, it's a marathon, and you have to keep sort of your eye on the ball. Also, I think that many of you probably do a good job already on training and all that, but do you also consider third-party contractors and consultants and contingent workers as part of your core for training for policy enforcement, for phishing? This is an area where I think most organizations have not contemplated the risk. And what I mean by that is we think about protecting our organization and onboarding and training with our own staff, but we fail to realize that every contingent worker, every 1099, every contractor, every sorta consultant that you give access to can do the same thing that an employee can do. And if you don't enforce your training, if you don't think about your human resources cybersecurity program, if you don't think about including this group of people, you've missed a significant portion, in many cases, of helping raise the awareness and building that safe culture.
So I absolutely would encourage you to go about this in that perspective. I'll give you an example. During the pandemic, when everyone began to move out of the office and into the remote environment, there was a heavy focus on sort of enabling remote work and understanding who had access. And what had happened was contractors who were working sort of in the office began to go home. And because they weren't necessarily always managed, and by the way, this is at my former organization, not current, but they were not necessarily managed in the same way that a colleague is. So we ended up having contractors work in, like, Argentina and starting to work in, like, Belarus, and we would start to see, like, connections from all over the world, and we're wondering who are these people, and in many cases thought that they were actual security incidents where our employees were getting compromised.
And we began to click down, we realized that there were this contingent group of people that when the pandemic happened, they were consultants and they had our laptops or they had VPN access, and they just went on their way and worked from wherever they wanted to work, and who knows what was going on. And so the real issue is you've gotta have the same practices around protecting your data, protecting your technology, and in protecting your environment across even your third parties, across your contingent workers, and if you don't, you're not set up for success.
And then lastly, ensuring job roles match access. I can't stress enough how important it is to follow what's called the minimum necessary need-to-know principles around access. Many times, HR sets the standard because it's job code, it's job family, it's titles, it's all of that starting between human resources and finance. And security should be provisioned based on role. Role-based access is sort of the holy grail of access. Because what happens is somebody comes in the front door, they have this job, they have this access, and then they either get promoted or they move to a different role, and they maintain the access that they had from their prior role. And you end up with a person that has worked at the company for 15 years and has been in like five different roles and has all this access that you never even knew. And the whole point is ensuring that throughout the life cycle of that employee or that contractor that you maintain consistent access along the way.
Trust me when I say this, we talked about insiders, there's a lot of insider issues that happen unintentionally because people didn't realize they had certain access or even they were compromised by an outsider. They were phished, the adversary was able to gain their access and use it and use it against the organization. And had they been given access only to their role, the blast radius of the cyber incident would've been this large as opposed to this. And so you've got to ensure that your access control is very focused and is maintained and managed correctly, and that is a human resources perspective. All right, so, what's on the horizon, Timothy? What should we be thinking about?
It's no surprise that the first thing on the menu is artificial intelligence. I won't sort of bore you and regurgitate a bunch of data that you've already seen on the news, but you already know and feel the weight and gravity of generative AI and artificial intelligence in general. I don't have, this slide deck, I don't have a slide I wanted to use, but I could hearken back a video that actually shows a person talking. And you would think that this is somebody that, you know, is an actor, and it's actually completely artificial. A human being is talking on camera with their normal voice, and then they were able to actually superimpose an actor and the voice tone, intonation and sound, and visual cues are exactly the same. Anyone can be faked is the point. The deepfake era is upon us. We know that fake news and fake information has been around for several years, it's been used as a tool. During the Cold War, even, misinformation has always been a tool. But the era of deepfake and sort of this issue that we are confronted with is only starting, and we have to now begin.
This goes back to authenticity. How do we know what's fake from true? How do we know what's sort of substantive versus fake where content now, emails can be generated by a computer. And I don't need to sort of, you can, you've seen it all, you know it. And so, why is this an issue for you? Well, the real point that I'm wanting to make is all the way down to employment, especially in a work remote environment, we are now dealing with someone on the other side that we may not even be able to validate is them, that the content that they're generating is even from them, and that the work that they're doing is at the hands of the individual that you either thought you employed, thought you hired, or thought you trusted.
And so this new challenge causes us to focus back on getting it right from an organizational culture and tone. You will never be able to win at the plate, hitting every fastball that's pitched your way from a security perspective. There are balls that are gonna get by, there are balls that are going to be dropped off the table that you can't catch. But if you create an organization that is aware, that is vigilant, that understands that this is critical, you are going to have a more successful outcome than the company that is late to the game, that exists in the Shire, that's not stepping up and embracing the right cultural principles and practices.
And so that is one of the things that I want you to really take to heart, is that there's not sort of a silver bullet solution to some of these challenges that are on the horizon. It's going to require vigilance more than ever. It's going to require you to not just be a human resource professional but to be educated on cybersecurity. It's gonna require your company to be a vigilant high reliability organization so that your focus is constantly on it. What can go wrong and how can we prevent that from happening? Raising the standard to that of an aviation industry, that of an aircraft carrier, that of a hospital. To understand that the stakes are so high that if we don't focus and if we don't plan on winning, something could go wrong that could impact the organization and even you.
Adversaries on the inside, I mentioned that already through some of the other areas, but what's happening now is adversaries don't even need to phish you. They don't even need to send you an email and you to click on it. Now they're getting employed, they're getting paid both in the cybercriminal community, and they're getting paid by organizations. And it's quicker access to navigate how to compromise you and how to ensure that they win from a cybercrime perspective.
Remote work. Again, we talked about it. How do you know that the people that are working are the people that you hired? How do you know that they're doing the right things? How do you know that they haven't given their computer to their spouse or to their neighbor, to some random person? How do you know this? Again, this is cultural practices, you've gotta set guardrails in place. Supply chain is becoming more and more of an issue that we learned during the pandemic. The talent shortage is a major issue. I had a slide earlier that you saw, but a major issue in cybersecurity is that we can't find enough talented workers. There is a tremendous worker shortage. We don't have enough talent. And so I would advise you if you have security people at your company, I would ensure that you partner with them on the recruiting aspect to come up with very creative ways to find avenues to recruit talent.
One way that you can do it is actually go global. We're becoming more of a global supply organization era, and you can actually maintain and attract talent in other countries for not just labor arbitrage but actually subject matter that's available. Today, we don't have enough people to do the job, and so there are ways that you can partner with security to help open up that opportunity. And then as I mentioned already, there is a growing need for not just the CSO or the technology people to be the subject matter experts, but it's time that HR professionals, just like we treat business, accounting, finance, marketing, just like we treat those disciplines for sort of an MBA or a core Swiss Army knife, it's time that we now add security into that Swiss Army knife of competency for conversant opportunities to understand how to be part of the solution. It's time that I'm actually advocating at my own, at USC, my own alma mater, of adding cybersecurity as a discipline into the MBA program so that people coming out of college don't just have the disciplines of accounting and finance, but they have cybersecurity, they understand how to navigate and how to sort of move through this new world that we live in. Again, to move out of the Shire and into a place where we can be successful.
And so, I'm gonna start to wrap up, I think putting it all together, I hope this conversation has been helpful. We understand that the cybersecurity problem is growing and it's not going anywhere but up. We talked about the role that HR plays in helping defend and protect organizations, and it's more critical than ever. We talked about some practical things that you can take away and how you should be thinking about these problems and what's on the horizon. And then lastly, remember, cybersecurity is a human problem. It's not a technology problem. Yes, technology is a platform for this problem to be exacerbated and to be continually exploited. But remember, humans invented technology, too. Everything comes back to humans, it comes back to behavior. It comes back to sort of how you set up your culture and your environment to operate for successful outcomes.
Lastly, I strongly encourage you to leave and to go back and think, how can we build our organization to be a high reliability organization? 'Cause really what I'm not talking about today, I'm not talking about cybersecurity, I'm really talking about creating a way for you to achieve zero harm, quality outcomes and having a high trustworthiness quotient. And cybersecurity is one of many challenges that we have to rise to the occasion and help defend and protect organizations as we safely move into our future. With that, thank you for attending. It's been an honor and a privilege to be able to talk to you today. I hope that you learned something new. Thank you.


