Caffeinated Risk – Details, episodes & analysis

"Legal and Regulatory" is a common receptor category  in most enterprise risk matrices but with any luck most organizations have limited direct experience with cyber litigation matters.  This episode jumps right into the deep end with one of Canada's preeminent cyber lawyers,  Brent Arnold.  Business law has evolved over hundreds of years, cybersecurity precedents began to appear on the legal landscape in the late 1980s and AI is the new kid on the block, barely out of diapers. 

While this episode can not be considered legal advice the chance to listen in on the ideas and opinions of from someone on the frontlines of this emerging risk vector should not be missed.

Cyber crime is now a daily fact of life and a significant concern in both the private and public sectors but our response capabilities do not seem to be keeping up.  This episode dives deep into one organization that is combatting this problem with a combination of academic research, industry expertise and hands-on training with the founder and CEO, Herbert Fensury. 

While cyber security is a global problem, economics and politics dictate different solution requirements. The Canadian Cyber Assessment, Training and Experimentation (CATE) Centre is both cutting edge and focused on Canadian cyber resilience at both a regional and national level. 

Ever wondered how top universities protect their cutting-edge research from prying eyes while ensuring seamless access for their scholars? Join us as Michael Spaling, Principal Security Architect at the University of Alberta, takes us behind the scenes of this high-stakes balancing act. Just like any other large organization, research universities have many different stakeholder, operational and regulatory requirements, thousands of employees and tens of thousands of customers.

In a strange twist, both Mr. Spaling and podcast cohost Tim McCreight are also recent recipients of industry awards, prompting a few questions that reveals some darker elements of social media while continuing to offer security leadership.

The practice of engineering dates back thousands of years, incorporating science and mathematics to solve problems in the ancient world, and remains a key requirement for developing the complex digital systems controlling the physical systems core to our modern way of life. Unfortunately connectivity and complexity have created a vulnerability we must now engineer our way out of, and just like risk management, engineering is about balancing constraints.

Andrew Ginter is a recognized thought leader within the industrial security space with decades of real world experience and the willingness to distill that knowledge into a series of book on operational technology cybersecurity. Mr. Ginter's latest book "Engineering-Grade OT Security, a manager's guide" explores risk elements over multiple chapters and provided a great intersection with ESRM principles.  A self professed collector of industry wisdom, Andrew was quick to highlight Cyber Informed Engineering principles for security engineering within OT and call out calculation issues when risk assessing black swans yet also offering an elegant approach to resolution. 

Due to a technical glitch, this episode joins Andrew, Tim and Doug in mid-conversation about Cyber Informed Engineering instead of the typical introduction banter of most episodes.


 

Technological change is inevitable and often one of the aspects that attracts people toward careers in information and operational technology. Although risk management is a part of navigating advancement in any area, the fundamental flaw in any management system is our human tendencies.

This episode explores how organizations can make slow, steady migration from first principles to risky undertakings without noticing. Marco Ayala, an operational technology cybersecurity expert and current Houston InfraGard president, joins this episode to further explore the reasons behind this normalization of deviance, a concept first introduced to OT cyber specialists at S4 in 2024.

Mr. Ayala is also CCE proponent and facilitator leading to a discussion on possible options for course correction back off the normalization path.  Although solutions must always be tailored to work within organizational constraints, the early contributors to catastrophic outcomes associated with the Challenger space shuttle and Boeing 737 Max warrant exploration or we will inevitably repeat. 



 

Whether it's the NIST CSF, 8276 or the new European Cyber Resilience Act there is no denying the expectation that supply chain management (SCM) is a risk management area no organization can ignore.  While SolarWinds is recent common reference in many SCM discussions, this episode's guest takes us back to Target's major data breach that resulted in significant changes to the PCI-DSS standard. 

Darren Gallop, a serially successful Canadian tech entrepreneur, recounts the early journey into the software as a service business up to his current role as CEO of Carbide. The episode talks frankly about the current challenges with supply chain management, but Mr. Gallop also shares where he sees bright lights on the horizon and a path forward for organizations willing to consider the shift.   

Long before the Matrix captured peoples imaginations, Winn Schwartau was steadily offering red pills for those reading his many books on information warfare.  A scholastic level researcher without the pretense, Mr. Schwartau has been recognized internationally as one of the leading security thinkers of our time and has a special capability for distilling complex security concepts into every day language and metaphor. 

In this episode Tim and Doug talk with Winn about the battle big tech is waging on our cognitive capabilities. Recorded just days before the release of Winn's latest book, this interview is a very frank examination of our current human state and some sound direction on how to counter the effects of coexisting with technology.

Some sample chapters of the new book and links are available here:
https://winnschwartau.com/metawar/

Almost all incident response plans include a "lessons learned" step, and in the post adrenalin phase that follows many breaches,  reviewing what worked and what needs improving doesn't excite a lot of people. Adam McMath is clearly the exception,  leading incident response activities in both the cyber realm and physical. How do resilience and incident response  lessons learned while literally fighting fires translate into risk management practices within cyber security, is a good question explored in depth with this month's guest. 

Mr. McMath's experience and exuberance are evident throughout, with a great deal of additional content that will appear in a future espresso shot bonus episode.

Amongst the industry verticals classified as critical infrastructure, few would argue that telecommunications belongs in the top that list, placing even more weight on a risk management program due to cascading impacts. Consequently, safe reliable operations are essential for success while continuing to grow in a highly competitive marketplace.  A security risk management challenge across many dimensions that has become an ESRM success story. 

This episode features Radek Havlis, Vice President, Director Business Resilience and Chief Security Officer at O2 Telefonica Germany sharing insights into O2 Telefonica's transformation toward a highly converged security model.  An early advocate of ESRM, Mr. Havlis explains how the risk management philosophy remains consistent but the requirements for successful implementation can vary greatly by organization. The Telefonica journey started with visionary leadership  and in less than three years has transformed the view of security as a business enabler. 

  

Regulatory frameworks from PCI-DSS to NERC-CIP  to  the newly minted NIST CSF 2.0 each require organizations of all sizes to have cyber incident response plans.  Most of us who have spent any time in cubicle filled office towers are familiar with fire drills to clear the building and gather staff at muster points, and that is as close as we get to the real thing.  Unfortunately that same lucky streak will   Unlike a fire drill, recent research estimates 85%  of businesses will expereince a cyber incident annually,  and many will find short-comings in their incident response plan.

This episode explores a couple of recent news-worthy Canadian Cyber incidents, challenges with incident response plans and as always, how to use ESRM principles to further your program, even in a time of crisis.