Martin Hinton (00:05) All right then, welcome to the Cyber Insurance News and Information Podcast. I'm the executive editor of Cyber Insurance News, Martin Hinton, and welcome to the podcast. Today, we're going to be talking not about endpoints, but about incentives, silos, and why smart companies keep making the same risks with regard to cyber and cyber risk. To help us do that is Max Martina, president of Cambridge Leadership Associates. Max, welcome to the podcast.

Max Martina (00:30) Martin, what a pleasure to be with you. Thanks for having me on your show. I love this topic. It's definitely connected to leadership, and I'm happy to get into it with you.

Martin Hinton (00:40) Wonderful, wonderful. So what I love is words. And one of the things you do is you help with what are called complex adaptive problems. And the idea there is that these are problems that you don't have the existing tools to fix. That's the very Martin version of this. But we're going to move that conversation and that idea into the realm of cyber risk. And in that context, Max, what Max does is talks to boards, C-suites about

Max Martina (00:55) Hahaha

Martin Hinton (01:07) the evolving real issue wi it's not like something th already. So Max, that's

Max Martina (01:20) Yeah, sure, Martin. That's great. So we were actually founded in the wake of 9/11 in 2001. And our founders, who are from Harvard, alumni and professors, have created this set of tools and frameworks that help individuals, teams, and organizations move forward in ways that encounter complexity, ambiguity, volatility, and uncertainty. I said that out of order, but it's known as VUCA in the US military. And so a lot of our work is about helping executives and organizations, including boards, navigate these complex challenges. Yeah.

Martin Hinton (01:57) So what makes, I looked it up after we spoke the first time, the adaptive nature of a problem is this is the idea that we have to come up with a new way to deal with something.
I mean, is that too simple a way to think about it?

Max Martina (02:10) Yeah. No, I think it's probably true. And so one of the things, maybe the way to frame this idea of a distinction of problems is the distinction between what we would call technical problems and adaptive problems. And so it's a really easy way to think about the nature and scope of problems. In a technical problem, which we often associate with expertise, right? Someone who has a skill or a trade, or a specific know-how that can be applied to a problem that's very clearly defined, right? It sort of fits a box, even if it's a complex box, like heart surgery, for example. But on the other side of the coin, problems that we call adaptive are the ones that necessitate a change in human behavior. There is a requirement for maybe a new way of seeing the world. Maybe stakeholders have to accept risks or losses in different ways. And so in this way, these problems are often fundamentally very messy. In fact, many problems, we call them a mixture of technical and adaptive. And I think that maybe a quick metaphor here would be if you're driving down the street and your tire gets a puncture, you don't need an adaptive leadership consultant, right? You don't need anyone, frankly, other than a technical expert. You need a mechanic with expertise in car maintenance and repair. But complex issues, right? Like think about global warming or international conflicts, as is current right now. These are complex, multi-layered, multi-scalar, often emotional issues. And so oftentimes we find that those problems are the source of interaction within enterprises.

Martin Hinton (03:51) Got it, got it. So now let's move into the specific realm of cyber. And despite how long we've been around and how long we've had the internet, it's a relatively new thing. And it's a relatively new reality for companies, particularly older companies, legacy companies, that have had to adapt.
I wonder whether you could take me into sort of this idea of why viewing the cyber risk as an IT or technical problem is a mistake that companies make.

Max Martina (03:56) Yeah. Yes. Yeah, we, gosh, we see this a lot. I'm sure you see this too, but I think in most organizations, it's so much easier to think of an issue as a technical problem. And so in this world, cyber risk is definitely considered usually an IT problem, right? Internet technology driven problem with no, usually no clear executive level ownership, limited integration with broader enterprise risk, where security trade-offs are not explicit. And so unfortunately, the problem is actually more adaptive, which is to say it's an issue that confronts most organizations that requires shared responsibility, a diffuse set of stakeholders. I'll go off script here a little bit and talk a little bit about how this issue is really unique from a psychological lens. In essence, it's a strange environment because here a success for cyber risk looks like nothing happening, right? But a failure has catastrophic consequences. So you have this inverse, this asymmetry of impacts and results. And what ends up happening in most organizations, particularly at the board level, is that asymmetry actually creates what I call work avoidance. So organizations actually avoid seeing this problem as adaptive, and it festers and typically gets worse in many cases, unfortunately. I'm laughing, but I'm only laughing because the complexity of these issues is very high. And I know the stakeholders in some of these organizations and companies are just incredibly frustrated by the lack of perception around the real issues at the company's cyber level. So it's real. Yeah.

Martin Hinton (05:59) I mean, so in that context, then, if you've got a cyber event or some kind of mistake involving a cyber security issue, it can be viewed through this lens as a leadership failure. Is that something that...

Max Martina (06:05) Yeah.
Yes. Spot on, spot on. And I think, I think it often doesn't... it is a leadership failure, right? Because those with positional authority but also influence within the system can't actually pull the right levers to create focus and engagement around the critical issues. And so what often happens is what we would call an outcome bias in psychological terms. That just means that, great, nothing's happened. That means we've been successful. But, right? You know that you can have nothing happen and get very lucky, or have something happen and maybe have great cybersecurity measures that are highly effective in most cases. Right? So, yeah, definitely a leadership issue. And when I say leadership, I might add one more distinction here, that oftentimes when someone says leader, I have a little heartburn. We have this in our world, we have this really, maybe, confusing way of talking about leadership. So when I work with executives, I don't call anyone a leader. What most people refer to as a leader is someone with positional authority. But that doesn't necessarily mean that they're practicing leadership. It doesn't mean that they're actually driving the real issues forward. So when I think about leadership in systems, particularly as it connects to cyber and risk, I think about who in the system is actually doing what's necessary to move forward, to create progress on these critical issues. And it may or may not be the CISO, right? It may or may not be the board. It may or may not be the CEO. But as a decentralized problem, we know that it exists everywhere between multiple silos and departments, right? Risk and legal and user error and compliance and IT. And everyone's got a stake in this issue. So it's important.

Martin Hinton (08:00) So you touch on something that we talked about when we were planning this podcast.
And that's the idea that within virtually every corporation, there's an organizational chart and there are sort of direct reports up through the C-suite and then the board. And then there's a reporting cycle, and it's maybe quarterly sort of briefings or whatever it might be. When you think about the way you structure to address cyber risk, where does the org chart create risk? The obvious thing that we're going to get into, that you touched on, the psychology and the human nature of this, is the seat, though, of the chief information security officer, which is what I joked when we first spoke was the sort of new kid on the block. And then, you know, as it arrived at middle school and everyone's sussing them out and not quite sure whether they should let them sit at the cool kids' table and that sort of thing. And there is this very kind of human dynamic to integrating the new idea and the new concerns into existing structure. It sounds like something that should be relatively easy, like just, you know, from the point of leadership, a CEO just says, do this, do that, and it happens. What we know is that's not how things happen. And I wonder whether you might sort of talk about the way, just the simplicity of the organizational chart and where the CISO sits in the reporting structure that can impact, you know, the level of, I guess, to put it very simply, fear that can be generated around cyber and cyber risk. And as a result of that fear,

Max Martina (09:06) Yeah. Yeah. Yeah. Yes.

Martin Hinton (09:26) the money to spend on the prevention flows.

Max Martina (09:30) Yeah, well, you're spot on. I mean, I think a lot of times organizations will look to appoint an individual and expert into this role, the CISO. And oftentimes that CISO reports to IT. Sometimes they sit adjacent or next to... a couple of companies I work with, we worked really hard to position the CISO as a board-connected position. So reporting to the CEO or the CISO.
CEO or C-suite, and ancillary from the IT lead. And I think doing that is actually really good because in most cases, you know, the incentives do not necessarily consistently overlap between the CISO and the head of IT. And so, unfortunately, however, I'll throw this in here in terms of who actually fulfills that role and that responsibility. Sometimes the very people that are appointed to be CISOs are themselves technical experts, right? And so they think of their domain in a kind of a zero-sum way, right? It's this or nothing. It's a binary approach towards security. But the really talented CISOs, the ones that think about risk in a multi-layered way that's not binary, start to see gradations of this, that risk is not a one-size-fits-all approach. And in that way, they actually have to engage with a huge number of stakeholders in the organization to increase and have impact. And the ones that do, the ones that are really deploying leadership, and when I say leadership, I mean facilitating the success of others to see this problem as adaptive and therefore make progress on the issue. The ones that do are incredibly effective. And even then they have hard roads ahead of them because the nature of the challenge is viewed as so technical. Does that make sense?

Martin Hinton (11:14) It does. I mean, it makes me think that, you know, within the other C-suite, like the CFO or, you know, chief legal counsel, there is an annualized reality to, say, the budget, and then there's a quarterly reality to the budget, and then there's the everyday reality of the finance of expense reports and making the phone bill get paid. These things come with a regular long-standing cadence now, 30-day billing cycles and...

Max Martina (11:20) Yep. Yep. That's right. Yeah. Yeah. Yeah.

Martin Hinton (11:41) you know, a bill every month from American Express for the travel. And, you know, we're going to spend this much a month or this much a quarter on whatever it might be.
And not unlike when you consider the cyber insurance world now, where you see this evolution of much more adaptive, constant, like, you know, MDR and sort of 24/7, 365 monitoring, the CISO has to have, they have to adapt from, if they've come from a tech on the background, moving up into the C-suite where you have to sort of become

Max Martina (11:59) Yep. Yep. Yes.

Martin Hinton (12:08) You're at the top. You're looking down across the entire company. For the groups that have existed in the C-suite for a long time, there's a lot of track record in how to make that happen. And the problems, while they exist, are predictable. So there's, if you will, data about what it is you're going to wind up dealing with. That is something that you know is coming. The C-suite's, the CISO is not, pardon me, the CISO is not quite that person because A, it's new and B, the digital realm

Max Martina (12:11) Yep. Yep.

Martin Hinton (12:38) touches every part of the company, whereas the finance realm or the legal realm or the marketing realm are more siloed. Now we know that in corporations, siloing is something that can have value for the purposes of efficiency, but it also creates communication problems and then perhaps even competitive problems. While you maybe want your C-suite to be competitive, you don't want them trying to destroy each other. There is the need for this to be now integrated.

Max Martina (12:54) Yep. Yep. Right?

Martin Hinton (13:06) Is it literally sort of like a situation where you have to reorganize it and just reframe everyone's mindset about their interaction with this particular power structure within the leadership of a company?

Max Martina (13:19) So now it's a great question because what your question gets at is organizational dynamics. And you inferred this, but I'll say it. And that is that an effective CISO is actually building coalitions.
That means that they're viewed as not just a central expert and a resource, but actually as a driver for dispersing risk. Because we know in this issue, risk is actually diffuse. You can have someone four layers down click on an email and trigger a phishing scam, right? And they're as much culpable as anyone else in the organization for a widespread outage or failure. And so, yeah, I mean, in a way, right, this issue doesn't lend itself to a simple authority as the expert who can make the rules and set the limits, because the issue is much bigger than that, right? It hits everyone. So I think CISO as coalition builder is actually a way to think about leadership in this role, right? And when we think about that, it's about how do you enable and empower? And unfortunately, as I said, we've worked with a couple of companies even recently where the CISO and the head of IT are frankly, the CTO are frankly at odds, because it's almost like they're competing for those limited resources. And the reality is in this issue, like so many issues, but particularly this issue, the board and other executives within the enterprise are incentivized to tighten those resources, to restrict margin, to increase revenue. And so unfortunately, it's one of those areas that often gets short shrift. It doesn't get the attention that it deserves until there's a crisis. And that's that asymmetry we talked about around success and failure.

Martin Hinton (15:06) I mean, I'm sure you've seen way more than me, but I see a fair share of reports about the role of CISOs, the burnout of CISOs, the, I mean, it's less than three years average in position, I feel like I've read in some reports. I don't know if there's a lot of these reports out there, but one of the things that I've always thought is that, you know, the difficulty most companies have comes down to leadership. And I don't mean

Max Martina (15:15) Yeah, uh-huh.
Martin Hinton (15:33) big companies, I mean all companies, because it's very easy to come up with an idea for "I'm going to sell t-shirts on Etsy" and that sort of thing. If you want to scale that, you have to be able to, not unlike an IT back, sort of, CISO has to step outside of their past into this new realm. You have to adapt to this kind of complex reality of delivering a message that people maybe think they've heard. You touched on that and you just touched on it now, this sort of drop-in idea of, like, you can't just

Max Martina (15:34) You got it.

Martin Hinton (16:01) drop in another person. There has to be an adaptive ability. Do you think it's something that a company needs to be more aggressive about, or should they be looking for CISOs that can build that coalition all on their own? You want someone really strong.

Max Martina (16:13) Right. Well, that's a great question because now you're talking about fundamentally what makes effective leadership at any level, but particularly at the CISO level. And I think in an ideal world, right, all the senior level executives, including the board, they are adaptive in how they think and behave and move through systems and build coalitions. I think at least with this, we're really fortunate to work with some really effective CISOs. You pointed out that the burnout rate is extremely high. And so cycling back to that point for just a second, we even had a CISO, you and I talked about this in our pre-record, around potential personal liability that CISOs might be under related to risk, right? And needing an indemnification from that in some cases. Talk about a crazy world where your CISO is now personally liable for the risks and issues of a multi-billion or trillion business. I mean, it is insanity. So the stakes are high. And I do think that really effective executives are the ones, including CISOs, are the ones that are thinking diagnostically. They're thinking structurally.
They're thinking about layers and engagement, including other authority dynamics within systems. Because if they don't, what's the risk to them and their personal success? They actually onboard this risk, this tension. And that's why the burnout is so high, because they simply can't do it by themselves, right?

Martin Hinton (17:40) Yeah, I said, the point I sort of was getting at is just that this idea that the leadership failures are often why things don't go right. It's not the idea, it's not the marketplace, it's the execution and the direction and clarity of goal that's set. You know, I mean, the catchphrase that jumped to my mind is sort of the HR world, or maybe it's more than that, to be honest, is the soft skills, right? What I'm hearing you say is that a CISO with technical

Max Martina (17:49) Right on. Yeah.

Martin Hinton (18:09) knowledge, and whether they're capable of actually doing technical things themselves, and the ability to communicate why these things matter. Is it down to something like that simple? When you talk about coalition building, and I guess the word politics or office politics or corporate politics comes in, or the sort of psychological tools we can get to bring people around and recognize certain training might work. Is, I mean, in some respects, as my mind starts to think about this question, is that

Max Martina (18:14) Yeah.

Martin Hinton (18:38) the CISO needs to be one of the more dynamic executives in a company of any size, given the complexity.

Max Martina (18:45) Totally agree with you, particularly as the size of the company grows, because not only do they have to have a very robust technical skill set, but they have to have a dynamic human skill set. I'll say that I think the world of leadership often gets reduced down to this idea of soft skills, and in some cases, for good reason.
But what we're seeing in the world, the burgeoning world of AI even, where fundamentally all the cognitive, linear-driven and cognitive work will effectively be outsourced to a great degree, those human skills are actually becoming increasingly important. And part of those human skills are the leadership skills. My mentor, a guy that I studied from and learned at Harvard, talks about the true definition of leadership. He says it is disappointing people at a rate that they can sustain. And it's kind of funny when you think about it, but from an experiential lens, all of our CISOs that we work with, they feel the same. It's like, no matter what I do, I have to disappoint someone in order to convert behavior and create coalition and build allies and build partnerships, even internal to the organization. And it's like pulling teeth, right? And I often tell these folks, welcome to leadership. That's exactly what it's like. And it's not a one-and-done thing, right? It's a multi-scalar, a creative, long-term, consistent, dynamic effort. And so I think, you know, Rome wasn't built today and neither is an effective leader. It often takes, you know, significant effort to understand the system in a way that you can operate with efficacy and impact. And as that increases, when I say, well, what is efficacy and impact? Let's not, let's not reduce it to just basic KPIs of cyber incursions, but let's think about cyber more in terms of building resilience, not response-ready. And I think too many CISOs actually do that. They think of it, "I'm doing my job because we have a plan of attack," right? We have the playbook. We have the response. We have all of the dynamic tools and outcomes that we know we're going to pursue, but do they actually have resilience? It's different from knowing how to run a race and actually running the race, right? One requires lived stamina and practiced endurance. So, very different scopes for effective CISOs, I think.
Martin Hinton (21:06) You remind me of a piece of advice I was given early in my career when I first started managing people, and it was to not delay conversations that I was dreading having, and the difficult conversations, once you have them, you typically only regret having delayed having had the conversation. That advice proved to be true. It took me a while to, quote unquote, to use the word of the day, adapt to that mindset, right? Like there was a line I had to cross where I had to become comfortable being uncomfortable in that situation with people that

Max Martina (21:15) Yes, good advice. Yeah, spot on. Yeah, spot on.

Martin Hinton (21:35) maybe I'd been peers with, and this idea that you could pluck someone out of, say, an IT department, which has a really tight environment in my experience in corporations. And now this person has to spread more thinly across the, I guess I wonder whether or not that sort of psychological growth that's required is something that, is there advice to a CISO about how to deal with that if someone's been approached or they're getting this promotion or they've just taken on this role, about becoming, I guess, not less technical, but more something else, right? You have to add to grow into this role. And there are certainly resources out there to do that, but I wonder whether you might have some, you know, one-off advice for a CISO in the making.

Max Martina (22:06) Yeah. Yeah. Yeah. Gosh, yeah, I wish there was some magic pixie dust. I'll say a couple things maybe, and that is that oftentimes in our world, when we think about what does it take to really lead, to actually mobilize people to do complex things, to create progress on complex issues, it's not just insight, right? It's not just being smart. Unfortunately, being smart has very little correlation to actively engaging effective behavior. So I would say to any CISO who is now in that role or moving into that space,
I'd probably tell him or her, look, your job is no longer to be smart. Your job is not actually to be a problem solver of technical issues. Your job is to think more broadly, actually in some cases to be dumb, right? And learn. Deeply listen to the systems, deeply listen to the stakeholders. Understand even the positioning of the issue within the organization so that you can do the critical tasks of garnering resources, gaining support, mobilizing people, training people, in some cases creating safe environments so that even those multiple layers down, you know, will report incursions or threats. Sometimes we see that the problem is a lack of psychological safety in environments, because, you know, it's viewed as a risk if I report that I've made a mistake, right? So, very different role. I think an effective CISO, it doesn't mean, by the way, it doesn't mean they don't have those technical skills. It means that those are deployed in service of the broader organizational vision and mission. And I think that could be said, too, also for really any C-suite executive. I mean, you want a CEO or a CTO or a CHRO to think broadly about how their function engages the overall success of the business. At the end of the day, you know, Yoda said, do or do not, there is no try, right? It's fundamentally about behavior. Can that individual move into that spot and do the hard work of mobilizing people to make that change? That's the question, right? Yeah.

Martin Hinton (24:16) It is. I forget what the stat is about how many small businesses fail within the first 18 months or something like that. And I remember most of them. And I remember thinking that that's not down to the idea or the colors or the, you know, whatever it might be. That's typically down to leadership, right? Even if it's your own company, being a leader is this next layer of burden where you're, you know, you're taking yourself outside of

Max Martina (24:22) Yeah, most of them. Yeah. Yep. Yes.
Martin Hinton (24:41) what your passion is, to make a certain product or, you know, whatever, provide a certain service. And now you have to scale that and monetize it and do the taxes and all those things. And it's this layer of burden. And then if you've got employees that, you know, maybe they're not ideal, because people are complex. And it is one of those things that I think gets overlooked. You get the chance. It doesn't mean you're going to make good with it, right? Lots of people make the big leagues and they don't have glorious careers.

Max Martina (24:49) Spot on. You're so spot on. I mean, we can see that from the transition from high school athletics to college athletics to professionals in almost every domain. We can see that. And you mentioned the word scale. And that's true for CISOs as well. I know of a few folks that have been in CISO-type positions or in that suite. And as the company grows, so do the requirements grow. So do the demands grow. So does the budget, we hope, grow. And in that way, oftentimes the need to change behavior also grows. So that expression, what got you here won't get you there. Absolutely true of leadership. This is why most startup entrepreneurs, we're veering from the cyber for a second, but this is why most cyber startup entrepreneurs do not last throughout the duration of the growth of the enterprise. Very much true in venture capital and private equity worlds, where a co-founder or founder might take it from zero to 20 million, but then struggles to get it past 50 or 150 in some cases. So spot on. I think the challenge of human behavior change is itself an adaptive issue. And we can apply that to cyber, as I'm sure we'll keep talking about here. But so hard, so hard to change our behavior.

Martin Hinton (26:20) We're going to shift into cyber sec.
But I feel like the trope that you see, whether it's probably in sitcoms and movies, is that the startup guys are all in their hoodies and hanging out in one room in someone's house. And they scale up and they've got some funding. And now they realize they've got to get a real office. And the board suddenly decides they need to have an adult CEO who comes in and is the adult in the room.

Max Martina (26:40) But yeah, yeah, happens all the time. And even with CISOs, hey, we need a real CISO. And all that means is someone who's stage-appropriate, appropriate to the behaviors and requirements of typically where we're headed, maybe not where we are right now. And yeah, I mean, I think the same could be said for not just scale, but also innovation, right? Or even disruption in the marketplace. So that same kind of mindset could be used for a CISO who maybe has an incursion. Well, how do we deal with this now? Right? What do we do now? How do we adapt to the pressures and stresses that maybe are realized that we hadn't seen before, as opposed to, you know, treat it like a technical band-aid or we're going to just cover it up? I mean, that also, I think, is a behavioral data point for CISOs. How did you handle failure in the context of an incursion? And if we can look at the behavioral data on that, then we might learn about their capacity to lead as well. Yeah.

Martin Hinton (27:35) When it comes to leading, a lot of times that's getting people that you may feel inferior to, like perhaps the board, to recognize what it is they need to say yes to or to encourage the company to do from a point of view of being cyber resilient or cyber ready. And the boards tend to push, if I recall our conversation, readiness, right, the idea. But resilience is the capacity to deal with what everyone says is not if, but when, right? It's always coming. So.

Max Martina (28:03) Yeah. Yep. Yep.
Martin Hinton (28:05) Just to frame this readiness versus resilience, you told a great story about a cyber security response, incident response, and the idea that suddenly nobody could talk to anyone. And there was a reason for that. Do you remember this? I'll remind you with more if you don't. So nobody knew anyone's phone numbers. So tell me about it. Suddenly nothing works.

Max Martina (28:23) Yeah, keep going because I have like five examples from that. Yeah. Yeah, yeah, yeah. Yeah, yeah. Yeah.

Martin Hinton (28:33) Your phone doesn't open and you're like, really? I don't remember anything with my childhood phone number and that's not going to do me any good.

Max Martina (28:39) Yeah, and the irony, that company was not a... and we work with all types and sizes. But in the case that you're talking about, the example we discussed, this was a very, probably, probably a hundred million dollar, very large commercial roofing company. And they, all that's interesting. But, well, even they can get hacked, right? They're not thinking about cyber threats, but they had some cyber protection in place. Sure enough, there was a, there was an incursion. Complete disruption and hijacking of their system. It was a ransomware situation. They wanted a million dollars. And literally all of the backup data and the original data and backup data were both corrupted. Literally no one had any phone numbers unless you were pre-programmed into your phone, right? There were no backup plans. There was very little resilience. Now this organization, they did have a baseline readiness approach. And it's ultimately what saved them in the end. It took them two, almost six weeks, almost two months to actually recover the data. They ended up not paying the ransom. But the reality is that's not resilience, right? It would be like, yeah, I can, I probably can run the race. Maybe I, maybe I can run a half marathon, but am I going to run it in pain and tear my Achilles? Right.
Or do I actually have the capacity to do it when the pressure is on? And so I think when we think about this specific issue, right, we're comparing readiness and resilience. And I think boards, they push what I call the artifacts of readiness, right, which are policies, playbooks, backup systems, plans and roadmaps. And they're great. That's sort of par for the course. That's important. But real resilience is, okay, when push comes to shove, can we actually operate under stress? When people are pointing fingers? Can we coordinate across silos? Do we have a practiced response when things go wrong? What would you do in this case? So moving past playbooks into scenario planning and then almost simulation in some cases. The really great CISOs and organizations will actually run some simulations. I live off the coast of Seattle here. And occasionally the city and the local state, the local government and state, will do earthquake drills, right? So everyone hears about it on the radio and we want to practice that because the big one is due. So are we doing the same thing with cyber threats? The problem is, particularly at the board level, folks that view authority in the system as really the arbiter of decision making are often not pushed back against. Right? So if the board is restricting assets and resources by virtue of the CEO, oftentimes the CISOs just say, okay, well, I guess we can't do it. And that's the wrong way to think about creating resilience. Right? There are many things that can be done, even on low budgets or virtually no budgets, to build that capacity within the org. Yeah.

Martin Hinton (31:40) You remind me of a scenario. Once upon a time, I worked at a large corporate media company and I ran a unit that would do hour-long documentaries. And a lot of these documentaries were done very quickly. So there'd be an event in the news and on Tuesday you'd be told they wanted an hour of TV for Friday night.
Now, this was a large media organization. We had a lot of resources. I had a staff of as many as 16. And when time goes away, there's only so much you can do, right? Setting that part of it aside, what really, really helped is when I empowered the staff to not wait for me to say yes, or for me to be there to communicate with someone, say, in the graphics department or the edit department or the travel department or crews, the camera crew department. The idea that they could cross these silos and move through these sort of structural organizational barriers in moments like that specifically to get things done.

Max Martina (32:34) Yep. Yep.

Martin Hinton (32:36) So when you touched on incident response, the phrase I was expecting to hear very quickly was the famous tabletop exercise, which kind of betrays what is actually happening, because that's the last place you really want to just do it. But this idea that you create a mindset that there is, in those moments, in moments of crisis, there's this need to, and I want to say kumbaya, but get along. Be able to step across each other's silo wall and show up and be like, hey, you know, I'm Billy, we met before, but... That needs to happen before the crisis. Is that part of the sort of leadership idea?

Max Martina (33:09) Absolutely spot on. And I might be preempting, well, maybe one of your questions, but when we think about resilience, you know, one of the big tells when resilience doesn't exist, and maybe we'll go in the inverse, is when people point fingers and play the blame game. And that happens all the time. It happens in every organization. The question is to what extent. And so I call that behavior, and my mentor calls that behavior, work avoidance. They're actually avoiding the real work, right? And so leadership in some ways is the opposite of that. It's avoiding work avoidance. It's effectively doing the work.
And so, you know, there are a couple of key indicators when a system has resilience. One is agency, right? Like you just said, your story is a perfect example of that. Do people have agency to proactively engage in the solutions that might be risky, but that probably make sense, even if they make mistakes, right? And so agency implies some kind of safety. That's the second piece, right? That there's an element of safety within the organization to solve the problem. So I would say, you know, agency, relationship, and solutions. Solution orientation is a critical piece of this. Too often in large, fractured organizations, people are hoarding their piece of the pie. But I think if the relationship isn't built, then how do you deploy solutions in the context of no agency? It's just impossible. So spot on. Yep. Yeah.

Martin Hinton (34:39) Yeah. So when you see an incident breakdown, or the incident response breaks down, is it any one particular thing? Is it the tools, the process, the relationships? I mean, it seems to me it could be.

Max Martina (34:50) I think it's usually, yeah, I mean, unfortunately, it's usually the confluence of all of those and we get what we call a perfect storm, right? And I often say that the biggest leadership failure in organizations is misdiagnosing an adaptive problem as a technical problem. It would be like going to the doctor, right? And saying, hey, my elbow hurts. And the doctor says, let's go straight to surgery. And you say, hold on, right? How about an X-ray? No, I've seen it before. Let's go straight to surgery. What about an MRI? No, under the knife, right? So this inability to really understand the multiple layers of relationship, of response, of agency, of resourcing, of planning, it just compounds the problem. And then in the post-mortem, right, typically the unsophisticated and the uninitiated are pointing to the technical issues of why it failed. But that's just the surface, right?
The real issue is due to a lack of coordinated response. It's due to the limitations of agency. It's people not feeling empowered or having zero relationship across silos that could actually be useful to recover phone numbers and do other backup critical issues or tasks. So yeah, unfortunately, it's usually a confluence of many. Perfect storm events, maybe like a black swan event in some cases, right? Particularly for the large breaches. Yeah. Yeah.

Martin Hinton (36:14) I'm feeling a bit of nostalgia here. I touched on my past in corporate media and documentaries, and I'm just remembering you get the assignment and I think what enters you is absolute dread. How the hell is any of this going to get done is the first thought, even as the leader, I would have. And then I sit down with the staff, maybe there'd be people on the phone, and we'd have a big planning meeting, organize the show, come up with a, I always use something called the backward planning sequence, particularly on short-term things like this, to help organize us and not...

Max Martina (36:30) Yeah.

Martin Hinton (36:43) get too big of the idea. And I had some great colleagues. I remember now at the end of these 45-minute, hour-long meetings, you'd send people off to go and do their work. And it was like the great relief. Like you sort of set this amazing energy loose onto the entire world to go gather what it needed to solve the problem we had, which was we don't have a TV show yet, but we need one by nine o'clock Friday night. So yeah.

Max Martina (37:09) I love that story because, Martin, what that reveals about human nature is so fascinating, because it connects directly to leadership, which is that when people have clarity around what they need to do, right, they can focus their skill set and their talents in ways that are incredibly productive. But how do you get to that point where we don't have the alpha telling us what to do? In some cases, we need that, right? And you in that case were that.
In some cases, we don't have that. So I often think about, and I'll say this to C-suite executives and other senior leaders, if it feels easy, then chances are you're probably not leading, right? If it feels easy, then you're probably not doing real work that moves the needle on critical issues that, unfortunately, others are resistant to, right? So I think that's usually a pretty good litmus test. If it feels hard, congratulations. Welcome to leadership, right?

Martin Hinton (38:01) Yeah, yeah, it is. I'm trying to decide whether I should equate it to like a good workout in the gym and how you feel when you stop exercising. But the dilemma with leadership is it's always there, particularly in a place like cyber, and the threats are 24/7/365, is the phrase, right? One of the things that we touched on, and sort of the next section, gets us into this idea of trust is cyber infrastructure, and a sort of case study in that.

Max Martina (38:19) Yep. Yep. Yeah.

Martin Hinton (38:29) And the line I've written down for myself is, I wonder if there's like one wow story or breach that proves the governance point. That's an example of how, when it's done right or organized right or prepared right, things go well. Do you remember that part?

Max Martina (38:45) Yeah, well, I'm thinking of a legacy company that we worked with, a company that's almost 100 years old, and they have mills all over the country that were not updated to current technology requirements. And yeah, I remember the story because our CISO actually had to fight against IT to put in the required tools, both to remotely monitor and to protect individual mills. And you know, what should have taken six months was a three-and-a-half-year process. In fact, they had bought the physical hardware and all the infrastructure, which was located at the mills, but there was such resistance to installing the firewalls and the blocks that it became a political feud.
Fortunately, in this case, there wasn't a specific threat that actually materialized, but it was a three-and-a-half-year process of navigating with the head of IT, the CTO, to actually integrate this in a way that was cost effective and efficient. And if you, you know, if you ask any CISO, well, shouldn't that be an easy job? They'd say, of course, technically it's straightforward, but it's not about the application of hardware. It's about the solutioning mindset of the folks that are blocking you. Right. And in cases like that, you know, you see turf wars all the time. Turf wars between what's yours and what's mine, whose resource and who can you use to deploy it? And why do you get that? And I don't, it's really unfortunate because that's, again, that's work avoidance. And yeah, I've seen a couple of cases of national things that you probably have read about, national incidents and response around incursion and risk. And the ones that don't end well are typically the ones where the systemic failure is not viewed as a learning opportunity, right? If the culture is actually built and predicated upon, let's learn through this failure to become stronger, amazing resilience can be cultivated and developed. But when you then fire half the team and... That's symptomatic of what often ends up in the CISO world and cybersecurity, which is mea culpa or pointing fingers. And it's just unfortunate because those orgs tend not to evolve and adapt in ways that they need to, at least not as quickly.

Martin Hinton (41:05) You touched on leadership should feel hard. You should feel a little bit burdened.
As you talk then about the scenario where you've got the IT solution, you've got the technical solution, but convincing people to implement it and put it in place took another three and a half years, it sounds to me like an example where even at the CEO level, they need to recognize, now it's time for me to have some difficult conversations and tell people to get in line. Because if you look across the globe,

Max Martina (41:08) Yeah.

Martin Hinton (41:32) at what happens to companies that suffer a cyber breach of any scale, like Land Rover Jaguar, Marks and Spencer, MGM, the cost, both reputationally and in the long tail of, you know, whether it's data breach issues and data issues or just lost business, it's extremely damaging. And that is something that, if you will, the North Star of a company, the CEO,

Max Martina (42:00) Yep.

Martin Hinton (42:01) or the chairman, I suppose, depending on your structure, they need

Max Martina (42:01) Yep. Yep.

Martin Hinton (42:03) to get around this idea and realize, man, I need to make sure that the CISO feels like I've got their back. Is that something that you see or you could have?

Max Martina (42:10) Yes. Oh gosh, man, I wish more CEOs had that enlightened posture and perspective. Oftentimes the CISO is viewed as plug and play. And, you know, you're just another cog in the chain of risk protection, which means more cost for me. But I think in an ideal world, yes. And I'm recalling now the example that you and I probably talked about, which is a very small business, I think maybe three or four million in revenue. Maybe a quick aside here. So just a few weeks ago, a client wired money, $90,000, lost to a scam that had gotten through the system. And you talk about the branding impacts of that and the devastating downstream issues with the client. And even in a small business, they didn't have cyber insurance. They now do. Guess what, they now do.
But the impact on brand and operations, my gosh, it was massive. And this is a company that thought they were doing everything right with no CISO. I mean, I think, to your point, how do you really help organizational leaders, say people in positions of authority, including the board and the C-suite, including the CEO, understand the merits and value of effective work on this? And I don't just mean funding for more security protocols. I mean relationship building and the navigation of silos, which certainly they're experiencing in other domains. So it's connecting those dots for them. And yeah, I agree. In an ideal world, the CEO's got your back. And for all of our CISOs listening, if they've got a CEO that's supportive, hold on to that CEO. That's great.

Martin Hinton (43:57) I mean, it's one of the things that's fascinated me most about these last few years of journalism, that I went into cyber insurance and cybersecurity reporting thinking it was all going to be technical, and so much of it's not even close to that. You think about, you touched on it just now, and I remember thinking when you told me that story about the $90,000 fraudulent wire transfer, and I've only seen a few sort of studies about this, the psychological impact on a department when one of their

Max Martina (44:09) Right.

Martin Hinton (44:26) members clicks the phishing link and it actually results in some sort of really substantial issue for the company. That there is this still very common sort of vibe that the person who clicks the phishing link is the one who made the mistake, who's the bad guy or gal, and that it's not the sophisticated multinational organized crime network that's backed by a nation state, right? Like this idea that that is there. You know, in that context, we also talked about earlier,

Max Martina (44:31) Yeah. Right, right.
Martin Hinton (44:56) the idea that CISOs have, in some of the reporting I've done and some of the sort of surveys of CISOs that you see come across the transom, this idea that, unlike other C-suite executives, they like to talk to CISOs at other companies, because the threats that they're seeing are shared but also dynamic. So a CISO might get threat intelligence from someone they work with or something they read that is not, there's so many of them.

Max Martina (45:15) Yes. Yes.

Martin Hinton (45:25) There's so much to keep up with that there's a lot, right? There's a lot of incoming. And that collaboration across even company silos is something that I've seen CISOs talk about, which is very counter, particularly if you're talking about a competitive company, to the general mindset. And I wonder whether or not, is there something to do about that? Or is there, like, you know, like, is there a rubber room for CISOs where they can go in and they can talk about stuff with?

Max Martina (45:25) Yeah. Yeah.

Martin Hinton (45:50) Except for the threat stuff, everything, every other secret stays in the room, or something like that. A code of silence.

Max Martina (45:54) Yeah, there are a few. Many people have informal networks and there are a few particularly localized and regional forums. There's probably a couple of national ones, actually, where CISOs gather and idea share. This is one of those domains that's probably like CFOs, depending on if you're an accounting- or operations-focused CEO or you're an M&A one. There are experts in all of these domains, but I think the CISO position specifically lends itself to learning and integrating, because a lot of what the threat landscape looks like is really not about the innovative or proprietary IP or knowledge of your company. It's about how to defend from an external threat. We actually did a project, and maybe you remember talking about this in our pre-call, with an entity. I think I've told you the story.
Several years ago, the US government actually spoke to the world's largest banks, the US banks, I should say, the top five banks, and said, look, there's a lot of cyber risk in the financial system. And we're worried about the financial architecture in this country. So if you don't create an entity that shares this, to your point around sharing, then we will do it for you. So they said, no, no, we'll do it. So the five biggest banks created an entity called the Center for Resilience and Risk. I think they've changed the names a couple of times, but this is an entity, a quasi private-public sector entity, that would interface between the CIA, FBI, DHS and NSA and the major banks. And they take all of the banks' cyber data, individual bank cyber data, which most of them don't really want to share. They'd anonymize it, right? They'd put it through their machine and then compare it to all of the governmental security data. And then they'd use this in a collective effort to actually prevent incursions and actually in some cases target major bad actors in the market, the international marketplace. Talk about, you know, doing adaptive work. Talk about creating system structures and processes that can do the work that would otherwise be deeply technical, but also risk sharing too much on an individual level. So I think there's an example where maybe at an organizational level this is really powerful and effective. But to do that at both the individual and the org level, really great idea. Really great idea. Yeah.

Martin Hinton (48:21) I don't want to put a pin in that, because what you're describing there is contrary to so much of what people learn in business school, this idea that you would willingly, I mean, we hear about shadow AI and people putting things into AI and all that kind of thing. I think the idea that you would share stuff that is vital to your success, or ongoing success, however you want to phrase it, in this way.

Max Martina (48:24) Yeah. Yeah. Yeah.
Yeah.

Martin Hinton (48:47) In the UK, you see cyber resilience on a national scale being framed by the government as a function of basically protecting the country. While the threat of a cyber attack is not bombs from the sky, the damage can be just as great, whether it's closing in. The line I like is, if someone had used a bomb to blow up a Jaguar factory, it would have been on the cover of the paper for weeks, and there would have been parliamentary inquiries. But because it was a cyber attack, I mean, the GDP of the UK took a hit.

Max Martina (49:02) Not so.

Martin Hinton (49:16) I think the government shelled out one and a half billion dollars. We're talking about real money here to prevent companies from going out of business and thousands of people from losing their jobs. There is sort of a need for that idea that these threats are, it's not normal crime. It's not a fire burning your warehouse down. And that mindset is one that is still, with the help of people like you, making its way into the leadership mentality and mindset of

Max Martina (49:21) Yeah. Yeah. Yeah.

Martin Hinton (49:43) companies of every size. I mean, I know it's a bit of an aside, but is that something that you see?

Max Martina (49:47) No, you're spot on. There's a psychological principle that we call the normalcy bias, which actually refers to exactly that, right? So it hasn't happened yet, so therefore it won't happen. That would be one version of that. Another version is, well, it happened, but no one died, so therefore it's okay. And the problem is neither of those are adequate. Certainly they're not adequate to projecting and planning and leading through that before the encounter, right? And so, yeah, it's a funny thing, because particularly in this area too, we have diffusion of responsibility. And so, you know, like the Jaguar incident, I mean, massive disruptive impacts.
And yet, who's gonna, the issue, the conversation always turns to, well, whose fault is it? Right? Not to, how do we prevent this from happening again in the future? What's the real work in this case? It's to prevent this from happening in the future, right? I mean, that's the important stuff. So it's a new landscape. I'm also starting to look at what AI is doing to security. I'm sure you've got a bunch of experts that know how to think about that, but curious on your perspective on how that's shaping this as well.

Martin Hinton (50:56) Yeah, well, I'm happy to share it. As you were talking just then, I was like, "we're going to get lucky" is not a business plan. I mean, it's all right to think as your head hits the pillow, maybe I'll get lucky, but don't plan on it. Make your luck. I mean, I think I said to you when we spoke that I view AI like a lot of things. And the example I've used, and I've been trying to write something for my Substack about, is that AI has the capacity,

Max Martina (51:03) Right. Yeah, yeah, yep.

Martin Hinton (51:25) particularly from an intellectual point of view and a creative point of view, to energize the next, you know, 100 years of human thinking and the results of it, the same way that the steam engine energized the industrial age. Now, you've got to get a lot right. And it's fair to say, you might argue that, I'm not even talking about, pardon me, global warming, with the industrial age, we got a lot wrong. And the number of Superfund sites would be evidence of that, or the labor laws that allowed

Max Martina (51:38) Yeah, yeah. Yeah.

Martin Hinton (51:55) way more people to die building railroads than they should have, or bridges than they should have. Those are examples of that.
To not repeat those sorts of mistakes as we move into AI is one of the ways we keep everyone optimistic about it and embracing the idea that, okay, cars do crash, but on balance, they're way better than whatever, the horse, for a variety of reasons, which I'm sure people would debate. But also that when we created the car, it didn't have seatbelts or airbags or lane avoidance detection or whatever else might come along

Max Martina (52:20) Right.

Martin Hinton (52:24) for generations after the Model T hit the sort of assembly line, if you will. So I think that in that context, not unlike leadership, this idea needs to be one where you get up every day knowing you did a lot yesterday and there's a lot to do today. Some of it you're going to get done, some of it's going to go the way you want, and then some of it's going to fall victim to the plans of adversaries or the weather or all sorts of things that the future has in mind that we don't control. So I, you know, again, I think that, I mean,

Max Martina (52:28) Yep. Yep. Yeah. Yes. Yep. Yep.

Martin Hinton (52:53) it's really interesting, to be honest. And I think that when you touched on it just now, what I thought of was its ability to go through data, which obviously is the big conversation now with the lawsuit between the government and Anthropic, but the amount of information we collect and the amount of threat data there is. I listened to a podcast over the weekend, and I think there's a single US government agency that collects so much data that it would take 8 million

Max Martina (53:04) Yes. Yep.

Martin Hinton (53:23) employees a year to go through what they collect in a year, which is obviously not practical, right?
Like you would never hire that many people. You couldn't afford to hire that many people. So I think that's one way I see AI working very quickly, for raw material. Like it turns a thousand pounds of dirt into, you know, a one-carat diamond, in the same way ten thousand people might, in the intellectual sense, right? You know, the technical side of it and the coding part of it, I dare say that's a bit beyond me. But what I do know is, particularly with the coding,

Max Martina (53:27) Yeah, yeah. Yeah, yeah.

Martin Hinton (53:53) that is enormously labor intensive, right? It takes a lot of time to write good code, and it needs to be constantly improved, and that sort of thing. The idea that you could augment that with a tool, basically, is one that makes it clear to me that there's enormous value in the way this can take. We barely know how much of our brain works. The idea that we've created a tool that could help it work more efficiently, and that's where I think that there's...

Max Martina (54:03) Yeah. Yes.

Martin Hinton (54:19) you know, I'm optimistic. You know, another, I don't know, green flag or red flag, but that's what I have to say about it.

Max Martina (54:20) Well, that's fascinating. And I've heard reports too recently about the use of AI to tighten security holes, you know, within platforms, that could actually be a massive boost for the security infrastructure and approach for future safety. And so maybe there's an upside there too, to reduce the overall risk profile of incidents.

Martin Hinton (54:43) Yeah, yeah. I, again, I mean, someone made fun of this comment, and I know, I made the mistake of reading the comments on some social media posts of this previous podcast, which was, again, that's my fault. But the joke, and it is a joke, but it's simplified: a hammer can drive the nail home, or if you misuse it, it's gonna smash your thumb.
Now, that is incredibly simplified, and there's way more scale to the AI question than anything. But from a basic point of view,

Max Martina (54:53) Oops. Yes. Yeah.

Martin Hinton (55:12) that's kind of how I look at it. Now, we know some people use hammers well to this day, and they've been around a while, and some people don't, and you get good and bad, which I don't think is ever going to go away. So this idea that we can make it all good or make it all bad is kind of a foolish argument. Like we need a more adaptive approach to this problem.

Max Martina (55:20) Yeah. It's a fantasy. Yeah. Spot on. Spot on. Well, I'm with you. And that adaptive piece is really about, how do we change the needed behavior at the organizational level, across people, to make something productive, right? And great progress. Yeah.

Martin Hinton (55:40) Yeah, exactly. Without removing their agency. That was really interesting. You touched on human agency and the sort of automated or artificial agency. The idea that we could find a way to combine those to great output is one I believe possible. I'm hoping to be around to see that unfold to a degree. So I am an optimist. I'm an Ameri-CAN, not an Ameri-CAN'T.

Max Martina (55:56) Yep. We're optimists, Martin, we're optimists. Well, right, I am too, and that's why I think, you know, that's why I do the work that I do, because I believe that people, when properly motivated, they wanna make a difference in the world, they wanna make an impact, you know?

Martin Hinton (56:18) I completely, we're so far from the cyber insurance world now, it's all people, right? Like this idea that people are solving these problems. And I think that you're absolutely right. Given the tools, the resources and the clarity about what it is they're trying to do, there's not much people can achieve barring the impossible, like flying without being in an airplane, that kind of stuff.
But speaking of the impossible, and we know this in corporations,

Max Martina (56:24) Yeah. Agreed. Yeah, spot on. Yeah. Yep.

Martin Hinton (56:45) if you come asking for money, you're the cost center and nobody likes you. They love the profit center, but the cost center, and cyber and cybersecurity, is viewed as a spend. So the board goes, now what we're increasingly seeing is the idea that, we can spend a million dollars today and it'll save us 50 million next year, maybe, or it'll make the breach that we know is coming, and everyone says we should expect, manageable, because we've done IR, incident response, and we've done proper tabletop exercises, and we've got our plan written down, and there's a copy of it in a safe in every executive's home, so we can make phone calls to people who actually reach each other. I wonder about that sort of cost center chronic condition that exists, that psychology a CISO needs to take to the board to get the right funding so that they can get the cybersecurity in place that makes MFA genuinely sort of the way it's supposed to be, so that their cyber insurance premiums come down, so that the cost center vibe that this world can bring to boards

Max Martina (57:22) Yeah. Yeah.

Martin Hinton (57:43) is maybe

Max Martina (57:43) Yeah.

Martin Hinton (57:44) a little bit reduced by recognizing that, you know, one of the reasons we have employee benefits is because employees that are well taken care of, they work better, right? We don't... So tell me a bit about that sort of weird part of the psychology.

Max Martina (57:49) Yep. Yes. Yep. Yeah, well, you're right. I mean, I think the current security context and state of risk is what we would think of as a chronic condition. It's an overlay that exists. It's like the human condition, right? And so, unfortunately, as we discussed earlier, a lot of executives and boards want to treat this as a technical problem. And so when there's a technical problem, it's fairly easy to...
prescribe solutions. Well, here's the bandage. Here's the training that you need to do. Here's the security solution deployment that's required. But it's just not that simple. And so I think part of what the CISO has to do, or the folks handling security at this level, they need to use a few different tools to support the movement of this issue. No matter who we are, in the context of leadership, to some extent, we're always selling. It's always about advocating for the things that we believe in. That's the non-cynical view of selling, and it's the one that I believe in. So CISOs that really believe in the critical security requirements for their organizations aren't just selling security. They're actually promoting a way of being within the enterprise that actually supports and optimizes a conditional set of behaviors and structures that support efficacy and impact. So I had a CISO that I worked with recently who used the fear tactic, and he said, look, if I use fear, I'm going to get more audience. And I said, yeah, I get that. But you can't just use fear. We talked a lot about the role of change in organizations, but people actually don't fear the change. They typically fear the losses associated with change. And so, you know, like if I gave you a winning lottery ticket for 30 million bucks, you wouldn't say no, thanks, right? You'd say, okay, I'll take that. But the reality is for lottery winners, they're more likely statistically to get divorced, to go bankrupt, to die prematurely, a whole bunch of bad ills and effects from winning the lottery, potentially, if not managed. And yet that represents gain, right? So you've got to help the boards and C-suite officers understand what the changes that you're advocating for imply, right? What are the gains that are associated with this change? What can we actually, instead of focusing on the fear, what's the upside of this?
What's the positive downstream impact that's the corollary to the risk if we do nothing? And that's hard. That's oftentimes future forecasting, planning exercises. And this is where I think oftentimes knowing other CISOs that have had examples or incursions or problems, using that data to paint a real picture, becomes so important.

Martin Hinton (1:00:40) Yeah, I mean, you touch on a reality. You can get people in the door with fear, but you keep them with the fix, right? There's gotta be, there's like a takeaway and a solution. You know, like we see a lot of the same things happening again. Like we repeat the same failures, and we're at about an hour now. We've got a couple of topics left. So maybe we'll pick up the pace a little bit, but we see the same failures repeat. And I'm wondering whether you could touch on why you think that is, you know, what's happening that means, you know, another breach and another breach.

Max Martina (1:00:45) That's right. You gotta have the solution. Yeah. Well said. Yeah. Okay, sure. Yeah.

Martin Hinton (1:01:09) Now, the obvious answer is there's a very sophisticated adversary here looking to steal from everybody. But talk to me about what's sort of the barrier there on the other side of that coin.

Max Martina (1:01:15) Yeah. Yeah. Yeah, I mean, I think the way that security issues are often framed is like, where is the water getting through, like a leaky roof, right? Where's the fence that's open? Where's the gate that's just letting this stuff in? And so we tend to stare at, who built it? Why is the gate open? How does the lock look on it? And in the organizational corollary, it's like, how do permissions work? How do silos compete? Are we using multi-factor authentication and the technical solutions? Or even, how do silos compete for budget, right? But that's old school thinking, right? I think effective CISOs have to go beyond that.
They move past audits and they start thinking about readiness tests, right? They think about blending budgets and engaging budgets in productive ways. So these are not binary solutions, Martin. These are deeply thought, well-constructed, almost crafted approaches that are programmatic, structural and planned. Right. And when they're well done, then you create buy-in across other organizations within other silos within the company to get people on board, and they become part of the solution. What's the great Huckleberry Finn, Tom Sawyer vignette where Tom Sawyer gets others to paint the fence for him because it's a great joy and privilege? You know, that's a little disingenuous here, but part of it is understanding what's in everyone's best interest and making that really clear. So it's really important to stop diagnosing the technical components and think about the holistic capacity of the strategy connected to cyber. Really, really crucial. And that's a lot of words, maybe not a lot of how-to, because every context is different, but by and large, I think that's a generic approach that I would recommend.

Martin Hinton (1:03:03) Yeah, I mean, again, as far as we might feel, some of us, that we've been in, as long as we've been in the sort of technical information age, this idea that there's so much more of it is before us. And I think I use this analogy. It's almost like we've gotten to 30, 35 years old and gone to get a physical. And I've used this analogy before. And you know what? You can't keep going like this. You can maybe eat a little more greens and, you know, like...

Max Martina (1:03:15) Yes. Yeah.

Martin Hinton (1:03:30) cut back on the drinking or lose a little weight, because eventually this is going to catch up to you. And we are in a moment now where this has caught up to us. The cost of cybercrime, the disruption. I mean, we know what happens. We've had a few technical outages lately with AWS and Verizon. You know, we are paralyzed when all of the things that we rely on in the cyber and digital sense stop working. We don't know where to go. And we can't actually call anyone because all our phones are, you know,

Max Martina (1:03:32) Yeah. Yeah. Yep, Cloudflare. Yep. Yeah. Yeah.

Martin Hinton (1:04:00) in a digital device that we maybe can't get into properly because it's not working right. I mean, it is interesting. As with everything, we sort of touched on AI. But when you think about the AI rewiring companies and sort of the governance issues around employees using AI and, you know, the CISO having to introduce this new thing, and back to the psychological pressure, particularly at a publicly traded company.

Max Martina (1:04:04) Yeah. Yeah. Yep.

Martin Hinton (1:04:25) Everyone wants to be all AI, right? We're going to use these to be more efficient and our next quarter is going to be better. And we're going to be able to do this. And we, you know, we had, is it Dorsey just laid off a ton of people at his company because 40% of the staff is no longer needed, and that sort of thing. The new thing has a real appeal. You've got quarterly reporting and you've got to seem like you're on the pulse of the latest this and that. How does that work for the CISO where suddenly it's like, yeah, we've got to say we're doing AI, we've got to be using AI, make sure we're not getting jeopardized security-wise. Have a nice weekend.

Max Martina (1:05:00) Yeah, I agree. I mean, I think this is the current, probably the biggest current issue that they're thinking about, and where there's an AI acolyte or head, right? And some companies are now creating an AI, the chief of AI, chief AI officer, right? To contend with this. And now you introduce additional competition between the CTO and the chief AI officer and the CISO. And so now you say, well, now we're actually getting more complex.
Now we actually have to, if AI is rewiring systems and decentralizing decision making, then how do we use a new governance model to support moving through in productive ways that create feedback loops and that engage really the critical conversations at the right time? That's the challenge. I mean, that is the challenge. And to your point earlier, you know, it's like if we keep drinking soda, it's fine when you're 16 to some extent, but by the time you're 30 or 40 or close to my age, my gosh, the soda catches up to you pretty fast. And it's accretive, right? So meaning, not necessarily for the better, but for the worse. And so if we're not on top of this, both AI and cyber-connected infrastructure and work now, then I think it compounds. And when it does compound, by the way, you end up getting, you know, massive investment required later. And then systems have to be completely overhauled. And there's a whole bunch of offline and online risks as well that become problematic. I think you're right. I mean, I think this is when you can't keep up with decentralized decision making, how do you move? That makes leadership even more important. It's more critical, more essential.

Martin Hinton (1:06:34) Yeah, I mean, you made two good points there. The first I'll touch on is the idea that you can take care of that bad knee starting at 30, or you can wind up having two knee replacements at 50 and 70 because you didn't take care of it. And that's the unfortunate thing, is that sort of prior planning is not sexy, right? Like, yeah, we should, you know, like I'm gonna get, I'm gonna go get a good night's sleep and get up early and go to the gym every morning. You know, it's a great lifestyle. I like it myself, but it's hard to introduce to something that's been

Max Martina (1:06:36) No. Yup. Yeah. Yeah. Yeah.

Martin Hinton (1:07:04) doing it differently for a long, long time. You all, good.

Max Martina (1:07:06) Well, and yeah, spot on. No, I mean, to your point, it's like, you know, the accretive nature of the behavior changing in that context doesn't have to be massive. You know, like if I'm pounding on my knees and creating massive strain on my knees, you know, maybe I just tweak my workout a little bit, or I try swimming a couple days a week, right? So I don't know that there's a wholesale, you know, I don't think that this adaptive challenge requires wholesale transformation. I do think it requires the committed effort of a handful of folks that know how to lead and can integrate to centralize decision-making, to create relationships and stakeholders, to understand the critical risks confronting companies, and that can spell that out in really productive ways. Yeah. No, I was going to say about a narrative. Like some of the work of leadership is creating narratives that get people behind your issue, that help you focus on the issue, right?

Martin Hinton (1:07:52) I don't know if it's exact. Go ahead, sir. You don't have to tell me about the value of storytelling. So I agree. You say decentralized. I think we were just touching, we talked just a moment ago about AI. And in my mind, I'm imagining a situation where you might have an internal AI that has the capacity to know what the board or the C-suite would do in any situation 99 out of 100 times. So employees well down the sort of power structure can get that feedback without having to get time on that

Max Martina (1:08:06) Yeah. Yep. Yep.

Martin Hinton (1:08:32) in the CEO's office or, you know, which generally doesn't happen for company employees at big companies and that sort of thing.
But this idea that that power exists to have that knowledge spread throughout and readily available all the time is, you know, as we touched on earlier, it just struck me as you were talking then that that's another idea, is that you've got this, you know, agency that can be infused into the staff where they feel like a closer connection to the mindset and the vision of the leaders, which is sometimes a real barrier for companies, to understand the story of why we're here and what's the purpose of this job other than my paycheck and my mortgage. So yeah.

Max Martina (1:09:09) Yeah, well, you're going to get me sounding like an acolyte of Von Mises, a classic free market economist, you know, over 100 years ago. I mean, right. Accurate information close to the source creates better decision making. And so, I mean, I think this is why that article, maybe you saw it, went viral, by Connor Boyack, I think his name is. It was called "A.I. Isn't Coming for Your Future, Fear Is." You know, he talks about the real upside of this. And I think that exists on the CISO and cyber side as well, which is to say the upside is in potentially the creation of new and improved solutions and approaches to actually engaging these critical issues. So maybe we're going to see some upsides and new jobs. Yeah.

Martin Hinton (1:09:41) Yeah. I agree with you. In fact, I've said to a few people now, I think that some of the, in the next 20 years, five of the top 25 CEOs are going to be Google who came through the CISO path. A, because they're going to have learned their stripes, but they also have a mindset that's vital for this moment in business with regard to the digital sort of world and everything like that. It is, yeah.

Max Martina (1:09:59) Yeah. Yeah. Yeah, well, they're not isolated to... I agree with you that I think anyone that has to confront these issues and does so well, they're going to be in prime position to be, you know, the future leaders of companies and organizations worldwide, frankly, because the pressures are high, the pressures are real. Yeah.

Martin Hinton (1:10:25) Yeah. Yeah, yeah. So we've been talking a little over an hour and, as promised, we didn't get quite everything. But before we move on to the very end, is there anything we didn't touch on that you'd like to bring up, or anything we did that you'd like to say any final thoughts about?

Max Martina (1:10:42) Gosh, I just think that the nature of this work has to extend, and maybe this is a recap, but for any CISO out there, or frankly, anyone assessing risk, it has to extend beyond actuarial data. We have to think deeply about behavioral response and, frankly, the components of leadership that really galvanize folks to making progress on these critical issues. If we can't do that, then we're not going to be very effective. Yeah. Go ahead.

Martin Hinton (1:11:16) No, well, I was going to say, I think that I agree with you there. And I think that, whether or not I'm being optimistic about this, I'll leave for others to decide. This idea that we've got a moment where we've got a pushback on social media and phones for kids too young and phones in schools, even now Harvard's talking about banning laptops because the multi-screen environment distracts with learning, and there's now science to back that idea up. Combine that with what we've been talking about and there is sort of a, okay, wait a minute, broadly from a personal point of view, we all spend too much time on our screens, to the corporate point of view, we rely too much on technology, but we can't.
So what do we do about being resilient when that technology lets us down, to put it very broadly, whether it's a technical problem or a malicious act? That idea that there is a moment that I would, I hope that there is this sort of revelation that we kind of got to come up with a better way of doing it. We have to adapt, again, for the word of the day. Yeah.

Max Martina (1:12:17) Yeah, yeah, agreed, Martin. And I think that's pretty dangerous. Maybe the final thought for me here is that it's a little dangerous to assume that technology will be a panacea. My take is that what makes us fundamentally human at the end of the day is really what gives us, our species, frankly, the greatest opportunity to succeed moving forward. And that's by and large how we've related and connected in tribes for hundreds of thousands of years. So we need to hone those skills because our organizations need it.

Martin Hinton (1:12:49) No, I was having a conversation the other day about the beauty of forced encounters where you sort of, you know, you didn't plan on that, and how common they used to be when, if your car broke down once upon a time, that was it. You had to go knock on the door or walk down the street.

Max Martina (1:12:55) Yeah. No cell phone. Yeah. Even my kids, you know, I tell them stories and they're mystified about how I could have ever come through to who I am today.

Martin Hinton (1:13:10) Yeah, I know, I know. I remember writing my first check. So Max, I'm going to round out. We're going to close real quick. I'm going to ask you a couple of quick questions. One piece of takeaway. Pardon me. One piece of takeaway for boards. What would it be?

Max Martina (1:13:17) Yeah. Yeah, view cyber risk and cybersecurity as a non-technical problem and find people that think with real leadership.

Martin Hinton (1:13:35) One bit of takeaway for CISOs.

Max Martina (1:13:38) Yeah, CISOs, please, because your companies need you to do this. Think beyond the technical demand of your expertise. Go build stakeholders and alliances across all of the functions and factions within your company.

Martin Hinton (1:13:53) And anything for insurers?

Max Martina (1:13:55) Insurers, yeah, you're going to be needed. You already are needed. We work with a big insurance company where this is a core offering for their work. I should put you in touch with them. They, yeah, I would say, I would say, you know, staff up, get ready, because we need more of you.

Martin Hinton (1:14:13) Yeah, I mean, the CAGR of cyber alone is an indication that that's the sentiment. So anything else, Max?

Max Martina (1:14:21) Yep. Just what a pleasure, Martin. Love chatting with you. You're a thinker on this and you're helping us pioneer moving forward. So thank you. Thanks for the time. I really appreciate being with you.

Martin Hinton (1:14:35) Well, that's very kind of you to say. I've really enjoyed the conversation too, and I suspect we could go on. We'll have to do it again, right? So that'll be for sure. Great.

Max Martina (1:14:42) Love to. We might bore your audience, I don't know, but we could talk forever on this.

Martin Hinton (1:14:48) Yeah, well, it's a niche topic. One of the things about it is it may be boring to you, but it's impacting your life right now. And if you're not paying attention to your own personal cybersecurity and the impact the digital lives we live has on all of us, then you're selling yourself short. So that would be my pushback there on boring.

Max Martina (1:14:55) Absolutely. Well, and the boring, I'm just, I'm hoping that the way we've explained some of this was not boring, but the topic, you're right, is absolutely critical. So essential. Yeah.

Martin Hinton (1:15:16) Well, again, Max, thank you so very much. Max Martina, President of Cambridge Leadership Associates near Seattle, Washington. Thanks again for the time. Thank you. Again, I'm Martin Hinton. This is the Cyber Insurance News and Information Podcast. Thank you so very much for watching and listening. If you've got a comment or a question, you can leave it down there and I'll try and give you an answer, or we'll get an answer from Max. We've discussed a few things today and there'll be some links in

Max Martina (1:15:25) Yep. Thanks so much, Martin. Pleasure.

Martin Hinton (1:15:44) and that sort of thing in the show notes to find Max and to find Cambridge. But again, if you don't see what you're looking for, let us know. We're easy to find. Again, Martin Hinton, the Cyber Insurance News and Information Podcast. Thanks again for watching. Enjoy the rest of your day.