Norman Kromberg: Securing the Digital World

Richard Lowe (00:01.737)
Hi, I'm Richard Lowe with the Leaders and Their Stories podcast. I'm the writing king and ghostwriting guru. And I'm here with Norman Kromberg, who is a security person who's got years and years and years of experience. Norman, why don't you tell us a little bit about that?

Norman Kromberg (00:17.894)
Hey, I'd be happy to, Richard. As you can see in my background, I have a jersey from the University of Nebraska in Lincoln. I actually graduated from the university there. I grew up in Lincoln and now live in Omaha, Nebraska.

I've been described as a unicorn in the cybersecurity and information security industry. Why am I a unicorn? Because I started out as a business major in college, went into banking. I leveraged that background in business to move into technology. I did that by being a commissioned national bank examiner with the Comptroller of the Currency. After spending some time there, from some of the smallest banks in the United States to a couple of the largest, being B of A and Citibank,

I started to be a leader in technology audit at financial institutions, credit card processors, and IT services companies. That was on a global scale. From there, I was asked to start helping companies with a little thing called Sarbanes-Oxley in 2004, 2005. Firms really needed help rationalizing technology controls relative to financial statements. I parlayed that into

roles in QA, roles in security, especially at telecommunications companies, payment companies, IT service companies, and even retail and distribution. Today I'm acting as the Chief Information Security Officer on a fractional level for several companies, along with doing strategy assessments and serving on a couple of advisory boards.

Richard Lowe (01:48.959)
That sounds like a very interesting career. What would you say was the highlight of that career?

Norman Kromberg (01:55.214)
Well, the highlight is, I think, looking back, you know, you ask for highlights and I like to reference the, you know, it's like picking which child is the best or which pet is the best. And you can never really do that. But as I think back, the role I got the most reward from, or think about when you ask a question like that, is when I was the chief information security officer at Southern Carlson. That's a retail and distribution company that specialized in light construction equipment. Our clients were contractors,

so a business-to-business relationship. And I was brought in to build a security program from scratch. I partnered with the CEO, the CFO, the CIO, and most of the organization at the C level to build a program from scratch. Our goal was to build a program that enabled the company to get sold within three years. We actually did it in two years. And what's rewarding about it is,

we weren't audited or regulated. So we were able to make decisions based on business factors, on needs of the business. And what we've surmised is, for every dollar we spent in security, we believe we added over $100 of value to the company, which helped for that sale. And that was pretty rewarding. Now, high tolerance of risk, we were able to do that because our customers were in the permanent offices, the local municipalities.

We didn't have intellectual property. Our prices were predominantly on the internet. Our locations were stores and our people went out to the construction site. So it was really tied to what was needed to sustain the business. So that was probably the most rewarding from that standpoint.

Richard Lowe (03:29.479)
Interesting, interesting. Yeah. I worked at Trader Joe's as the director of computer operations and I had to deal with cybersecurity. I did the PCI compliance and a few other things, and PCI compliance is a bit of a pain, especially the first one. Oh my Lord.

Norman Kromberg (03:45.358)
Yeah.

Norman Kromberg (03:48.75)
Oh yeah. Well, if you caught it, I was in credit card processing at companies like First Data and ACI, and intimately familiar with PCI. As a matter of fact, even prior to that, when it was the Cardholder Information Security Program under Visa, because each agency or group had their own standards, and PCI was the result of those merging from AMEX, Discover, Visa, MasterCard. So I could go for hours on PCI if you'd like, Richard. My sense is it's all painful for you.

Richard Lowe (04:15.133)
No, that's okay.

That's okay. People will fall asleep anyway. PCI, by the way, for our listeners, is credit card compliance, so that you make sure that as your credit card goes through, wherever it goes, it's not at risk and hackers can't steal it and stuff like that. It's very important, and it covers things from, do you have locks on the doors of your computer room, to the encryption used between systems and things. It covers everything. It's very, very intensive and it changes all the time.

Norman Kromberg (04:19.502)
Exactly.

Norman Kromberg (04:31.093)
Exactly.

Norman Kromberg (04:47.375)
Yes, as you need to. I would actually say though, from my standpoint, if I look over the last 20-some years, I think it achieved what it was intended to. Let's face it, some of the most protected transactions are those credit card ones now.

Richard Lowe (05:01.329)
Indeed. Yeah, in fact, some of the people who were breached, if they had used similar type guidelines, they probably wouldn't have been breached, or at least it would have been less.

Norman Kromberg (05:11.48)
Yep, the impact is reduced quite a bit by what PCI has done, both on the merchant side and the bank side.

Richard Lowe (05:17.139)
Yep. Yep. And I also did a bit with NIST 800-53, which is a different standard for computer security. And that one's even more of a pain. And I documented things. I helped make up the procedures and documented things. The policy might say you have to segregate duties, which means the CFO can't create the checks and then okay the checks.

Because that would obviously be a conflict. And I had so much trouble convincing the CFO that he couldn't do that. It was so... I was in charge of setting up the roles for everybody and what they could and couldn't do and how they could do it, and the procedures and things. Talk about interesting. On one hand it was as boring as watching paint dry. On the other hand, it was kind of interesting talking to these people and trying to get them to comply. "We'll just pretend to comply" or something, you know, they might say, or,

Norman Kromberg (05:46.317)
Yeah.

Norman Kromberg (05:54.198)
Okay.

Norman Kromberg (06:05.72)
yeah.

Richard Lowe (06:15.741)
I'm the CFO, I can do anything I want.

Norman Kromberg (06:18.946)
Yeah. And I find that fascinating because it's almost how you have to lead organizations through change. I mean, it's explaining the why and what the options are. And PCI was a great example that we still deal with today. I mean, we could go through, again, the alphabet soup of all the things that make up security today. But one of the current ones is CMMC. It's the federal standard that they're holding their vendors and partners to. It's much like PCI, very broad,

and not necessarily directive as much as communicating intention. And then it says, okay, how are you going to adapt to put in policy against that, procedure, the standards against it? So, yeah.

Richard Lowe (06:59.187)
Is that the one that's known as FedRAMP?

Norman Kromberg (07:01.944)
FedRAMP was there and then CMMC is the next evolution of it, if you will. So, closely related.

Richard Lowe (07:05.151)
Okay.

I heard a lot of cursing in relation to that one from my friends who were in that area. Apparently it's pretty strict.

Norman Kromberg (07:13.812)
Yeah, and FedRAMP may be replaced by CMMC. There's gonna be a lot of cussing around that one too. I've worked with a couple of clients already on it and it is, it's an evolution much like you were describing with your story on the CFO.

Richard Lowe (07:27.817)
So for our listeners, they have a problem they may not even know or understand at this point. The problem is there are hackers out there, and now there are a lot of nation-state supported hackers, where like Iran or Russia or China might support hacking to cause infrastructure damage. This raises the stakes. It's not just a breach anymore. It's a breach that could cause more

concerns, like a dam not working or electricity going out. I think Ukraine had a bunch of attacks on their infrastructure way before the invasion, where their electrical system was damaged for a little while, not destroyed.

Norman Kromberg (08:06.357)
Mm-hmm.

Richard Lowe (08:12.489)
How do you protect against nation-state stuff? I mean, what was the one that was in the Middle East? Stuxnet was actually a US-Israel based one. And it was so cleverly written that it crossed what was called an air gap. It went across the air gap. There was no connection to the internet. So it still got to the systems. How do you protect against that kind of stuff?

Norman Kromberg (08:21.294)
Love ya.

Norman Kromberg (08:37.998)
Well, first off, I don't think you can protect against everything. There is no silver bullet. You can't do 100%. That's one of the challenges we face is, you know, we're trying to chase something that's evolving and changing. You know, one of the comparisons I use, Richard, you know, part of the security world has to come to the realization it's much like a tornado or the fires in LA or a hurricane or even a boat hitting a bridge in the Baltimore Harbor.

Things happen. So some of this is how do you respond and detect what's happened. But also, as part of having that conversation, I go back to some of the examples over my career. We would sit down and have the conversation, talk about what we're exposed to. So the example you just gave was nation state. Let's face it, not every organization has an impact on the critical infrastructure. So it's understanding where those threat vectors come from and what you're facing. We just talked about credit cards and the PCI one. Well, that's financial institutions.

My example where I was the CISO and we added value, quite frankly, we were a level four merchant. Credit card transactions were lower on our risk profile. So I think part of protecting it is knowing what your threat vector is, what your risk profile is, what's at risk. And I usually look to four different categories. First of all, let's face it, we have amateurs. People out there who are trying to do things, they think they read something on the internet, they're going to try it. Pretty easy to protect against, creates nuisance.

Richard Lowe (10:01.117)
Like in the movie War Games, an older movie, but it played an amateur breaking in accidentally.

Norman Kromberg (10:07.412)
Exactly. Very rarely are they as successful as in that one, but you're right. It's those kids, I call them script kiddies. They just play, they're trying. Hey, we have to defend against it. The second one I look to is nation state, critical infrastructure. Terrorism sometimes plays into that threat vector too. And those are hard too, because it's an emotional motivation.

Let's face it, they're going after something that's not monetary or you can't tie a value to, because it's an emotional one. The next one is I look at intellectual property theft, designs of, say, fire suppression, SIP designs, things like that where you can get an advantage, business plans. Generally that threat vector comes out of places like China, North Korea. They're looking for a business advantage, if you will. Then finally, the one I have to deal with most of the time is just flat-out criminals, organized crime.

And Richard, their motive is pretty easy to understand. They want money, their profit motive. But it's helpful to understand that, because part of what they do is they're not going to spend a billion dollars to go through an expensive computer system to decrypt a line or a file. They're going to go through the path of least resistance, which is the human factor in most cases. So a lot of the issues we deal with are the human side.

Richard Lowe (11:07.091)
Money.

Norman Kromberg (11:27.65)
Hey, somebody accidentally clicks on the link, shares their password and ID, you've just opened the door. So much to your example before, it's much easier to go through the human side than it is investing billions. And that criminal side, they're very good business people. Income minus expense equals net profit. They're going to minimize the expense side the best they can. So I found that that helps, explaining that when you ask the one about nation state, putting it in context. Now I've worked with municipalities and, you know, water companies and things like that. So we've had to address those exposures

of compromising the water supply. So it just has to come into that context. That's what I tend to look at.

Richard Lowe (12:03.421)
Yeah, yeah, I was actually reading about the water supply, and it's actually really, really difficult to compromise because chemicals tend to disperse very quickly. So dumping a bunch of chemicals or viruses in the water supply doesn't do as much as you think it'd do. There's a famous example of a terrorist in Japan who dumped tons and tons, I think thousands of tons, of chemicals in the subways. Nobody even really knew because it dispersed.

Norman Kromberg (12:30.894)

Yeah, well, I was going to jump in there and say, also, what we have to do is say, what is information and cybersecurity versus overall security? Some of what you're describing with the water facilities is physical security. Now, we account for that in a lot of our programs, but it's the physical perimeter too, along with the logical and cyber-based ones. And that's sometimes how we have to describe this too, is what's that primary boundary we're working to protect.

Richard Lowe (12:33.599)
And

Richard Lowe (13:00.691)
And it gets even more hairy when you start talking about networking and the internet, because then you've got remote stuff to protect as well. And every one of those remote stations, whether it's human or AI or a machine or a sensor, is a vector. How do you... and IoT is famously not well protected. IoT is the internet of things. It's your smart bulbs and your smart alarms and cars and things like that. Thermostats. Yeah. Pacemakers.

Norman Kromberg (13:14.975)
Exactly.

Norman Kromberg (13:20.376)
Yeah.

Norman Kromberg (13:25.634)
Thermostats.

Alexa devices. Yeah.

Richard Lowe (13:30.911)
Well, pacemakers actually fall under the medical internet of things. Yeah. But imagine somebody getting control of a pacemaker of, say, the president of the United States. That would be a problem. That would be a problem.

Norman Kromberg (13:42.318)
Well, interesting. Well, in holding it hostage, you know, we've had ransomware. I hadn't thought about it. That's a great example of, you start using your ransomware techniques on medical devices and holding people that way versus the data side? Interesting vector. I'm going to borrow that one, Richard. I like that.

Richard Lowe (14:01.279)
Yeah, we should write a science fiction book together on it, you know?

Norman Kromberg (14:05.916)
Oh, that would be fun. Well, it's copyrighted now. I actually, though, like what you referenced there. Because one thing I've been describing a lot with people in the assessments I do is, and this plays into cloud too. You didn't mention cloud, but as people have gotten out of physical data centers more into AWS, Azure, or GCP, however you would define that, I am now saying the primary perimeter of an organization

Richard Lowe (14:08.009)
Nobody steal that idea, it's ours.

Norman Kromberg (14:33.504)
is defined by the identity, not by a physical boundary or wall. And that plays into your point on remote and AI and all this. So you have to think on a different perspective. It's that identity or that movement of data, not a physical boundary.

Richard Lowe (14:36.799)
All

Richard Lowe (14:49.427)
I was reading during the pandemic that Capital One has a great case study. They moved like hundreds of thousands of people to remote in a matter of weeks. They were ready for it and they had a plan. And part of that involves security. How do you secure hundreds of thousands of people who aren't necessarily experienced people with computers? How do you keep those people secure? It was a big problem. And they figured it out. They figured out something. I didn't really

get into it, you know, you can put virtual shells around their system or all kinds of stuff to make it secure, but still, a hundred thousand people remote going into the same cloud structure is a lot of people, a lot of vectors.

Norman Kromberg (15:36.072)
Well, it's actually pretty easy to protect, but you also put it in the risk category. But probably the bigger issue they faced was just the change. Let's face it, one day you are all in the office building, the next day, as you pointed out, thousands, if not hundreds of thousands of people are in a different location. You have to change your monitoring, how you look at it, what you do to respond to incidents. So I think it's as much just the process around it. But it was interesting what you said there,

that they had a plan for it, which tells me they had thought through many scenarios and probably hadn't figured on a pandemic of that nature, but had enough of a foundation to be able to respond in a timely fashion. And they kept it secure, because we didn't hear of anything. So they solved it or layered in things or evolved through it. I give them a lot of credit for being able to respond that way.

Richard Lowe (16:22.111)
Yeah, I went to the disaster recovery seminar from the lady who was in charge of the computers that had the stock floor, and they were of course underneath the Trade Center before it collapsed. And she was in charge of the disaster recovery for that. And the rule is the trade center cannot be down for more than a day. So that was the problem she had. And when 9/11 happened, the trade center was not down for more than a day, even though it was under the building that collapsed.

The stuff she was talking about, you know, having them manage buses of people going from one place to another, to the disaster site, and their hotel rooms and food. Because we're talking about a lot of people and, you know, all of a sudden, and it was amazing to hear her talk. I was in charge of disaster recovery at Trader Joe's, and just listening to that, I was like, yeah, that's a different order of magnitude of problem than I had.

Norman Kromberg (17:03.508)
Yeah.

Norman Kromberg (17:15.182)
I'm sure you've been an incident commander, having to run this much like you're describing with her. I've done that on security incidents. And what's interesting that you didn't mention, that I'm sure she had to deal with, that I think we need to pay attention to as leaders in dealing with these things, is the emotional side of things. Think about what those people were going through during 9/11. I mean, hey, you've got work issues and pressures, but you've got family, and especially in New York.

Richard Lowe (17:34.876)
yeah.

Norman Kromberg (17:43.64)
Just think of the instability and the chaos they were facing.

Richard Lowe (17:47.176)
Yeah, yeah, everybody was very emotional. We had a warehouse burn down and we had to shift things around and ship from the West Coast to the East Coast, instead of from the warehouse on the East Coast. And just that, the emotional level there and being in an emergency and everybody working 18-hour days to keep it running and get the food there for people. Wow. That was, that was big.

Norman Kromberg (18:09.201)
Mm-hmm.

Norman Kromberg (18:13.122)
You know, and I think as we're managing these, we have to pay attention to the team. I can recall one incident I was dealing with, and it was a Friday and we're on the status call and we've got, you know, technical teams raising things. We've got people demanding things, and you could just see the tension and it was increasing. It was tight. So as the commander of the incident, I just said, folks, we're taking the weekend off. I can see everybody needs some time away. So I said, everybody,

come back Monday, but go spend time with your family. Relax, clear your minds. We can handle this. We're not at the time crunch. We have the ability to manage through this. I gotta tell you, we sped up the process by doing that for the weekend. And I now use that to say, even on some incidents, I look to say, can HR provide some counselors, some of that help, to help us get through it as we do this?

Richard Lowe (19:05.969)
Even bringing in pizzas for the troops can be good. We had an operations director who was in charge of the operations side. I was in charge of the computer operations side. And I'll give her a shout out. Her name was Lili Brum. And when we had that fire disaster and we're all scrambling around, we're all going crazy trying to figure it out, everybody's talking at once. And she got up and she just hit her shoe on the desk or something like that and said, everybody shut up. I'm in charge.

Norman Kromberg (19:09.34)
yeah.

Norman Kromberg (19:16.302)
Okay.

Richard Lowe (19:34.686)
And we all shut up and she was in charge. Sometimes you've got to do that. It worked. We got everything going the way we needed it to go, to get to basically, how are we going to ship product there? Well, we've got a warehouse on the West Coast. It's going to cost us more, but that's better than having shelves empty and customers going over to a different store. And it was expensive, but we managed to do it all because she said, everybody shut up.

Norman Kromberg (19:38.442)
And did it work? Yeah.

Richard Lowe (20:04.992)
There were some senior people in that room and they shut up too.

Norman Kromberg (20:10.04)
You know, it's fascinating, two points there. One, what people need to realize in these incidents, especially on the cyber side now, there's a nice little thing that's called insurance that can fund some of those expenses. And that's why you have it. You know, I referenced the tornadoes, the hurricanes, the fires. So insurance is a player in this risk evaluation. The other one is understanding that you've got a bunch of alphas, and with her slamming the shoe and getting the attention,

putting those people in place or managing them into the appropriate rooms or sub-rooms on a system so you can manage the conversations. I've found that that's as powerful as, you know, anything else you do, is just paying attention to the personalities and who people are.

Richard Lowe (20:53.769)
Yeah. Yeah. Well, I mean, somebody had to take charge, and all of us were trying to take charge at once, and she knew what she was doing. I mean, we're heading more into the risk area than the security area in this talk, but risk is a big part of security.

Norman Kromberg (21:03.384)
Yeah, it is. Very much so.

Richard Lowe (21:07.263)
Because what's your risk? One thing we didn't realize was the risk of those POS terminals, point-of-sale terminals, things you put your credit cards through. Social engineering. People used to walk in and they looked like techs, and they'd have this POS terminal in their hand and they'd replace them. They weren't our POS terminals.

Norman Kromberg (21:25.358)
Where they put fake keypads over the top of them, so when you're doing the PIN numbers... were they?

Richard Lowe (21:30.079)
Well, these were actually replaced. They put in whole new terminals, and those terminals were compromised, and fortunately we caught it on the first one because the guy was a bonehead, the so-called hacker. But I mean, they hired low-end people to do that part where they shouldn't have, whoever was doing the hacking. But we were like, oh, this would have compromised the whole organization.

Norman Kromberg (21:36.098)
Okay.

Norman Kromberg (21:48.867)
Yeah.

Richard Lowe (21:55.58)
And it was just a person, a person who wasn't vetted at the store.

Norman Kromberg (21:56.238)
You know what they're

Norman Kromberg (22:00.162)
Well, you know what else is happening today? I'm sure you've seen this, the use of, well, first of all, it started with emails, impersonating people. Now we get text messages. And I think as we get all these chat systems with Slack and Teams and whatever you have out there, the amount of people that will impersonate a CFO. You mentioned the CFO before, why did the CFO not cut checks? Because they are the ones authorizing. So you want to avoid millions of dollars going out on a single event, but that's the social engineering.

That's my example of path of least resistance. Compromising the human with those things is so much easier to do.

Richard Lowe (22:35.583)
One of the books that I wrote is called Cyberheist, for KnowBe4, which is a big company that deals with phishing. And I wrote the book that they give away for free. It's like 300 pages. And it talks all about these different spear phishing, which is a targeted attack against certain individuals, and CEO phishing, which is a targeted attack against the CEO, and so forth. These things are hard to spot, especially with AI and AI voices and things there. You just gotta really use your brain.

And it's like, stop, wait, the CEO, why would he be ordering me to transfer $20 million today on a Saturday? Call him up.

Norman Kromberg (23:17.745)
You know, you just highlighted one of the things that I have used, and it goes back to my conversations with CFOs and CEOs. I go, some of the best defenses are just logic and reminding people of this. So I go, are we ever going to do business on a Saturday or Sunday? And if our business cycles are such that stores are closed, offices are closed, we just don't do anything. Then folks,

you'll be fine. You don't have to move money. And if you're even questioning it, you'll be rewarded for asking me on Monday, not on Saturday. So just give an awareness of the business processes and logical things, like you just said. If it makes no sense, then don't do it.

Richard Lowe (23:57.696)
It's like the bank always says, if you get this call that says you should do this and this and this, you say fine, and you go to the website and you call the number yourself and ask them if that's really happening. And it's the same with the CEO or CFO. If you get a call that sounds just like the CEO that says transfer $40 million, because this actually happened in New Zealand, transfer $40 million, go call the CEO. Believe me, whether he's golfing or whether he's on vacation or whether he's

whatever he's doing, he's going to thank you for that. He's either going to say, yeah, do it, or he's going to say, what? But you potentially save $40 million.

Norman Kromberg (24:34.062)
Well, which could be his bonus. I come back to some of the personal motivations. The CEOs and CFOs really get compensated on the profitability of the company. Well, if you just wired out what would be the equivalent of the profit, guess what? A good part of their compensation went away. But you might appreciate this. One of the things I go back to is some of the fundamentals that I don't think necessarily change with all the advancement in technology. And I'm guessing, Richard, you'll remember this. Remember the old mainframes?

Richard Lowe (25:06.473)
Hoia!

Norman Kromberg (25:08.458)
When IBM and those guys needed to do maintenance, they would call into the machine, you know, through the modems and stuff. Well, every one of those mainframes, properly configured, what they would do is disconnect and call back to the predefined number so you could do the maintenance. So it's your description. Yep. But that's what you just described. It was call the CFO, call outside the current communication path to confirm it.

Richard Lowe (25:20.201)
That's how we defined it.

Richard Lowe (25:31.123)
Now, even though that can be compromised if you have a man-in-the-middle type thing, still it's much harder. It's much more difficult. I mean, you could have, you know, a nasty or compromised switchboard operator, so to speak, or something in the middle that intercepts the call, but you're talking nation-state level stuff at that point.

Norman Kromberg (25:39.426)
Yes.

Norman Kromberg (25:54.67)
Yeah, we're back to those four threat vectors I mentioned, right? So I just went to one of the four, and it's also, I usually put in multi-layer defense-in-depth programs. That's kind of what we've been describing to a degree. So you have other layers that ideally mitigate that and all that. So for example, if the call came in from Algiers and you never do business in Algiers, a flag ought to go up too, on top of the out-of-normal-path stuff. So I look for those layers you can deploy,

Richard Lowe (25:57.984)
Yeah. Yeah.

Richard Lowe (26:06.537)
Me too.

Norman Kromberg (26:22.422)
or even get creative with, or go back to some fundamental stuff that just, it may not make sense, so don't do it.

Richard Lowe (26:29.407)
I wrote a book called Safe Computing Is Like Safe Sex. If you don't practice it, it doesn't do you any good.

Norman Kromberg (26:37.422)
That's good.

Richard Lowe (26:39.751)
It compares it to a castle. The way they used to build castles was a ring defense. So you'd have a moat, and then you'd have stakes, and then you'd have like big sticks in the ground. And then you might have the archers, and then you might have another moat. So if they get through one, they run into another one, and they're different. And that's the way the ideal defense works, is you have different types of security at different levels. And then you even have the deeper security inside. Like maybe, maybe, you know, the

Norman Kromberg (26:57.239)
Uh-huh.

Richard Lowe (27:09.267)
the financial system, like it has all your data, shuts down if there was a compromise. Now I can't do much if it's getting no electricity.

Norman Kromberg (27:19.734)
Well, it's funny you say that. As I work with firms, one of the things I say is I can secure any company or organization in less than 30 minutes, completely secure.

Richard Lowe (27:27.714)
Oh yeah, turn it off. Unplug it, put it in a hole in the ground.

Norman Kromberg (27:33.486)
The problem with that usually is you can't do any business and generate revenue. So that kind of upsets a few people, but we are secure. So that allows us then to back up and say, what's the right level? What kind of controls, to your point? Do you pull the, you know, hit the fire button that shuts everything down with Halon, if you're in a data center that, you know, has a crisis button, it stops everything.

Richard Lowe (27:55.562)
Yep. Yep. You mentioned cloud earlier. The thing to remember about cloud is you've got multiple levels, multiple vectors there. One of which is the telecommunications over the internet. That can be compromised if you don't have good security in place, encryption and things. So you could have your cloud compromised and not even know it. I don't know if it's happened yet, but it's certainly feasible.

Norman Kromberg (28:23.034)
I would contend it has happened. I think traffic's been diverted there. You know, you could be in the middle, and what I think we have to pay attention to, and this is what, you know, maybe I'm crazy and have to think different ways. I go, let's think about what we don't know or what could be happening. And sometimes they'll lay there for a year or two, just capturing data and information. So in your example there, they may be just monitoring and trying to understand how your business operates, what are the key factors, and then act at a certain time. But

You're right, because even then, if you moved to the cloud from an internal system, you've now put some trust into a third party. It's AWS, it's Microsoft, it's Google. How much do you trust them? Where is that level of trust at?

Richard Lowe (29:02.185)
Well, it-

And do you have audits on the cloud side? I mean, are you auditing the cloud system? How do you do that? If you're a small company, you probably can't. If you're a larger company like Bank of America, oh yeah, you can have audits, but it depends. You know, is Apple going to let you walk in and monitor and audit their AWS systems and make sure they're secure? Probably not. They'll give you a report, but who made that report? Do you trust it?

Norman Kromberg (29:29.251)
Yeah.

Richard Lowe (29:32.403)
Who Watches the Watchers? That's an old Heinlein book, you know, Who Watches the Watchers? Heinlein's concept. Robert A. Heinlein's a science fiction author.

Norman Kromberg (29:40.206)
Yeah. Trust but verify plays into that, I think, is what you're describing. Okay, I got trust here, but how do I verify that trust? That's where those audits, SOC 2 Type 2 reports, are big. But again, who performed it? Is it down here or here? It's back to what you mentioned on PCI. They had assessors come in. Well, those assessors had to be blessed by the PCI agency so that you had some integrity with what they were doing, and they had enforcement. So that all plays into this.

Richard Lowe (29:44.019)
Yeah. Yeah.

Norman Kromberg (30:07.34)
those multiple layers and how you establish trust. So you're right on the cloud is who do you trust and how do you trust it?

Richard Lowe (30:13.759)
And DNS is one of the most insecure things of all, even the more secure ones. It can be re-vectored any way you want with a command if you've got control of that DNS server. They've tightened it up a little bit, but the nature of the beast is it's very difficult to secure. Thank you, early internet people. Of course, IPv6 is a little bit better, but you know.

Norman Kromberg (30:19.342)
Ha

Norman Kromberg (30:36.718)
Well, you know what? Yeah. But what's interesting though on that is as we evolve and, you know, the next generations come up, an interesting thing I find is, do they know how to make a phone call by hitting the digits? Because some of what you're describing is, if you can't connect on the internet, how do you make a call on a different channel or protocol? And so much is driven by the internet. So your DNS things come into play, doesn't it?

I guess it's the backbone of a lot of what happens.

Richard Lowe (31:08.809)
Yeah. Back on 9/11, when the towers collapsed, the big problem was the Verizon switch was underneath the towers. There was no cell, no cell traffic, because there were no cell computers, at least not Verizon ones. So your commu-, if your communication was cell, especially today, and most cell phones go over landlines anyway, they just go to a tower and then go to, they don't, they're not all in the air. So.

Norman Kromberg (31:23.301)
Yes.

Norman Kromberg (31:33.953)
In fact.

Norman Kromberg (31:37.451)
Exactly.

Richard Lowe (31:38.417)
It's, you don't want to depend on that. In fact, landlines are usually more robust than cell towers.

Norman Kromberg (31:45.986)
higher volume and have a lot more capacity. The interesting thing on 9/11, and we'll see this on certain events now, probably not to that degree, but just the volume shut down the network too. So for AT&T, Sprint, who was still around then, they all were not available because everybody's on the phone, trying to call loved ones. They're trying to get 911, you know, emergency services in there coordinating things. My earlier example of recovering the trading floor, they're having to communicate and

Yeah. Do you think every means possible?

Richard Lowe (32:18.431)
And I imagine during the LA fires or the hurricanes, for example, communications went to heck. I was here in the hurricane. I got a direct hit from Milton. And I didn't try the communications. The internet went down for eight hours and it was back and everything was back and it was cool. Like, thank you. Thank you, Spectrum. Thank you, Duke. You did good. You're my buddies. We were only down eight hours, but.

Norman Kromberg (32:36.915)
You

Richard Lowe (32:46.963)
Now their neighborhood was down for four days. It turns out that Duke actually said, there's a hurricane and they shut off the power intentionally so that they just had to turn it back on rather than blow a bunch of transformers.

Norman Kromberg (33:02.03)
But that's back to the example you had with Capital One with the pandemic. Having plans and decisions you can make to, A, minimize the impact, but also get back up and operational. And let's face it, hurricanes are common in Florida. My wife is from there. She spent 20 years in Jacksonville. It's amazing hearing her talk about how you know a hurricane's coming, what you do to prepare, you get things ready. I live in the Midwest. One of our most common ones is tornadoes,

not necessarily predictable like hurricanes, but the concentration of damage is so focused that we can work around it. The fires are an interesting one too, as it's randomly going through what could be done to provide for recovery quicker.

Richard Lowe (33:46.986)
Yeah. Yeah. And it's all very interesting when you start thinking about the, I mean, just how big the United States is and how much infrastructure we have. I mean, it's in, you know, the $500 trillion range of infrastructure. It's that's, you know, half a quadrillion dollars of infrastructure. Wow. And that's more than any other country in the world by far. And all of that stuff has vulnerabilities and all that stuff has old stuff, pipes, water pipes that are decaying.

that have been there a hundred years. Bridges that get hit by, that don't have pylons to protect them against a boat. You'd think they'd have something in front of it, you know. But you know, when they built them, they didn't think about it or they didn't have the money for it.

Norman Kromberg (34:23.95)
Yeah. Yeah.

Norman Kromberg (34:32.238)
Well, and you get into the cost. Well, and I was just going to say the cost benefit analysis back to the example I used when I was at Southern Carlson's to see. So we're making decisions on what do you spend with the likelihood and the impact. And you're always doing that trade off. So those pylons, I mean, how many times has a boat hit that bridge?

Richard Lowe (34:50.089)
How many times has a container ship that's huge hit a bridge going that speed? Probably that was probably the first time.

Norman Kromberg (35:00.174)
Yeah, I mean, you know, I used to do this when I was an auditor and examiner. We talked, you mentioned disaster recovery, business continuity planning. We used to do audits on that. We'd ask questions on it from an examiner standpoint to challenge how well they're prepared. And I like to share the story now is, prior to 9/11, if I'd gone into a senior level executive, a CEO, CFO, CIO, anybody at that level, and said, let's talk about your disaster recovery. Here's the scenario. We've got four planes hijacked. Two of them have taken out the World Trade Center. One of them's hit the

Pentagon, and there's another one we don't know about but ends up in a field in Pennsylvania. Work that situation. Their first response was, that's not reasonable. That's never going to happen. Well, you mentioned it before with the, the container ship going too fast, hitting a bridge. It's that, you know, they're big container ships. First time it happens. Something always happens. Back to the, you know, the Capital One being prepared to at least have command and control and make decisions.

We can use these to help be prepared and at least manage the risk, so the impact of the list might not change the likelihood, but the impact can be at least coordinated and managed.

Richard Lowe (36:05.663)
There's a book that I've read four or five times. It's called Touching History, I think. And it's about the FAA's role in 9/11 and what they had to do. It's like, wow. Like there was no procedure, period. There were only four military jets on the Eastern seaboard, period. They weren't armed. So that one in Pennsylvania, if they'd had to shoot it down, it was a ram. They were going to hit it and they were going to.

Richard Lowe (36:37.241)
Can you imagine being the pilot and having to make that decision, and the fighter, you're sacrificing your own life and all of the live passengers, which, is it a false alarm? You know, just at the FAA, he did the first and only shutdown of the entire United States. He didn't have the, that was the day he started his job.

Norman Kromberg (36:43.074)
Well, of the fighter jet, of flying it to get your sacrifice and your own life for it, probably.

Richard Lowe (37:04.307)
He started working there and he had to shut down the entire US airspace and he didn't have the authority. He just said do it.

Norman Kromberg (37:11.63)
Well, sometimes I tend to be an optimist and I look at it this way. I'm pretty sure he never had a worse day than that for the rest of his career though.

Richard Lowe (37:20.767)
Probably not, probably not. And then there was a movie I saw, a documentary about the, they had to divert, all these planes come over Greenland and they come to the United States through Canada. They had to divert something like 300 planes into Canada. Emergency. Those airports weren't ready for that. And they picked up the slack. Talk about a disaster situation. They picked up the slack, they landed all the airplanes, no problems. Then they had to get food in and

buses and all this other stuff. And wow.

Norman Kromberg (37:54.793)
There is a town, I think it might have been in Greenland or Iceland, a small airport that can handle the jets, but they took a lot of them. And the town just rolled out the red carpet, took care of passengers. And I've since learned that a lot of the passengers have gone back and they've had reunions because of the close relationships that were developed for people helping out.

Richard Lowe (38:15.007)
That was exactly the town I'm talking about. I think it was in Canada, you know, in the upper area, like Nova Scotia type area. I'm not familiar with the area, but it was up there. Yeah, I think they landed 200 planes when they're like, how do you do that? When you, when you get like four a day, you know, at the most, and they did it. And then they said, because we're Canadians, we're friends.

Norman Kromberg (38:17.848)
Okay.

Norman Kromberg (38:36.419)
Yeah, it's.

Norman Kromberg (38:40.84)
And it's amazing that what can happen in situations like that when you just start communicating and talking and I give credit to the guy who said let's bring down the whole system because how else you gonna protect the population?

Richard Lowe (38:54.141)
Yeah. Yeah. He just brought them all down. He did ground. It was called a ground stop. It's amazing. It's an amazing book. I would highly recommend it. It's not really security related. It's more disaster related, but it goes over it from a point of view that I haven't heard before. What about all these people who control all those planes and the pilots? It talks about the pilots, how this pilot was told, turn right, turn right now, fast, do it. And they never do that. No, turn left, turn left quick.

Norman Kromberg (39:20.046)
Yeah

Richard Lowe (39:24.208)
Steeper, steeper, go into stall. Yeah, it's like, whoa, you're a pilot going, what the hell?

Norman Kromberg (39:28.526)
Yep.

Norman Kromberg (39:32.014)
You know, it's fascinating when you just said that about this isn't security, but what I like to use and this helps with the challenge we have in security because everybody goes, it's an expense. Let's face it. You are asking people to spend money for nothing to happen. But where can I use things that they're used to seeing or heard about that are outside just technical world that helps them understand? So if I have to do tabletop exercises, pulling in some of those things to help them.

come to an understanding of how their role is in this or to think through it or the ramifications and let's face it, it's still incident response. It's risk management, it's likelihood, impact, decision-making. And I look at those a lot as I go through and try to rationalize where do you put in layers, what layers you put, what do you invest in or where do you just accept I'm taking the risk? I like your example. A huge container ship going too fast hits the bridge.

How many times did that happen? Probably the first time. Okay. We can deal with what to do if we want to prevent it in the future or how do we respond in the future? So.

Richard Lowe (40:38.835)
Yeah. Yeah. The irony there is I think all the other pylons had the pylons in front, but that one didn't. So it was just probably an oversight, but stuff happens, you know. I mean, the infrastructure is large. We've got hundreds of thousands of bridges.

Norman Kromberg (40:56.162)
Yeah.

Richard Lowe (40:57.917)
That's fascinating. It's fascinating. We've wandered all over the place on this discussion, but it's fun.

Norman Kromberg (41:02.52)
Yeah, what I enjoy. I love wandering like that. It helps me stay sharp.

Richard Lowe (41:07.955)
Yeah, but I think that what would you say the takeaway for our listeners is on security?

Norman Kromberg (41:13.713)
Well, it depends on who's listening. So if you're a consumer, listen to what everybody's telling you. Simple things. And it's fundamentals. Today, turn on multi-factor and alerting on every account you've got. While it may seem annoying, it stops things from happening. Well, and since I'm in the industry, I use three different

Richard Lowe (41:30.899)
It's more than annoying, but it definitely helps.

Norman Kromberg (41:39.52)
authentication apps, I use the text messaging, I use emails, and I mix it up and I use complex passwords. So I listen to some of the guidance. But for the consumers, I'd say, listen to that and use it. I know it's challenging, but at least it gives you a layer of protection. On the business side, what I'd say is have the conversation. One of my mentors taught me a long time ago about risk management, and I use this in security, is it's not necessarily the outcome, it's the process and the conversation, the discussions.

talking like we've just done for the last hour. What are scenarios, things like that, thinking through it and then making the decision where you want to put those lines is powerful. So that's where I'd say is be patient, focus on fundamentals and have a conversation.

Richard Lowe (42:25.523)
Have a conversation. The other thing I would say is learn to speak the language of your audience. So if your audience is C levels and you're a CISO, don't talk CISO terms, talk C terms. So you're talking KPIs, you're talking risk, you're not talking wireless techniques and passwords and stuff to them. You're talking business. That was a mistake I made many times when I was younger.

Norman Kromberg (42:52.389)
Well, and I go back to what we started with when I said it was the unicorn, having been in banking, being a business major in college. You know, I tell people what messed me up working in banking is when I look at a balance sheet, loans are an asset, checking accounts are a liability. That's how banks operate. But I've actually used that to say, you talk, to your point, in the language of that industry and what those business people think of, and you try to learn it. That's where I said listening, have the conversation,

to put it in that context and you're dead on. CISO should be in the business side of the organization, understand what they face from the financial standpoint.

Richard Lowe (43:28.723)
Yep. And when I ghostwrite books, 'cause I'm a ghostwriter, what I do is write the book in the language of the audience. So if a CISO came to me, we wouldn't, unless it was a technical book, we wouldn't be talking in CISO terms. We'd be talking in C level terms, or whoever the audience is. And that's very, very important, because otherwise your book is a flop, doesn't achieve your goals. So, well, this

Norman Kromberg (43:52.342)
Sure. What, we're like, one thing a mentor told me, I think, plays into that as we close. Can you describe it as if you're talking to your grandmother or a kindergartner?

Richard Lowe (44:03.263)
That works. That works. Break it down and use the terminology that they're used to. That would be the other thing. So if you're talking to a kindergartner, you're going to use kindergarten terms. I had to write a children's book. That was one of the things I've done. And it was a young adult book, and it went through beta testing where they read it, beta reading and so forth. The only thing that they said was, this is really, really good. We love it, except we don't understand some of these words.

Norman Kromberg (44:16.437)
Exactly.

Richard Lowe (44:33.727)
because I'm an adult. So I had to fix that. That was an easy fix. But those things are lessons. Talk in the language of your audience. And that will help if you're in the security business; that alone will help you succeed even better.

Norman Kromberg (44:34.317)
Ha ha ha.

Norman Kromberg (44:50.858)
Agreed. Well said.

Richard Lowe (44:52.125)
All right. Well, you've been on the, the, Leaders and Their Stories podcast. This one was a bit long, but that's cool. I had an interesting conversation with an interesting guy. You can, where can we find you?

Norman Kromberg (45:00.387)
you

Norman Kromberg (45:05.964)
You can look for me on LinkedIn, Norman Kromberg. That's the best place to find me.

Richard Lowe (45:11.323)
Excellent. Excellent. Well, I'm Richard Lowe. This is from The Writing King and I'm the ghost writing guru. And you can find me at thewritingking.com or ghostwriting.guru. And we've had a fascinating conversation about cybersecurity and this podcast is generally daily. So, you know, hunt down more episodes and have a good time. Thank you.
