Cyber Defense: Dr James Norrie Of cyberconIQ On The 5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack

An Interview With Ben Ari

Authority Magazine Editorial Staff
Authority Magazine
12 min read · Sep 1, 2023


Think about how to build a fearless and effective “security 1st culture” across your entire organization. That comes from the right tone from the top and not just from the security team. Because, since humans are our last line of defense, instead of feeling like a part of the problem we need to make sure they feel empowered and appreciated to become part of the solution.

In our uncertain and turbulent world, cyberattacks on private businesses are sadly a common tactic of hostile foreign regimes as well as criminal gangs. Cyberattacks and ransomware have crippled large multinational organizations and even governments. What does every company need to do to protect itself from a cyberattack?

In this series called “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” we are talking to cybersecurity experts and chief information security officers who can share insights from their experience, with all of us.

As a part of this series, I had the pleasure of interviewing Dr. James Norrie.

Dr. James Norrie is the Founder & CEO of cyberconIQ. Dr. Norrie has more than 30 years of experience in business management, psychology and the cybersecurity industry. His mission is to tilt the global conversation about social technologies toward hope and dissipate fear by modifying online behavior, mitigating the risks of third-party inspired human hacks, and making the internet a safer place for us all. He is the Founding Dean of the Graham School of Business at York College of Pennsylvania, and is currently a tenured faculty member at the school.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

My parents were both educators, and my Dad was a mathematician by training. So I was always intellectually curious, and lucky enough to have the IQ to understand what I was seeing and doing early on. During middle school, I used to read Popular Electronics — to which each year Santa gave me a new annual subscription! And one summer, I built a MITS Altair computer kit, just because! It didn’t do much, but I got the tech bug! So growing up in the nascent personal computer era (Commodore “PET” 64’s, the Radio Shack “Color Computer” and then eventually the Apple II series — which at the time was a BIG deal) was amazing. By the time I got to college, tech and business were already firmly established as my path, including launching my first software company with some buddies from a local computer club to build applications for many of those first home computers. An amazing time — and my love of new tech has never waned as a result of those formative, early years of experience.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I was always interested in the latest and greatest tech trends. In my early professional consulting days, we called cybersecurity the much less sexy title of “Information Privacy and Security”. ISP was a bit boring and mostly involved more simplicity than we have across the full range of technologies like the web, networks, and cloud for example. So there is not ONE particular thing, but perhaps just the knowledge that when you have looked at a problem deeply and for so long, you actually believe you have something to offer that might make a difference. For me, that is righting the balance so that defenders have the same tools, methods and effectiveness for avoiding threats as the bad guys do at creating them to use against us!

Can you share the most interesting story that happened to you since you began this fascinating career?

As many of my clients are very sophisticated global enterprises, I was often amazed early on in my career by how much power attorneys had within the organization. It seemed to me that — regardless of the quality or validity of their advice — everyone deferred. And often to their ultimate detriment in some instances, because the law, by its very nature, looks backward for insight and attempts to minimize risk by not doing anything first that is too novel to have been legally tested. So — as I watched client after client defer in the early days of cybersecurity to attorneys and counsel who were not yet informed to the extent that a specialist in this field is today — I decided to go to law school late in life. I was amazed at not only what a wonderful educational experience it was and how much I loved to study the law itself — but also how practical it was to have a law degree, which essentially gave you a license to be the one in the room who DOES challenge the attorney, but respectfully and with an informed legal lens. That convinced me, and it is ultimately advice I would give any professional in any field — never be afraid to venture out and learn something entirely new that is tangential or an adjunct to technology. It makes you a better and more sophisticated practitioner.

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

Integrity — Do not pretend that you know when you don’t. Give credit where credit is due. Don’t steal other people’s ideas. Treat people the way you want to be treated. While practically biblical in its standing as the most important human trait, I think no particular story is required here to emphasize how important it is for a leader to ensure that their words and actions are aligned and consistent. Also, if you make a mistake, be quick to acknowledge it and fast to the apology!

Resilience — As an entrepreneur, professional, consultant, inventor, or investor, it almost doesn’t matter the role so much as your willingness to be resilient in executing it. For me as an entrepreneur, there is always risk in everything that we do. You cannot exhibit “paralysis by analysis” because you need to keep your organization agile, adaptable and moving forward. But, you also must provide sufficient structure and process to ensure you avoid chaos. That is a careful balance and one that every entrepreneur understands. But it’s no different if you are an employee who is being relied on, a consultant advising clients, or an investor for example. Each of these requires its own form of resilience and the ability to be positive, humorous and supportive even in those moments where the stress, anxiety and fear might overwhelm you. Pick a path or stay the course, but do something because a lack of action never delivers results.

Are you working on any exciting new projects now? How do you think that will help people?

For cyberconIQ at this very moment in time — like any business — generative AI is on our minds all the time. What is happening and at what speed? What are the positives and negatives of this nascent technology and how is it likely to impact humanity’s future? As we already operate at the intersection of cybersecurity and AI today, we have domain knowledge that gives us an edge — and that is something we are currently sharing freely simply because we believe in the collaboration of tech and intellect. A spoiler alert: to be able to preview this free upcoming content, simply visit either cyberconIQ.com and subscribe, or check out our new social enterprise site at techellect.com where listeners can engage in the conversation, secure free resources, and be directed to reliable help as every business around the globe tries to figure out AI’s future impact.

For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Cybersecurity?

To be honest, I am not. Nor do I think anyone can credibly claim that, because the total domain of knowledge, the totality of what cybersecurity really is, is for me too big to master in the level of detail I would need to claim as being an expert in all things cyber. Instead, my focus is entirely on the intersection of cybersecurity and behavioral science as it relates to human factor risks and driving a voluntary change in people’s online choices to improve organizational security posture. That is all that we do — but as a result of that razor-sharp focus — the patented, proven nature of our solution delivers results that no other vendor or platform can match. In that, we are experts!

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of cyber attacks that we need to be cognizant of?

I am frequently asked this question, and it is a good one. But a simple answer is actually quite elusive. Here is what I tell folks: Since technology has created the cybersecurity problem, more technology alone will not solve it. There are two different types of risks as they relate to cybersecurity breaches: those whose origins lie in technology and where our perimeter defenses, end-point security, email filters and threat databases can resolve 90–95% of the risk if a company invests the time and money required to deploy optimal cybersecurity hygiene. BUT any of those methods can only detect a known threat — as opposed to a zero-day or novel new threat. So there will also be a residual technical risk of a breach from an undetected technical source of some kind, although that is now the minority of successful breaches. The second type of threat is created by the human who is using the technology. They are already inside those defenses, and the effort is to corrupt them and turn them into an “accidental insider” who is willing to compromise their credentials by clicking and downloading malware unintentionally, or redirecting funds to criminals by being duped. Perhaps it’s human error in not processing the latest patch on the software you use, or not getting to logs quickly enough to detect a looming threat, and so on. Whether it is user behavior or human error, these are NOT technology issues that technology can correct. They are human issues that only humans can correct, and that is what makes what I do so fascinating!

Who has to be most concerned about a cyber attack? Is it primarily businesses or even private individuals?

Here are a few quick thoughts: We ALL have to be concerned about being attacked — both personally and professionally — especially now during this emergent age of AI-enabled attacks which will increasingly come at scale, be more compelling and personalized, and become even more dangerous. I might also add that I frequently hear from business owners and professionals that “we are too small to be attacked”. With global crime gangs operating at scale, especially in Eastern Europe, nobody is too small to be attacked and it is worth their while to do automated attacks against you at no cost!

Who should be called first after one is aware that they are the victim of a cyber attack? The local police? The FBI? A cybersecurity expert?

The answers to those questions are always specific to your legal jurisdiction, and particularly to the state in the US. They also depend on the type of attack and what was compromised, the extent to which a ransom is demanded and your intention to pay it or not, and the extent to which technical remediation and reversion to back-ups can help. So, a quick all-encompassing answer would be: just like a game show, be ready to call a friend IF something happens. This could be a trusted advisor, your lawyer, your outsourced or insourced IT team, a friend in the business, or one of the many skilled MDR firms that do remediation work in our business. Regardless, think about that now, in advance of when it may happen, so that you have thought through what you will do if that dreaded day comes.

What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?

The biggest and most common mistake is when a company, or organization, assumes they are too small to be attacked. Nobody is too small!

What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?

The biggest concern right now is getting ahead of AI. The attackers are already experimenting with it and will be using it at scale quickly. What can we do to help? NOT regulation, but providing real assistance in real time, because AI is going to make online security an even bigger problem for American companies than it is today.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” and why? (Please share a story or example for each.)

  1. Think about how to build a fearless and effective “security 1st culture” across your entire organization. That comes from the right tone from the top and not just from the security team. Because, since humans are our last line of defense, instead of feeling like a part of the problem we need to make sure they feel empowered and appreciated to become part of the solution.
  2. Engage your organization in how the pending shift to AI is both a threat and an opportunity — see techellect.com as an example — for more resources to accomplish that. The AI genie cannot be put back into the proverbial bottle…so we are here and sooner than we all thought. We need to get ahead of this curve and not wait for government or big tech to protect us from ourselves!
  3. Do NOT assume you are too small to be attacked: In the age of AI-enabled crime as a service, there is a declining amount of money invested by attackers in even more precise and potent attacks. As the cost of mounting an automated attack decreases, the attack surface will increasingly grow to include smaller companies that, while they yield less return per attack, are also potentially more vulnerable to those attacks, and there are many more of them. So the laws of marginal return indicate a growing focus on ever-smaller companies as being cost-effective.
  4. Remember that if technology has created cybersecurity risks, in turn, more technology is unlikely to solve those same problems. That means you should look carefully at your investments in cybersecurity and ask yourself: Do my spending patterns support addressing the entire security problem? For example, are you investing in culture and behavior change, or simply assuming that telling people what they need to do will automatically change their behavior? In no other circumstance is knowing something sufficient to actually do something. I can know all the rules of the road and acknowledge that I should drive safely, but unless I INTEND to do so and take steps to drive more safely, nothing changes. Are you directing investment in your people as well as technology so that the combination of both makes you more secure?
  5. My final thing is that often I see CEOs who are good at talking about the importance of security but perhaps less willing to do the personal things required to be secure. So, for example, have you completed the same training regime as all other employees? Have you communicated in various ways how importantly you personally take security — and put it first? Do you make an effort to improve communication of this problem not as a technical one or as the security team’s problem, but as each and every employee’s personal responsibility? Walking the talk is the #1 thing that employees look to when trying to confirm whether or not the corporate rhetoric is accompanied by demonstrated personal engagement and commitment. The leader’s actions always matter and are under constant scrutiny. Behave in a way that confirms that cybersecurity must matter to all and make your CISO’s job a bit easier!

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)

Well, we have already begun taking baby steps to start a movement (please see techellect.com). Our purpose is to ensure that we remove the fear of AI and enable a reliable source of reflection on what a human-dominated but AI-assisted future looks like. We call this the merger of AI and IQ — but also believe that human intellect will always be superior and prevail. It is not AI that will be the death of humanity, it is humanity itself. We can realize a tremendous advantage from AI, but only if we embrace it carefully and thoughtfully and that is what our purpose is in launching techellect.com!

How can our readers further follow your work online?

Visit us at cyberconIQ.com or, for free public resources around AI, visit techellect.com.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!
