Cybersecurity CEO and former diplomat Dana Linnet shares her journey from diplomacy to cybersecurity, emphasizing the significance of culture and human behavior in addressing cyber threats. The conversation explores the importance of leadership and diverse perspectives in fostering a security-conscious environment.
Guest: Dana Linnet, President and CEO of The Summit Group DC
On LinkedIn | https://linkedin.com/in/dana-linnet-5bb2a85
At RSAC | https://www.rsaconference.com/experts/Dana%20Linnet
____________________________
Hosts:
Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin
Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli
____________________________
This Episode’s Sponsors
BlackCloak | https://itspm.ag/itspbcweb
Brinqa | https://itspm.ag/brinqa-pmdp
SandboxAQ | https://itspm.ag/sandboxaq-j2en
____________________________
Episode Notes
In this Chats on the Road to RSA Conference podcast episode, former US diplomat Dana Linnet speaks about her transition from diplomacy to cybersecurity, highlighting her experiences and the lessons she learned along the way.
Joining hosts Sean Martin and Marco Ciappelli, Linnet offers insights into how culture plays a crucial role in addressing cyber threats. She discusses her time as a government CISO (Chief Information Security Officer) and ISSO (Information System Security Officer), which began during the early days of cybersecurity. She also discusses her involvement in establishing the NATO Cybersecurity Center of Excellence (CCOE) in Estonia after the nation experienced cyber-attacks from neighboring Russia and how important it is for governments to listen to people who know more than they do about cybersecurity.
As the conversation turns to the importance of culture in cybersecurity and how human behavior is a critical factor in preventing cyber-attacks, Linnet highlights the importance of information sharing, learning from digital threats, and adapting to the ever-changing cyber landscape. The hosts and Dana also discuss personal responsibility in cybersecurity and the need for leaders to take ownership of the problem.
The conversation highlights Linnet’s upcoming panel at RSA Conference. Focused on the topic of leadership culture in cybersecurity, the panel will dive into the role of boards and C-suites in leading and nurturing a security-conscious culture. The panel also touches on the value of diverse backgrounds in the cybersecurity industry, the challenges of changing culture, and how companies need to address the cultural gap between what they know and what they do.
Tune in to learn from Linnet’s experiences and get a fresh perspective on the intersection of cybersecurity, culture, and leadership. Don't forget to follow all of ITSPmagazine’s RSA Conference coverage. Be sure to share and subscribe to Redefining CyberSecurity Podcast to keep up with the latest trends in technology and cybersecurity.
____________________________
Resources
Session | How to Create a Breach-Deterrent Culture of Cybersecurity, from Board Down: https://www.rsaconference.com/USA/agenda/session/How%20to%20Create%20a%20BreachDeterrent%20Culture%20of%20Cybersecurity%20from%20Board%20Down
Learn more, explore the agenda, and register for RSA Conference: https://itspm.ag/rsa-cordbw
____________________________
For more RSAC Conference Coverage podcast and video episodes visit: https://www.itspmagazine.com/rsa-conference-usa-2023-rsac-san-francisco-usa-cybersecurity-event-coverage
Are you interested in telling your story in connection with RSA Conference by sponsoring our coverage?
Are you interested in sponsoring an ITSPmagazine Channel?
👉 https://www.itspmagazine.com/podcast-series-sponsorships
To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-cybersecurity-podcast
Be sure to share and subscribe!
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording as errors may exist. At this time we provide it “as it is” and we hope it can be useful for our audience.
_________________________________________
SUMMARY KEYWORDS
people, board, panel, cybersecurity, cyber, government, culture, private sector, problem, learning, experts, breaches, mindset, marco, panelists, sharing, opportunity, important
SPEAKERS
Marco Ciappelli, Dana Linnet, Sean Martin
Sean Martin00:05
Are we there yet? We are there yet. We're on the road to San Francisco by Washington DC. We're doing we're doing a flyover.
Marco Ciappelli00:19
Now I'm out there nowadays with digital and virtual you can do a lot of crazy stuff. years ago,
Sean Martin00:27
exactly. So we're gonna, we're gonna take a pause in the capital and, and talk about the role of the board in driving cybersecurity programs. And, and first thing that comes to mind, Marcos, let's look to government agencies for advice on that. We, we share information, threat information, we share standards, but somehow I feel is my own perspective, I feel we fail to ask department leaders in government. How do you look at security programs? How do you look at insider threats? How do you look at and I think there's a lot to the game in the public sector, sorry, the private sector, from the public.
Marco Ciappelli01:13
It's all connected. You can't just think in in silence. And I think we've learned that in cybersecurity quite a bit. So let's do that. Let's talk about that. Let's, let's
Sean Martin01:24
talk about that. So this is in connection to a panel that our guests is hosted, moderating, I should say, RSA conference coming up. And Danna Lynette, thanks for. Thanks for joining us. Good. Good to meet you. Good to chat with you.
Dana Linnet01:40
Thank you, Shauna. Marco, it's a pleasure to be here.
Sean Martin01:44
Hopefully, I pronounced your name right to it. But now's your chance to correct me
Marco Ciappelli01:49
know when it Yeah.
Sean Martin01:51
There you go. As you share a bit about who you are and your journey. I know, there's a lot there. So please, please take your time to talk about your different experiences and different lives. All leading up to this point.
Dana Linnet02:07
Yeah, no, thank you so much for the opportunity to be here. And I mean, in the setup we talked about, you talked about how we could glean a lot from government. But actually, I think, as you mentioned, government and the private sector have a lot to offer, have a lot to offer one another. And the key is taking the best practices and advice from all sides and coming up with something that is, you know, going to work. You know, we cannot work as a country if our companies are constantly at risk. And that's not a government problem. That's a private sector problem. But yeah, I can share some of the fun highlights from my career. If you want to hear a couple of tales.
Sean Martin02:46
Please do please do. I often say I go back to when I was hatched. You can go back as far as
Dana Linnet02:52
you know, Hatching is not that important. But I mean, you mentioned my my past life and my past life, I was a US diplomat. And I first became a government CISO and ISO Information System Security Officer. It was baptism by fire in 2000. I was assigned overseas, and the State Department budget had been starved for decades. So we didn't have any of the IT systems personnel that we needed for all of the places. So they trained regular diplomats, like political officers, and economic officers and so on, to become ISOs and CISOs. And that fulfill to me, I had to be trained on how to become a network network. See, so in ISIS, oh, and I thought, gee, is that what I signed up for? Not really, but it was really great, really great learning. And back then, obviously, the tools were not as sophisticated. And the threats were not as pervasive, but they were there nonetheless. But also, because the budgets were starved. Within the funding stop there, I also got to be the, you know, we didn't have a regional security office or any intel officers. So then they threw a couple extra hats on me on top of that. So I had all of the security operations at my overseas consulate from cyber, to counter surveillance to counter terrorism, and so on. And those were really wild times. I'm glad they have since gotten the budget to hire the right people. But you know, because of that, budget starvation, it really wasn't that great on our national security. And before we
Sean Martin04:29
move on, forgive my English is that the early days of what is now known as Sissa.
Dana Linnet04:34
No, this was in the Department of State we had our own like CIO infrastructure. It was run out of the IRM Bureau, the CIO of the State Department runs their information management systems. You they yes, they too will be on zero trust and all the other cloud lockdowns and so but those were the early days of cyber, you know, when we did have, you know, things happening, but they were not quite on the scale?
Marco Ciappelli05:02
Well, I have to make an observation here. Because it seems to me that every time we have conversation about cybersecurity, we're always like, well, we finally learned that is not just a tech issue. And now, you know, we not only because of the gap in the industry, because we need to talk and tell story to the board and connect the business and everything else. We see that there is value in all background, right? I mean, psychology, philosophy, political science, policy and everything. In a way. I'm thinking like, when this happened to you, and you've been like, what do I have to do with this? And but he's kind of like, foreseen what, now we are, we're actually embracing. So some thoughts on that?
Dana Linnet05:49
Yeah, I have to say, sometimes things happen for a reason. But back then, you know, we're a very, you know, you, you take your orders, as long as they're lawful, you do them to the best of your ability. So I saw it as a real opportunity, because I like technology. And I had my own consulting company. You know, before I was a diplomat, so, you know, I really loved all those sort of early adoptions of all the little things you remember, ICQ was, you know, an instant messaging back then, and all the fun things. So I was very attracted to the tech side. And I felt grateful that, through this horrible circumstances, I was given the opportunity to do that. And then subsequently, you know, and throughout my whole career, you know, later on my next tour, after that, I was a political military officer in Estonia, and the Estonians were actively getting hacked and stuff by the Russians, the Russians, and the Chinese were all targeting me by then as well. And it was pretty obviously, you know, we we sussed out pretty quickly what was going on, but I had the opportunity to help them spear I spearheaded the US support back in 2004, for the establishment of the NATO Cybersecurity Center of Excellence where we could, you know, get the Estonian, you know, their advanced IT and their mindset and their learnings from all of this, and get that into the NATO ecosystem and get the information sharing going among allies, because, you know, back then they were a new member, they joined in 2004. And by 2008, they had opened the NATO cybersecurity, Center of Excellence. So again, I felt serendipitously grateful for, you know, being able to stand up this, this teaching institution and this information sharing institution that was benefiting not just our country or Estonia, but the whole NATO Alliance. That was a huge opportunity. Okay,
Sean Martin07:42
can I pause you there? Because I know, I know, just enough to be dangerous about some of this. Most
Dana Linnet07:47
people are so
Sean Martin07:49
that's right. But because you said the word learning, right. And so I want to hone in on that a bit with this center of excellence, because the attacks were digital in Estonia, and it wasn't just targeting government entities, it was also targeting financial systems and other things like that. And, to your point earlier, if our businesses can survive, the country can't either. So anything, obviously, don't give anything away, that's gonna put anybody in jeopardy. But anything you can share from that experience building the CCIE. And, and its subsequent benefits and outcomes that have come from it that really hone in on that learning, aspect, sharing.
Dana Linnet08:36
That's a great question, Shawn. I think, first of all, what was really interesting, back then, from a US perspective, is I had to fight my own government to show that this was really important because they're like, but they're on the border, and they should only have tanks, and they should only have stingers, and they should only have things like the sort of traditional defenses. And I said, You guys are missing the ball, like listen to the people who know more than you do about, you know, about cyber and you can't go to infantry people detailed to the US European command, who that's their whole mindset. And that's the whole security cooperation mindset. I think that was the early wake up call was in 2004. We were I was really fighting like people in my own government were like, You're wrong, and this isn't what they need. And this isn't the priority for the funding. And I'm like, You guys are gonna miss the ball. Because this is the problem like this is going to be the asymmetric warfare problem. And then a year later, they get hacked, like you said. So I think the first learning is listen to people who know better who are experiencing the digital threats against them. The other learning was think ahead, you know, like what's coming around the corner, not just, you know, the obvious of the big bad neighbor that has now invaded Ukraine. But it has has to be more than that. But in terms of your question about the sort of cyber learning, I think the information sharing since 2008, has gotten so much more robust and comprehensive. And I think people have become more comfortable sharing their learnings and their information, and putting that into the operational plan. So it has been quite gratifying to see and I can't discuss what's in any of that, that's all classified, but you know, in the public domain, to see that the learnings that they were actively, you know, sharing have gone into new strategic hub concepts subsequently, on how we, the US and our allies can deal with this better, but also, like operationally like Okay, so what do we do? Like, what is the protocol when someone is shutting down your central bank? You know, where your financial institutions, what are the protocols steps? And then the training that goes along with that, like, you know, I think that's when NATO really started to train on the civil military cooperation, like, well, what can we share with the private sector? And what should we share with the private sector, and then to get over some of the legal hurdles from there? So I think they've learned a lot. But you know, like we say, the attack sophistication, the attack surface, as it's commonly referred to, in the in the businesses has become so wide and so deep. Yeah, so we have to, we have to constantly learn the lessons.
Marco Ciappelli11:35
Well, I can think one war that kind of summarize what you describe, and at least until until the actions that are taken by the old transformation, the perception of what is going on the will to say, well, I know we have always done things this way, we always prioritize these and that, but maybe it's time to listen to, as you said, the experts the one that are kind of foreseeing the future. And, and for me, that word is culture. Right? So I want to make a connection with your panel at a conference, but culture take long time to change the social that societal level takes a long, long time. But even in smaller group, it's a process. So your your thoughts on that and how this came together? And maybe, I mean, is it a culture of accepting the change is the only constant? I don't wanna use the quarter here. But you know, yeah, I've
Dana Linnet12:37
seen that. Yeah, no, it's, it's great. And I think our whole panel is, as you rightly said, Marco, is around the cultural question. And so you have to ask yourself, you know, people are so focused on firewalls and technology and, and spearfishing, and all this stuff, like, how do we stop it from? How do we stop it before it gets our stuff? And, you know, we've spent a lot of time talking about that, you know, whether it's zero trust in government, or whether it's, like, you know, socks and, and other types of tools. I think we as human beings, like easy buttons. This is why diet pills are super, you know why people spend billions and dollar diet pills. We spend billions and things that, you know, are kind of this easy button or things that we think should fix it. And I think as humans, just on a human nature level, we need to look at ourselves. And I think as much as boards, this is my personal perception, having worked been on boards served on boards, seen boards operate. I think boards like to, they like to delegate things. And they like to say as long as I'm on top, and I see what's going on, but they don't necessarily see themselves as the answer to everything unless they're assigned a specific role. Right. And I think my panel is going to, I think the two experts that we have, are going to dive into that. And if I could, I think one of the if you asked how the how this panel came together, right. So yeah, I mean, I'd love to share the story. It's a great story. So Mark, and I mark Sachs, who's also one of the panelists and I we found our way. We met up with a guy, Andre sidarsky, who runs cyber nation Central. And if you go to his website, you know, he'll tell you the story of how you know how his company got hacked years ago and how he never wanted this to happen to anyone else. And I looked at this having brought in my government experience. I mean, we didn't even talk about all this insider threat work that I've done both in the private sector and in government. But you know, when you when I was looking at what he was offering And what he was what his research had touched on what his experience had touched on them, what the company built their, their systems around, it was really clear that that was aligning up very clearly, with what Jen easterly abscissa said is the problem, which is human behavior. And you know, we have to look at ourselves to do things differently. And I went through his, I went through his protocol and everything, and I, since then have always recommended boards and C suites to go through that. Because that's the sort of gap between like, you know, what, what they are talking about, is really addressing that gap between what boards learn, you know, they go through the checklist, and they have this and they're told this is what they should know. And by the way, most people I know, when I talk to fellow board members, they go, Yeah, you know, I have to go to this special training to learn how to be a board member, you know, like they don't, not all board members are created equally, right. And even the ones who are really sophisticated and experienced, they might not have the mindset that it's their job, to lead that culture. And so I really found cyber nation central to be very like, like, have cracked the code, and they were kind of the only ones I saw out there really doing something that addressed that. And by the way, full disclosure, I get no money I get no, I get zero referral money, I get no money, not a dime from them. You know, so just want to put him here. Yeah, so there you go. But but you can use my name if you if you look on the website, but no, seriously, I urge you to go there. Because, you know, when you look at where the breaches are coming from, it's like then Amis us, you know, then know that enemies out there, but we don't have to help the enemy. Right. And so I think that this panel and Mark, Mark, you know, he's like me, he's been all over a private sector government at an even much higher level, and much more cyber focus than then, you know, be. And I think we both found this topic of personal responsibility, and behavior and culture, leadership culture to be the missing link in all of this, right? Like, you can't have just the tech, you have to have the tech and the culture and the leadership mindset.
Sean Martin17:24
So many questions. So little time, I mean, one thing that's in my mind, and we'll see if we go there or not, but just this taking responsibility, I'm gonna leave that sit there. And maybe we ended up back there again. But you mentioned something about being trained to be a good board member, which to me, then says, We're, in one sense, maybe a good thing, sharing a broad set of knowledge and best practices with everyone on the board. So we all think the same and act the same, which can be good. But I, but then the converse, or the alternate to that is, every person on the board has their own experiences and their own expertise, that brings a diverse view of this. That may actually be better, because they may represent more of the organization and the people within it. And so I don't know your thoughts on that. Yeah. Or the other both? And
Dana Linnet18:28
no, I think you're you're right. I mean, everyone on a board has a role. And I don't want to tip off the panel too much. But I know Andre is going to discuss like, what does it mean that you have these diverse roles? And what does that mean for your your own cybersecurity? So I think the audience is going to get a lot out of his perspectives in particular, about what that means. I don't think the approach is I don't think the approach that our panel will discuss is about watering down the diversity and perspectives of the board. It's quite the opposite. It's, it's more like, given your responsibility, what should you be doing? What should you be thinking about? How should you be behaving and why that's your job and your job alone and not somebody else's to delegate to like, if everyone takes the responsibility with their own role, you know, you should have a much more successful approach here cybersecurity, both strategically and tactically. What do you think they're gonna talk about? I'm not stealing.
Sean Martin19:47
I'm sure there's a lot to cover.
Marco Ciappelli19:48
Our goal is to tease enough for people to actually come there and if we're gonna give away the end isn't a fun and
Dana Linnet19:59
I will say A Marco there, the room is almost full. So I think there are about 50 seats left. And so depending on this, there may be a bigger room available. Who knows? But I know I think we're almost at we're just like, around 4050 shy of 300. So very clearly there's an interest. Yeah.
Sean Martin20:21
I mean, it's an important topic, which is why we're Yeah, get your tickets now.
Marco Ciappelli20:27
To talk to you get on the website,
Dana Linnet20:30
reserve your seat? Yeah.
Marco Ciappelli20:33
Well, I was gonna ask you something like, I know, you don't want to talk anymore, or give away any more about the panel, and I wouldn't allow you to do so. It's my responsibility. Not to give up too much. But what do you expect from this year conference? Do you have something in mind? I mean, are you? Are you kind of sensing the theme of the conference? Or apart from what they choose RSA conference, but like, what do you think is gonna be the vibe? You know, the words of my peers in the corridors?
Dana Linnet21:07
Well, that's a really, yeah, that's, that's something I've been thinking about. And this will surprise you. But this is my first ever RSA. So I'm really excited to be here. You know, I'm really excited to, to promote the panel and promote this information. But I'm also excited to kind of soak it up and take it all in, and I have a lot of contacts in the cybersecurity world, which won't surprise you, as I my, you know, my my day job company, is a public sector facing, you know, we help companies that, you know, support the public sector, a lot of tech. A lot of policy and governance, and, you know, and CMC and compliance and all that kind of stuff. But, but yeah, I think, I think people are starting to realize that this isn't a you or a me problem, this is a weed problem. Like, you know, we're not alone. If we continue to work as silos either as companies, private sector and governments. You know, obviously, there's a competitive constraint. But I think ultimately, the theme stronger together is really important. Because if you have a weak link in your board, or weak link in your, in your leadership team, your executive leadership team that's going to Tank everybody, it only takes one, right? Like it takes one mistake, one human behavioral mistake, or one person who doesn't have the right mindset, or who is incapable of leading a CyberSecure culture from the top down. I mean, the people at the bottom there, they're already being told, Hey, don't click on any links, don't click on it, you know, but it's, you know, the folks at the top they can't, you know, I think there's a realization that we keep doing these things over and over again, like we keep trying to get at this problem over and over again, and it's not slowing the problem, like, the number of hack attempts or insider threat or other attempts is not getting any less like the amount of cyber crime isn't decreasing, because we've all gotten smarter over the years, right? We're all armed with so much information. But the approach clearly isn't deterring the problem. So how can we work together? In this and I think we're gonna see a lot of people come out of our panel going, aha, and what who can I work with? What can I do? What can I take back to my ELT? What can I take back to my team or my board? What can I how can I partner with? How can we really raise our game? And I think by sharing these insights with each other, it's really important. I really do believe in the theme stronger together anyways, a life philosophy, by the way. And I think, you know, what I'm going to do is I'm going to talk to a lot of people, I'm going to just hear what they have to say, where they think things are going, I think people are at a crossroads right now, again, because the problem keeps getting worse. We keep going to conferences, and we keep doing more and more things, but are we doing the right things? And so I'm going to be listening for what kind of changes are out there. Other than, you know, locking down your whole system even more like there's like is I'm going to be trying to pick up on who out there is addressing that personal responsibility or who out there is addressing, like, how do we work together with other people to, you know, really create deterrence?
Marco Ciappelli24:44
Well, I know Shawn is going to close and make the call to action, but there is one one sentence that you said it's kind of stick in my head it's, at least don't help the enemy. I feel like that's really strong meaning You don't have to be an expert, but at least know enough that, you know, together we could we can avoid a lot of things then don't be so responsible or I don't know if that's the right word, but you know, conscious about what we do, because we are all potential entry door for.
Dana Linnet25:22
Yeah, exactly Marco. And I think the other piece of advice is arrogance, I think because we have so many experts, like, I'm excited to learn from this, like the 50,000 experts that are gonna descend and swarm all around me at RSA and pick up the buzz and all the knowledge and all the things but sometimes we get wrapped up, like we're promoting ourselves as the experts or private, you know, like, I think we need all need to take a humility pill. At you know, like this stuff can really truly happen to anybody, and it is happening almost to everybody, you know, the probabilities are kind of high. So, you know, I think humility and learning and like, taking down their against factor a couple notches will help all of us, no matter how advanced, we think we are in the field, and how much we know. I think that that's, I know, that's what I'm going to do. And that's what I'll be looking for people who adopt that kind of philosophy. And, you know, I think there was something like, there have been different statistics out there, you know, CNC on their website has, like, 97% of breaches are human, Verizon did a study, it's 82, I don't really care if it's 82 or 97. That's way too high. Like, like you say, Marco, like, you know, don't help the enemy. You know, we are we are too often helping the enemy. So, you know, how can we, how can we lower our own arrogance, not enough to learn and to help each other and, you know, really live up to this year's theme?
Sean Martin27:03
Helping the enemies, not the Better Together help
Dana Linnet27:04
each other? Right? Not the enemy. Right?
Sean Martin27:09
The other. All right, and one way, folks listening and watching to this can actually start to do that is by attending this panel, how to create a breach deterrent culture of cybersecurity from board down that's Monday, the 24th 940 to 1030, Moscone West, evidently, only a handful, couple handfuls, depending how many fingers you have couple handfuls of seats
Dana Linnet27:33
left at 4045. I can't remember. But something something like that. And I will say, you know, Andre and Mark, they are truly great to have on stage. You know, they're, they're pretty charismatic, they know what they're talking about. So I'm really blessed to have two phenomenal panelists on the panel. And this really is key for everyone. Whether, you know, whether you were intending to, to step up your game, I think when you walk out, you're gonna be like, Oh, my God, what am I not doing? You're gonna want to take, take action. Yeah, take action. I
Sean Martin28:07
love it. That's all point think differently, take take action better together. I think those are the three points. And with that, I want to thank you so much. I'm thrilled we were able to pull this together. excited to meet you. In San Francisco. Hopefully, hopefully, we get a chance to do that. And encourage everybody to join your join your session for for a lively conversation, it seems and lots of good, lots of good insight. And with that in mind, everybody listening, watching, there'll be links to that session and Dana's social profile info so you can connect with her and our panelists and grab that seat. And of course, stay tuned for all of our coverage for RSA Conference, itsp magazine.com, forward slash RSA. See this conversation and many others. Thanks, everybody, for joining us on our chats on the road. San Francisco, especially Dana, I think we'll call it there and we'll see you all soon.
Dana Linnet29:08
Great. Thank you both so much. I appreciate the opportunity to be here.
Marco Ciappelli29:13
Thank you. Bye, everybody. Stay tuned. Subscribe, follow us.