The 5 pillars of cybersecurity framework

[00:00:00] CS: Today on Cyber Work, Mathieu Gorge walks your C-suite board through the scary task of getting serious about cyber security using his five pillars of cyber security framework and his book, The Cyber Elephant in the Boardroom. Mathieu takes complex, confusing regulatory frameworks and maps them in a language that non-tech fluent board members can easily understand. That's all today on Cyber Work.

I’m also excited to announce a new hands-on training series called Cyber Work Applied. Every week, expert infosec instructors and industry practitioners teach you a new cyber security skill and show you how that skill applies to real world scenarios. You'll learn how to carry out different cyber attacks, practice using common cyber security tools, follow along with walkthroughs of how major breaches occurred and more. It's all free. Just go to infosecinstitute.com/learn or check out the link in the description and get started with hands-on training in a fun environment. It's a new way to learn crucial cyber security skills and keep the skills you have relevant. That's infosecinstitute.com/learn. And now on with the show welcome.

[00:01:07] CS: Welcome to this week's episode of the Cyber Work with Infosec podcast. Each week we talk with a different industry thought leader about cyber security trends, the way those trends affect the work of infosec professionals while offering tips for those who are breaking in or moving up the ladder in the cyber security industry. Mathieu Gorge is the author of the new Forbes book release, The Cyber Elephant in the Boardroom: Cyber-Accountability With the Five Pillars of Security Framework. He's also the CEO and founder of VigiTrust, a cybersecurity company with clients in 120 countries. Mathieu describes his five pillars as an industry-agnostic methodology and is aimed at C-suite executives with a goal of enabling businesses of all sizes to map cyber security risk and demonstrate cyber accountability to regulators, government bodies and law enforcement agencies. Mathieu has over 20 years of IT security and risk management experience and is much sought after for his experience. As an authority on cybersecurity solutions, he has been asked to speak at conferences including RSA, ISSA and ISACA. We're going to take a closer look at the five pillars today, find the similarities and difference with other regulatory frameworks as well as talking in some detail about bringing your c-suite into the cybersecurity conversation.

Mathieu, welcome to Cyber Work.

[00:02:22] MG: Thank you so much. I’m delighted to be here.

[00:02:24] CS: So let's start out, as we do with most of our guests, with a little bit about your background. How long have you been in the cybersecurity industry? It sounds like quite a while. But what got you first interested in to cyber risk strategies and cyber security in general?

[00:02:39] MG: Yeah. So, I've been in cyber security for over 20 years now. I started out working for a value-added reseller in Dublin, in Ireland, selling firewalls and content security and web security. And then I developed a passion for actual data security, so the legal aspect and the risk management aspect of data. And very quickly I decided to start my own business, which is VigiTrust. And I started VigiTrust in 2003 initially actually to provide data security training. But at the time it was a little bit ahead of its time. So I had to wait for a couple of years until I could really start selling with services.

And then fast-forward to today, the main essence of what we do at VigiTrust is provide integrated risk management solutions to comply with legal and industry security standards, so PCI, GDPR, HIPAA, ISO, many of them. And to your point earlier on, what I was always looking to find was common denominators between all of those standards and regulations worldwide. And that's where the five pillars of security came from.

[00:03:58] CS: Okay. So you said you had to kind of wait a few years before like things caught up. Like can you can you talk a little more about that? Like you were offering services as early as 2003, but you said you started need to wait for the industry to catch up. Like what was it that you needed to have in place before you could do what you wanted to do?

[00:04:14] MG: Yeah. So at the time people were really into firewalls and intrusion detection and more geared towards technology rather than process and people. And so what I wanted to bring to the market was a way of explaining data security and data protection to standard users. And one of the things that always struck me is that if you explain to a standard user that a firewall is like a passport control at the airport and that content security is like customs. Suddenly they start understanding the value of data, right? So am I allowed to come in and am I allowed to bring in data and so on? And so I was always driven by demystifying technology.

[00:05:03] CS: Okay. Yeah, I was going to ask about that. What is it that you find so interesting and rewarding about protecting digital assets on such a large scale?

[00:05:12] MG: Well, I think that security and data protection is not rocket science. If you explain it in plain business English and if you get people to relate to their job and to what they do on a regular basis, they'll understand it much better and then they'll start spotting when something is wrong, when something is odd. They'll start being able to report incidents and they'll start behaving better as well online and when they work with systems.

When you deliver security awareness training, which I've been doing for years and you know that by the end of the workshop people go away with some key messages and they remember a few things. They remember some key messages. It's great. So I often say that security is a journey and not a destination. So it's an ongoing journey and you'll get a few pit stops along the way. You can breathe. You can demonstrate compliance to regulators and enforcement bodies and so on, but you can't really rest on your laurels. You have to keep going because the attacks keep moving. And one of the key problems right now especially with large enterprises is that you need to explain that in plain English to the board and to the senior executives. If you come in with GDPR, you'll get their attention. But once you start explaining how to comply, you'll lose them very quickly.

[00:06:38] CS: Right. Yeah, let's sort of start right here with the five pillars of cyber security framework. This is the main slant of your book, The Cyber Elephant in the Room. So since many of our listeners might be new to some of these concepts, we did a survey recently and many of our listeners have zero to four years of cyber security experience under their belts. So we want to sort of appeal to everyone here. So for people who are new to the concept of risk assessment in a career, can you explain the five pillars of cybersecurity and the framework around it?

[00:07:12] MG: Yeah. So it's based on the idea that whatever industry you're working in, whatever the size of your business, you'll end up having to comply with legal and regulatory frameworks that require you to have various controls in place, and some of them will be technical, some of them will be policies, procedures, skills transfer and so on. And when you start looking at them, it can be daunting, because the industry loves to use three-letter acronyms that only security professionals really understand. And even so, sometimes we do get confused.

And so the idea behind the five pillars of security is to bring back risk assessment and risk auditing and risk treatment, which is really how you address risk and how you reduce risk and mitigate risk into five common denominators. And these are physical security, people security, data security, infrastructure security, which is your wider infrastructure. So anything behind your firewalls, your networks, your extranets, your applications, your third-parties, and your remote workers, for instance. And then crisis management, what do you do when something goes wrong?

So if you try and explain any type of regulation anywhere in the world and you map all of the controls to those five pillars, you'll get a much more captive audience, because everybody understands that you need physical security. Not everybody can get into your home or into the company premises. Everybody gets that. People security; well you're not going to let just anybody in and out, and once wherein you have a duty of care to make sure that nothing happens to them. Data security; what kind of data do you have? Is it a paper-based? Is it electronic? Is it structured is it unstructured? So that's kind of easy to understand. Infrastructure. Oh, okay. I've got 150 vendors that I need to use. Is that risk? Is it not? How do I map that risk? I use 25 applications, two of which I built myself. Is there a security risk with that? And in crisis management, if something goes wrong with any of the other four pillars, do I know what to do? Do I know who to call? Do I know what systems to shut down? Do I have a disaster recovery plan and so on? And so once you start explaining it in those very simple terms, you find that it's easier for people to start a strategy and to start understanding what they need to do.

So the next step after that once you educate people into the value of the five pillars is to do some simple questionnaires. So within the five pillars of security framework, in the methodology, there're two types of questionnaires. There's a short questionnaire, which is five questions per pillar, so 25 questions. And we call that a super strategic questionnaire typically for board members. And then we've got a strategic questionnaire, which is 12 questions per pillar, so 60 questions. And out of the results of the questions, you can derive what we call red flags and action items. Red flag would be, say for instance, if you're a cloud provider and your infrastructure security isn't great, but you still get maybe a score of 85%, but for physical security within your server farm, you answered the wrong way. Then that's a red flag. It basically says that despite your overall score, there are some red flags and stuff that you need to address immediately.

And then action items could be policies, procedures, training. And the questions are very simple. For instance, it could be in the super strategic questions. I am 100% confident that I have a physical security systems that allow me to legally monitor who comes in and out of the business. And the answer is, “Yes, absolutely.” “Yes, I think so.” “No, I’m not sure.” “No, absolutely not.” “I don't care,” or, “It doesn't apply to my business.” And as you can already understand, if you say I don't care, that might automatically raise a red flag.

[00:11:28] CS: It’s a red flag. Yeah.

[00:11:29] MG: Yeah. Absolutely, yeah. But it's in plain business English and it's stuff that the board and C-level folks understand very well.

[00:11:39] CS: Okay. I feel like what I’m hearing – And you can correct me on this, but this is almost kind of like an intro to the idea of security compliances, because there's a lot of compliances out there, there's NIST, there's Privacy Shield, COBIT. Payment ones like PCI, DSS, and HIPAA for healthcare and Sarbanes-Oxley. So how does how does the five pillars? i seems like this is almost kind of like get your – Sort of get initial assets mapped. And then from there you can use that to sort of apply to other compliance regulations that you need. Or can you explain that to me better?

[00:12:14] MG: Yeah. I mean, to some extent, the five pillars can supersede all of the frameworks and regulations that you've mentioned. In fact, we've mapped out the five pillars and PCI and GDPR and HIPAA and a few others. And the idea is to be able to get into a boardroom. Say, if you're the chief security officer or the chief compliance officer, you come in once a month and then you tell the board, “Hey, we need to comply with HIPAA. We need to comply with High Trust. We need to comply with PCI,” or whatever. And then you dial back into the five pillars in a language that they'll understand.

And to some extent they don't necessarily need to understand all the or nitty-gritty of the actual controls for HIPAA or PCI. All they need to understand is that in order to have good physical people, data and infrastructure security and crisis management, they need to be in compliance with HIPAA and PCI. And it's kind of a cascading from that angle, if that makes sense.

[00:13:17] CS: Yeah. Oh yeah, that totally makes sense and that sort of shows me where it lands and where it sort of like covers other things and sort of envelops it and so forth. So I think from there we want to sort of talk about one of the key aspects of the five pillars. As you said, it's written kind of in business language, and specifically of the book, is that there's this integration with the C-suite between the IT and cyber security departments. So this has been an ongoing problem for a while now that that we hear about, is that you know getting the C-suite on board with allocating funds for security problems or headspace or resources can resemble the five stages of grief. As you said, with leadership passing through denial and anger and grief and bargaining and acceptance on their way to implementation, but some C-suites might never make it past the denial stage. So there're a lot of problems to conquer.

So to start with, for cyber security pros who are dealing with a C-suite that thinks of the company's cyber security posture is “IT’s problem”, how do you get leadership to realize their crucial role in driving and directing security and risk strategy?

[00:14:25] MG: So, again, I think that the first step is to make sure that you speak their language, right? So if you look at board level, C-level folks, what they're focused on is strategy, growth, potentially profits, economies of scale, recruitment and so on. So you need to be able to position security and compliance as a value-add to those KPIs that they're used to. And one way to do that, and it's covered actually in the book by one of the guest chapter contributors, Bob Gartner, is he talks about enterprise risk management and talks about putting cyber and compliance on the company's balance sheet and on the P&L so that there are models out there that allow you to say, “Okay, don't necessarily just look at the cost of an incident.” So the cost of an incident could be a cost per record or per breach or whatever. And that's the cost that to some extent can be offset by some cyber insurance and other insurance. But it's definitely a cost, but it doesn't actually add value. It's just like it's a cost of fixing things. Whereas if you explain it in the right way and you use the right models, you're able to say, “By investing in cyber security, technology, process and people, you'll actually add value to the organization and you literally add value to the share price,” Because you're able to add a line in your balance sheet that actually provides value to all of that efforts as opposed to coming in from the angle of, “Something went wrong. We need to fix it.” So if we don't prepare for that, it might cost us 40 million. The way to look at it is to say, “Well, if we invest 10 million, we'll never really have to worry about that problem.” That's one way of doing it.

The next thing is to try and explain to them that it's not rocket science. At the end of the day, technology is there, technology is good. It keeps evolving. It's easier to manage. Back in the day, actually, when I started in cyber, you needed an engineer to install a firewall. Nowadays you just click next, next, next and anybody can install a firewall.

So the technology is easier to implement. Well, standard technology, standard, like first line of defense, second line of defense. So we need to get them to focus on the process, the policies and the role of the users and we need to make sure that users understand that they add value to the overall security posture of the business. And that's done through ongoing security awareness. Not just like once a year to tick the box. I like PCI. It's a great framework if you don't know where to start, because it's very prescriptive.

If you look at requirement 12.6 of PCI, it states that you need to train employees upon hire and once annually thereafter on credit card security. But that's great. It's a good start, but it's not enough. I’m a great believer in ongoing training every month. A little bit of information and then a couple of events around cyber security awareness month, maybe global privacy day, to do this on a regular basis.

And then to go back to your initial question about what else can you do to get the attention of the board? I would stay away from fear, uncertainty and doubts. I actually don't really like that approach. I don't think there's anything wrong in providing details of competitors that have been hacked. But I also think that you need to put that into an overall global context. So I would highly recommend that when you try and raise the awareness and if you really want to have numbers or if you want to have names, you use reports like the Verizon Data Breach Investigations Report. Now in its 13th edition, which shows you the evolution of threats and which shows you the difference between a security incident and a breach.

Again, reasonably, in plain English as well, because the last thing you want to do is tell the board that your competitors have been breached because they didn't have technology X, Y, Z that the board will be saying, “Do we have it? Do we not?”

[00:19:12] CS: Yeah. That leads into my next question, because I thought I knew what the answer was going to be, but now that I’m hearing it, we have a different thing going on. So one of the things that we always hear about is my C-suite is very set in their ways and they don't have a baseline tech knowledge. I’ve had former bosses that didn't own a computer and they had their secretary print out their emails for them and things like that. But it doesn't sound like there's as much of a focus here on needing the C-suite to have a baseline technical knowledge as much as just understanding the scope of the problem. Is that the case? Do you think that they still sort of need to know a small amount of like the process that you're asking them to authorize and implement?

[00:19:57] MG: So, yeah. I mean there's kind of an underlying aspect that you would expect them to understand what a file is, what a network, what an extranet is, what a website might be. The difference between company-owned devices and personal devices, that kind of stuff. But you certainly wouldn't want to – You wouldn't need to have them understand the latest point-to-point encryption technology. I don't think they need to know that. But knowing the scope and the breadth of the work that needs to be done, yes, that's something that the framework is very good at doing, because it does it in very simple terms.

[00:20:44] CS: Okay. So there's sort of a guide in there of getting them just enough knowledge that they know to sort of understand what they need to know.

[00:20:54] MG: Yeah. And so if you look at the book, The Cyber Elephant in the Boardroom, the book actually starts out by going over a number of security incidents and security breaches. And in very simple terms, some of them that I've seen throughout my career. Then it starts talking about the regulations and the kind of stuff that you need to take away from the regulation. For instance, if you look at the OCC in the us for banks, it's all about third-party risk and managing your vendors. If you look at PCI, it's all about managing any entity that will store process or transmit credit card holder data. You look at GDPR, it's all about personal data in Europe, CCPA in the US and so on.

And so you do need to convey all of those messages quickly so that they understand that some requirements are more technical than others. Some are regional. Some might look like they're regional, but they're actually extra territorial like GDPR or CCPA. But once you explain those concepts within five or ten minutes, that's really all you need.

[00:22:04] CS: Okay. And so the five pillars concept, so it sounds like it integrates pretty well into things like GDPR and European regulations.

[00:22:14] MG: It does, yes. So we've done a complete mapping of the articles and recitals of GDPR and the five pillars. And so you find them within each of the pillars. Some of them are actually in a couple of pillars because they cover different areas. But it's actually easy to use that that way. So picture this. So if the CSO says to the board, “Well, we have an issue. We've had a data subject request.” They explain what that is to the board and they say, “Okay, what we need to do now is we need to prepare so that if that happens again we can demonstrate compliance with GDPR.” So they explain GDPR and they say, “Okay. Well, there's 99 things to do with GDPR and we've mapped them back to physical security, people security, data security, infrastructure and crisis management.” And suddenly you can say, “Oh yeah, we can do that. That's not rocket science.”

[00:23:08] CS: Okay. Yeah. So I guess moving to that to move from sort of theory to action, once our hypothetical C-suite moves past denial and springs into action and even get some fast education, what they need to know. What are the first steps to creating and crafting a comprehensive risk assessment plan and security strategy especially if you haven't really had one up to this point?

[00:23:33] MG: So I think you need to firstly understand what you can do with risk, right? So risk is something that could happen to an asset. And the asset could be physical or logical or a mix, right? So you would have a risk to your laptop being stolen. That's an asset. A risk to your staff, because we can be victims of social engineering attack, or maybe risk to a process, which would be a mix of staff and physical and/or logical assets. So you could have a risk to a piece of software that you've written because it's full of holes and a hacker could get in. There're only a few things that you can do with risk, and it's important that you get your board and your C-level folks to understand that. You can ignore the risk and you should never ignore the risk. That's really not a good strategy moving forward. You can reduce the risk.

Now, when you reduce the risk, essentially you mitigate the risk typically by putting in place a mix of technical safeguards using technology or settings, policies and procedures, governing how you're going to do that, and then training. Making sure that people know what to do. You can transfer the risk to some extent. So you might say, “Well, the risk associated with my call center doesn't really belong to me because the call center is managed by a third-party.” So the good thing about that is that the guys that manage their call center will know what to do and will probably be more proficient in call center security than you are. However, the risk still belongs to you. So you can transfer the operational risk, but not the actual legal risk or ownership of risk.

And then eventually you end up with a residual risk. So you've mapped the risk. You know what assets it applies to. You then safeguard, put in safeguards, and you end up with a residual risk surface. And at that stage you have to decide, “Am I willing to accept that risk or not?” And it could be that you have no choice but to accept the risk.

I'll give you an example of that. If you want to take payment by credit card and you need a point-of-sale device, well, the point-of-sale device is as secure as it is. It's typically very secure, but there's always a risk that at some stage the software won't be updated the right way. And you just have to accept that risk to do business.

So you explain the concept of risk to your target audience, to the board and the C-level and then you explain to them that you're going to assess the risk um for a given scope. Again, the scope could be the call center. It could be the server farm. It could be factory A or factory B. It could be premises one or two, and you assess the risk there against typical attacks. And normally to do that, you use methodologies like ISO or NIST or CIS. Again, that's very good for operational people.

What the five pillars does is it makes it possible. It empowers the C-level folks to do their own risk assessment, right? So am I confident that I have good physical security? Yes. No. Maybe. I don't care. It's not my problem. Do you see where I’m going with that?

[00:27:08] CS: Yeah. Yeah. Yeah, absolutely. So I want to sort of jump past that. So let's say for an instance that in our hypothetical C-suite example here we got what we wanted. They said, “We're going to do it. We understand the scope of the problem.” They implement it. They allocate the funds. They allocate, hire new people. So the next concern I guess is to make sure that creating the plan isn't something that's done once and never updated. So how do you get your C-suite who at this point might be sick of hearing from you about all these things to create an open-ended system that's able to be updated, improved as time and circumstances require?

[00:27:45] MG: Right. And the first thing is you're right, they'll be sick of hearing from you all the time.

[00:27:51] CS: Especially the last couple of months. Yeah.

[00:27:53] MG: Yeah. They'll want you off their back. So I go back to the concept that security is a journey and not a single destination. So that's one of the key messages that we need to impart on them. The next thing is that they also need to understand that, inherently, when you look at security, there are some tasks that are unique and there are some tasks that are recurring. An example of a task that is unique is doing a risk assessment the first time you onboard a new client, for instance. That's a unique task because it's the first time you do it. But that task becomes a recurring task if you keep the vendor on board or if you keep that business unit on board, because you need to assess them on a regular basis.

If you look at PCI, which again is a good starting point. PCI has a mix of daily, weekly, monthly, quarterly and yearly tasks. An example of a daily task would be looking at the logs. An example of a weekly task would be making sure that the antivirus is updated, although it should be done daily. But an example of a monthly task is reviewing the file rule base. A quarterly task is doing a quarterly scan. And then a yearly task is a full pen test.

So when you do your risk assessment, you'll be able to see which assets belong to the unique type task and the ones that belong to the recurring tasks, and whether it's weekly, daily, monthly or whatever. And once you have all of that in place, you can put a continuous compliance in place. So you either do it manually, managing it through a CRM or a help desk system. Or you use an integrated risk management tool, which essentially will provide you with the ability to disseminate policies, do training, conduct the assessments, schedule all of the tasks. And then a click of a button give you a report as to where you are.

[00:29:58] CS: Okay. So because the theme of our show is cyber work, we like to get our guests’ insight on breaking into the industry at the points at which they're currently experts. So for someone who wants to do the sorts of things we're doing in these thought exercises, i.e., the creation and updating of security strategies or frameworks, compliance, risk strategies. What are some skills and certifications and projects that they should be working on right now that would move them towards the goal of getting into that part of the industry?

[00:30:25] MG: Yeah. So some of the certifications that are actually quite good for that would be some of the ISACA certifications, like CISA, CISM, CRISK. Certainly, getting training in ISO is quite good. ISO 27000 series is based on that idea of continuous compliance. That's quite good. PCI is good too, because PCI has that thing called making security BAU, business as usual. So it has that angle and that methodology.

Certainly, the five pillars of security is very simple to learn and it's very easy to implement. And I would also recommend, I suppose, that that anyone who wants to do that, makes sure that they keep an eye to – They keep their ear to the ground as regards new regulations and new mappings, right?

And so an example of that is CCPA, being very often compared to GDPR, right? So CCPA being the US answer to GDPR. Well, yes and no. There's a common baseline, but with some key differences, for instance, in consent and so on. And so I would urge people to make sure that they double check everything. And there are some very good frameworks out there that do multiple framework mappings.

[00:32:00] CS: Can you talk about some of the soft skills or other talents that make people especially good at doing this type of job apart from learning regulations and so forth?

[00:32:11] MG: Patience is a good skill to have, especially when dealing with boards. Diplomacy too. I think that – And it's an example that I give in the book that I was asked once to do a 20-minute presentation to the board of a Nasdaq company and just to talk about cyber accountability. And what I did is I looked them all up on the internet. I got some information, and they had way too much information that was available. So I was able within five or ten minutes to do apprehensions too. I knew that some of them were playing golf in that area. I even knew their handicap and so on.

And so some people were laughing. Other people were extremely offended. And so that was a lesson for me, because I think that some of the soft skills would be to try and explain to them that they play an important role without offending them, right? And so no fear and uncertainty and doubt and just get them – It's okay to be a little bit cheeky, but not too cheeky, because otherwise it's a little bit counterproductive. Some of the other skills would be the ability to leave them with key messages, like uh news bytes or little digests that they can go away with, right?

So if they can go away with a few key messages, like security is not rocket science, security is a journey, not a destination. There're only four things you can do with risk, right? So if they already go away with those three messages, I think that's good and it's a nice sub-skill to have.

[00:33:56] CS: Yeah. So to flip to the other side of that, do you feel like there's a baseline level of technical expertise that someone who wants to do this kind of work needs? If, let’s say, the board starts sort of prodding you with questions. Well, what exactly do we need here? What type of firewall? Is that something that you farm out to other parts of the security team or should you also be kind of a little bit of an expert in a lot of different things?

[00:34:24] MG: So I think you need a good general knowledge of network security and web security and cyber security. Again, you don't need to be able to install the network, but you need to be able to understand how the network is hanging together and the different components and so on. But, again, it's really not rocket science. So I studied languages. I never studied IT. I never studied compliance until I was in the industry and then I got training from various vendors and then I started reading a lot of books. I read a lot of security books. I spent about an hour a day reading security newsletters. And I don't do it in one hour. It's like I’d get up in the morning, I have a cup of coffee. I might spend 10, 15 minutes reading on some stuff. And I do this three or four times a day in order to keep with the program, because things move very, very quickly.

I don't know if I can provide a very topical example, but we've seen with the pandemic a rise in ransomware and phishing attacks, right? So the criminals have understood that the attack surface is much bigger today than it was before the pandemic, because everybody's working from home with home devices, no training, no policy, no security. And even though companies are catching up on that, the attack surface is so big that there's been a rise in phishing attacks, and also in ransomware for that matter. And so the attacks move on very, very quickly. And as vaccines are starting to come out, I would bet a few drinks that we're going to see in the next few in the next few weeks a lot of phishing scams around, “Click here to get the vaccine way quicker for half the price.” And that is one of the other skills that I suppose – I don't know if it's a skill, but it's suddenly a requirement that you need to keep with the program, because it moves very, very quickly. The attacks move very quickly.

[00:36:39] CS: I just wanted to jump – Without jumping to the next question, you said you read a lot of books and you keep up with things. Can you give us a short reading list of books that have come out recently that you – Obviously, The Cyber Elephant in the Boardroom, is a top one. But can you give me some other examples of books that you think are especially interesting right now to people in this area that they should check out or websites that you really like?

[00:37:04] MG: Yeah. So there's a book that is actually just out now, or literally just about to come out from IRA Winkler that you might know. The book is called You Can Stop Stupid. And the idea is that it's not a case that you can't stop stupid people. It's the case that perhaps there are no stupid people. It's just a case that they need to be educated. So I would highly recommend that book. In terms of publications that I read on a regular basis and the usual suspects, the CSO online, the SC magazines and so on. But I tend to read a lot of the reports from the parliament institute. I find them very good. I read a lot of reports from the ECIT and CCIT who specialize in critical infrastructure protection and protection of airports and that kind of stuff.

I also spend a good bit of time – Well, a good bit of time, a reasonable amount of time every year doing guest lectures in universities. And that allows me to talk to research students and find out what we're doing. Right now it's all about AI and ML. Two years ago it was all about blockchain that was going to solve the world. Still hasn't happened, but it might. Who knows? But you have to keep with the program that way, yeah.

[00:38:34] CS: So as we wrap up today, what tips or advice would you have for C-suites or the security teams working with them who might feel overwhelmed by all these difficult decisions they need to make? So where do you start if you really are just afraid to even sort of dip your toe in the water?

[00:38:52] MG: I think using a very simple framework like the five pillars of security. Just one slide saying, “Hey, guys. We need to comply with 35 different regulations.” We’ve mapped them out to those five pillars. It's a well-known methodology. It's very easy to understand very easy to use and it's going to help us drive the strategy and translate our requirements from an operational perspective into your strategic requirements. That's easy to do. Of course, they can buy the book and read the book, but not everybody has time to read the full book.

I would certainly get them to watch podcasts and like this podcast and try and understand the key messages, because at the end of the day, it really is not rocket science. I know I’m repeating myself, but the good news is that everybody can understand it. Everybody can very quickly see where they are. Are they going the right direction security and compliance-wise or are they lagging behind? And nobody wants to like behind. And so I would start that way and then I would make sure that I get a seat at the table on a regular basis, ideally, every month. But if not every month, every quarter. Once a year is not enough.

[00:40:17] CS: Yeah. So, last question here and then we'll send you on your way. If people want to know more about The Cyber Elephant in the Boardroom or your five pillars of cyber security framework, where should they go online? Is there a central website for that?

[00:40:29] MG: Yeah. So they can go to two places. They can obviously go to VigiTrust, which is www.vigitrust.com. They can go to my own website, which is mathieugorge.com. And of course they can go to forbesbooks.com where the book will be listed.

[00:40:45] CS: Okay. Mathieu, thank you for uh being our guest today on Cyber Work. This was very insightful.

[00:40:50] MG: Thank you so much. I appreciate the opportunity.

[00:40:52] CS: And thank you all for listening and watching. If you enjoyed today's video, we come out every Monday at 1 p.m. on our YouTube page. It streams live at 1 p.m. You can chat along if you want to talk with people who are watching the episode for the first time. Also, if you want to hear us in your ears during your work week, we obviously will do this as an audio podcast as well. Just search Cyber Work with Infosec in your podcast catcher of choice. I’m also excited to announce a new hands-on training series called Cyber Work Applied. Each week expert infosec instructors and industry practitioners teach you a new cyber security skill and show you how that skill applies to real world scenarios. You'll learn how to carry out different cyber attacks, practice using common cyber security tools, follow along with walkthroughs of how major breaches occurred and more. And it's all free. So go to infosecinstitute.com/learn or check the link in the description and get started with hands-on training in a fun environment. That's infosecinstitute.com/learn.

Thank you once again to Mathieu Gorge and VigiTrust. And thank you all for watching and listening. We'll speak to you next week.