As technologies become even more interconnected and deeply embedded in our lives, facing cyber risks has become more real than ever. Cyber security could be the only thing that keeps you and your business safe. In this episode, John Riley and George Usi sit down with the President of PingWind, Inc., Clarence Dingman, to discuss how executives and leaders can prevent cyber-attacks from happening and keep their businesses safe. What is the most significant cyber threat executives are facing right now? How should a CEO prioritize cyber risks and how can a CFO budget for that? What does a cyber disaster look like for executives? Bringing insights not only from his experience in the industry but also from his background as a former military, Clarence gives a fresh point-of-view on facing the dangers in today’s cyber world. Join him as he shares more about fortifying cybersecurity as leaders today!
Watch the episode here
How Executives Can Navigate Cyber Risks Today With Clarence Dingman
In this episode, we have this awesome guest who’s been practicing his Brazilian jiu-jitsu for over eight years. He leads a balanced work life with his three children. He can be found with his son’s and daughters’ troops as a scoutmaster. He’s a retired Special Forces officer in the Army, and he’s the President of PingWind. Welcome, Clarence Dingman.
It’s great to be here.
Great to have you. We are going to start here with some tough questions. How would you explain the difference between what cybersecurity is and what cyber risk is?
It’s important that we distinguish between cybersecurity and cyber risk. They are interconnected, but they are not the same thing. Cybersecurity to me is more about preventing cyber attacks from happening, whereas cyber risks are the dangers we face as technologies continue to become even more interconnected.
These risks can be broken out in a couple of ways, categories in which they harm your business, your clients, or your ecosystem. You look at things like operational, financial growth, and malicious personnel intent. You have a disgruntled employee, data stealing, ransoming, or things that could result in partial destruction of your business, or ignorance. Software license or antivirus software expiration. That sounds simple and mundane, but these are potentially unforeseen risks in systems.
You have systems in integration and that’s becoming even more important as we become more interconnected, as well as the means of delivery, things like malware, supply chain, human factors, and social engineering. Cyber risks can also present themselves based on an organization’s dependencies. If we depend on one system exclusively for a function and have no backups around that, it presents a significant risk to your business.
Cybersecurity, generally, is the system of protective measures that you put in place to hopefully avoid or mitigate the impact or probability of these risks as we look at things like your organization and your system dependencies. I don’t think anyone or any combination of cybersecurity measures is ever 100% foolproof, but if you put measures in place you have to look at your cost of benefit and how secure you want your system to be. That’s based on what the level of importance is for you or your business.
Cyber risk is very similar in the fact that you can never reduce your cyber risk to zero. As long as you are connected to the internet and have employees, your cyber risk can never be zero. You can never be 100% secure from a cybersecurity standpoint. That was a great explanation.
John, to that point, you have to look at your data half-life. When does that data that you are trying to protect or that thing that you are trying to protect lose its value or depreciate to the point where it’s not necessary to have those stringent measures in place? Cybersecurity is not inexpensive either. You have to look at that and say, “If my data half-life goes out beyond a certain number of years, maybe I can reexamine the measures that I have in place.”
I often find and wonder if you see the same thing too. A lot of non-technical executives grapple with the concept of understanding what it is that they are leading because they are not familiar with the technology. That is one of the best ways to define cyber risk for executives. As you would help any other department, you want to make sure that things stay safe within your organization.
With HR, you are keeping the building safe. Maybe you have security guards if you are working in an office, but it depends on where you are at in terms of your leadership style as well. If you are going to be able to address risk in general, this falls into that bucket. The cyber risk component is more business-oriented in the decisions that you make, especially for the CFO who’s saying yes or no to a budget.
George, to that point, it goes that even if you are not a technical executive, you have to have some degree of awareness in terms of cyber risk and cybersecurity, what these things are, and what the tools are available. The philosophical stance that your business has around its data and what’s important and what’s not or the degrees of importance. It’s not necessarily a black-and-white thing.
What would you say is the most important thing for the executive that is there? What would be the most significant threat that they would be facing? What are the top three for you and what is the focus there?
You highlight a little bit about my background before, coming from Special Forces and coming from the Army. I always go back to one component and that’s the human factor. I firmly believe that the human factor plays the most critical role in any type of cyber threat. Especially in the last years or there’s probably an asterisk to that and I will talk about that here in a second. I learned, when I was in the Army, that humans are far more important than hardware. A similar mindset applies to cybersecurity threats. Humans are the most dynamic element of a given scenario. We can trust our tools to operate as they are predicted to operate.
You have a system that pushes data from B to C, scans and validates in D and E, and then it’s distributed to its end users. A human might unintentionally click on a link disguised as a legitimate communication. That one click has opened the door of access across your network. Humans might have poor cyber hygiene. They might have weak passwords that they don’t frequently update, or you might not use something called multi-factor authentication. It’s a fancy way that says, “I get a text on my phone” when I try to log into something. It’s another means of securing yourself and validating your identity as you are trying to get access. Humans or a team of humans may not consider data exposure. George alluded to that earlier with your HR data. There are health and HIPAA concerns with that as well.
Humans might forget to disable certain functions, and you see this as a risk in small and emerging businesses to which everybody has access. Everybody has admin access to machines when you first start. As you evolve, those permissions need to be taken into consideration. The same thing with my work. I deal with a lot of data surplus. There is old data that may not be configured in the most relevant cybersecurity protocol. That in and of itself, that data pool is a risk.
There are a lot of things that can always be traced back to the human factor, but there is an asterisk, and that asterisk is AI. Inclusion and proliferation of AI, especially over the last several months with ChatGPT and things of that nature. AI is being used by bad actors for malicious and nefarious actions. The human factor has always been a threat, but AI is still an element that is presenting a scenario that we are not fully prepared to deal with adequately as an industry. You see these intelligent bots keep pushing theft and identity attacks.
Even deep fakes and being able to authenticate via voice or things like that, we are going to have some issues with how that works. We consider biometrics, but I don’t know if we have considered voice recognition in some of those things.
I don’t remember where I read it, where AI had convinced a disabled human operator and could not see a captcha, and the human let them in.
I did see that. AI is a new thing and we will need some training. How’s that?
Training for sure. I also think, if you are looking at AI as a nefarious actor, you also have to consider its benefit as well. Training and helping AI to evolve to recognize threats that a human might not recognize is something we also might want to consider.
This triggers a little bit of history in my mind. There was a time when there was no internet in businesses and it came along. Let’s say that there were a lot of people in technology who were concerned about what essentially was going to happen when you started going online. The ’90s timeframe was that time.
That issue of artificial intelligence is the next concept where people are saying, “Should I use it? Should I go online? Should I use AI? Should I not?” Those topics are stewing. In cyber risk arenas, AI is essentially utilized by the hacking community, which we have seen happening already. It further enhances the idea that getting compromised is a matter of when. Are you prepared for when it happens and do your best to protect but add that as discipline? That is the challenge, I think.
I agree with you, George. It goes back to what I was saying before where you consider that this is an isotope or an element. You have a half-life. Your data value decays over time and it’s on the executive and the executive team to figure out, “What is that half-life rate and where do I invest?”
What leaders need to be aware of is that although data does have a half-life, let’s say personal information, they move. They are no longer in a specific area or state. There’s an example of the half-life of address information of the individual, which is considered legally protected in some states now. That’s what you have to look at. That’s the missing piece. It’s great that we are trying to stop that hacker, but what about the regulations? If it doesn’t have a half-life, the data doesn’t have a half-life. You have look to at the regulations because that’s what will tell you what the half-life has to be.
That in and of itself becomes increasingly more complex. The industry that I work in with the Department of Defense has these things called Security Technical Implementation Guides or STIGs that you have to check against if you have a new protocol or you go to that earlier point of an old data pool. You have to make sure they are up to the most recent STIG guidance. I have teams that are making decision-ready recommendations every day of like, “This is a certain degree of red flag that we need to address immediately. This is less of a degree of red flag and here’s why.” These are the types of recommendations that we are making to DOD on a daily basis.
These security technical implementation guides are also tied to other things that your technical team might deal with and so we tend to flaunt a lot of what we call or what I call TLAs the three-letter acronym. There are 4 and there are 5. That’s the challenge. You do expect as a leader for others to have that competency.
Too often, the concept of a regulation deals with something with a blinking light. As an executive, they are going to look at that and say, “The technical guidance.” What’s happening in areas of cyber risk is they don’t. They have to school themselves, and then you start to deal with that question of who’s responsible for understanding risk that’s not technical.
That’s always the challenge in this idea of not just half-life of data, but what other things are the organization struggling with? You have to look to outside helpers to understand those ideas. As you build your teams as executives, I’m sure there are struggles there as well. How do you find those people? The biggest eye-opening moment I had was when I attended a conference called RSA Conference.
One of the speakers was the prior CISO or Chief Information Security Officer of Cars.com. He was no longer a CISO. He went back to school got his JD and is now a practicing attorney. There’s such a huge gap in that area of understanding the regulations. Straddling the fence is a lot more than just the idea of stopping hackers and understanding the TLAs. Not only the technical people are the ones who exclusively understand the right people to help.
You can add to that earlier point you had, George, of finding the right team. I think it goes beyond that because things continuously evolve. It’s training and it’s educating your team as they grow. When I look at especially strategic hires that are coming to my organization, I’m looking at their personality. I’m looking at their soft skills probably more so than anything else.
One of the things that is always in the back of my head is, “Is this person open to new ideas and trainable?” If we have things like this pop up where cybersecurity is becoming exponentially more important to the continuity of your business and your ability to grow as that becomes more prominent, we have to evolve as well. There are trainings that you can take. There are additional certifications. You have to look at that across the organization from those who are on your client site, your day-to-day to your corporate staff, and what level of training makes sense for them.
The world has also changed a little bit with outsourced application providers. The SaaS applications. As George said everything was with a blinking light. There are a lot fewer blinking lights that are happening within an organization these days, and it’s more about the data and the transference of that data, and how to integrate that data between service providers. It’s a different skillset than what it was 5 or 10 years ago.
Executives have to take a look at that and understand what data they are tracking, what is needed, and all the other pieces that go around that. Along with that, there’s a two-part question here. How should a CEO prioritize that cyber risk, and then how does the CFO budget for that? What kind of cyber risk budgets should be set?
I will talk a little bit about the prioritization or risk. Something that I’m doing in my role is making sure that the attitude of myself and other senior leaders within the organization sets that baseline and focus on cybersecurity. First and foremost, you have to understand the cyber risks that are facing the organization so that we can prioritize our efforts to integrate cybersecurity into everything that we do, and to what extent. It’s not just black or white. It’s a gradient. We have to be looking at it from a gradient perspective. It’s important that CEOs and senior leaders establish an organizational stance on specific projects, programs, or elements of their business. Also, listen to trusted members of their enterprise to tailor the cyber risk responses.
This is where things like subject matter experts like a CTO or CISO come into play, but having both internal and external resources to consult with to build your strategy. Three years ago, I knew nothing about cybersecurity to the extent that I do now. I’m still expected to perform and comply with certain standards and still expected to maintain a cybersecurity posture. The way I was able to do that, it’s been through consulting subject matter experts in that area.
I know enough to be dangerous usually to myself at this point. With that being said, it’s very important that a CEO considers that inner organization so that we can align our enterprise-level goals with taking cybersecurity into consideration. That could be everything from prioritizing organizational health and taking care of people where they are at.
Avoiding or reducing the chance for cyber risk through disgruntled employees or malicious intent. Operating from a high ethical standard is another thing you need to look at. If you are seen as a good entity within the business community, you are less likely. To go to our earlier point, you are never 0% likely of a cyber-attack, but you want to try to reduce likely sources.
Investing in resources is another thing that we can look at. It’s something that we have looked at in my organization, recruiting and retaining those IT subject matter experts, prioritizing different initiatives, and taking ownership of them. This is the second small business that I have worked at in my post-Army career where we have evolved as an organization and taken rightful steps as we have scaled.
In each of those organizations, the initiatives that have done well with regard to cybersecurity have had the executive support that they need. Those that have floundered and maybe had to be re-examined were those that weren’t necessarily on the radar of the CEO or the owner of the company at the time.
Those are some of the main things with regard to the CEO. For the CFO, some may believe that this isn’t true. We have teased it out in the course of our discussion here. Some might believe that the CFO doesn’t play much of a role in cybersecurity. I would 100% disagree with that. The CFO needs to be involved in setting the policy for data protection, as well as internal controls. Some of the most protected information inside of the company falls under the CFO’s purview. For us, in the world that I come from, that’s our pricing. That’s our billing information. Those are our clients.
There’s a lot of very important information specific to the CFO that needs to be protected from cybersecurity. When we are looking at whether it’s the half-life of data or the fact that something must be protected throughout its entire life, the CFO plays a key role in approving or otherwise suggesting potential solutions to protect their disparate pool data. It’s both a technical and a financial role.
There’s something that you said that was spot on as far as the budget. You didn’t say it this way, but I’m going to clarify it a little bit. As far as the budgeting goes, it’s not necessarily a dollar amount that has to be budgeted. It’s an executive time amount that has to be budgeted because that’s what regulates the success of a project and the company mindset moving forward.
When you start talking about the budget specifically, we look at things in 1, 3, and 5-year roadmaps. The roadmap is if everything goes well and you got things moderate, then everything goes poorly. You have those three potential courses that you could find yourself on. In each of those, it’s incumbent on the CFO who’s working with that subject matter expert in the CISO, CTO, and the CEO to build out risk pools for those different courses on that roadmap.
If things are going poorly, our risk pool may not be as big, so we may need to look at all alternate options. If it’s going well, now we are more of a target for our competitors or potentially threat actors with regards to cyber-attacks. How do we bolster our cybersecurity and what are the pools that we are going to be pulling from for those additional platforms, training, or architecture that we are going to put in place?
I understand that the biggest challenge for many executives is, “How do I do this?” I have heard it over and over again. “I’m not technically competent. What am I supposed to do? I have to delegate it.” All of these things that we are talking about in cyber risk become almost a reeducation plan for executives or possibly the call for essentially moving on to something that’s more their style, depending upon where their sweet spot is.
That’s what lawmakers are doing with a lot of the legislation, especially in the omnibus data privacy laws that are hitting the ground running state by state. There’s some traction right now with a Federal privacy law. That’s the piece that the executives are now paying attention to because they realize, “This is a risk.”
I think back to my time in the military where you can say you can delegate responsibility but not authority. In my opinion, the CEO, whether they are technical or not. On my best day, I’m probably moderately technical. I try to surround myself with people who are very technical and then ask operationally and strategically related questions to help inform a decision that ultimately I’m going to make, but I want to err into that decision with a full appreciation for either the risk that I’m assuming or the risk that I’m avoiding.
As an executive, I do wonder if there’s a lesson to be learned, at least in reading, in how you deal with cyber risk. I don’t know if you have read the book Turn the Ship Around! by David Marquet. This is a book about if you don’t know what you are doing. Take an example from this book, which is about a submarine captain who is charged with leading a vessel that he had zero training on.
Turn the Ship Around!: A True Story of Turning Followers into Leaders
He was trained on the wrong vessel for a year and a half straight. All of a sudden, he’s assigned to this particular vesselthat had poor reenlistment stats, which is a problem if you are familiar with at least that part of the Navy. Long story short, it talks about a different leadership style that he used and he turned the ship around. He went from poor performing to exceptional.
Even if you don’t know, there is a leadership method that you can at least embrace as you delegate because you also have to be qualified enough to know whether you leader, especially at the CEO or at the board level. To make sure that they understand what it is that they are doing. If you are not familiar with it, don’t be afraid. Consider a different potential leadership style at least in the area of anything light as we like to say. We are the ones asking you about the book, so I apologize if I jump in. John will smirk a little bit when I bring a book up. At least for our audience, I know that it’s always a challenge to understand how I lead something that’s been not my thing.
Both of you hit the nail on the head. Before, it was to a large extent personality-driven and soft-skill-driven. Are you willing to accept counsel? Are you willing to accept additional training and progress inside of an organization? Once you are in that position, you are never going to have all the answers, especially if there’s something new that’s evolving. How good are you at selecting individuals to be part of that cadre of advisors who are going to help you make the most informed and the best business decisions to move forward?
The lesson in the book is you still have to understand what you are doing. He was trained on another submarine. To some degree, he still has trained up. That’s always the challenge with executives. They do grapple with that problem. It’s like, “There’s a reason why I have a CIO or CISO is because I don’t know what I’m doing.”
The biggest challenge is how a CEO deals with this. How does a CFO do a better job of leading a team of people who are probably as analytical as they are to get a result? Nevertheless, I digressed. John, I know that you had some perspective as well on some emerging trends. I’m not sure if we asked that question, did we?
I have to say this. The reason I smirk on that one always is because it reminds me of the movie version of that, which is called Down Periscope with Kelsey Grammer.
I have seen that one.
He turns the whole ship around. The misfits. It always makes me laugh when I hear that one because that makes me think of the movie that came out in 1985 or something. He must have watched that movie before he took that job.
We have another question for you as it relates to the emerging trends. We talked about AI, so perhaps a better question is what do you think the cyber disaster journey looks like for most of the executives?
If you are still around afterward, that’s a good thing. There is a tendency to want to change leadership and have a change of pace when there is a catastrophic attack, but even for a small attack. When I first got out of the military, one of my supervisor’s computers was ransomed. This was a non-DOD company that I was working for at the time. He was in an airport connected to some WiFi, trying to get some work done. Luckily, it was just that machine and isolated, but it was a very stressful and emotional rollercoaster of an experience.
That only goes up exponentially as you look at what of your network systems data has been exposed. You will have some shock and disbelief learning that you have been hacked. You go through that element of the grieving process and try to move forward in processing the information. Once the shock wears off, you are going to see some anger and some frustration. Depending on that level, you may wind up having to look for a new role or new position. You want to make sure that during those periods, you are actively working with the security team and any outside organizations that may be helping you to prevent or otherwise mitigate the extent of the attack.
There’s going to be a healthy amount of fear and anxiety that come out of this. It’s the organization’s reputation. It’s the finances. It’s the ongoing operations. Kidding a little bit around here but for me, this certainly has a significant impact as we are supporting ongoing Department of Defense operations. As a small business, if this were to happen, it would be very significant and could result in some fairly catastrophic consequences for overseas service members. We don’t ever want that to happen. Not necessarily as important, but certainly up there especially if you want to continue your business. You have your organization’s reputation. That takes precedence over some of the other potential impacts of finances and operations.
If your reputation is tarnished, it’s very hard to pick that up and keep moving. You go through a disclosure and remediation. Once your executive team has had a chance to process that and identify, “This is what we are doing about it.” You want to be as open to discussion as possible. It’s a stressful time-consuming process.
If you don’t have somebody on your team already who is forward-facing and deals with things of media relations, especially depending on the severity of it or the size of your organization, you may want to consider bringing in some consultant to talk about how you want to communicate honestly and ethically about what has taken place within your organization.
As this is all passed, you hope to be able to mitigate it to the point where you can recover and rebuild following remediation. Repairing the damage from the data breach, restoring the organization’s reputation, and implementing new security measures. A lot of companies don’t get that chance when things like this happen.
It’s a long and enduring process. Something important, and I will stress it again, is communication with your employees and customers. It’s essential that you communicate not only what you are doing in terms of remediation for the specific thing that’s been attacked, but also what you are doing to minimize or remove the risk to their personal security to help reduce the anxiety and confusion that’s often associated with that.
Lastly, have talked about this already, but being transparent with everyone who’s involved and the extent. If you are transparent from the beginning, that will be very helpful, especially during those initial phases of discovery, mitigation, and remediation. That will play itself out as you are trying to recover and rebuild your reputation.
We are talking about a digital disaster. Perhaps there is some recognition here in the sense that this is a storm coming. This is the challenge where CEOs are like, “The IT team or the security team got me.” In reality, it’s the issue of responsibility versus accountability. If we talk about the term digital hacks, perhaps this is like being a weatherman. Who has the weatherman’s job? The weatherman is always responsible for telling you what’s coming.
When the storm hits, they are not necessarily accountable for the storm because maybe it was a hurricane. The challenge is that the weatherman does have accountability and responsibility in making sure leaders know the storm is coming. It’s the idea behind understanding all these acronyms and technical things.
You have to listen to these teams and make sure that you understand at least the basics of the weather. That’s the challenge. We used to have a satellite that forecast the weather for us years ago. Maybe some other things happening in the background, but the accuracy was not that great. Over time, there are more tools and more functions to prepare us for those disasters. Here we are. We are in the cybersecurity world. We are living in an internet-delivered world where hackers are always right next to the building.
The worst part of world digitally is they are always at your front door. The weatherman, the security teams, and the IT teams are saying, “A tornado is coming into our industry specifically.” It’s up to the executive team to also be aware of, “Is my industry under attack?” That leadership goes from leadership at the CEO level or CFO level and goes all the way up to the boardroom as well.
They focus on risk and ways to utilize what essentially these storms to notify people and communicate with them, “Board up your windows. There’s a hurricane coming.” The technical team will tell you, “The forecast isn’t so good,” and the executive then has to make a decision, “What am I going to do here?” It’s never easy. If they don’t get it right they have to go, “These storms always blow over,” and then wham and you are in the situation that you described, which is, “The storm is here. I need to do this.” Calm down and relax.
What I wanted to do there and talk about is look at a maelstrom, which is that one machine that’s been compromised and that can be dealt with. Maybe that mid-level executive gets training and you can move about your day, but then you have those catastrophic exposures. To take to your point about talking to your team and communicating with them, it’s incumbent on the CEO and maybe even the boardroom to not only talk and engage but to create space for your senior executives to engage with them so that they can hear the forecast.
That needs to become a part of your meeting cadences. I’m sure we are not the only organization that’s out there that has meetings twice a week with our headquarters. I’m sure other businesses do this all the time. What you want to do, in my opinion, is you want to create that space so that you can have that awareness not just with you as the CEO, president, or whomever, but with your entire executive team.
Our next question is going to be more about you. How does somebody become Clarence Dingman, the CEO of PingWind, and all these great things that you have done? Tell us a little bit about your journey.
A minor correction. My role is the President of Exeter, which is a wholly-owned subsidiary of PingWind. I joined the PingWind team back in November of 2022. Professionally, I started, I did my undergrad in Carlisle, Pennsylvania at a school called Dickinson College. I was commissioned in the Army as a lieutenant in the infantry, and then later became a Special Forces officer. I met my wife there. This is our 19th-year wedding anniversary. I had several deployments to the Middle East when I was on active duty from 2003 through 2014.
In transitioning from the military, I had initially gone completely away from DOD and government work for about a year. This was in commercial property management. It was very insightful. It’s where I first saw the impact of what an actual business threat and ransomware are on a cybersecurity attack. In DOD, when I was on active duty, it was always this abstract concept and very much focused on those catastrophic impacts, but you never stop to think about, “What if it’s just one machine trying to get a couple thousand?” It’s very contained. That was my first exposure to cybersecurity.
Over the course of a year, I found that I wanted to get back to some of the work that I was doing when I was on active duty. I started to get into DOD contracting. I leveraged my network. I found an employer I was with for a total of about seven consolidated years. I started as a project manager. I worked my way up to a program manager position and then got more involved in the operations and the business development piece. One success after another led to a good bit of progression.
The company that I was with was services-based, and I was approached by a products-based company to support them in their business venture. It was an interesting year with that company that they make great products, but it was not a good fit on either side. I was looking at a number of different offers and I left that previous company on good terms, and they asked me to return. It was a good arrangement for both and I stayed for about another four years with them.
The CEO of PingWind and I were platoon leaders together in Iraq from 2005 to 2006. In the summer of 2022, he approached me and said, “We are getting ready to make this acquisition of Exeter Information Technologies. Do you want to come over and support that?” I said, “Yes.” Here I am about eight and a half months later, and we have come through that acquisition. Our mantra going into it was don’t break anything. We have succeeded there.
It’s doing some exciting work, building a team with PingWind. Prior to the acquisition, they were IT services focused much like Exeter is, but they were on the Federal civilian side. They were doing a lot of work with the VA, CDC, and DHS. When I say IT services, you are looking at tier 1 through 4 help us support systems, database administration, software development to a certain extent, DevSecOps, and with a big capital C on cybersecurity. There’s a good bit of overlap between what our acquired entity and what I lead up do and what PingWind was doing. It’s a good synergy between the two organizations.
Outside of work, you are a scoutmaster.
I’m passionate about that. I had the opportunity to get involved. First, my son is a Cub Scout. In my locality, I was one of the first areas to set up a girls’ troop within Scouts BSA. I was an assistant scoutmaster with my daughter, as well as with my son, for about two years. Things developed so that I took over as a scoutmaster for my daughter’s troop.
It’s great because they are both brother and sister troops. They do separate activities most of the time. During the summer, most years they have gone to the same camp, which for parents is super convenient. It’s very helpful because you only have one week where your child or children are off versus trying to plan summer activities around that. We had a summer camp recently. We spent some time out in Southern Virginia with both my daughter and my son and it was a lot of fun.
One of the questions we’d like to ask is, if you could go back in time and give your younger self advice, what would that be?
I looked at this question before the show because I’d been thinking to myself for probably about a week and a half about how I wanted to say this. I’m going to do my best. Investing early in the best version of yourself would be the biggest advice. That’s not just who you are professionally. That’s self-care, family, faith, fitness, finances, and friends.
If you invest in yourself and take that time, it may feel selfish but you are going to have exponential results on the other end. It took me a very long time to realize that. As I have progressed throughout my career, that has certainly become more of a focus of mine and as it has, I seem to have been able to understand human interaction better. I have been able to understand business better because of it.
You might have a book there, The Five F’s or something. For our final question, we’d like to leave our audience with some action items. What’s one piece of advice or a tip that you would give to the audience about reducing their regulatory cyber risk or what’s the biggest thing that they can do?
It’s threefold. You have a diverse audience that’s going to be tuning in to this. The first thing is to stay informed. Everybody can do that. Threats and regulatory guidance are always maturing and adapting as our solutions and platforms. It’s critical regardless of your role, to contribute to that understanding and provide the space for that information to get exchanged.
That goes hand in hand with training. It might sound trite for your employees to click through training on cybersecurity, but when you become complacent especially as we are trying to grow skillsets within our workforce, things like data protection, data handling, phishing attempts, and incident reporting procedures become increasingly important.
What you don’t want to have happen is your employee receives a weird email with a weird link and they don’t know how to report it. Their ignorance of reporting is not on that employee. It’s on you as the team leader. It’s on you ultimately as the president or the CEO. Lastly, you are going to check yourself. Conducting periodic audits and assessments on your cyber hygiene and your cyber program. Internal assessments and maybe having another organization externally. Setting up and creating that space for discovery. Setting up penetration test events are all the things you could do to reduce cyber risk to yourself, as well as to your organization.
That’s some of the best advice that we have got so far on the show. I appreciate that. I hope our audience listens to that, takes that to heart, and shares it with other people who might need to hear that. We appreciate your time with this and thank you for your insight on this. It’s been wonderful to talk about the cyber risk, your company, and everything that’s happening. I’m looking forward to the future of cyber risk and cybersecurity.
We as well.
To our audience, thank you for tuning in. If you have learned something and laughed or played with Down Periscope, please tell someone about this show. Share the book that George had talked about. That’s been another great episode of the show. We will see you next time. Thanks again, Clarence.
Thank you. I appreciate it.
About Clarence Dingman
Customer-focused, experienced operations professional with demonstrated performance in Government products and services industries. Skilled in operations, program and product life cycle management, talent acquisition, team building, technical solution development, quantitative and qualitative measurement, risk management, and logistics sourcing.