They say prevention is better than cure, but how can we prevent a security breach? Mitigating risks in cybersecurity is best done through awareness. In this episode, Ryan Hogge, the Chief Executive Officer of Nebula Cybersecurity, delves into building a security-aware culture in organizations. Building a human firewall through awareness and user training is the highest return on investment you can get as an organization. The framework has to start at the C-suite level and work down to its teams. If you want to know more about how you can mitigate risk in cyberspace, tune in to this episode today.
Nebula Cybersecurity: Building A Security-Aware Culture With Ryan Hogge
We have a wonderful and amazing guest who’s joining us. He’s the Chief Executive Officer of Nebula Cybersecurity. He’s also a seasoned IT security and cyber risk management leader. He’s got over ten years of experience and is also a veteran. Welcome, Ryan Hogge, we appreciate you joining us.
Thank you. I appreciate you having me.
We try to keep these conversations pretty casual. We got to jump straight into the first question. The whole reason we are here for Pineapple on Pizza bears down on this first question of, if cyber risk was a pizza, what’s the riskiest topping you have seen and what topping would you equate it to?
The riskiest topping would be patching and vulnerability management. I would equate that to putting jalapeños on your pizza. Some people like it, and some people don’t. If you don’t patch, that’s a spice and a heartburn that you may have to pay a lot of other green out in order to be able to recover from it. That’s probably the riskiest topping for me.
I was going to say lots of peppers, but jalapeños have a special place. Definitely not those mild jalapeños, we’re talking about the real ones.
It’s got to be the real one. Not the pickled and desensitized or de-spiced kind. We’re talking bite right into it.
We’ve had all kinds of interesting responses. This is the first time we’ve had the jalapeño response. That’s an exciting new arena. We do know at least from the perspective of depending upon what topping you put on your pizza, you might have some heartburn. Curiously, in your role as CEO in cyber risk, what is it that keeps you up at night when it relates to the cyber risk problem?
It’s the fact that we’re behind. We’ve been playing catchup for decades. Cybersecurity was always looked at as an IT problem. That stigma has carried on into recent years. Now, with the progression of cybersecurity risk management, coming into the spotlight, and making its way into boardrooms, people are starting to understand that this is not just an IT problem. It’s a holistic problem. Risk management in general has to address not only all of the threat surfaces but the whole risk surface that you have in order to be a complete program.
Not only would I agree with that for sure, but there’s also more, like an “and.” There’s not a lot of awareness out there, especially relating to the cyber risk topic. It’s refreshing to hear somebody with a similar perspective, as we’ve seen the same challenges. Generally, when you say risk, the department whose ears perk up is legal. There are regulatory requirements and statutory requirements.
This is your average team fighting the ground war with the tooling, the know-how, the patching, and those sorts of things. All of a sudden, there are all these new regulations and things that are happening. What’s your biggest challenge in helping your customers or yourself meet the regulatory requirement?
Regulatory and compliance, I’ve spent a lot of my career helping customers, coming in, and helping do vendor assessments for some clients to help them understand the risks of taking on a new vendor into their organization. When I look at the risk associated with willy-nilly bringing on different companies into that supply chain, it’s starting with a framework for me. It’s the basis of where your program starts.
As these different headline news stories of this cyber-attack and that cyber-attack come into play, you start understanding that if you have a baseline framework in place, it makes it a whole lot easier for you to adjust to all of the changes in guidelines, and regulatory and statutory requirements. It makes that pivot a whole lot easier because you’re just adding the controls that you need to satisfy that requirement.
Coming up in the military, it was always, “You can add to the policy, but you can’t take away from it.” My thought process is coming into these organizations that don’t have a foundational security program. They’re looking for that IT silver bullet to solve the problem, which really is a systemic issue: a lack of an aware culture in the company, and then a lack of dedicated staff. That can only do so much with the technology that they’re getting.
We look at that framework as the crust for our pizza. Everybody’s got to have it. That’s where they start, and then you can have your different flavors with your different toppings. Whether it’s a barbecue pizza or whether it’s a regular pizza, that flavor is where each customer gets to have their own input on what they implement.
Expectations abound outside of what was essentially the norm or the habit in the past, where anything with a blinking light was tossed over to the IT team, including cybersecurity. Now, the expectation of our lawmakers, now insurance companies, and even your own customers comes through cascading checklists of, “Can you prove how secure you are?” That becomes a holistic problem.
What solution do you develop for an organization where you have an eager technology team and security team, but perhaps the rest of the business is not as into it? Is it for bad behavior that happens outside of what essentially are the folks that are trying to enforce, but don’t have the authority over behavior, even at the C-Suite level? What does that solution look like in your eyes?
A lot of it does come down to what we started with, awareness and user training. Building a human firewall is one of the highest returns on investment that you can get, which is what the boards want to hear. The executives want to hear, “Where are we going to invest our money?” When it comes to deciding how you’re going to corral the Wild West, as we used to call it.
Before all of these frameworks and regulatory requirements were making their way into all of these IT teams, leadership has to drive the policies, procedures, and a security-aware culture for the organization. If it doesn’t start at the top and work its way down, what I’ve seen with clients that I’ve serviced before is this. I’ll have a senior leader or an executive CISO bring myself or a team in to develop a data loss prevention program and do a pilot with them.
It’s the process of walking through, “These are the nuts and bolts of what we’re going to implement in the pilot. This is how the users will be impacted.” We’ve tried to do it as low touch as possible on their behalf, but we’re going to train them before we kick things into high gear. We’ll then gather the feedback. As long as we sit, debate, talk, and get it to where everyone’s happy with the end result, we’re going to implement day one of the configurations being implemented.
From the trenches up, the squeaky wheel is squeaking. Leadership is backing off because they don’t want to offend or they want to keep the end users happy. I’ve had a situation where I scaled it back to have to give them the disclaimer and say, “It’s there. It’s in place, but you have no protections on what you wanted to do right now. There is no encryption going on as long as you’re comfortable with that. I’m not sure exactly what we’re doing, but we have to drive the end users to understand the why. They’re the ones that are hands-on-keyboard every day, and they’re the ones that will leave the door open for your data to walk out of.”
I do wonder often about these new cyber laws. It could be data privacy breaches or new mandates for critical infrastructure protection. How do you think things are now? Specifically, on the leadership side, like executives and board members being held accountable, do you think they’re more open to the awareness solution? Where do you see things headed, whether it’s a catastrophe or a happy ending, in the terms of whether or not these leaders can deal with this problem?
We’re at that crossroads right now of leadership and boards understanding that we had this security blanket we called cyber insurance for all these years. For many years, our IT administrators and security administrators have been telling us we needed to upgrade this technology. This is what we needed to do to become more secure and help secure the data. Priorities that exist in the bottom line continue to jump ahead and those projects get sidelined until next time.
Regardless, there’s a certain annual maintenance cost just for hardware and software subscriptions that has to be paid. When you’re talking about implementing a solution to improve or enhance, that means it’s going to come with an initial price tag that a lot of boards aren’t willing to accept and focus more on what is the risk or the impact to our bottom line and revenue versus looking at it from the perspective of, “We can allocate our funds for growth, and then we have a great year in revenue.”
We’ve neglected these incremental projects that could have kept us a little closer behind for many years. Not make it to where it’s such a critical risk now that the price tag is almost astronomical for some just because it’s like a rip and replace. We got to change how we’re doing things. The last report I saw was several months back.
The cost of an average security breach to an organization is over $4 million now. That’s not cheap and insurance companies aren’t going to be paying out anymore. Regulatory programs are similar to the DoD’s CMMC. It’s an actual third-party assessment that organizations can prepare for or they can go through. It adds that certified credential to its name to say, “We can prove that we have a good security posture and a program in place.”
You mentioned insurance. I have attended a number of events throughout the years. From what I heard in articles about 2023, they’re forecasting that your insurance underwriter is anticipating that there will be a requirement for a third-party attestation and audit. It means a hands-off keyboard analysis of the security program as well as the controls that are suggested in the application that weren’t for cyber insurance.
When I hear things like that, as painful as that might sound, it almost seems like we’re learning through going to events, reading, and understanding what’s happening with laws or changes. There are so many of them that you got to get out there to see what’s coming. If you don’t have your ear to the rail, that regulatory train’s going to come steaming down the track. All tech-oriented service providers are tied to those tracks pretty much across the board. That’s the event question. I know what events I go to, but what events do you go to get that view and that forward-looking to learn about things like that so you know what’s coming?
I like to hit as many events as I can. Thankfully, one of the better outcomes from the COVID lockdown was a lot of these events have some virtual offerings that make it a little easier to be able to at least catch some of the keynotes or see some of the vendors that have some presentations there. I did get to go to DEF CON 30. That was very exciting.
I enjoyed that place. They had it in the Caesars Forum. It’s such a diverse group of people. With the varying sections and topics from offensive to defensive to executive, Skytalks gives a great introspective on what makes up the cybersecurity community. People from all walks of life are all there for one common interest, and it’s security. How can we be more secure?
If you don’t have people that are out there trying to figure out, “This is a great tool. How can I break it? Here’s how I broke it,” that’s what allows us to fix things. Along with DEF CON, I try to catch Black Hat. I try to look at some of the more government-sponsored ones like DoDIIS. That is one of the ones they do down in the Tampa area, which is an expo of different vendors that are doing different products and solutions.
Sometimes there are a lot of unique offerings that are starting to come out on the market. I’m all for catching some of Microsoft Build. Some things like that give us insights into a lot of these tools and the suite of tools that we all use. I am a sucker for some webinars. I like to do a beer tasting. I’ve done a couple of beer tastings with Mason’s Brewing up in Maine. They send you a little box and we all get together on a virtual call. We get to talk security and see some demos, and then we get to talk about beer a little bit. Those are some nice after-work-hours events to be able to catch up.
Those are more privatized events or invite-only things. Pre-COVID, I know one event that seemed to be very popular was the Brew Your Own Beer event. Everyone would show up to the place where you get to brew a batch of beer. The sales teams were always excited because it meant a guaranteed follow-up appointment to deliver their beer to them because the beer had to sit for a period of time.
You don’t even see these kinds of events. All of a sudden, you have COVID, and it’s off. Those are done. Even with the rebound, everyone likes the webinar where we get an education or at least a foresight and see what’s coming. An event is convenient, but sometimes books are a great option as well. Do you have any books that you recommend for our audience?
I was trying to think about some of the books. I’ve got a bookshelf of books. I read through a lot of things. I’m ingesting so much digital content now. My schedule, as you can imagine, is pretty wide open at the moment. I’m taking in short bursts of information. One of the books that comes to mind is about cybersecurity. I’ve been reading a lot more into open source intelligence.
It’s a discipline, and spawning off of that track, I’m starting to gain a better understanding of how open source intelligence feeds all of the threat and special intelligence specialties. This is one of the books that is relevant to the threat intelligence perspective. It’s called Threat Intelligence: Collecting, Analyzing, and Using Information to Detect Cyber-Attacks. It’s a Robert M. Lee book.
That’s not specifically just about open source intelligence. Open source intelligence was what I was digging into and it led me to start to read some of this book. One of the issues that the government and private organizations are starting to realize is the era of siloed systems has run its course. The push to the cloud was good in ways. It might not have been executed as elegantly as it could have been, but there’s an enormous amount of technology out there and organizations that are trying to protect and defend. There’s so much intelligence that comes in and so many data points.
When I was running the incident response team in 2018, even then, there was more data coming in than the human eye could observe and verify without a doubt as either a false positive or something that needs to be investigated. Being able to share the work of other analysts, threat intelligence, and threat-sharing programs is the way that the future’s going. If we can get our hands around better authentication, better encryption, and more secured channels of sharing this information, the knowledge that we all have is going to start to grow across the industry in the cyber domain.
There’s always the challenge of natural inhibition. We’re all humans. There are certain things like behavior. Bad is greater than good by a factor of five, according to many of the researchers out there in organizational behavior research areas. It takes one executive’s bad behavior and how they address, handle, or deal with the cybersecurity problem.
If they’re doing something habitually that they shouldn’t be doing, they have to do it the right way at least five times in front of those same people, so those same people follow that habit. Bad is that much greater than good. If they’ll see a bad habit, they’ll duplicate that bad habit. We know the CEO does it or my boss does it.
You hear things like that. As impractical as they are to address, they need to be addressed. The more literature I consume and the things that I read, I realize that there’s a lot of great fighting, protecting, detecting, and responding ground war of cybersecurity. It’s a wonderful thing that needs to continue, but there is some stuff that falls out of the purview.
It doesn’t matter how wonderful your monitoring tools are; if people have bad behavior, they’re going to slip up in some other way that is going to either cause lost business or, eventually, someone’s going to make a mistake. It becomes the beginning of the end, and the incident is upon you. I hate to use the cliché, “Knowledge is power,” but it is true. Good behavior is the hard part to teach.
If you’ve got somebody that’s not behaving properly according to written policies or procedures, it’s something that’s practical and easy to understand. When I hear about these different pieces of literature, we’re starting to see more things evolve in the community. I’ll be honest. I’ve got a big stack of books behind me as well, but I haven’t read all of them. I read the Blinkist. If you’ve heard of Blinkist, it gives you the fifteen-minute version of the book. I’ll buy that book, put it behind me, and put it on my agenda to read. It’s Blinkist.com. This is not a plug. They don’t sponsor us, but that’s what I do. I’d like to be clear on that.
I’m building a library for retirement. Whenever I get around to that in the future, then I’m going to have a library to sit in and plenty of books to read cover to cover. I ingest things pretty quickly so a lot of times, I can thumb through a book pretty quickly and hit the key points myself. I’m going to have to look into that and expedite my speed reading.
It’s also a great reminder.
What excites you about the future? Is there anything that you can think of?
John had mentioned exponential capabilities catching up. We are in this new fourth industrial revolution. Cybersecurity and the space domain are getting me excited. I want to help do my part to build a secure infrastructure and help people understand that there’s cybersecurity. We’ve been trying to do our best to secure all of our networks.
As the space economy starts to emerge and all of these private companies are getting out there and leaning on the edge of space exploration and commercial trips into space, the criticality of securing that area has ignited the passion in my blood. I’m looking forward to being able to enhance that capability. You’ve got AI technologies that are coming more into the mainstream to be able to assist professionals.
If we don’t start learning and letting them assist, the threat actors are already using it to assist them. It’s one of those things where it can be something that maybe you don’t agree with or are concerned about. It doesn’t mean that you can’t start learning about it and start figuring out, “What do I have to ensure from a security standpoint and process standpoint to utilize this technology in a secure manner?”
The evolution of quantum capabilities in the space domain is going to allow us to bring quantum computing into more of a reality because we’re not worried about all the cooling and power consumption that we are terrestrially. The two of these are starting to merge, and it’s going to be a wild ride once we’re there. I don’t even know if exponential is the right word for how fast things are going to go once those are intersecting.
Your insight’s been wonderful. Now, we get to do the fun part, which is learning a little bit about you, specifically. We already know that you’re on the East Coast from some information that we collected. You’re a Deputy Director of IT in the cybersecurity division for what essentially is USSOC or Special Operations Command. Thank you so much for your service, as well as being a veteran, which I hadn’t mentioned earlier. At Hogge Cybersecurity, we know that we have similar mindsets in terms of our why, our passion, and what we deliver. What I like to know is, if you go back in time and give your younger self some advice, what would it be?
I’ve always done things the hard way. I need to learn it better. I don’t know if I would change things, but in hindsight, I would have put a little more effort into computers and technology when I was growing up. It was in school more regularly. As I was coming up, I remember playing The Oregon Trail, and that had me hooked.
During that era, when the internet was coming on board, starting to focus on those technologies and having the insight that this isn’t just an entertainment thing. It’s not, “This is a new cool video game.” It’s having the insight to say, “This is going to be huge. You need to stick with this and learn everything there is to learn about the progress along the way.”
I’ve always said it was a gift and a curse that I learned very quickly. I can come in and pick things up quickly and execute them. It does often lead me to get bored quickly. One of the biggest allures of cybersecurity for me is I’m never bored. There is always something to learn and something to do; there are just not enough hours in a day.
Before I go any further, for a correction, I do know that you work for Nebula Cybersecurity. With the work topic, our work is wonderful. We love what we do. What about outside work?
This is a hard one for me. I saw a quote that was talking about the work-life balance and that it’s important. I was thinking about being in the start-up realm and helping build businesses. I’m like, “It’s hard to have a work-life balance, and it doesn’t work in every season of life.” I do think that it’s important to be able to carve out those times for yourself to unplug and kick back.
When I unplug, I’m a pretty big cook. I’ve got a nice little outdoor kitchen and all the gadgets and gizmos. I enjoy cooking. It’s something I got from my dad. He was big into cooking. I’ve got some dogs I like to train with outside. I try to be in nature as much as I can, on the beach or in the mountains. I’m trying to take it slow. That’s what I do when I’m not working, if I’m not on the computer and actively engaged.
I feel like the demands of life always make us so busy and have a little bit of anxiety for, “I’ve got to do this,” but I’m already thinking about the next thing that I have to do. When it’s quiet, I’m just sitting in my chair downstairs, and there’s nothing on; it’s like, “Let’s see if I can slow time down at this moment.” Enjoying those simple things is what I like to do. I play a little guitar as well.
There’s a book that I read years ago called Don’t Sweat the Small Stuff and It’s All Small Stuff. It’s not a heavy read. It was like these little passages, so it’s a quick read. Just like you, I play guitar. That’s my release. The funny thing about music is that it’s my passion, whether I’m listening or playing. I’ve learned in life that everyone has to find, to use the cliché, their happy place. In reality, it is that peaceful moment when it does come. In our industry, it’s often 24 by 7 by 365. They’re not always scheduled. I can relate to that. I appreciate you sharing a little bit more about yourself. Where can people find you, Ryan?
People can find me on the normal channels. I’m on LinkedIn and Twitter. I’m primarily a little more active on LinkedIn. I like LinkedIn for being able to help curate my different content, sites, blogs, and things that start to populate. My morning news, almost, is what’s going on lately. I’m going to catch the latest breach or cyber-attack. I’m going to have ten people that have posted about it or shared an article, and then that allows me to stay connected a little bit. I don’t trust all the headlines I read. It keeps you a little in touch with what’s out there day to day.
Thank you so much for taking the time to be at our show. Your insight and experiences are very valuable to us and to our audience as well. For the audience, thank you so much for tuning in. If you did learn something new or laughed at something, please tell somebody about our show. We appreciate your time again, Ryan. Thank you so much. There you have it. This has been another great episode on the show. We’ll see you next time. We appreciate you tuning in. Thanks so much.
About Ryan Hogge
Chief Executive Officer of Nebula Cybersecurity
Executive Cybersecurity leader with a wide range of consulting and program management experience in large cybersecurity organizations. Recognized by management for deep understanding of information security practices and standards. Especially effective at training and supporting teams of security experts to establish policies and systems while ensuring compliance standards are met.
Natural leader, lifelong learner, always exceeding expectations are a few words to describe my professional character. As an experienced cybersecurity professional, I’m consistently dedicated to maintaining an up-to-date understanding of the IT threat landscape in my industry. Organizations recognize me for my consistent ability to drive performance improvement in efficiency and effectiveness. As a problem solver, I take pride in undertaking difficult challenges and successfully exceeding goals.
Ryan is a seasoned IT security and risk management leader with over 10 years of experience working in technical and leadership roles as a defense contractor. He is passionate about helping clients achieve their mission objectives by championing development of holistic security operations, manageable security programs, and driving effectiveness through reduction of disjointed solutions to maximize visibility, centralize management, and enhance detection and response capabilities. Ryan’s areas of expertise include security operations, data loss prevention, incident response, regulatory compliance (GDPR, HIPAA, PCI DSS, CCPA), security frameworks (NIST Cybersecurity, 800-53/171, ISO 27001/2, and CIS), risk management, and data protection / governance.
Ryan earned his undergraduate degree in Software Engineering from the University of Phoenix, and graduate degree in Cybersecurity and Information Assurance from Western Governors University. Ryan holds the Certified Information Systems Security Professional (CISSP) certification, Computer Hacking Forensic Investigator (CHFI), and is also a Certified Ethical Hacker (CEH).
Prior to joining CREO, Ryan was a senior computer network defense analyst and led a regional cyber security incident response team for Jacobs Technology supporting the United States Special Operations Command (USSOCOM) global enterprise network on the SITEC II Contract. Ryan’s team was responsible for coverage of approximately 60 percent of the global enterprise covering the United States Army Special Operations Command (USASOC) continental US assets.
Ryan was instrumental in building and strengthening the team and improving operational efficiency and accuracy by 300 percent over the first 90 days as team lead. Prior to Jacobs, Ryan worked for General Dynamics IT, where he spent 8 years working in multiple roles, starting as system administrator, network administrator, and technical instructor, and spending the last 3 years as information systems security officer (ISSO).