ByteWise

Unraveling the (con)fusion between Tech & Risk Management


Episodes

12 hours ago

Welcome back to ByteWise! Today, with the episode launching on April Fool's Day, we're diving into the world of phishing tests. It's a topic that often straddles the line between a security measure and, let's be honest, a workplace prank. We're here to discuss how these tests have evolved, moving from potentially punitive tools to a more nuanced approach. Glen kicks us off by defining phishing as a subset of social engineering, focusing on email-based manipulation. He outlines the common tactics cybercriminals use, like malicious links and fraudulent requests.
We then delve into how the approach to phishing tests has changed. Initially, they were often predictable and monthly, but now, they're more random and ad-hoc. Glen explains how fear-based approaches have been counterproductive, damaging trust between employees and the IT/security team. We share personal anecdotes, like Daniela's memorable e-card phishing test experience, to illustrate this evolution.
The conversation shifts to moving beyond punitive measures. We discuss why mandatory training videos and disciplinary actions are ineffective, and instead, we emphasize the importance of clear reporting processes and effective training. We also touch on the necessity of including everyone, even IT, in these tests. Glen suggests focusing on varied training methods, like webinars and bite-sized modules, and creating a supportive environment for reporting suspicious activities.
We emphasize the importance of clear reporting and communication, ensuring employees know how and where to report suspicious activity. The gray area of dealing with repeat offenders is explored, discussing the balance between employee development and organizational risk. We discuss the importance of having a policy for repeat offenders.
Finally, we discuss fostering a security-aware culture, moving away from fear-based approaches and building trust. We emphasize the role of the IT/security team as a resource and the importance of friendly, approachable security personnel. Daniela wraps up the episode with final thoughts and a reminder to stay vigilant, especially on April Fool's Day.
Key Takeaways:
Phishing tests should be educational tools, not punitive measures.
Building a security-aware culture requires trust and open communication.
Clear reporting processes are essential for effective security.
Resources:
https://tech.co/news/study-workplace-phishing-tests-success-rate
https://www.usenix.org/system/files/usenixsecurity24-schops.pdf

Friday Mar 14, 2025

Ever wonder if your disaster recovery (DR) plan would actually work when you need it? Daniela, Brian, and Glen cut through the jargon and get real about DR, focusing on the security gaps you might be missing. They unpack why backups aren't a silver bullet, how problems can lurk in your recovery plans, and why relying solely on cyber insurance can leave you exposed.
What You'll Learn:
Backups: Not Your Security Blanket: Glen explains why hackers target backups and how to fortify them. Think of it as securing the vault, not just the money.
Cloud Caution: Brian warns against putting all your eggs in the cloud basket. Learn why you need your own data copies and how to make that happen.
Ransomware's Hidden Threat: Glen reveals the scary truth: infected backups can re-infect your systems. Discover how to spot and eliminate this risk.
Insurance Reality Check: Daniela and Brian break down what your cyber insurance really covers. Don't get caught off guard when you need it most.
Recovery is a Team Sport: Daniela emphasizes that DR isn't just an IT problem. Learn how to involve everyone and why your team's input is crucial, especially from the people who work with the systems daily.
Actionable DR Tips: Get practical advice on testing your DR plan, identifying critical systems (BIA), and building a resilient recovery strategy.
Key Takeaways:
Don't assume your backups are safe. Proactively secure them.
Diversify your data storage. Don't rely solely on cloud providers.
Scan backups for malware. Assume the worst.
Understand your cyber insurance policy's limitations.
Involve your entire team in DR planning.
Test your plan regularly. Real-world events are unpredictable.
A Business Impact Analysis (BIA) is your road map.

Tuesday Mar 04, 2025

In this episode, Daniela welcomes Treena Reilkoff, an expert in conflict management and resilient risk mitigation, to discuss the human side of risk management. Treena shares her insights on how trauma and stress can manifest in the workplace, the importance of creating a psychologically safe environment, and practical strategies for leaders and employees to navigate challenging situations.
Treena emphasizes the need for trauma-informed practices in organizations, highlighting the importance of recognizing the signs of trauma and stress, and having systems in place to support employees who have experienced a critical incident. She also discusses the concept of resilient leadership, which involves not only bouncing back from adversity but also learning from it and preparing for future challenges.
The conversation touches on the cost of conflict, both in terms of financial impact and the toll it takes on employees' well-being. Treena provides practical communication strategies that can be used to de-escalate conflict and support employees in need.
Finally, Treena encourages listeners to educate themselves about implicit bias and its potential impact on decision-making and workplace culture.
Resources:
TLR Solutions for Conflict: https://tlrsolutions4conflict.ca/
Implicit Bias Test - Harvard University: https://implicit.harvard.edu/implicit/takeatestv2.html
Connect with Treena Reilkoff:
LinkedIn: https://www.linkedin.com/in/treenareilkoff-tlr-solutions4conflict/
Website: https://tlrsolutions4conflict.ca/
Key Topics:
Trauma-informed conflict management
The impact of trauma and stress on the workplace
The importance of psychological safety
Resilient leadership
The cost of conflict
Practical communication strategies
Implicit bias

Tuesday Feb 18, 2025

Daniela and Brian tackle the topic of disaster recovery (DR). They define DR, discuss its importance, and explore how it relates to business continuity. They also delve into the role of cloud computing, the importance of backups, and the challenges of testing and budgeting for DR.
Key Takeaways:
DR is a subset of business continuity: It focuses on the technology component of recovery.
DR is not just for major disasters: It applies to any disruptive event that impacts your technology and data.
Every business needs a DR plan: No matter how small, every organization relies on technology and needs a plan to recover it.
Cloud computing can help, but it's not foolproof: While cloud services can transfer some risk, organizations still need to consider their own DR needs.
Backups are essential: Having copies of your data and systems is crucial for recovery.
Testing is key: Regularly testing your DR plan is the only way to ensure it will work when you need it.
Budgeting for DR can be challenging: But it's a critical investment in your organization's resilience.
Connect with Us! 
Brian Tallon
Daniela Parker
Glen Sorensen

Monday Feb 03, 2025

This episode of ByteWise Podcast features Mark Carroll, a senior business executive and founder of the Masters of Science in Enterprise Risk Management program at Boston University. Mark discusses the evolution of risk management, the importance of understanding operational risk, and the critical skills needed for success in the field. He also shares insights into the unique aspects of the BU Risk Management Program and offers advice for those considering a career in risk management.
Key Takeaways:
The Genesis and Evolution of Risk Management: Mark Carroll discusses the inspiration behind BU's Enterprise Risk Management program, addressing the gap in comprehensive risk education, and how the field has evolved from an insurance focus to a holistic, enterprise-wide approach incorporating security, business continuity, and supply chain resilience.
Navigating the "Resilience" Buzzword and Emerging Risks: Mark shares his perspective on the overuse of "resilience" and the need for tangible changes in practice. He also emphasizes understanding the root causes of emerging risks, even as they manifest differently, and the importance of critically evaluating and debunking perceived risks.
Key Skills and Career Paths in Risk Management: Mark identifies curiosity, challenging assumptions, and deep business understanding as crucial skills for risk managers. He also describes the diverse career paths BU graduates pursue, leveraging their rounded business education and risk expertise in roles across supply chain, finance, and operations.
The BU Risk Management Program: A Unique Approach: Mark highlights the program's focus on operational risk (differentiated from market/credit risk), its field-based approach drawing on instructors' practical experience, and its emphasis on harmonizing various risk disciplines within an organization.
Advice for Aspiring Risk Managers: Mark emphasizes continuous learning, adaptability, and understanding business operations to effectively identify and manage risks, offering valuable guidance for those entering the field.
Resources:
Connect with Mark on LinkedIn
Boston University MS Enterprise Risk Management

Tuesday Jan 21, 2025

In this episode of ByteWise, we welcome our first international guest, Klaus Agnoletti, a security professional with 20 years of experience and a passion for improving security policies. Klaus discusses why security policies are often overlooked, the importance of clear and concise language, and how AI can be used to create more effective policies. He also shares his insights on the cultural differences in approaching security policies and the importance of open communication.
Key Takeaways:
Readability is crucial: Security policies should be written in simple, easy-to-understand language to ensure that everyone in the organization can comprehend and follow them.
Inclusivity fosters a security culture: Using inclusive language in policies helps to create a sense of shared responsibility for security across the organization.
AI can be a valuable tool: AI tools can assist in writing, analyzing, and maintaining consistency across security documents.
Don't be afraid to challenge the status quo: If a policy doesn't make sense, speak up! Open communication is essential for creating effective security practices.
Cultural differences matter: Different cultures may have varying approaches to following and enforcing policies. Understanding these differences can improve communication and compliance.
Resources:
Connect with Klaus! 
Website
LinkedIn
Klaus Agnoletti's LinkedIn Articles:
Can AI make security policies more human?
Simplicity is your best security tool
Security Policies: when did we decide they had to be boring and written by lawyers?
LIX Score
Connect with your Hosts:
Daniela
Glen
Brian
Call to Action:
Review your organization's security policies and consider how they can be improved for readability and inclusivity.
Experiment with AI tools to help with policy writing and analysis.
Foster a culture of open communication around security policies.
Subscribe to ByteWise

Tuesday Jan 07, 2025

In this episode of ByteWise, Daniela Parker connects with Margaret J. Millett, winner of the 2023 BCI Lifetime Achievement Award, to discuss her remarkable journey in business continuity management. Margaret shares valuable insights on navigating the ever-changing landscape of risk, emphasizing the need for adaptability, continuous learning, and strong leadership support. They delve into the challenges of securing executive buy-in and board engagement, highlighting the importance of clear communication and demonstrating the value of business continuity in mitigating a wide range of disruptions. This insightful conversation explores the evolving nature of risk, from cybersecurity and supply chain disruptions to the growing impact of climate change, and underscores the need for integrated, holistic approaches to resilience.
Margaret and Daniela also discuss the importance of breaking down silos between disciplines like cybersecurity and business continuity, recognizing that these areas are interconnected and require collaborative efforts. They touch on the unique challenges faced by women in the field and offer advice for those entering this dynamic profession, emphasizing the value of mentorship and continuous self-advocacy. Throughout the episode, Margaret shares her perspectives on common misconceptions about business continuity and encourages listeners to embrace a proactive approach to risk management and live each day to the fullest.
Key Takeaways:
Adaptability is key: The business continuity landscape is constantly evolving, requiring professionals to stay informed and embrace new challenges.
Leadership buy-in is crucial: Securing support from executives and boards is essential for building and maintaining strong resilience programs.
Break down the silos: Cybersecurity, business continuity, and other disciplines must work together to create a holistic approach to risk management.
Embrace mentorship: Guidance from experienced professionals can be invaluable for navigating the challenges and opportunities in this field.
Live with intention: Don't take any day for granted and approach your work with passion and purpose.
Connect with Margaret! 
For the video, head on over to our YouTube account!

Tuesday Dec 24, 2024

It's the last episode of 2024 and the ByteWise crew is taking a look back at the year that was! Join Daniela, Brian, and Glen for a casual conversation about their biggest takeaways from the past year, including the rise of AI, the evolving Agile landscape, and the importance of collaboration and communication in organizations.
Key Takeaways:
AI is here to stay. While the initial hype may be fading, AI tools like ChatGPT and Gemini are proving to be valuable assets. The team discusses the importance of understanding AI's capabilities and limitations, as well as the need for organizational guardrails to mitigate potential risks.
Agile is more than just speed. Brian emphasizes the need for a reset in the Agile community, focusing on the holistic benefits of Agile methodologies beyond just faster delivery. The team highlights the importance of customer centricity, continuous improvement, and realistic expectations when implementing Agile.
Collaboration is key. The hosts reflect on the unique synergy they experienced while working together, emphasizing the importance of cross-functional collaboration between risk, InfoSec, and IT teams. They stress the need for open communication, understanding different perspectives, and breaking down silos within organizations.
Cybersecurity is everyone's responsibility. The team discusses the persistent misconception that smaller organizations are not targets for cyberattacks. They stress the importance of understanding and quantifying risk, and using effective communication strategies to engage employees and promote a security-conscious culture.
Looking Ahead to 2025:
The ByteWise team is excited for what 2025 holds, with plans for new guests, engaging topics, and continued exploration of the ever-evolving world of cybersecurity, risk management, and technology.

Tuesday Dec 10, 2024

Join us as we chat with Eddie Miro, a cybersecurity expert with an unconventional path into the field. From dial-up tech support to teaching at community colleges and creating games for DefCon, Eddie shares his unique journey and insights.
We delve into the world of Capture the Flag competitions, discuss the challenges of breaking into cybersecurity, and get Eddie's advice for aspiring professionals. Plus, we explore the importance of community and mentorship in the cybersecurity world.
Key Takeaways:
Multiple Paths to Cybersecurity: Eddie emphasizes that there's no single "right" way to enter cybersecurity. College, certifications, home labs, and community involvement all offer valuable avenues.
The Power of Community: Active participation in the cybersecurity community, including attending conferences, volunteering, and networking, can open doors and provide essential support.
CTFs as Learning Tools: Capture the Flag competitions offer a fun and engaging way to develop cybersecurity skills and gain practical experience.
Overcoming Hiring Hurdles: Eddie provides tips for navigating the cybersecurity job market, including tailoring resumes, networking, and seeking referrals.
Cybersecurity for Everyone: Even those in non-technical roles can benefit from a basic understanding of cybersecurity concepts. Eddie offers up some helpful tips.
Resources:
Antisyphon Training: https://www.antisyphontraining.com/
Octopus Game: https://defcon.social/@OctopusGame
DEF CON: https://defcon.org/
Cyber Skyline: https://cyberskyline.com/
National Cyber League: https://nationalcyberleague.org/
CTFtime: https://ctftime.org/
Connect with Eddie Miro:
LinkedIn: https://www.linkedin.com/in/theedmiroshow/

Tuesday Nov 26, 2024

In this episode of ByteWise, Daniela, Brian, and Glen tackle the ever-present challenge of prioritization, especially as the year ends and new goals loom. They discuss the difficulties of prioritizing in a shared organizational structure, where everyone believes their work is the most important. The conversation explores the importance of saying "no," managing expectations, and aligning projects with strategic goals. They also delve into practical strategies for staying focused and productive, including minimizing distractions, using planning poker for prioritization, and taking time for self-care.
Key Takeaways:
Prioritization is tough: Everyone thinks their work is the most critical, making objective prioritization difficult.
Saying "no" is crucial: Learn to decline projects that don't align with strategic goals or are consistently low priority.
Focus on a few things: Trying to do everything often leads to doing nothing well.
Context switching kills productivity: Minimize distractions and interruptions to maintain focus.
Use planning poker: This tool helps teams collaboratively prioritize tasks and projects.
Align with strategic goals: Connect your work to the organization's overall objectives to increase its perceived value.
Document everything: Keep records of decisions and recommendations, especially when your advice is overruled.
Take care of yourself: Prioritize your well-being to avoid burnout and maintain productivity.
Resources Mentioned:
Planning Poker
Related Episodes:
The Agile Secret Sauce
Call to Action:
How do you prioritize your work? Share your tips and strategies in the comments!
Connect with ByteWise:
Website
Follow us on LinkedIn


In today's digital landscape, the convergence of Technology, Information Security, and Risk Management is not just beneficial, but essential. Technology drives innovation and progress, but with this advancement comes increased vulnerabilities and potential threats. Information Security acts as the guardian, protecting data integrity and safeguarding against cyber threats. Meanwhile, Risk Management provides a strategic framework to anticipate, evaluate, and mitigate these risks, ensuring that technological growth is both sustainable and secure. Together, these disciplines form a robust shield, fortifying our digital world against the ever-evolving landscape of threats. By understanding and integrating these three pillars, organizations can achieve a harmonious balance between growth, security, and resilience. We invite our listeners to join this crucial conversation: subscribe to "ByteWise", share your thoughts, and be a part of shaping a safer, more innovative future in technology.

Copyright 2024 All rights reserved.
