In Episode 6 of Breach Ready Dialogues, Agnidipta Sarkar speaks with Dr. Keri Pearlson, Principal Research Scientist at MIT Sloan, about why cyber resilience must go beyond protection and become a board-level priority.
This conversation explores:
• Organizational resilience vs. traditional cybersecurity
• Balanced scorecards for cyber resilience
• Board oversight and accountability
• Tabletop exercises and resilience drills
• Supply chain and vendor risk
• Security culture vs. compliance training
• Microsegmentation and operational continuity
From resilience scorecards to building “resilience muscles” across people, processes, and technology, this episode challenges leaders to assume breach, measure material impact tolerance, and prepare for inevitable disruption.
If you are focused on organizational resilience, board governance, digital transformation, or cyber risk strategy, this discussion will reshape how you think about breach readiness.
Agnidipta Sarkar: Hi everyone. This is Agni again and I’m back with the next version of the Breached Dialogues. And today my guest is a researcher, very different from the people we’ve been meeting. She’s one of the finest working at MIT Sloan and she’s researching cybersecurity. Please welcome. Go ahead. Could you please introduce yourself?
Dr. Keri Pearlson: Oh, thanks, Agni. Yes, I’m Dr. Keri Pearlson. I’m currently a principal research scientist at MIT Sloan. I work on problems that have to do with the management, the governance, the security, and the strategy and the organizational decisions around security and resilience. I actually like to talk about it as cyber resilience rather than cyber security.
Dr. Keri Pearlson: And I’ve looked at a number of different projects over the course of my 10 years, almost 10 years. It’s almost nine years at MIT so far. Previous to MIT I have held a number of different jobs. I’ve been a CIO. I’ve designed and delivered executive education programs in the IT space, in the cybersecurity space, in the analytics space.
Dr. Keri Pearlson: I’ve developed companies and sold them. I’ve been an entrepreneur. I started my career as a data analyst and an information systems analyst at an aerospace company. So I’ve had a number of jobs over my career. I’ve seen a lot of things and I’m delighted to be here today, Agni, to talk about my cybersecurity work at MIT.
Dr. Keri Pearlson: So thank you for inviting me.
Agnidipta Sarkar: No. I’m actually fascinated by the work that you’re doing. And let me be very honest, that for many of us who’ve been in cybersecurity for a long time, meeting someone who’s doing research on cybersecurity and prefers to focus on cyber resilience is not everyday.
Agnidipta Sarkar: It’s rare because everyone we meet is focused on how do we stop the bad guys? Then I met someone a few days ago and she said, it seems like everybody’s chasing the mouse while all that you need to do is stand in front of the refrigerator with the cheese.
Agnidipta Sarkar: I think she meant the same thing, but tell me more about your research, or what is it that you’re doing and how is it progressing?
Dr. Keri Pearlson: I love your story. The bad guys, the malicious actors, they’re gonna come to us, whether we hold the cheese or whether we don’t hold the cheese, especially as we see these new technologies that increase their ability to find the cheese, if you will.
Dr. Keri Pearlson: All the bots they can create, and using tools, whether it’s AI or just regular old IT tools, to find the vulnerabilities that they need to find in our systems. My interest is primarily in what I call cyber resilience. I think pretty much what you were just saying really fits. We spend a lot of money building our levels of defense.
Dr. Keri Pearlson: And building levels of defense, defense in depth. That’s our strategy for keeping the bad guys out. And every time we find a new vulnerability or a new risk, we, we being the general ecosystem of cybersecurity professionals, come up with a new level, a new tool, a new way to stop that particular vulnerability or risk from potentially hurting our companies.
Dr. Keri Pearlson: And to me, that’s really important. We have to do that. And it’s important work and I’m really glad there are people focused on that work. But I like to talk about changing our mindset, instead of just focusing on protection, which is keeping the bad guys out. I think we need, at the senior level and at the board level, I do a lot of research at the board level, to think about resilience, which is: what do we do assuming that we have an incident, assuming we have an event? What can we do now, before we have that event, so that in the event we have already prepared ourselves?
Dr. Keri Pearlson: And to me that is, that we do protection, that’s a piece of it, that we protect as much as we can so that we rarely have the damage. And if we have the damage, it’s as minimal as it can be. And that’s things like backing up our technologies and putting in identity and access management, using zero trust architectures, doing penetration testing, doing all sorts of offensive types of security activities.
Dr. Keri Pearlson: But it’s more than that, to me. It’s about thinking about our people, and doing things so that our people can help us be resilient. And it’s about our processes. Thinking about our processes from the perspective of which of our processes are critical, and what part of our processes could we prioritize so that we offer a minimum level of service, should there be an incident, so our customers aren’t as affected by it. It’s about practicing. It’s about taking the unknown and saying, we don’t know what’s gonna happen, but what’s critical for our organization so that we can get back up to an operational level as quickly as possible.
Dr. Keri Pearlson: To me, resilience is a different mindset. It’s thinking: let’s assume for a moment we might have an incident. What in our organization can we do now so that we have as little damage, as little financial hit, as little operational hit, as little reputational hit, and as little damage in any other area where we would see damage, as possible?
Dr. Keri Pearlson: Then we do it. So it’s really a way to manage the unknown things we can’t really quantify right now, ’cause we don’t know where those things are coming from. So let me stop there for just a minute and maybe we can talk a little bit about your perspective on resilience.
Agnidipta Sarkar: Oh yes. While we were speaking, I was thinking this is so the theme that I go around talking about. But there’s something very interesting in what you said, and that was about processes. And I realized, when I was a CSO earlier in my life, one of the things, I walked across to somebody one fine morning and he put his hand around my shoulder, one of the leaders that is, and he said, how secure are we? And I realized that was probably the most difficult question I would ever encounter. And though I was able to walk away that day by simply telling him that I can give you percentages, but tell me what you really need to know, where are you going, then I can tell you how secure you are there.
Agnidipta Sarkar: So I averted that day, but it gave me an awakening that that’s probably the most difficult question to answer, because if we are not prepared for the next breach, then we really can’t do anything. And that changed my perspective on board investment into cybersecurity.
Agnidipta Sarkar: I realized that if the board starts giving money to me as a CSO and expects me to go and shield everybody else, it’s not making sense, because the board is also giving money to someone else to lead a digital initiative, whose initiative is not connected to my security program. So all that I recommended to them was that we should have three, just three things to focus on at a board level.
Agnidipta Sarkar: One, make sure that everybody who comes to you for a digital initiative, whether he is trying to create a digital warehouse in the factory by connecting data from older machines and creating a new data warehouse which can be leveraged for higher innovation, business growth, et cetera, et cetera.
Agnidipta Sarkar: Or somebody is trying to build a new ERP component, whatever it is that they want. They’re digitalizing gate entries, they’re putting innovation in how goods are transferred, supply chain, it doesn’t really matter, as long as the board says, you’ve come to me with a request.
Agnidipta Sarkar: Tell me, is digital resilience built in? And that’s a difficult question to answer again. So I said, okay, you can then break it down to two questions. Focus on two parameters, indicators. The first indicator is, and this is exactly what you said too, how much material impact or financial losses or reputational loss are we willing to accept for the digital innovation to take shape?
Agnidipta Sarkar: Because it’ll take time to take shape. And until that time, until it becomes completely resilient, how much are we willing to accept? Number one. Number two, and this is also what you said, is we should try and keep as much business operations on during a disruption as much as we can.
Agnidipta Sarkar: So the focus is on how much of our business will remain unaffected by a cyber attack if we are focusing on a digital innovation. And to do that, they have just three questions that they should be asking the next level of leadership, whoever’s come with a proposal. Number one: given your digital proposal, what are the chances that we can anticipate the next attack, given all our investment?
Agnidipta Sarkar: Now you may say zero or you may say a hundred. You may say 50. It’s okay. Start with a number. Next: if we can anticipate that much, how much of it can we contain and keep under control if there is a cyber attack? And number three: if those numbers are not as good as we expect, because it has to be correlated to the numbers that we are looking for in terms of material impact and in terms of viable digital business, how much investment is needed to improve them to meet the expectation of your business growth?
Agnidipta Sarkar: And that’s it. The rest of it, people below will figure out. Now, whether they need an EDR, whatever thing that they need, a security tool, or they need to change the processes. That’s why I found your comment on processes very important, because there are a lot of processes in an organization which are insecure by themselves.
Agnidipta Sarkar: We have retained processes from old times. We have not upgraded them in the digital world. So that’s been my experience on this, on cyber resilience. I feel resilience has to be the ability to withstand a cyber attack, and that is really cyber resilience. How can you withstand and continue doing what you’re doing and probably win from there?
Agnidipta Sarkar: Because I remember I saw a video by somebody and he was showing a graph. And that was about operational resilience, not digital resilience. And he said that there are three stages after an operational disruption. The first stage is that you try and come back as close as possible to what was earlier, the old normal.
Agnidipta Sarkar: And then you would not be able to, and we saw that during COVID, that we were not able to go back to the old normal. Then he said, then you create a new normal, and the new normal might be higher, giving benefits, or lower, losing something. That could be the future. The point is, if you have thought about this earlier, which goes to the point that you were making, if you think about it before that act happens, you would probably be doing it with benefits, which means you would be at a new normal which would be better than the older normal. What do you think about that?
Dr. Keri Pearlson: Oh, I view resilience a little bit differently than you do. And I think thinking about digital resilience is a little bit too narrow. I like the operational and organizational resilience idea, because today everything’s digital. But not everything in the past was, and as you said, we have processes that might
Dr. Keri Pearlson: still be operating at a less, I guess, high level of digital capacity. And as we bring in AI and new tools, we’re changing processes and the way that we do business all the time. To me, cyber resilience means that we’ve thought about and anticipated the impact a cyber incident might have on our organization.
Dr. Keri Pearlson: We’ve put things in place so that we can come back at least as good, if not better. So let me dive another level down. First of all, I’ve written a lot about this at Harvard Business Review, so if some of your listeners are interested, they can do a Google search on my name, Keri Pearlson, and find some of the articles at Harvard Business Review on how I define resilience.
Dr. Keri Pearlson: One of the tools that I like to talk about with the board is what I call a balanced scorecard for cyber resilience. And it asks similar questions to what you just described. It’s based on work done by some colleagues at Harvard Business Review many years ago, which was a balanced scorecard for financial reporting.
Dr. Keri Pearlson: So I knew that work and I adapted that work to the cyber world. I said, let’s take a look at the key components of our operational environment, which are typically things like our people, our technology, our supply chain. Maybe there’s a piece of, there’s certainly financial health.
Dr. Keri Pearlson: There’s a piece of maybe regulation and compliance. And let’s ask, as a board member, let me ask my operating managers, what do you see as the biggest risk? What are we doing about it? What is the biggest risk from a cyber incident and what are we doing about it? So that kind of speaks to your point of where are we with our processes, and what’s the minimum amount of risk we’re willing to, or the maximum amount of risk we’re willing to accept?
Dr. Keri Pearlson: Except it’s a little bit more pointed, because I’m not sure our operational managers think about risk quite the same way that the board does. That’s the whole reason for the board. They’ve got an oversight function, and so when the board says, what’s the biggest risk to our company from, say, our technology, should there be a cyber incident? Then that speaks to something our technology leaders are very comfortable with. That speaks to things like backups, and it speaks to things like new tools in place that help us recover. It speaks to things like you were mentioning about building resilience into the technology.
Dr. Keri Pearlson: But we ask the question a little differently and we say, what’s the biggest risk? Why do you think it’s the risk? What’s the magnitude of the risk? And then let’s discuss what it is you’ve put in place to mitigate that risk. Do we have insurance to cover it? Do we have backup systems? Which also, by the way, in a cyber incident, are highly suspect, because if something’s been in your system for a long time, it’s probably in your backup systems also.
Dr. Keri Pearlson: So what are we doing about the risk? And then practicing it. And that’s another key piece of resilience. I talk a lot about what we call, I’m sure your listeners are familiar with, tabletop exercises and fire drills. We do that a lot with our technology. We try our backups to make sure they’re fail-safe and we know how to move to a backup system.
Dr. Keri Pearlson: But do we do that with our processes? Do we do that with our people? Do we do that with our relationships with our customers? So when we start to think more broadly about tabletop exercises and fire drills, one way to be resilient is to practice. Put yourself in a situation, hypothetically, of a cyber incident, and go through what you would do about it, and actually do it if you can.
Dr. Keri Pearlson: Talking about it is really good, but doing it is really important. You gave the analogy earlier of the person at the refrigerator with the cheese to attract the mice. The example I give with resilience is, the more we talk about it, it’s like going to the gym. You can join a gym, but that’s not gonna give you muscles.
Dr. Keri Pearlson: If you actually go to the gym and work out and practice, i.e., work your muscles, then when the time comes and you need your muscles, you will have them. And I think that same analogy applies with resilience. One of the key ways to be resilient is to practice. Practice the backup. Practice the comeback, and not just from a technology perspective, but have a board tabletop exercise where the board talks about what they would do, have a C-level exec or an executive team
Dr. Keri Pearlson: tabletop, and not just once, maybe regularly, maybe every six months, maybe more often than that, if you really wanna build those muscles to a strong level of competence. So that you don’t know exactly what the situation’s gonna be like when you actually have a cyber incident, but you know that you’re gonna need
Dr. Keri Pearlson: to call on vendors. Some of your vendors, are they available? If a cyber incident happens to your whole sector, are you gonna be the one that doesn’t get the vendor support that you need? If you need to know who your local law enforcement people are that might help you with a cyber incident, have you called them before?
Dr. Keri Pearlson: Let’s not wait until there’s an incident to figure out if we have all of these things in place. That’s what I mean by building your resiliency muscles: to really practice and think about those things in a tabletop exercise. So putting together a balanced scorecard of cyber resilience, where you identify the key risks,
Dr. Keri Pearlson: your operating managers identify the key risks and what they’re doing about it, and doing things like building tabletop exercises or some other kind of exercises so you build those resiliency muscles, are two really important factors, I think, for resilience thinking, and neither of those really comes in when you do prevention
Dr. Keri Pearlson: thinking. Prevention is important. I’m not minimizing protection. I’m just saying those are two examples of things that wouldn’t come up in a discussion of what protection we should put in place.
Agnidipta Sarkar: No, I agree with you. I think I was saying the same thing. Maybe I articulated it differently, but the structure that I talked about, the three questions that
Agnidipta Sarkar: the operational people should really focus on is: given our current investments, how much can we anticipate the next attack? Now that has a few more components in it. How do you anticipate an attack? The good news is there’s enough research available. CISA, for example, has on their website
Agnidipta Sarkar: a list of known attackers and their attack types. MITRE, for example, has got a whole plethora, and now version 18 has come out where they have gone into finer ways of defining how attacks happen. If we are able to consume that information, that intelligence, and then say, okay, given our infrastructure, given our current state, possibly we could get impacted if we don’t defend these, if we don’t change these procedures or these processes that we have.
Agnidipta Sarkar: And I’ll give you a very simple example. The process could be as simple as onboarding a new vendor. Now current processes may require that they go somewhere, get an ID, come on, and then get registered through a particular process. But the new process would say that you can use passwordless cryptographic authentication,
Agnidipta Sarkar: which is available by signing up on this website. Given you get this identity from your company, we are going to allow you to download a specific authentication mechanism which is only tied to one of your machines, and you don’t need any other approvals from us anymore. And you would only be able to get four of them, because only four have been allocated to your company, to these named individuals.
Agnidipta Sarkar: Now, if you’re able to change this, bring in this level of granularity into your operational processes, it means you are anticipating that possibly a valid account of a supplier can be misused and then someone can navigate. If you have thought ahead in advance, you could even think of granularly micro-segmenting your organization.
Agnidipta Sarkar: Which means now you have a different box for suppliers. You have a different box for critical assets, you have a different box for senior leadership. You have boxes everywhere, so that even if there’s a cyber attack tomorrow in the most freely available one, the other boxes continue to operate the way they were supposed to operate.
Agnidipta Sarkar: So that was where I was getting to. And then you also have the ability to contain, which means, like you said, prevention is a very important task. So if there were to be a cyber attack tomorrow, you have your detection tools, you’d be able to detect an attack, you’d be able to contain the attack and keep it limited to where it happened.
Agnidipta Sarkar: And that means your impact is now reduced to one or 2% of the enterprise. You hear, we hear all the time in the news, there has been an unprecedented cyber attack, and in order to save the company from these kinds of situations, it is an unprecedented cyber attack, so we shut down the operations.
Agnidipta Sarkar: You don’t need to do that anymore if you are well prepared. I think what you and I are saying are probably the same thing. But let me ask you this. You talked a lot about people and resilience of them and then you talked about processes as well. What do you think would be a good program if someone were to think about how do we build resilience in people?
Dr. Keri Pearlson: I’m so glad you asked that. I love to talk about the people side of resilience. Some of my work is what I call building a culture of cybersecurity, and I think that’s another really important component of a resiliency plan. When I talk about building a culture of cybersecurity, I talk about thinking about the values, attitudes, and beliefs that we instill in our people so that they do the right behaviors that we want.
Dr. Keri Pearlson: If you think about it, most organizations do a lot of training. I don’t know of an organization today that doesn’t make people who join the company go through some sort of cyber training at the beginning of their onboarding process. And usually in that training we tell people guardrails: you gotta change your password.
Dr. Keri Pearlson: You’re gonna have to take this course every six months or every year. These are the kinds of things we wanna see you do. They’re told that in the first week or month of their employment. And think about all the things you’re learning in your first week or month of your employment. How much of that’s really gonna stick?
Dr. Keri Pearlson: And then we give them training once a year. And most people do their training online while they’re doing words with friends or texting their friends or something else on their phone because the training is usually compliance based. And it’s maybe interesting, maybe not. And it’s just a checkbox.
Dr. Keri Pearlson: And when it’s a checkbox, it doesn’t mean very much. It has very little impact on our thinking about it. The other tool that a lot of organizations use is awareness campaigns. We’re now in November; it was October. October is cybersecurity month, and everybody’s talking cybersecurity.
Dr. Keri Pearlson: And every organization I know sends out at least one email that says something like, oh, by the way, it’s cybersecurity month. Here’s how you can recognize a phishing email today. Or don’t forget to change your password this month, or whatever else they might wanna tell you. It’s awareness.
Dr. Keri Pearlson: Maybe they have things on the walls that say, the data is yours and mine, so let’s make sure we keep it all protected. They have awareness campaigns, again, really important to remind people of things, but not very motivating to change behaviors. So when we talk about the people side of the equation, I like to talk about building a culture of cybersecurity.
Dr. Keri Pearlson: What do I mean by that? If we think about it and we think about what makes you wanna do something, you do the activities you do because they’re valuable to you or because you like doing them, or because your boss told you it’s important and you wanna please your boss. There’s some motivation, there’s some emotional motivation behind why you do what you do.
Dr. Keri Pearlson: There’s a lot of things you could do and you can’t do everything. So you pick and choose what you need to do, and you do it for some reason, not just because it was a training program. The training program might make you aware of what to do, and it may give you some indication of what your company thinks is important.
Dr. Keri Pearlson: But you do it because you feel you’re supposed to do it and you want to please, you want to check the box, or some other motivation. And it’s that motivation that drives behavior. So once we realize that there’s this other motivation that drives behavior, then if we back up, there’s a number of other things we could do besides a training program.
Dr. Keri Pearlson: For example, in one company that I studied, they don’t want people to click on phishing emails. Nobody wants people to click on phishing emails. But in this company, they put consequences in. If you click on a phishing email the first time, you have to take a little short course to remind you what a phishing email looks like, and hopefully it’s still accurate.
Dr. Keri Pearlson: In today’s world, phishing emails are much more sophisticated, so what you learn might or might not apply, but let’s just say that. It’s a consequence. You have to take a little five-minute class. It’s very disruptive. You’re in the middle of doing your work. You click on an email, you have to stop and go do this other course.
Dr. Keri Pearlson: So it’s a pain. It causes pain. And it changes our values about clicking on emails. But if, in this company, you click on a phishing email the second time, you meet with your manager; the third time, you meet with HR; the fourth time, you get a final warning; and the fifth time, you’re fired. You could get fired from that company for clicking on a phishing email, a phishing test, five times.
Dr. Keri Pearlson: Now that doesn’t necessarily work in every company. I’ve shared this example with hundreds of executives and many of them roll their eyes and go, there’s no way we’re firing anybody ’cause they click on a phishing email, and that’s fine. However, in this company, you can be sure that nobody clicks on a phishing test more than once, maybe twice.
Dr. Keri Pearlson: You certainly don’t click on it five times. They learn, because in this company the consequences drive a belief that this is really important. Therefore that changes their behavior. And in another company, a CEO starts his all-hands meetings, all hands, so everybody in the company, with a cybersecurity story, a cybersecurity moment. He might do things like talk about an article that he just read, or he might talk about an incident that he learned about on the golf course, or he might actually bring up his cybersecurity person to talk about something they’re seeing in their environment.
Dr. Keri Pearlson: But the point is, for zero money, the CEO is sending a message to the company about how important cybersecurity is to him. And by the CEO sending that message, spending five minutes of their all-hands meeting on cybersecurity, he is changing the values, the attitudes, and the beliefs of the people that work for him.
Dr. Keri Pearlson: And by changing the values and attitudes and beliefs, he’s driving a new set of behaviors. So I’d like to remark that a culture of cybersecurity can be free. I’m not sure it’s totally free, but this is five minutes of the CEO’s time and the all-hands people’s time, but certainly a lot less expensive than designing an expensive awareness campaign, to spend five minutes.
Dr. Keri Pearlson: And you know what? Every manager that has people that work for him or her can do that same thing. If you turn around at your next all-hands meeting and you say, I saw this cyber girl from MIT talk about how important it was for us to talk about cybersecurity and to bring it into the light,
Dr. Keri Pearlson: you’re gonna change the values, attitudes, and beliefs of the people around you. You’re gonna build a culture of cybersecurity, and that’s gonna change the behaviors of the people in your organization. So when we talk about the people side, another piece of resilience is to really think about putting in a culture, or making explicit a culture, of cybersecurity.
Dr. Keri Pearlson: I have a project right now where I’m trying to articulate a process for evaluating the effectiveness of a cybersecurity culture. I’ve written a lot about culture. I’ve written this model of management tools that lead to values, attitudes, and beliefs that lead to behaviors. Now I wanna find a way to measure it so that we can help managers
Dr. Keri Pearlson: figure out where they stand today and give them actionable insights on things that they can do tomorrow to increase the cybersecurity culture of their organization, or increase the effectiveness of the culture. But I’ve given you a couple examples there. I’m sure you and your listeners can think of dozens more examples of things you could do
Agnidipta Sarkar: Yeah,
Dr. Keri Pearlson: that change our training and awareness. Certainly, I wouldn’t say firing somebody was training or awareness. Make heroes out of the people that do the good stuff. If you tell somebody in front of an audience how great somebody else is, they feel good about themselves, and the people in the audience say, oh, I wanna feel that good about myself, I’m gonna try to do those kinds of behaviors too.
Dr. Keri Pearlson: And you’re changing the values, attitudes, and beliefs. So there’s a lot of things we can learn from my colleagues in the organizational behavior groups about how people are motivated, positively and negatively, and to use those examples for changing the values, attitudes, and beliefs which will drive cyber secure behaviors.
Dr. Keri Pearlson: So let me stop there, see if you have any thoughts on that.
Agnidipta Sarkar: No, I just want to contribute to what you just said and I fully agree with you. Waiting for the cybersecurity month is the wrong attitude.And let me give you another example. What we created were called as information security working groups, and these were at CO plus level.
Agnidipta Sarkar: So every department had to have two senior members in that group who were supposed to just they report all other business progress. They were supposed to report the progress of their business unit for cybersecurity to their manager, a metric and. How do they get that metric? They get that metric from down below.
Agnidipta Sarkar: How do they get that metric? They get the metric from down below. So that’s how the whole thing progresses, and it goes all the way up to the board that this is how it works, and all those people who were doing good. Used to be like you said, made champions out of, and one of the metrics were how many people were made champions because they did something good.
Agnidipta Sarkar: They spread the awareness more or whatever. This is over and above whatever other programs they were having. So I found that model to be equally quite good. In each month they would have they would have a champion. And then during the cybersecurity month, all they were doing. Was recognizing everybody who worked very hard during the year and they were framing up the new program that would come up for the next 12 months.
Agnidipta Sarkar: So to me it was inspirational, because it meant that the organization had complete focus on what they need to do about cybersecurity. But let me come to cyber resilience once again, because I think we started talking about cyber resilience as well. And you talked about the people aspect. There is one thing that I am seeing, and I think you are seeing that too, and I think that’s what started this conversation to begin with, and that is the kind of attacks that are happening across the world today.
Agnidipta Sarkar: They’re focusing more on overwhelming the people. Look at the Qantas breach that happened. Somebody called the help desk posing as a Qantas employee, overwhelmed the help desk analyst into resetting his password, and that’s how he got into his valid account. And then he walked in.
Agnidipta Sarkar: Something similar happened at Marks and Spencer. Something similar happened at JLR, and so on and so forth, to the extent that I think Marks and Spencer, one company, lost a big deal as well. The point is not about who’s right and who’s wrong. The point is, even the supply chain needs to have a very strong cybersecurity program.
Agnidipta Sarkar: And it’s not only about the employees, it’s more about all those outsourced functions that we have and how good they are. Because you think you’ve trained your people, but if you have not done those two parts: the first part is the foundational micro-segmentation thing that I talked about, and the second part is optimizing the processes.
Agnidipta Sarkar: And the third thing is the people, like you said. If we don’t cover all these bases, I think, and I fully agree with you, we are never going to be resilient for the next attack. We’re never going to be prepared or ready for it. I’m just
Dr. Keri Pearlson: Let’s talk about the supply chain for a minute, ’cause you brought that up.
Dr. Keri Pearlson: I think that’s really important. It’s another area that my research team and I have written about and done some work in. So let’s talk about supply chain, because of course we see a lot of vulnerabilities introduced into our organizations from the supply chain. And one area that we’ve been looking at that might be of interest to your listeners is the small and medium enterprise.
Dr. Keri Pearlson: Many companies, 99% of companies ironically, are small and medium enterprises. The big guys are really big, but there are thousands and thousands of small and medium enterprises. And when you start to talk about the outsourcers, their small and medium enterprises are often the people that are the weakest link.
Dr. Keri Pearlson: It might be a person in those companies, but those companies don’t have the resources that larger companies have, and maybe they have outsourced their IT, maybe they use some sort of cloud application, and they assume that their systems are secure because they’re using a cloud application. And we know that the cloud applications are
Dr. Keri Pearlson: more secure than nothing. But most of the cloud providers or the SaaS providers have limited liability on what they will secure for you. So first of all, if you’re using any kind of cloud or outsourced software, you wanna make sure you understand what part you’re responsible for and what part they’re responsible for.
Dr. Keri Pearlson: But more importantly, the research we’ve been doing looks at how companies can help their suppliers, particularly their smaller suppliers, be more secure. We’ve identified dozens of ways that larger companies are helping their small companies be secure. The first thing most companies do, and most cybersecurity leaders think, is we’ll give ’em a checklist.
Dr. Keri Pearlson: We’ll tell ’em to check off, do an inventory, or we’ll ask them if we can come in and do an inventory of what they’re doing, and then we’ll know what their controls are and how safe they are. And maybe we’ll pen test them and we’ll see where the vulnerabilities are. Just think about it from a small and medium enterprise perspective: how many of those people can they support?
Dr. Keri Pearlson: How many checklists can they fill out? How many validations can they let people do? It’s very disruptive
Agnidipta Sarkar: bandwidth.
Dr. Keri Pearlson: They can’t do it. They don’t have the bandwidth. So while that’s the obvious first step for many organizations, it’s not useful. It’s like training and awareness programs.
Dr. Keri Pearlson: It’s the obvious first thing to do. It’s just not enough, and maybe not even effective. So one of the things we’ve seen is companies doing things like reaching back into their supply chain and offering assistance to their small and medium enterprises. Offering things like your cyber team holding office hours once a week for their people to call in and ask questions.
Dr. Keri Pearlson: Offering things like blanket pricing: you negotiated with your vendors for decent prices for your cybersecurity tools; offer that blanket of pricing to your small and medium enterprises. Offering things even like little tools that you use. One company has a spreadsheet, again free, a spreadsheet they’ve already created of how they keep track of all the technology in their environment, so that if there’s a breach, they know whether it affected them or not.
Dr. Keri Pearlson: A lot of these breaches affect a particular product. Maybe you don’t even have that product, or maybe you do and you don’t know you have that product. How would a small and medium enterprise even begin to know if they have that product? I’ve seen one company help them, help their vendors,
Dr. Keri Pearlson: catalog what the technologies are in their environment so that they know if there’s a breach or not. There are companies like Dragos who have built a whole outreach program for small and medium enterprises to offer these kinds of tools. I believe it’s free, to help these kinds of companies that don’t have the resources of a larger company figure out exactly what it is that they could do
Dr. Keri Pearlson: for as low a cost as possible. So when we talk about the supply chain, it’s one thing to say that a vendor might introduce a problem, like an air conditioning vendor, which we’ve seen multiple times. Even air gapped systems aren’t really air gapped when it comes to remote maintenance. They’re definitely not air gapped when it’s remote maintenance.
Dr. Keri Pearlson: So you might have air gapped a system and it actually is connected somehow that you may not even be thinking about. And that connection could be a source of entry for some sort of vulnerability. So having an approach that helps your suppliers be as secure, more secure, as secure as you need them to be, is something that we’ve been studying here at the Sloan School, and we’ve seen a number of different ways that companies can actually help secure their supply chain by helping secure not just their customers, but their vendors.
Agnidipta Sarkar: I would love to go on, but I think we are close to our time. Let me first thank you for great insights, and let me stop here and thank you for being on my show and I, my pleasure. I am hoping we are gonna talk again in some time and then meet, and this.