Cybersecurity is one of the most important issues facing businesses and organizations today. The increasing reliance on technology has also increased the threat of cyberattacks. While there are many challenges associated with cybersecurity, there are also opportunities for organizations to improve their cybersecurity posture. Dr. Edward Amoroso, CEO of TAG Cyber, sits with Matthew Stephenson to bring insights about keeping the world secure in the modern era. He also talks about the role of people in building a cybersecurity strategy and the three dogmas of cybersecurity. Ed started TAG Cyber in 2016 to democratize research and advisory services and unleash his inner entrepreneur. Business Insider tapped him as one of the country’s 50 leaders “who helped lead the cybersecurity industry.”
The True Need For Cybersecurity: Creating A Secure World In The Modern Era With Dr. Ed Amoroso
We are bringing you all the top experts in the industry for a chat about everything that’s interesting in keeping our world secure. Speaking of keeping our world secure, we are excited to welcome Ed Amoroso to the show. Ed is the Founder and CEO of TAG Cyber. He is a Research Professor at New York University, an Adjunct Professor at Stevens Institute of Technology, and Senior Advisor to the Asymmetric Operations Group at The Johns Hopkins University Applied Physics Laboratory. Business Insider tapped him as 1 of the country’s 50 leaders “who helped lead the cybersecurity industry.” This is a coup. Ed, welcome to the show.
It’s my pleasure to be here.
You got a lot of fingers in a lot of pies, even from reading that out loud and remembering when we talked about it. That’s amazing. The biggest thing in the industry that everybody is trying to wrangle, the lifeblood of security, is people. In your experience, is there anything more chaotic when building a cybersecurity strategy than the people who make up an organization?
First off, I don’t think it’s ever a good idea to “blame” people for security problems. We’ve done it wrong if it’s too easy for my mother to click on something, download a phish or get bots on her computer. Next thing you know, she’s attacking China all day from a computer. I don’t think that’s my mother’s fault. It’s like the doctor blaming the patient. That’s a principle that when you talk about people and casts and so on. It’s not reasonable to blame people. That said, the way our systems work, it is spectacularly easy for people to make bad decisions.
We are not going to be able to change that with tech overnight. Over time, that should be our goal. The goal should be, it’s almost impossible for a human being to make a bad decision. That’s what tech should do. Until we get there, we are obliged to make sure that we try to help people make better decisions. I don’t know what the stats are but 1/4 of people still smoke or something.
If you can’t talk people out of smoking, you are going to have a hard time talking them out of making some bad security decisions. That’s the conundrum. We shouldn’t be blaming them. It’s not right. We have to rely on them, and a certain percentage will never listen. That’s partly why we are in such a deep you know what in cyber. That’s one of the reasons.
I’m with you. Blaming is not the right way to go but people by nature are chaotic. We want them to be chaotic because from chaos comes creativity but that’s a fine line to walk when you are building a strategy to encourage creativity. At the same time, make sure that they don’t put themselves in a position to do something unwittingly that is harmful.
Here’s maybe an analogy, almost a metaphor that has always worked for me when this topic comes up. My father-in-law was an older guy. He died a few years ago. He’s 98 or something. He lived with us. I remember he had this TV. It wasn’t a smart TV. He had a clicker. He’s standing there with the clicker and the TV and says, “Is there any one thing I could break with this?” In an older TV connected to a set-top box, a cable thing, and you are clicking around. There’s not very much you could do. It was a limiting experience but it was safe. You were working in a box, essentially. By the way, my son was a little hacker at the time. He would hit the mute button so my father-in-law couldn’t hear the sound.
The point was that when he was standing there with this clicker in a limited environment, he could be as chaotic as he wanted. He can hit this, hit that. “Pop, you won’t break anything. Relax. The tech is set up, so you can’t break it.” If he were around now, the TVs we have in the house, these things are like little mini servers, basically. They are connected to the internet.
If he was standing there with the clicker now saying, “Could I break something?” I would say, “You better believe you can.” He could probably create a disaster for me at the account level, with my Apple accounts, my streaming accounts, and this and that, and connections to the internet. The box has been removed. It’s now a much more creative experience, but there’s the danger now that that chaos could create lots of problems.
It’s a metaphor for where we are. You can either put people in a box and make it nice and safe or you can remove the box and give them the ability to have this spectacular creativity but then that chaotic behavior could lead to a problem. Again, that’s a good description of the challenge that we have every single day. You put it well. You want to let people be creative but you also want to find a way to make sure that you minimize the damage.
You want to be somewhere between those two extremes so that people can get their work done and be creative. We are getting there but a little more slowly than I would like. There’s way too much risk in cyber. It’s all out of whack. You will never get the risk to zero but the things are way too out of whack. We have to fix that.
If the risk gets to zero, then we are in brave new world territory, and nothing is interesting anymore. You need a little bit of risk to get a little bit of seasoning on the food, I would think but that, again, spurs the creativity.
It will never be zero. I spent a little time on the board of a large Fortune 500 bank as a Director on their board. I hadn’t grown up in financial services. I grew up in telecom. What I learned was there are still physical bank robberies. COVID was good for bank robbers. You wear a mask. I was like, “Are you kidding me?” “Yes. We are looking at the stats.” It’s rough on the teller. It could be an uncomfortable experience when you go through it but it doesn’t cascade. Usually, there’s not a lot of violence typically but there is a percentage of them. The risk of physical bank robbery is not zero.
When was the last time you laid awake at night, worrying about bank robberies? When was the last time it even came up on the news? We don’t even think about it. It’s not part of our day-to-day ethos at all but it’s there. That’s the goal for cyber to get to the point where there are still attacks but I could go six months without thinking about it because society has gotten to the point where we are totally cool with it. There’s going to be some background activity that happens. You factor it in but it’s not out of whack.
That’s not where we are now. Where we are is you still have these spectacular attacks that are disproportionate to the consequence they should have. We’ve got to get it down more like bank robbery where it’s, “Yeah, whatever.” It should be this specialized thing. We shouldn’t have thousands of cybersecurity companies, and every single company has a new employee and a few hundred people to look for incoming. It’s crazy. It’s an insane setup that we’ve got in cyber. It will be temporary, and I would say twenty years from now, I don’t believe the cybersecurity profession will be what it is now. It will be something different.
On the heels of the bank robbery reference, make sure to check out another episode where we talk with Freaky Clown from Cygenta, who does physical pen testing and has literally been breaking into banks for many years, stealing servers, and then bringing them back the next day. How about to that point as we talk about the risk that people are because with people, we want them to be what they are?
You talking about bank robberies made me think of that opening scene in Pulp Fiction, where he tells a story about how he robbed the bank with a phone. This was 1992, so social engineering. You are literally handing someone a phone saying, “We’ve got this girl kidnapped. If you don’t give me the money, we are going to take it.”
When you are quantifying your employee population, how can you quantify who is good at what and know who is susceptible to potential physical attacks, potential social engineering attacks, and technology attacks? You are not just the CEO of a company but of a security company. Your role is even more intense because you are the expert running a company of experts. You’ve got to make sure your experts are not posing a risk.
There are two dimensions to that. The first is personal. The second is around a job. Let’s start with the second one, the job dimension. Let’s say you and I work in a call center where everything that comes in is pretty predictable. We both have a headset on. We’ve got a computer in front of us. We work on one app. People call in, they are having trouble with their blah, blah, blah. We help them with that. We close out the thing, and we go on. They call in the same problem. We help them and close it. It’s a job that I would claim would be low-risk for us to be doing something untoward. We are not transferring money. We are not making big, consequential decisions about resources. It’s not a varied mix of things from all over the place that must be interpreted.
We are probably not rushed. We do our work day in, day out. That’s a low-risk job. That stands in contrast to maybe a different job in the business. Let’s say you work in the finance group, and you deal with 2,000 suppliers and all kinds of people you’ve never heard of before sending you invoices, purchase orders, and all kinds of crazy things coming in. You have to make sense of that. That’s a high-risk job. That’s one where it might be possible that if you make a mistake, a whole bunch of money could be at risk in contrast to the other job. The first dimension is regardless of the type of person you are and how trained you are, those jobs are different. That’s why when we talk monolithically about security awareness, it’s wrong because some jobs are not important. Others, it’s important. That’s the first dimension.
The second is the individual. A rough, I hope this doesn’t come out wrong, but a crude guide to how capable you are is probably your age. The actuarial tables probably fix a lot of bad behavior. The higher you go up in an organization, usually, people that have a little bit more years’ experience are the worst of all. A corporate board can turn on the iPad.
For individuals who have less instinct around cybersecurity, I don’t mean training, I mean instinct. For example, my daughter is a senior at NYU. She’s grown up. She’s a digital native. Something will hit her phone, and she laughs about it. I will go, “What is that?” “Look how dumb that is.” I go, “How do you know that’s dumb?” She goes, “Dad, I’m no idiot.” I look at it and think, “I must be an idiot because I’m not sure I see it.”
“I own a cybersecurity company, and you are rolling your eyes at me.”
She speaks natively. She grew up speaking the language, and I didn’t. I grew up at a time when I didn’t have an iPhone and a laptop. I’m sitting here on my MacBook Air talking to you. I didn’t have one of these when I was a teenager. I’ve heard them speak with an accent in tech, even though I’ve been immersed in it my whole life but I’m still not as good as my daughter.
I’m totally stealing, they speak with an accent. That is the best description of people our age who do this thing. You and I appear within a couple of years of each other. That’s incredible.
We learned the language. We know what we are doing but it’s an accent. You put those two things together and can build a little matrix. Obviously, the riskiest situation is someone who’s not a digital native, has poor instincts, and is in a scary, dangerous job. The best case of all is somebody who’s in a low-risk job and has amazing instincts about cybersecurity, tech, and scams.
A business should be looking at that. It shouldn’t be, again, this monolithic we are going to sweep through and send phish testing to everybody, and 83% of the company did okay but 17% didn’t. I was looking at that and saying, “That’s so brain dead.” That assumes everybody is in the same job. Everybody is in the same place. That’s not the way to do it.
What you want to do is you want to go to your high-risk individuals in high-risk jobs and spend as much time as you can with them. Low impact folks, don’t waste your time. You are not going to teach my daughter anything. You are just going to waste her time and get her annoyed about cybersecurity because it becomes a nuisance. She could probably teach the class. That’s the way it works. People should be putting a little bit more thought into how you educate. I hope that makes sense. There’s a high risk, and there’s a low risk. We treat everything monolithically. I know that’s wrong.
The industry and all of Corporate America have changed a lot where you see younger people rising up through the ranks higher. When you talk about high-risk, high-impact, when we get to the top of any business’ food chain, we go beyond the C-Suite into the boardroom, what about your experience there? Naturally, they are going to tend to be older than some of the lower risk, lower impact people but correspondingly, are they tech savvy? Are they security savvy? In your experience, when you come in to sit down with board members or have sat on boards, what is the security awareness and level of your peers sitting around that table?
For some background, I probably have as much board experience in cyber as anybody on the planet. I’ve sat on boards. I briefed them. I had to deal with a gigantic board through many years of my career. I consult with them. I run war games with them. I know boards quite well. I’m going to give some tough love here. I’m going to say a couple of things here that you don’t normally hear. The first thing is it is absurd that they request or demand training in cyber. Let’s think a bit about what it is to be a board member. It means when you are invited to be an independent director of a company, that means you have been a person of some stature.
You run a company. You’ve done something important. You’ve had a career where your judgment is useful to that company because that’s why you hire a board. You hire them for their judgment. You don’t hire them to make management decisions. You want judgment around governance, big decisions, and whether you’ve hired the right people. It’s judgment, not management. It’s not about processing data and making a management decision.
It’s about your judgment, about who you are. Again, we talked earlier about speaking with an accent. Here’s what that means. If you join a board and, let’s say, for example, you don’t know the first thing about finance and you say, “Thank you for putting me on this board. Would you teach me what an income statement is? What are profit and loss? What is EBITDA? What is that thing?”
There would be some social consequences to that at breaks during meetings and be like, “Who let that person on the board? He didn’t know what an income statement is, are you kidding me?” What if you get on and you say, “Thank you so much for putting me on this board. Would somebody teach me about marketing? What is that? What is a brand? What does it mean to segment your customers? What’s the difference between advertising and marketing? I don’t understand any of this.”
Should you be on that damn board? No, absolutely not. Marketing, HR, personnel, finance, and business operations are things that you need to understand. You don’t have to be the world’s leading expert in marketing but you should know enough about it to have judgment so that when you are sitting on the board, you are pulling on your expertise and your judgment, your experience without somebody training you about marketing.
Let’s go to cyber or tech. You joined the board, you are sitting there and go, “I don’t even know how to turn on my iPad. I have my thirteen-year-old to do that. Would you give us training in tech? We need one-on-one remedial training in cybersecurity.” Tech and cyber are as important to modern business as marketing and HR. Do you want to know something? You shouldn’t be on the board if you need training.
Can you imagine the look on their faces when you bring in your college senior daughter? She’s the best person to teach you this. They are expecting some 55-year-old PhD to walk in, like, “No. This young woman is about to show you more than you’ve ever learned.”
Let me make sure I’m being clear. I don’t think anybody should be teaching them. If you need to be taught, then you shouldn’t be on the board. You don’t belong there. You should self-select out. You should resign now if you don’t understand cybersecurity and are on a board.
You said, tough love. That is the toughest love.
Can you be on a board if you don’t understand finance? You will look like an idiot. People would say, “Who let you on?” There are basic things you need to have. Let me give you another example here because this is an important point. When you sit in a board meeting and have a heavy tech and security audience, probably a lot of them, when they are interacting with the board, it’s around tech.
I’m going to give you a little insight into what it’s like in other areas. Let’s say the finance team comes in, and you have been a board member, listen to the finance, and talk about the results. It’s great, and they go through. There’s a presentation, a deck, PowerPoint, Excel, and all this stuff that you are reading through. Afterwards everybody thanks them. The CFO and everybody gets kicked out of the room, and then the board closes the door.
Everybody pushes the paper away, leans back, and you hear things like this, “I saw those damn numbers but I don’t believe any of that. I have been doing this for 40 years. Here’s what I think it is.” Somebody goes, “I also saw that 5 years ago, 10 years ago. I know that. I get the numbers but trust me. It’s this other thing.” A decision gets made based on judgment, experience, and expertise that we had. Are you going to buy this bank? Are you going to merge with it? Governance is based on judgment. In contrast, the security team comes in and presents all this stuff as dashboard crap, risk, and our SIEM, attacks, security ratings, and third party, on PowerPoint and Excel and all this stuff.
Everybody thanks them. They go off and close the door. The board looks around. There’s usually one person on the board who has five minutes of cybersecurity experience. All the heads turn to her and they go, “What do you think?” Suddenly, the decision is made based on her judgment because nobody else has instincts in this at all. They don’t know what to say. It seemed okay. It looks like the presentation was right.
The person didn’t seem nervous when they were presenting. It must be good. It’s a lot of b*******. That’s the problem. When boards are making cyber decisions with no judgment, they are not even speaking with an accent. They don’t even speak the language, much less speak with an accent. That’s what you have in current boards. They all have a token person, including me. When I’ve done my board work, I have always been the one where they turn their heads, “Ed, what do you think?”
Suddenly, I made the decision. That is wrong. Over the next 5 to 10 years, it will be partly just people. The actuarial tables, people die, quit or whatever. They get replaced by people who have a little bit more judgment. In the meantime, a board member who has no experience in tech or cyber in any business should turn in their resignation tomorrow and say, “I’m not fit to be on a corporate board in 2023 because this is too important, and I have no judgment in that area.” That would be the honest, reasonable thing to do. Nobody will because they want the money, the private jet, and the whole status thing of being on a board but it’s the truth.
Tell me, if this is an oversimplification, is the board potentially the biggest insider threat because the risk they could pose is at scale?
No. They don’t manage. The board doesn’t do anything other than provide governance. It’s an important function. It’s a judgment function that a senior executive team should be pulling on. There’s a lot of years of experience. When the company has to make a major decision, they can weigh in. Boards are important but boards don’t manage. They don’t make budget decisions. They are not involved in operations. They don’t have access to systems. There’s nothing there other than the little thing that gets put on Boardvantage every month. Before the meeting, they would see some financials and stuff.
They could mishandle that but most board secretaries provide that now in a protected cloud. In most companies, the board members don’t get a packet mailed to them anymore. They are not handling anything. They come in. It’s presented usually in a sound and safe manner. They will look at it on a company-issued iPad sitting in front of them. There’s not much damage that a board can do other than to be utterly inept at providing governance. That’s the problem.
Different types of threat.
I don’t think that there would be targeting. I worry about fake news on deepfakes. I worry about board members being put into compromising things, saying dumb things where it’s pure deepfake. Companies now need to include that in their equation and have the ability to spot quickly and respond quickly to an obvious deepfake video that might have their CEO or board members or executives doing something they didn’t do but that was manufactured using the software.
Let’s extrapolate this up to the next level once we get out of the private sector and into government. When we are talking about the Senate and Congress, making decisions about cybersecurity and cyber warfare, we’ve all seen probably not a lot of cyber expertise at the actual elected official level. From your observations, are we putting them in the position to make the right decisions when it comes to cybersecurity at a state or even a local than the national level?
Two things to say. First is that there’s a heavy concentration in the government of people who spend some time in the military. They tend to have pretty good instincts about information warfare or cyber defense, particularly if you were in the Army or Air Force, one of the services. Those individuals tend to have good instincts about cyber.
When you meet members of Congress who served in the military, they are usually pretty good. My Congressman here in New Jersey is Mikie Sherrill. She was a helicopter pilot. I’ve met and talked to her. She’s got a pretty good understanding of this stuff. That’s the first thing. That’s good news that when people come from a military background, I’m sure you’ve seen that in your work, they usually get it. You don’t have to convince them of the threat.
It isn’t perfect. It doesn’t always extrapolate like to a bank or something but it’s pretty close. That’s the good thing. The bad problem we have in Fed gov, and it’s not something that you can blame on the Republicans, Democrats or anybody but it’s this common dogma that I’ve criticized. I criticized, by the way, with love. I’m old enough that I can get up at a podium and talk trash about DHS and then get off and still be best friends with them. I’m this old guy. I’m like Bernard Baruch or something.
He used to sit on the bench and look out at the White House. Baruch said he was like the overseer, the old guy. There’s a little bit of me that’s like that. I know them all. They let me get away with saying what I want to say but let me share with you the dogma that is wrong in government. It existed from Clinton to Bush, to Obama, to Trump, to Biden. They all believe the same dogma.
Dogma number one is that information sharing solves cybersecurity problems. The truth is that we have been doing information sharing since PDD 63 under Clinton, written by Dick Clarke. It does not solve cybersecurity problems. That’s a good thing to do. We have been doing it for many years. Do you feel safer now than you did many years ago? I don’t think so.
You probably feel less safe than you did then. The first dogma is information sharing is not the solution. Number two is this crazy belief that 99% of the attacks all use these simple, basic things. If you fixed those few basic things, we are good. That’s completely wrong. Here’s an example. Let’s say you have a barn. The doors are wide open in the front, the windows are off, and there are cracks in the roof. The thing’s a mess. You notice that when people go in to steal horses out of your barn, 99% of the time, they go through the front doors that are open. You say, “All I have to do is close the front doors, and then I won’t lose any more animals.” Ignoring the fact that the windows are not on, the roof is leaky.
I can climb on the side. The wall I could pull aside and walk in. I’m not going to do that if you left the damn doors open but I’m going to go through that. They miss the fact that the reason the obvious stuff is used is that who’s stupid enough to do not obvious stuff when you can do the easy stuff? We complain about Huawei and ZTE.
We say they are going to bug their equipment to steal our data. Does anybody stop and think the Chinese are already stealing our data? Why would they need to rig the equipment? They don’t because they come in through our front door. They do APTs. The whole thing is crazy. Our supply chain strategy for China is to stay away from ZTE and Huawei, and then we will lose our data. They have been living in a cave for the last few years.
Those two companies then we should be good if we stay away from them.
They worry about closing the crack on the roof, and the doors are wide open. That’s dogma number two. Dogma number three is maybe the most dangerous. The Federal Government believes that people like myself who live in the commercial industry. I’m still deeply ingrained at TAG Cyber, we’ve worked directly with 82 companies on their cybersecurity strategy, their work, and their day-to-day stuff.
We are a bunch of teams of former CISOs that are immersed in the day-to-day protection of a lot of companies. We are right in the middle of it. The Federal Government believes that we do know how to stop cyber-attacks. We are just too lazy to do it. We have to be fined, cajoled, called into court or yelled at because we are too focused on profit and not spending enough, not getting the fact that we are trying as hard as we can here.
We need the government to be helping, not fining and taking people to court and making a whole big fuss if you do something wrong as if we know exactly what we are doing. We are just being lazy. Those three pieces of dogma are all wrong. They have been consistent through 4 or 5 presidential administrations. When I go down to DC, and I’m sitting there with the senator, with the members of Congress or they are in the West Wing, wherever the hell you are, I say that. It’s met with good nature but they don’t absorb my points that that dogma was wrong.
Information sharing doesn’t stop cyberattacks. Stopping the top 2 or 3 basic stuff doesn’t stop an advanced persistent threat from nation-states. Yelling at CISOs and fining companies and demanding that they report everything, that’s not going to make us better because we are already trying as hard as we can. I don’t buy the fact that business is lazy. Everybody is trying really hard. It is a hard problem. That’s where the government gets it wrong. Those three elements have been wrong for many years.
Back to the opening bit about chaos, we managed to make it through about 60% of the questions that I had. Consider this the official invitation for a return engagement. I do want to hit a couple of questions on the leadership corner. What are you listening to now? Are there any bands on your playlist? Are you reading anything good? Have you discovered a recipe that you want to share with the world? Take me inside the house.
I have eclectic interests. I’m always reading older business, sales books, and leadership books. I’m addicted to books that are around self-help. I always go back and look at older books. There are some that I loved that I go back and reread. At TAG Cyber, we are selling. There’s this wonderful book written in the ‘30s. It’s got the goofiest title. I literally have it on my table, and I’m reading it. It’s called How I Raised Myself from Failure to Success in Selling. That sounds goofy. It sounds like the kind of thing that would be written in the ‘30s but it’s a beautiful book by a guy named Frank Bettger, who was the third baseman for the St. Louis Cardinals.
He threw out his arm, went into the insurance business, and learned how to sell. He wrote these beautiful little chapters about how you interact with people. He was like Dale Carnegie’s best friend. It’s that folksy stuff. I’m addicted to those older books that have simple messages. A few months ago, I went back through Alfred Sloan’s, My Years with General Motors.
It’s a book written in 1960 but he had org charts for General Motors in the ‘20s, ‘30s, ‘40s, ‘50s, and ‘60s. You can watch the progression of that corporation through 40 years. For me, I love reading that older stuff. Here’s a problem we have in tech. The vast majority of the people reading are front windshield people, meaning big front windshield, real small rear-view mirror. That’s tech.
A little bit about where we came from but not so much. Everything, go, go, go, future, innovate, new. I like to live my life differently. I have a small front windshield. I’m careful about where we go but I try to immerse myself in the rear-view mirror. Where did we come from? What did we learn? What mistakes did we make? What can we learn from generations that have been through this?
Tech usually doesn’t do that. Who the hell does that in tech? We don’t look in the rear-view mirror. The things I’m usually listening to and reading tend to be older things. I’m always trying to learn from something old and then inject that into my teaching at NYU, my coaching at TAG, my support work for enterprises and vendors, and always trying to pull on principles from many years ago.
They always say, “You are so smart.” I don’t correct them. Let them think I’m some genius. I’m just reading these older things and going, “That fits here,” and then I will throw it out and they will say, “You are smart.” I will go, “Yeah, I’m smart,” but I’m not. It’s just doing something a lot of people don’t do. If you went to my bookshelf or at least my desk, you would see a lot of older books on the table.
It’s like the periodic table of elements. You can make the coolest, newest, bubbly, flavored water, whatever. Do you know what you need? Water. Do you know what you need before that? Hydrogen and oxygen. Maybe let’s go back a little deeper into where this came from to figure out where we can go next. Last thing, shameless plugs. People are looking for you, looking for more information about TAG Cyber, classes you are teaching, and all the cool stuff that you’re up to. Where can people go?
I will give you a few things. First, TAG-Cyber.com is our website. We research as a service. We support vendors. We love doing that. It’s a growing business. We are about 40 now. We double every year. We compete with Gartner. It’s fun every day doing that thing. At NYU, I teach in a couple of different programs. If people are interested, it’s a Master’s degree in Cyber Risk and Strategy. It’s popular. We have sitting members of Congress who come and take our one-year Master’s course. You can find it MSCRS @NYU. I’m one of the program leads. I teach two courses in the series. It’s quite fun. On LinkedIn, you can look at that. I’m always posting my Charlie CISO cartoons that I do with Rich Powell.
I can vouch for that. Not sucking up. Those are good.
He’s my alter ego. We are always trying to find little ways that Charlie can find himself in some crazy situation and then behave in a way that most others do. At TAG, we are expanding our practice into climate science. We are starting to deal with climate science vendors and startups and do a similar advisory for companies that are building products and technologies that help the world get to zero carbon.
That’s the advisory we are looking at. In 2023 we will do AI and Web3 but we will try to pick things that are socially responsible and put expert analysts in front of businesses who can help them with problems that are meaningful. We think cyber is hugely meaningful. We could blow ourselves to smithereens if we don’t get the cyber thing right. We think the climate is in the same category. We are building out a practice there.
That’s going to be the thread that’s going to run through your next appearance here as soon as you are available. We can get everybody booked at the same time. That is it for this episode. I want to thank everyone for tuning in and joining us on Friendly Fire. For more information on all that’s good specific to insider threats, the chaos of people but cybersecurity writ large, make sure you check us out. We are @Hello_Elevate on Twitter. Also, look for us on LinkedIn and Facebook. The website is ElevateSecurity.com. You can find me @PackMatt73 across all the socials. Ed is officially invited back. We have been doing some great stuff but we’ve got a lot more great stuff to come. Make sure you join us. Check it out. All we ask is you subscribe, rate, and review, and you will never miss all the great folks. We will see you next time.
- LinkedIn – Elevate Security
- @Hello_Elevate – Twitter
- Facebook – Elevate Security
- LinkedIn – Edward Amoroso
- TAG Cyber
- How I Raised Myself from Failure to Success in Selling.
- My Years with General Motors.
- @PackMatt73 – Twitter
About Dr. Ed Amoroso
Dr. Ed Amoroso is CEO of TAG Cyber. An NYU professor and former AT&T executive, Ed started TAG Cyber in 2016 to democratize research and advisory services and unleash his inner entrepreneur.
Business Insider tapped him as one of the country’s 50 leaders “who helped lead the cyber security industry.”