[00:00:35] Tom Garrison: Hi and welcome to the Cyber Security Inside podcast. I’m your host, Tom Garrison. And with me as always is my co-host Camille Morhardt. How are you doing Camille?
[00:01:14] Camille Morhardt: Fantastic.
[00:00:35] Tom Garrison: Well, we have got somebody coming to us from France or from a French background, as you will all pick up on his accent, but we’re gonna talk about how to talk about security to higher level individuals, whether it’s things like boards of directors or very, very senior positions in companies. And we’ll hear about what exactly not to do with that crowd when talking about security.
[00:01:14] Camille Morhardt: As a side note, he’s a knight, which I didn’t actually know existed in France. So he explains that, too, but he’s pretty funny about some of the missteps he made along the way in trying to educate boards and senior executives about cyber security.
[00:01:29] Tom Garrison: So let’s jump right into it. Our guest today is Mathieu Gorge. He is CEO and founder of Vigitrust, providing integrated risk management SaaS solutions to clients in 120 countries across various industries, helping CEOs and CXOs and boards of directors handle cyber security accountability challenges through good cyber hygiene and proactive cyber security compliance programs. He’s also a Forbes Books author and speaker. So welcome to the podcast, Mathieu.
[00:02:09] Mathieu Gorge: Thank you very much. Thank you for having me.
[00:02:13] Tom Garrison: So I have to start off. We learned a very interesting fact, and that is that in 2021, the French government awarded you the rank of Knight of the Order of Merit. And I’m gonna try my best French here. Chevalier de l’Ordre National du Mérite. That was my best French.
[00:02:38] Mathieu Gorge: We should do the broadcast in French.
[00:02:40] Tom Garrison: Yeah, that would be a comic. Um, but this is for your work for the French-Irish bilateral trade and in cyber security. So can you give us the background and what was it like to get a Knight of the Order of Merit from the French government?
[00:02:55] Mathieu Gorge: Yeah. You know, so most people would be familiar with the Legion of Honor that you get from the French government. But, um, Charles De Gaulle, back when he was president of France, decided to start a new order called the Order of Merit. And it’s awarded to you when, for your years of service as somebody who helps promote France and bilateral trade with France, in their country of adoption in my case, Ireland.
Um, so it was, it was a great moment. Uh, you get the, you get a medal. In my case, it was the French ambassador in Dublin who gave me the medal. And you get to invite your colleagues and your family. So it’s, it’s a very special moment. You know, we, all volunteers were not paid for the work, so it’s kind of nice to get a, a little bit of recognition and it has that kind of cachet that, you know, everybody thinks that you can only be a knight in, in the UK for instance, but actually there is a knighthood in France.
[00:03:58] Tom Garrison: No, that’s great. And so is there a title or not a title, but do people have to call you like, Sir Mathieu?
[00:04:04] Mathieu Gorge: So I believe that technically in French, you should call me Monsieur Chevalier, which would translate into Sir, but Mathieu will do.
[00:04:12] Tom Garrison: Yeah, well, very good. All right. So, you know, as part of the introduction, I mentioned that you work with board of directors and CEO/CXOs around cyber accountability and just good cyber hygiene. So I wonder if you could just spend a minute or two and kind of give us the high level of what does that mean to you? And, and how do you work with these companies.
[00:04:38] Mathieu Gorge: One of the issues that I spotted earlier on in my career in cyber–I’ve been in cyber for 25 years–was that there was a disconnect between what companies need to do from a compliance and security perspective and what the board and the C level understood they needed to do. So anything that was technical or that was compliance-driven, they would normally just say, “not our problem. Just you deal with it.”
What’s happening now with new regulations worldwide–so you look at CCPA in California, you look at HIPAA in the US, you look at PCI, you look at GDPR, you look at the new PIPL regulation in China–there’s a lot of emphasis on responsibility for the key decision makers of the business. And so one of the things that I try to do is I try and translate the requirements for technical controls, policies and procedures and, and specialized skills transfer from legal jargon, into a language that business people at board level and C level can fully understand. And it’s not always easy, but it’s trying to translate technical or legal risk into a business risk.
[00:05:52] Camille Morhardt: I know you said that you’ve been kicked out of boardrooms before, so I am curious, what did you do to get kicked out of the boardroom and you know, what advice do you have to people to say what you wanted to say and not get kicked out?
[00:06:08] Mathieu Gorge: Yeah. Um, I, I was kicked out a few times for providing probably a good message for the board in order for them to essentially be more secure and more security aware, but providing the message in a non-diplomatic way. So I, I think that we need to understand, and we need to respect that people at board level and at that C level, they’re not here by mistake. They’ve got great expertise and so on. They deal with risk every day. So they deal with financial risk. They deal with M&A risk, HR risk. They had to deal with COVID in the pandemic and so on. And so, we can’t really talk to them in a way that would make them feel like they didn’t understand what was going on–even if, sometimes we don’t understand it.
So the best advice I would have would be to try and bring the discussion back to what they know best, which is risk management in order to fuel growth, create profits with shareholders and create employment, cuz that’s really what they’re measured on. And so turning cyber security into an enabler for the KPIs that they have to follow.
[00:07:16] Tom Garrison: Yeah, I think that’s good advice. It’s actually partly– not partly, it’s a big portion of–what Camille and I have been trying to do with this podcast, which is talk about security, not shy away from any of the issues, but do so in a way that people can understand and approach, bring it to language they can understand. So I think it’s great advice.
[00:07:30] Camille Morhardt: What do you think people in — I know it’s pretty generic to say boardrooms, you know, but if you could, if we could genericize it a little bit and just say, what kinds of things are they thinking about now that they weren’t before? I mean, you are saying, okay, now they’re thinking about cyber security in a way that maybe they previously weren’t thinking that they had to deal with it personally. They were putting it on another, you know, colleague. But how are they looking at it differently than they may have in the past?
[00:07:59] Mathieu Gorge: I think that generally speaking, the board of directors go through what I call the Five Stages of Cyber Security Grief. So the first stage is Denial. “That doesn’t apply to us.” As I said, our role is to grow the business shareholder profits, employment, paying tax for the countries where we work and so on.
The next one is Anger. “Leave us alone. We’ve already given you money to hire a CISO, to hire a risk manager. We’ve given you money for firewalls, for antivirus, for that type of stuff. Just go and talk to those guys. They’ll sort you out.”
The next one is Bargaining and that’s really the, the, the crux of your questions, which is that they realize that their competitors and their peers are actually being audited by regulators and/or have been hacked. And so at that stage, we’re like, “well, okay, maybe we should do a few things.” And so we’re generally speaking hiring a very well-known firm to come in and, and do a security audit, a gap analysis and a roadmap. And that’s a great start, but that’s not the silver bullet.
Then comes the Depression. “We have been hacked. The regulator is at the door. What are we gonna do?”
And eventually there’s Acceptance, acceptance that it’s not rocket science. They’re probably doing 60 to 70% of what they’re supposed to do, if not more– maybe not in a way that we can demonstrate that they’re doing it, but in a way that they can still put their house in order and bridge that gap.
And so I think that we are now all realizing there’s more and more regulatory audits. There was a bit of a pause during the pandemic. But as things are slowly getting back to normal, the number of audits is going up again. And, and unfortunately during the pandemic, the number of hacks went up in every industry. So it’s kind of a wake up call.
[00:09:49] Tom Garrison: So how do you work with other companies and I guess maybe peers of you that are trying to tackle these same problems of getting people to listen. Is there a group of folks that all come together and, you know, share tips and tricks or how, how do you do it?
[00:10:07] Mathieu Gorge: Yeah. So from my perspective, and from Vigitrust perspective, we run what’s known as the Vigitrust Global Advisory Board. And that’s a non-commercial think tank that we’ve been running for about 11 years at this stage. We’ve got 750 plus members from 32 countries and the members are generally speaking board of directors, C Level, law enforcement like FBI, Interpol, uh, French police, Irish police, UK police, and a few others, some regulators, uh, independent security experts and, and compliance experts and security researchers from academia.
And one of the things that is really important for us to understand is that all of the bad guys, they collaborate. They might be competitors, but they are so good at collaborating. We, as the industry are not as good as doing that. And even at government level, there’s good collaboration, there’s good platforms and so on; but we’re not collaborating as much as the bad guys.
And so the purpose of the advisory board is to provide a judgment-free zone where not only are we gonna talk about the changes and the good practices and so on, but we’re gonna talk about what we’ve all done personally, that didn’t work. So that if I’ve made a mistake, of course, I need to learn from it myself, but you can also learn from it. And perhaps you can tell me about your mistakes so I don’t have to make them. And so that sense of building a community is very important because the job of a security officer or a compliance officer is a very lonely job. Nobody knows your name until something goes wrong. And then you’re public enemy number one. And, and that’s not right, you know?
[00:11:50] Camille Morhardt: Are you seeing a shift towards kind of a sense of resilience? I mean, when you’re talking about learning from each other’s mistakes, to me, that’s sort of saying, okay, it’s no longer this thing where you don’t want anybody to know; it’s this horrible thing. And you have to get over it as fast as possible and, and hope that people forget it was you, to more of a “this is a fact of life and we have to learn to be resilient after it occurs.”
[00:12:14] Mathieu Gorge: Yeah, with a few disclaimers that there are more and more mandatory disclosure requirements on the various regulations worldwide. So of course, years ago, when less people had to notify that they’d been breached, if you had been breached, your name was used by people like me as an example; whereas today there are so many organizations that need to disclose that unless it’s a huge breach nobody’s gonna hear about it.
You know, there’s a saying in the industry that I’m sure you you’ve heard, which is that “there are only two types of companies: those that have been breached and those that don’t know they’ve been breached.” And so to your point, I, I don’t think it’s, um, it has that stigma “Oh, these guys don’t know what we are doing.”
I mean, the reality is that as a company, when you defend, you have to get it right all the time, every day; when you attack, you only need to get it right once. Right. So you can take your time to scan for vulnerabilities, to have a look at how’s our network changing. And then once, you know, you launch your attack.
One of the other things to keep in mind, as well, is that there’s a huge difference between a security breach and a security incident. All companies have security incidents nearly every day. And a security incident is defined, uh, in the Verizon Data Breach Investigation Report as an incident that will potentially impact the confidentiality, integrity or the availability of the data or a system, but doesn’t result in a breach that you need to notify. Whereas the breach that you need to notify is where a security incident has resulted in protected data ending up in the public domain in the wrong hands. So that’s slightly different. I think we all experience security breaches every day.
[00:14:05] Tom Garrison: I’m interested about something you said just a minute ago on this group that you have together. How did you get the group to be less concerned about competing against each other and more concerned with obviously sharing information? That, to me seems like a, a very important transition that you were able to make with that group.
[00:14:28] Mathieu Gorge: People come in to learn from each other. So I always say, when we do events and we prepare with some of the panelists, they always ask us, “are we gonna get questions?” And I’m like, “of course you’re gonna get questions because the people that are here are here voluntarily. They’re not here because they have to be there. They’re here to learn and to share their knowledge.”
I don’t know. I mean, maybe call me a cyber security shrink or therapist. I don’t know. But I manage to get people in a room that otherwise would, would not think of even talking to each other. And they’re very grateful for that. So I’ve had interaction with everyone within the group, and it’s, it’s an amazing privilege for me because I’m learning so much from all of the different backgrounds. I can see trends. I can see regional trends. I can see what keeps them awake at night. Uh, I can see what we’re interested in.
As I said, it’s, it’s a very lonely job up there in, in the cyber security and compliance world because the board of directors, generally speaking, sees you as the “Department of No” as opposed to as, as an enabler. And so you don’t wanna be the Department of No; you need to be able to explain to them that all of that investment that we’ve made in cyber–whether it’s for policies, solutions or training–actually adds value to the business, the assets are worth money that we can depreciate and that we can show on, on their financial statements. And the minute it ends up on their financial statements, they’re then able to get their seat at the board on a regular basis.
[00:16:00] Tom Garrison: That’s right. You wanna transition from the department of no, N-O to the department of know, K-N-O-W.
[00:16:08] Mathieu Gorge: Yeah, potentially. Yeah, absolutely.
[00:16:10] Tom Garrison: Uh, one other area along these same lines is when you talk to these companies–the board of directors and so forth–it seems to me like what they really want you to do is make the problem go away, or at least make us safe from this problem. I wonder if there is something that you could share with us in terms of, are there sort of almost infantile steps that they want to take that wouldn’t be sufficient enough, but they’re like, “well, that should be enough.” You know, “if I just do this, that should be enough.”
[00:16:42] Mathieu Gorge: Again, with every respect to those people that have amazing experience and deal with risk every day, they don’t necessarily understand the cyber risk. And so when I go back to my five stages of, of accountability grief, the third one–where they start doing the Bargaining–is the most dangerous one because that’s where they say “we’re going to hire a big firm with a big name. And that will be our Get Out of Jail card. That will be sufficient to essentially say we’re doing the right thing.” And then they might even believe that we’re doing the right thing. That’s very, very dangerous.
The other thing would be to say, “I’m appointing a CISO,” but not giving the CISO a team or budget or a seat at the board because that’s really just being able to say “we have somebody in charge of security” but really they have no say. That is extremely dangerous. So I would much rather a board of directors came and said, “I’ve heard about GDPR. What’s that thing? I don’t know what it is. Tell me why would I need to worry about it?” As opposed to somebody who comes in and says, “I’ve already invested a million dollars today in technical solutions. I don’t need to worry about anything. The compliance people will deal with it” because it’s, it’s not a true reflection of reality.
[00:18:01] Camille Morhardt: Is there something that you feel everybody is kind of worried about right now in general? And then is there something that they’re in general, not worried about that they really ought to be?
[00:18:13] Mathieu Gorge: That’s a great question. So the thing that everybody is worried about right now is ransomware. And ransomware is rampant and that’s true. But the reality again, is that ransomware, when you look at the way it propagates, still propagates because people are not trained the right way. So they’re not trained to see a phishing email with a link that’s gonna execute the software. And they’re not trained to ring their security department if they see that something is, is not right. They’re not trained not to talk to their best friend who is a, an IT guru of some sort and they’re gonna sort out the company computer that’s been infected. We see that everywhere.
And we see a lot of money being put into training on phishing and ransomware and that’s good. What I think we’re not seeing enough is work around critical infrastructure protection at two levels: at the kind of national level–so protecting the grid, protecting the banking, the health system and so on–but also at a personal level, and this is what I call “personal critical infrastructure.” So today I would guarantee that each of you, you have three to five connected devices beside you right now; when you get home, you probably have about 20 to 25. If you’ve got a smart home, then suddenly you’ve got critical infrastructure in your smart home. And so if you don’t protect your smart home, you’re not gonna be careful at work. If you’re not told how to be careful at work, you’re not gonna protect your home. And one day you’ll use your company device at home, and that will be the backdoor back into the corporate network.
So I do think that the industry is currently not doing enough around, uh, education around what constitutes your own personal infrastructure.
[00:20:08] Tom Garrison: That’s, that’s fascinating. I, I think we could probably spend a whole podcast on the whole work-from-home thing and what, what should we be, uh, doing to protect ourselves about that, but maybe you’ve already covered this, but I, I think where we’re at, it would be great to understand if you were only going to give one piece of advice to the people listening to this podcast–who may themselves be the leaders of companies, but probably work for the leaders of the company–what advice would you give them from all your experience in your current company?
[00:20:39] Mathieu Gorge: I always say that security is a journey and not a destination. And that if you look at security as a journey, you’ll know that you can work and you can have a few pit stops along the way, where you are able to validate compliance with PCI, HIPAA, GDPR, whatever it is. But you also know that your risk surface changes all the time. And we’ve seen that during the pandemic where the risk surface went really, really big because everybody started working from home and all the boundaries that we had before were completely changed.
So if you think of security as a journey, rather than a destination, and you are able to impart that knowledge to the board and to the C Level, and even all the way down to anybody in, in the company, you are probably going to get some good results because everybody will feel that we are part of the same journey and that they, they have to, to play a role in, in the success of that journey. But there’s no real destination at the end because it keeps changing. There’s gonna be new regulations, new attacks and new attack vectors. And your surface is changing all the time.
[00:21:56] Tom Garrison: As you know, before we end any podcast, we like to have a segment that we call Fun Facts. And so I know that you have one and, uh, I would love to hear what your Fun Fact for today is.
[00:22:09] Mathieu Gorge: So my fun fact is that when I was a teenager, I was a Boy Scout and I went to attend the Jamboree, which is every four years, all the world Scouts meet up in a different country, different continent. In that year, 1991, it was in, uh, South Korea and the leaders of my group–which was a French group–decided it would be a good idea to go to the border with North Korea to see if they might let us in because we’re Scouts, we’re not military, we’re just here to learn. And so there’s a picture of me outside at the border between, uh, South and North Korea. And I think that in a way, it was interesting for me to see that because I started to see the impact of geopolitical things on what you can and cannot do. And I still use that example on, on a regular basis for my workshops.
[00:23:04] Tom Garrison: Wow. You have been to the border of North and South Korea. That’s interesting. Well, Camille, how about you? What’s your fun fact today?
[00:23:12] Camille Morhardt: So my fun fact is I lived for a little while in Japan. And so I discovered this there and I just went and double checked it. A long time ago in Japan, about a millennium ago before the Heian Dynasty, they really used the same word to denote green and blue. The word is Aoi. And it wasn’t until after that Heian period that they introduced a specific word for green, which is midori. But you still have these vestiges of Aoi being both green and blue. So for example, when the traffic light turns what we would say, green, I think in France and the United States, uh, they would call it Aoi; they call it blue.
Interesting. And there’s a couple of other things too, like we have this expression in English for you’re green, meaning you’re inexperienced. Uh, and they actually use the word Aoi for that as well. So it’s, you’re blue.
[00:24:10] Tom Garrison: Wow. Very cool. So, uh, my fun fact has to do with lightning. So when I think about lightning, there’s, I’ve known this before. I think most listeners know this, that there’s two types of lightning, right? There’s the lightning that goes down to the ground. And then there’s the cloud-to-cloud lightning.
Well, it turns out that these lightning flashes, the cloud-to-cloud ones, can be quite long. And back in April of 2020 there was a single flash of lightning that extended 477.2 miles across Texas, Louisiana and Mississippi. So, uh, there is a little fun fact, 477-mile bolt of lightning. Um, by the way, that eclipsed the previous record of 440.6 miles, which was set in 2018 down in Brazil.
So apparently they do measure these things. All right. Well with that, Mathieu, thank you so much for joining us. And it was a great conversation about how, how we talk about cyber security and getting boards to listen and is a very, very interesting topic. So thanks for being here.
[00:25:24] Camille Morhardt: I feel privileged to have spoken with a Chevalier.
[00:25:27] Tom Garrison: Yes.
[00:25:28] Mathieu Gorge: (laughs) Thank you so much guys, anytime and thanks for the opportunity. I really appreciate it.