Helping leaders motivate their people to a higher level of performance through strong human relations, team building and GOLA GV. This is the Seven Minute Leadership Podcast with your host Paul Falavolito.
Hello everyone, and welcome to the Seven Minute Leadership Podcast. It's episode 583. Today we're talking about cybersecurity, not from the IT department chair, not from a vendor trying to sell you software, but from the leader's seat. Because cybersecurity is no longer a technical issue. It is a leadership issue. It lives in your decisions, your habits, your discipline, and in your blind spots. If you think this is something you can delegate away completely, you are already exposed. So today I want to give you a practical cybersecurity checklist for leaders, not theory, not corporate BS, a real-world checklist that you can mentally run through the same way a pilot runs a pre-flight or a paramedic checks their ambulance before a call. And for this episode, I have brought back into the studio probably the most listened-to and requested guest in Seven Minute Leadership history. He is a cybersecurity subject matter expert, a nationally recognized cybersecurity educator, Josh Gelman. Welcome back to the Seven Minute Leadership Podcast.
It's quite the introduction, thank you.
Yeah, I know. Here, you've got a lot to unpack with that. You ready to go? Yeah, let's do it. All right. So the first item on the checklist is ownership. Every breach story starts the same way: no one owned it. It was IT's problem, it was outsourced, it was assumed to be handled. Leadership never asked the question, who owns cybersecurity here? And if you cannot name the person responsible, including yourself, then you have a gap. Ownership doesn't mean that you're the one configuring firewalls. It means you're accountable for the outcome. Leaders own outcomes even when others own tasks.
Yeah, and it's ultimately all about accountability, as you said, because anytime there's a cyber incident, you always get people pointing fingers at each other: who's responsible? And sometimes it's not even just isolated to the organization itself. They'll say, oh, the insurance company is responsible, or a third-party managed service provider is responsible. So that's not something you want to be dealing with during or even after a cyber incident. You need to have it very clearly written, very clearly established, who is being held accountable for cybersecurity in the organization prior to anything actually ever happening.
The second item is access discipline. Who has access to what and why? Former employees, vendors, contractors, temporary staff, shared passwords, generic logins. This is where organizations bleed without realizing it. If someone leaves your organization today, how long before their access is shut off? Is it minutes, hours, days? If you don't know the answer, that's the problem. And access is, I think of it as, like keys to the building. Leaders would never say, well, we think the keys are probably back. Digital keys deserve the same respect.
And I think with the topic of access, there's two quick things that people should be aware of. One is least privilege. So if you have access to a system, you should only have access to that system if you need it to do your job. So everybody shouldn't be administrators. You should only have the minimum access necessary to do your job. And then the other thing is, after you leave the organization, you don't necessarily want to go in there and delete or wipe out the account altogether, but you want to disable it, because you still may need to get access to whatever that person was doing, especially if they didn't leave on good terms. You may need to get access to their storage. So you want to disable the account initially. You don't want to just wipe it out right away.
Great point. Third item is backup reality. Everyone says they have backups. I think few have tested their backups. Backups that can't be restored are not backups. They are a false sense of security. So I think you can ask one simple question, when was the last time we restored from backup fully, successfully and under pressure? If the answer is never or no one is sure, you are gambling and hope is not a strategy, especially when ransomware does not care about your budget or your mission.
The other question is always going to be, how do you know it's a good backup? How do you know your backup hasn't been compromised as well? You might be restoring to a backup that's already compromised. So how far back are you taking backups? And absolutely, like you said, are you testing them? Are you trying to restore them and seeing if you're actually able to do it?
Excellent.
Fourth item is training that sticks. Most cybersecurity training is forgettable. Josh, I've traveled across the country to support you and attend your trainings. They are unforgettable, which is why you're here again. But people just click through the slides. They do the annual box checking, no real retention. Your people are your biggest vulnerability and your strongest defense. Leaders must demand training that actually changes behavior, things like: do your people know how phishing works? Do they know what a suspicious login looks like? Do they know what to do if something feels off? And more importantly, do they feel safe reporting mistakes quickly? Or do they hide out of fear? And silence is how these small issues become catastrophic ones.
You could do a whole podcast just on training. I think the only things I would add to that are, number one, it's always good to do some level of in-person training, because the online stuff, some of it's good, some of it's bad, but people will always find ways to just go through the motions and not actually retain or learn anything. So in-person training from a reputable trainer is always good. And then if you can incentivize it in any way, and I don't mean negative reinforcement, I don't mean like you fail so many phishing emails and you get fired, but some way to incentivize it in a positive way, to motivate people to actually want to complete the trainings and do well and look out for themselves. I always try to put things in terms of how it's going to protect the individual and not just protect the organization, because most people don't. Frankly, if you're an employee, you don't really care so much about the organization, but you care about yourself. So how is it going to affect you?
The fifth item is device control. What devices are touching your network? Is it personal phones, home laptops, tablets, USB drives, public Wi-Fi? If you allow remote access, bring your own device, or cloud tools, you need clear rules, not suggestions. You need real rules, because leaders set standards. Standards protect people and systems. Ambiguity creates gaps, and attackers live in gaps.
And don't forget to scan your networks regularly and look for any shadow IT too. Those are devices that people within your organization might add without you knowing it or without your authorization.
Yeah, I forgot about that.
Thanks, That's why I'm here.
I know. The sixth item is vendor trust. Every organization now depends on third parties: software platforms, billing companies, scheduling tools, cloud storage. Leaders, I think, have to stop assuming that vendors are secure and start asking questions like, how do they protect data? And what happens if they are breached? How fast do they notify you? Because, right, trust is earned through verification, and this applies to people and technology.
And there are services out there that will do third-party risk management or third-party risk assessments to assess your vendors. And some of the services that are out there are free. I mean, if you do a Google search for vendor third-party risk management, third-party risk assessment, you'll find different things, different services that might be able to help with that, if you don't have a department or a person devoted to performing those tasks internally.
Yeah, very cool. The seventh item on the list is incident readiness, not if, when. Do you have a plan for a cyber incident? Who gets called? Who speaks publicly? Who shuts systems down? Who makes the call to pay or not pay? And if your answer is, we'll figure it out, that's not leadership. That's improvising under stress, and stress exposes weak systems fast. So run the scenario now, calmly, instead of for the first time when everything's on fire.
Yeah, do a tabletop exercise at least to identify some of the gaps. One of the questions I ask students a lot in classes is, at what point, if you have cyber insurance, at what point are you going to engage with your cyber insurance provider? And they often don't have an answer to that either, so that gives you the opportunity to ask and answer some of those questions prior to an actual incident.
The eighth item is leader behavior, and this one's a little bit uncomfortable. Leaders who bypass controls, reuse passwords, ignore updates, or demand shortcuts teach the organization that security doesn't matter. Your behavior sets the culture. If you treat cybersecurity as annoying friction, your team will too. But if you treat it like safety, discipline and professionalism, they will follow. This is like red key leadership territory: high-consequence moments, small decisions with massive downstream impact.
If your leaders have poor cyber hygiene, you can't expect your employees to have anything other than poor cyber hygiene. It's just like any other characteristic. If your leaders walk into your organization with a disgruntled attitude every day, then how can you expect your employees to act any differently?
Yeah, the ninth item is continuous attention. And Gelman, you're going to be so proud of me for saying this, because I wasn't always this guy before I stumbled into all of your education. But cybersecurity is not an annual conversation. It is a standing agenda item. Leaders revisit it the same way they revisit finances, staffing, scheduling, and risk: regularly, calmly, and they ask better questions over time. What changed? What new threats exist? What are we exposed to today that we were not exposed to last quarter? Because this is leadership vigilance, not paranoia.
Yeah, I mean, just like any other security topic. If you think of physical security, for example, you know you don't just plan once for something. You're always revisiting it, always thinking what other threats might be out there. I mean, especially in today's world with cyber and artificial intelligence, the threats are evolving faster than we can keep up with them. So it's something that needs to be a continual discussion, not just, hey, we're going to revisit this annually.
Thanks for drilling that into my head over all the years.
Well, I'm glad to see it stuck.
Yeah, it did. But here's a hard truth and a hard pill to swallow. A cyber incident doesn't care if you're a nonprofit, a public safety agency, a small business, or a global company. It doesn't care about your mission statement or your intent. It only exploits gaps, and leaders reduce gaps through clarity, ownership, standards, and follow-through. Cybersecurity is not about being perfect. It's about being prepared, disciplined, and honest about where you stand.
I think the last thing I would add to that is, you get a lot of organizations that say, why would anyone attack me? Why would anyone hack me? And the answer is, why not? You don't have to be a multi-billion-dollar corporation for attackers to come after you. You just have to be an easy enough target.
So leadership today is not only about people in the room. It's about systems you cannot see, risks you cannot touch, and decisions that protect others long before they ever know they were at risk. So take this checklist seriously. Lead it from the front, and your organization will be stronger for it. Josh Gelman, thank you once again for coming into the studio for this episode.
Ah, this was fun. I appreciate you having me.
This has been the Seven Minute Leadership Podcast, and I thank you for listening.
For more Paul Falavolito podcasts, visit paulfalavolito.com.
