In the midst of today’s rapidly changing business environment, organizations are increasingly acknowledging the importance of a robust Risk and Resilience strategy. iluminr’s “Gamechangers in Resilience” interview series is specifically designed to showcase the inspiring journeys of leaders who have exemplified remarkable resilience, enabling their organizations to flourish in the face of unprecedented challenges.
October is Cybersecurity Awareness Month, a time when we focus on the critical importance of safeguarding our digital world. At iluminr, we are proud to support this initiative by highlighting the exceptional stories of cybersecurity leaders. These individuals have not only protected their organizations and communities but have also fostered an environment where innovation and growth thrive in the midst of cybersecurity challenges. Their inspiring journeys serve as a testament to the power of resilience in the realm of cybersecurity.
Greg Tomchick is a former professional baseball player turned award-winning cybersecurity coach. He has worked with more than 250 world-renowned companies including American Airlines, Caterpillar, and Trinity Rail. He is regularly featured live on ABC and Fox News, and is an expert contributor to Inc. Magazine. After building multiple seven-figure companies for America’s most prestigious families, he is now the CEO of Valor Cybersecurity and host of The Connected Mindset Live Show. Greg helps industry-leading executives and brands connect to the mindsets that enable them to protect what they value most, in life and in business.
Q: Can you share your background and experience in the field of cybersecurity and resilience? What drew you to this field, and what key lessons have you learned along the way?
Greg: I am a cybersecurity coach and advisor, specializing in working with executives to digitally protect their businesses and ensure secure digital transformation. My company, Valor Cybersecurity, provides implementation services and coaching to mitigate digital risks. I was introduced to cybersecurity by having a cyber-attack on my first business, a software development agency. It cost us $75,000 in 2016, later causing us to shut down the business. At the time, I was in Spring Training playing Minor League Baseball with the St. Louis Cardinals. I decided at that time that I was going to be the go-to resource to help business executives understand and prevent cyber-attacks from taking place in their business.
1. Every business leader must understand the term “Technical Debt”.
2. Never underestimate the human factor in security; security is a mindset.
3. Know what you and your business value most, and focus on protecting that.
Q: Can you provide a brief overview of what cyber resilience means in today’s ever-evolving threat landscape, and why it’s crucial for organizations?
Greg: It is critical to first recognize that resilience is both mental and physical; we often reference it as just mental. We must build both. Cyber resilience is the ability of an organization to prepare for, withstand, and recover from cyber threats.
Given today’s rapidly evolving threat landscape, it’s not just about prevention but also about having the ability to continue operations while managing an incident and recovering from it.
It will happen to your organization at some point in time.
Q: Cyberattacks are becoming increasingly sophisticated. What are some of the most common vulnerabilities or attack vectors that organizations should be particularly vigilant about in their cyber resilience efforts?
Greg: If an organization was to start from scratch today, they should start by combating these vulnerabilities and attack vectors:
1. Phishing attacks: 85% of attacks will be executed by social engineering a person. Training and security as a mindset are critical.
2. Unpatched software: Vendors update software to address critical holes in the system that attackers know about. Leaving these ‘windows and doors’ open increases your risk of an attack.
3. Poor access controls: Poor access controls are like locking your front door but giving everyone in your community a key, without any need for it. Manage and review who has access to what and what they are able to do.
Q: When developing a cyber resilience strategy, how should organizations strike a balance between prevention, detection, and response? What role does each of these components play in an effective cybersecurity posture?
Greg: This is a very delicate balance. It ultimately depends on what you have to lose. We always start with response, then foundational prevention, then detection. False positives and alert fatigue will burn your team out if you don’t have a clear understanding of your digital infrastructure; this understanding comes from tackling response and prevention activities.
Prevention: The first line of defense. Aim to stop attacks before they happen.
Detection: Identifies that an attack is happening or has happened. Time is of the essence.
Response: How you react to an incident. It can mean the difference between a manageable situation and a disastrous one.
Q: Cyber resilience often involves people, processes, and technology. Can you share some best practices for ensuring that these three elements are aligned and integrated seamlessly to enhance an organization’s ability to withstand cyber threats?
Greg: People, Process, and Technology, addressed in that order. People run a company; they use process to effectively accomplish business objectives, and technology makes that process easier. To align and integrate these three, here are a few pointers:
People: Training programs should be frequent and updated.
Processes: Identify which critical processes the business depends on, and the key dependencies each of those processes relies upon in order to be completed. Establish clear protocols for every possible type of cyber incident.
Technology: Use a layered security approach that includes firewalls, endpoint protection, and network monitoring. Be sure to have a prioritization scheme around technologies that the business uses.
Q: Third-party vendors and supply chain partners are often sources of cybersecurity risk. What strategies can organizations employ to assess and mitigate these risks while maintaining strong working relationships with their partners?
Greg: This is HUGE, and the biggest area of weakness for organizations today. On average, more than 90% of business systems are outsourced to vendors; that means your resilience is in their control.
ASK, conduct security audits of your vendors.
Include cybersecurity clauses and service level agreements in contracts.
Maintain segmented networks to minimize risks.
Q: Cyber resilience is an ongoing process that requires constant adaptation. What are some emerging trends or technologies in cybersecurity that organizations should be aware of and consider integrating into their cyber resilience strategies to stay ahead of threats?
Greg: New technologies are rushing to the market; a few that we are most excited about:
Proactive security standards: We need more, well-understood digital standards across the economy.
AI in cybersecurity: We are all excited about AI; it will enable security teams to find great efficiencies and focus on actual incidents. We need more business leaders to think about how they are using AI business systems and what that means for protecting the organization from the AI turning against it or sharing data without authorization.
Enhanced focus on work-from-home and mobile device security: Most of us are on the move; our business operations are blending with personal devices and home routers, and this exposes your company to uncontrollable risks. Find solutions that can help you control these risks, and ask if you don’t know.
Q: What is the leadership playbook you are writing for yourself in real time?
Greg: I host a live show every Friday, called The Connected Mindset, where I talk with executives, authors, and community leaders about what it means to be more conscious about how connected we are. We need to collectively elevate our consciousness around technology and how to protect ourselves against its downsides. I am currently focusing on scaling my business and growing our team to multiply our impact.
We are on a mission to help businesses standardize security and translate the complexities of a more technical topic. Everyone must understand this topic to preserve a healthy business environment going forward.
Q: How do you apply the lessons of resilience in your own life?
Greg: As a former professional athlete and now the CEO of a growing cybersecurity company, resilience is always top of mind. It is a muscle, mental and physical, that I train each day. I rely on a mix of preparation, adaptability, and rapid recovery to stay resilient. These qualities form the cornerstone of both a strong cybersecurity posture and a successful life.