Ep. 18: Joseph Brunsman - Cybersecurity

Joseph Brunsman, VP and CCO of CPL Brokers, Inc., loves cyber law and is a public speaker and best-selling author determined to help businesses stay out of trouble. When it comes to data, cybersecurity policies are a must to ensure the safety and protection
15 minutes
IMA® (Institute of Management Accountants) brings you the latest perspectives and learnings on all things affecting the accounting and finance world, as told by the experts working in the field and the thought leaders shaping the profession.

Description

6 years ago

"12 Rules for Cyber You MUST Know" by Joseph Brunsman:
https://www.linkedin.com/pulse/my-12-rules-cyber-joseph-brunsman/


CPL Brokers, Inc.: http://cplbrokers.com/


Contact Joseph Brunsman: LinkedIn:
https://www.linkedin.com/in/joseph-brunsman-3a1102101/


FULL EPISODE TRANSCRIPT


Music: (00:00)

Adam: (00:04) Hey everyone. Welcome back to
Count Me In. I am your host Adam Larson and
with me once again, it's my cohost Mitch Roshong. As we continue
to offer insight into all things affecting the accounting and
finance world, this episode is going to focus on cybersecurity,
as we hear from cybersecurity expert and bestselling author
Joseph Brunsman. Mitch, can you give us some background on Joseph
and what your conversation was about?

Mitchell: (00:35) Sure. Adam, thank you. Joseph
is the vice president and CCO at Chesapeake Professional
Liability Brokers in Annapolis, Maryland. He most recently served
as a Lieutenant in the United States Navy working as an
anti-terrorism and force protection officer. He has a background in
systems engineering and cyber law and he is in the process of
writing two books on cyber insurance. We focused on the
progression of cybersecurity and how to create organizational
cybersecurity policies to avoid some of the potentially
disastrous costs following a cyber attack. So let's take a
listen.

Music: (01:11)

Mitchell: (01:17) So data and technology are two
of the most popular topics in accounting and finance. With so
much data available to companies today and subsequent information
being shared, what kind of emphasis should businesses place on
cyber security?

Joseph: (01:32) Sure. So, you know, that's a
great question, I'd say that information is like the new oil. So
data security is a huge deal and you know, of all the breaches
that I've researched that I've written about, that I've worked
on, you really kind of see a common trend and it's that
everybody who's been breached suddenly finds a way to spend more
money and more time and more resources on cyber security after a
breach. So kind of the lesson there is it would have been much
easier to prevent that breach beforehand, you know, and that
really kind of gets into, you know, starting from the top down
where if a company wants to place an emphasis on cyber security
and they all should, then, you know, it's really got to start
from the top and work its way down. So that's from, you know, the
board of directors has to get educated on the topic. Even if it's
just, you know, a couple of YouTube videos that generally
understand, you know, the basics of cyber security or network
security and then from there filter that down through the
organization.

Mitchell: (02:38) So with that kind of top down
structure, when it comes to implementing different
cybersecurity policies, what are some of the common strengths,
weaknesses, opportunities, threats that you've come across when
you're trying to help coach these businesses?

Joseph: (02:54) Sure. So you know, kind of some
of the common things we see obviously going to be different for
each business, right? Because it's going to depend on the
industry they're in, various environmental factors of what
they're dealing with. But you know, we do see some common trends.
The first one's going to be, you know, cyber security policies
should not read like War and Peace or some legal primer on
contract law right there and we, we see a lot of that and always
kind of makes me cringe because the primary purpose of a cyber
security policy is really, you're supposed to be guiding the
staff into making correct decisions, right? You're trying to tell
them, Hey, this is what's acceptable and what's not. But more
than that, really the biggest flaw that I see is, and this is,
you know, it takes a little more time and effort to do this, but
it pays off in the long run is, you know, they need to tell the
staff members and employees, you know, Hey, this is the purpose
behind the policy that we've implemented. And that really makes
adherence to it much simpler, which makes the cybersecurity of
that business, you know, exponentially stronger because, you
can't plan for every possible scenario, but you can really stick
to those major threats that you're reasonably foreseeing that
could hit the business, you know, you don't need to plan for the
apocalypse. So you want the cybersecurity policy to be
understandable by the common person. Just complex enough that
you're hitting the major wickets there. And that if there's
something that you couldn't plan for or there's something missing
in that cybersecurity policy, you could reasonably expect the
average person, you know, to at least have a general
understanding of who to go to to pose the question.

Mitchell: (04:42) So what if you're new to this,
what if you have never drafted a cybersecurity policy before and
you're not even completely sure of what the potential risks are
with all the new data and technology that's out there. What are
some best practices for doing your own personal research and
developing a process for implementing a new cybersecurity
policy?

Joseph: (05:03) Great question. So, you know,
first off, Google is your friend, so that is an amazing place to
start. There is a ton of great information out there. You know,
try to steer clear of, you know, kind of minor organizations that
you'd never heard of, but there's a bunch of major players out
there. They really kind of have templates for you. You know,
best practices, you know, it's going to depend on each
organization. But you know, kind of broad stroke here is get all
the decision makers inside the room, block off a period of time
and you know, that could be the board of directors, the C suite
executives, IT, legal, your HR team, bring them all together, you
know, and kind of start hashing through these templates that are
available to you. So that way you get all of the different
perspectives on what could potentially happen and how you should
really respond to that. And that's going to be probably, you
know, the best in terms of best practices because if it's, you
know, if you have your cyber security policy and you say, hey IT
guy do this delivered on Tuesday, and then you just try and, you
know, push that out to the entire business, it's going to be a
train wreck and there's going to be a million questions and
you're going to have to go and redo the entire thing. So get
everybody involved from the beginning. It's going to be much
easier for everybody.

Mitchell: (06:31) So as you start to implement
these processes, right, and we have all these different people
working together, all the different functions of the business.
What have you seen from, you know, different industries or just
different firms in general as far as the progression of
cybersecurity and what that means in our economy today?

Joseph: (06:54) Sure so I think, you know,
everybody is saying that they're taking cybersecurity seriously
now, and I would really kind of push back against that because,
you know, I think most businesses now are saying, hey, we take
cyber security seriously. We have this one guy who does it right,
who's in charge of it. But cyber security is really a full
organization front that has to occur there. So, you know, it's
something where the world is just getting more complex. And so,
you know, that's on the regulatory si...
