Working as a cybersecurity researcher and industry analyst

[00:00:00] Chris Sienko: Today on Cyber Work, I speak with French Caldwell, longtime Gartner Research Fellow and Co-Founder of the Analyst Syndicate. We talked about the founding of the Analyst Syndicate, as well as the creation of a cyber terrorist simulator game designed for White House staff, and why you shouldn't allocate too much of your security resources guarding your digital garbage. That's all today on Cyber Work.

I also want to tell you about Cyber Work Applied, a new series from cyber work. Whether you want to learn how cross-site scripting attacks work, set up a man in the middle attack, or get a blow-by-blow recap of the Equifax breach, expert Infosec instructors and industry practitioners will teach these cybersecurity skills and show you how these skills apply to real-world scenarios. Best of all, it is a 100% free. Go to infosecinstitute.com/learn, or check out the link in the description below and get started with fun hands-on training that keeps the cybersecurity skills you have relevant. That's infosecinstitute.com/learn. Now, on with the show.

[00:01:06] CS: Welcome to this week's episode of the Cyber Work with Infosec Podcast. Each week, we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of Infosec professionals and offer tips for breaking in, or moving up the ladder in the cybersecurity industry.

French Caldwell is the leading strategist and thought leader in RegTech, including GRC and ESG, cybersecurity, social and digital risk and regulation and the impact of disruptive technologies on policy and strategy. He's a former Gartner Fellow and following Gartner, he became Global Head of Marketing at a Silicon Valley firm that delivers RegTech solutions for governance risk and compliance in the analytics and reporting. Skilled at the alignment of strategy, communication, technology processes, analysis, policy and people to improve business and mission outcomes, experience in advising senior executives and corporate directors on disruptive technology, strategic risk management, cybersecurity and public policy issues.

Prior to joining Gartner, French was the director of Knowledge Services at Arthur Andersen's Office of Government service, where he worked with strategic clients including the Central Intelligence Agency, the Internal Revenue Service and the Department of Defense. French completed a career as a nuclear submarine officer. It's the first one on our show. He has directed special congressional projects for the Secretary of the Navy and the Secretary of Defense.

Upon retiring from the Navy, he served in the international liaison and special projects officer for Congressional Commission on Roles and Missions of the Armed Services. French earned his Bachelor of Science degree in Oceanography at the US Naval Academy, Master of Arts in International Studies at Old Dominion University and a doctor of law and policy at Northeastern University.

He earned his command and taff degree at the US Naval War College. He's been a federal executive fellow at the Brookings Institution, and adjunct fellow at the Center for Strategic and International Studies, and an adjunct professor and board member of the Institute for Innovation and Knowledge Management in the graduate Engineering Management Program at George Washington University.

He's also the author of the book, Arctic Leverage: Canadian Sovereignty and Security and has contributed to over 400 research papers and articles. A while back, we interviewed French's colleague, Diana Kelly about their work with the Analyst Syndicate. It's a topic that I wanted to continue with the founder and chief researcher of the group. We're going to talk about French's time at Gartner research, and also his passion for cybersecurity research as a whole. French, thank you for joining us on Cyber Work.

[00:03:30] French Caldwell: I'm certainly glad to be here. Thanks for sharing all my biographical information with the audience.

[00:03:37] CS: Yeah. Sorry for the long bio. I didn't have time to make it shorter, as Mark Twain once said. I wanted to start out with your varied and prestigious careers. You've done everything from time spent working on public policy and a think tank, to oceanography on a nuclear sub in the Navy. Within the past 10 years or so, especially your careers and interests have coalesced largely around IT and cybersecurity. What is the draw to cybersecurity, since our listeners are mostly cybersecurity professionals? Have you always had an interest in this area, computers in tech, or was that a later in life discovery for you?

[00:04:09] FC: It was definitely later in life discovery. When I was at Gartner, I helped to found the risk management and compliance research community and we set up a whole new team of analysts there. Not knowing where to put us, the powers to be at Gartner said, “Well, this team, we’ll put it in the security group.” We could just as well have gone into the business intelligence group. There was no right place to put us in. Being in the the security group, all of a sudden, I found myself surrounded by security analysts and I learned quite a bit. It was there.

Now, I'd had quite a bit to do with the security analysts before that. When I got to Gartner, I started up this technology and public policy research community. One of the questions that a lot of people had back in the early 2000s, this was timeframe was 2000-2001, was could you actually do a strategic cyber-attack on a opponent?

Richard Clark, who was then at the White House, and the cybersecurity – he and I were on a Gartner panel together, discussing this topic. Afterwards, he asked me, “Is this real? Could it really be done?” With the backing of the White House and Gartner, I approached the Naval War College and had a friend there who was a terrorist expert. Say, “Well, could terrorists launch a cyber-attack on the United States? What would it take?” He said, “I don't know.”

He was actually the academic dean of the War College. He said, “I have this whole group here that does nothing but Wargaming, so let's wargame it.” We pulled together and this by now was 2002. Of course, 9/11 had happened. We pulled together about a 100 CIOs, CISOs, subject matter experts, couple of dozen Gartner analysts, and ran a three-day war game, in which we discovered that yes, you could design a cyber security attack that would be strategic, that would actually shift the balance of power, turn it over; maybe momentarily, but it could be done. That was in 2002. That was my real introduction to the security world.

[00:06:58] CS: Now, I was going to ask about that later on. Is that the cyber terrorism war game, I think it’s called Digital Pearl Harbor here. Is that the thing?

[00:07:04] FC: Digital Pearl Harbor. In fact, I have the parking sign for it right outside my office door, pointing to my door. It says, “Parking for Digital Pearl Harbor.”

[00:07:15] CS: Okay. Oh, wow. That's fantastic. All right. We'll get back to that. I definitely want to ask you more about that, because I think there's a lot to be dug into there. I'm talking about angling into cyber security from similar things. I noticed, I looked through your bio, and several jobs within your career involved knowledge management, which is, I guess, a new concept to me, but it seems to involve sharing of knowledge and information in a way that suggests at least some kinship with information security and access management. Is there a connection between years working in knowledge management and your move toward IT and information security?

[00:07:51] FC: Absolutely. I think it's something that's suddenly becoming more topical. Knowledge management was really about making sure that you're managing that data and information, that actually has real business value to the organization. You're not spending a lot of time managing your trash. All right. When you look at security experts, we spend a lot of time guarding our trash.

[00:08:24] CS: Okay. Can you speak to that a little more?

[00:08:26] FC: Well, as often, quite often, since many organizations are very, very poor at information governance. In other words, deciding what's trash and what's valuable. We have a tendency to go and then try to protect everything. It's relatively the same level of protection, which means that our resources as security teams are pretty spread out. With information governance, which I think is important about knowledge management, and to cybersecurity, is we decide really what is valuable? What is valuable to the organization? What is it that is required that we protect it by law? Privacy laws and so on, they require us to protect customer information, or employee information.

What are those things that we really want to protect? What are those things we have to protect? Do we really need to worry as much about all the other information assets that are out there? Obviously, you're going to put some level of protection around everything, but you don't have to have the same level of protection around everything.

[00:09:54] CS: Yeah. Now, I mean extending the metaphor of our digital trash, you always hear stories about detectives, or Paparazzi going through celebrities’ trash and finding – I understand that there's some degree of that. When we talk about protecting your digital trash, is it just because it's trash, because there's not even really realistically much of a way for hackers to get in through there? Is it that useless of data? Or is it just a priority thing?

[00:10:26] FC: Well ideally, you'd get rid of stuff that you really don't need, but we never hear it.

[00:10:33] CS: No, no. I'm finding so much of this job involves just flipping off switches that have been left on for a decade, or whatever.

[00:10:41] FC: Right. We have all kinds of assets that are used to manage our trash. Not because we may need some information from some backup tape that was created in 1985. It just astounds me as to how much time we spend on both managing and protecting stuff that really has very little value to the organization.

[00:11:14] CS: I mean, if I can suggest – I mean, it's like people just accumulating debris in their house. Because you know, it's just going to take so many decisions to know like, can we really get rid of that tape spool from 1985 and there's no ramifications whatsoever? People who already have 10 plates of spinning right now are probably thinking, “I don't want to think about that right now and stuff like that.” The can just gets kicked down the street for years and years and years.

[00:11:44] FC: It always does. I do think there is this renewed interest in information governance. A good information governance can make security more effective Yeah. We can also have value to the organization, because you determine, what has value? What is legally required to protect? What is not? What should we get rid of, and what do we really need to keep? Once we've done that, then we're going to get a lot more value out of all of our information management efforts.

[00:12:21] CS: Yeah. I completely agree. Our recent guest, Rita Gurevich, talked about data governance strategies and information governance. Yeah, definitely go back and check that out. That's a huge topic right now. I want to start out by talking a little bit about your time working as VP and Gartner fellow with the research organization, Gartner. What were some of the main beats that you covered in your 15 years there? You hit a lot of different things, including risk assessment and so forth. What was your day-to-day work like and how did you see technical research methodology change in the time that you were there?

[00:12:56] FC: Well, I got to Gartner in 1999. It was, once again, an accidental thing. I had retired from the Navy a few years before and had looked and realized that after all, my experience in the Navy and having been a federal executive fellow at Brookings, and serving on the Secretary of the Navy staff, and having made several strategic deterrent patrols and fleet ballistic missile submarines and things like that, I had absolutely no skills for the private sector.

[00:13:39] CS: Good thing you learned that early.

[00:13:40] FC: Yeah. I became a consultant. Worked for Arthur Andersen for a couple of years, I got a call. That's where I really started learning about knowledge management. They were very, very good at it. I took what was being done internally at Arthur Andersen around knowledge management and actually shared that with a number of government clients. That was really my beat there at Arthur Andersen.

Someone at Arthur Andersen, who had been interviewing with Gartner said, “Well, look. I've decided to go work for another firm, but not Gartner.” They asked, “Well, who could we think about?” This colleague of mine gave him my name, and so I ended up at Gartner. I really liked it. The nice thing about being a Gartner analyst, as opposed to say a consultant, is a good consultant needs to spend a third of their time working, or whatever engagement they have, a third of their time managing their people, if you're your manager, or partner at a firm. Then a third of your time is spent looking for the next job.

At Gartner, I was not managing people, much less having to manage client relationships. I didn't have to look for the next engagement. It was all a subscription model. Now, the whole world is caught on to this whole subscription gig these days. Everything subscription. We don't own anything. We're even subscribing for our infrastructure. Gartner was very early on that. The subscription thing, you actually pay ahead of time, too. You don't actually have to complete the work before you get paid.

I thought, “Man, this is a remarkable business model. What a gig.” Until, I was got well-known, then I was doing 500 to a 1,000 mini-client engagements a year. We call them inquiries. Or if you go to a conference, it's a one-on-one, 30 minutes of that, which means in your daone-on-one-day job, you're doing lots of these. You may be doing half a dozen, or more yellow of these inquiries.

Then at conferences, you may be doing 14 one-on-ones a day, with a little bit of a break to get something to drink. Then, if you're lucky, you can head out to the toilet. It’s pretty intense in that regard. Then it leaves you. You really have to be diligent about trying to find creative ways to carve out time for your research. You really do have to do research. A lot of the research, by the way, is done just by doing the one-on-ones. You learn every possible client problem there is.

It's not as in depth as a consultant would go, but it's lots of people, lots of data points. You become pretty good at pattern analysis. If you're a good analyst, you're good at pattern analysis, which then tells you where to go dig deeper and do the research. You are going to spend some time each week doing the basic research. I read an awful lot as a habit that I had, but got even more intense at Gartner. Even today, I read, read, read, read, read Trade Press, Wall Street Journal, Financial Times, Washington Post, New York Times, Guardian, The Economist, and whatever, like I said, whatever trade press comes across my desk. I spend a lot of time reading.

[00:18:00] CS: Yeah. I mean, when you started in ’99, the Internet was certainly around, but it was not as ubiquitous as now. It sounds like you still – I mean, has the just the ubiquity of the Internet as a research tool changed how you research at all? Or are you still having to go deep enough to do deep stack library research and things out in the world like that? Or is it a lot more at your fingertips?

[00:18:27] FC: I used to love that. Yeah, you go into the library and there was a card catalog and you try and find what you're looking for and you find a book that looks close to what you're looking for. Then you go do that –

[00:18:37] CS: Know the research library, and then a first name basis.

[00:18:40] FC: Yeah. Then, you're going to do that shelf search. I hear is all this information that you just – the Dewey Decimal System was a wonderful, wonderful tool. Now, we have Google. We have Google and Bing and DuckDuckGo, and whatever, that people want to use. I think, it's made it easier considerably. I mean, and get just not any reference paper I want that’s been written. Any research document, I can find it out there, one way or another.

[00:19:17] CS: Yeah. It seems like your knowledge detector is good enough that it's easy to sift through and find the real stuff as well, just from years of doing it.

[00:19:28] FC: Yeah, you do. You get better at it. I tell you, the one thing is still very important, I think as an analyst, is having that community. It was, you can get too narrow in what you're trying to do. You get too narrow in your research. I earned my doctorate late in life, and so I know how you just to get narrow and narrower, the higher your degree goes. The same thing can happen with your research specialty, where you get more and more narrow.

Having a research community around you is fantastic. Actually, making sure that you're not just in, say, the security research community, but are members of a broader research communities as well. That way, you really have people you can bounce ideas off of, and you can brainstorm, people who will give you honest peer review of what you've done. That's extraordinarily important to get that rolling, because they'll point you in directions that you had never would have thought of going on your own. I think that's one of the big values that the analysts, that the analyst syndicate find is having that – having that peer community that they can work with.

[00:20:50] CS: Yeah. Yeah, that five-degree course correct that someone else can turn you, can make all the difference in terms of getting to where you want to go.

[00:20:58] FC: Exactly, exactly. Makes a big difference. Sometimes you don't even know where you're going and what are those recently.

[00:21:04] CS: Just heading out. Yeah.

[00:21:05] FC: I had one of those recently on the big – It was the big Amazon kerfuffle over the delivery drivers and putting the essentially, putting them under continuous surveillance. Of course, everything on their routes is under surveillance, is these cameras that they put in. Not only are they looking at the driver, but they're looking 270 degrees out from the driver, both sides of the van, Ford, monitoring everything. I was looking at that and being very, very critical of Amazon.

One of my peers said, “Yeah, but this is all very well and good, but what are the lessons learned here that other companies can apply?” I thought, “Yeah. That's good.” Unfortunately, that sent me back quite a bit. It's a lot easier to just be critical than to think about what are the really the recommendations you can make to other companies that are increasing their own employee monitoring. What did Amazon do right about the way they rolled this out, versus what did they do wrong? I should publish that here sometime soon. It really sent me way back. Peer review, I really do think as a blessing. Sometimes, it's more than a five-degree course direction.

[00:22:44] CS: You have to turn the whole ship around.

[00:22:45] FC: Exactly.

[00:22:48] CS: Well, the thing that's, I think, exciting and I really wanted to talk to you is I noticed that in working from Gartner and then Gartner and then moving on to the Analyst Syndicate, which as I mentioned, is a multi-dimensional platform through which the world's best technology and business analysts published the research and recommendations. It feels to me like a cross between a think tank and a daily blog, because it's not just the recommendations from on high. A schlub like me can go on there and at least get a sense of what's being thought about over there.

What I really liked about your story is that you don't seem like you've ever drifted back into a management role. You are excited about research up to and including today. I wanted to talk to you about how you founded this organization and what the original impetus was for it, and what problems you were trying to solve with its creation?

[00:23:39] FC: Well, I actually did drift back into a management role after I left Gartner, my intention was to go ahead and start up my own research firm around risk management and compliance and around legal IT. I needed to do something while I was still under a non-compete. I went to work for Metric Stream, which was a GRC firm. Ended up spending four years there, instead of just one or two, like I intended.

I was the chief evangelist, not really a management role. Then within six months, the marketing left and marketing fell in my lap, and so I managed the marketing team for the next three and a half years until I left. I had a great time doing it. I have something new. Really enjoyed it at a rate bunch of people. It was difficult in that most of them were in India, and I was on the East Coast and the company headquartered on the West Coast.

[00:24:44] CS: Not only in hours.

[00:24:45] FC: Yeah. A lot of time zones to juggle. I did enjoy it. Now, what led to the Analyst Syndicate is I'd always had this idea of founding my own independent research practice around my areas of specialization. Then, I was talking to a couple of other former Gartner colleagues, who had left recently and they had the same idea. We decided, “Well, why don't we put together this thing, sort of a consortium of analysts, of independent analysts?”

The three of us founded the Analyst Syndicate and as the managing partners. Then, we found it was very easy to recruit. We're at about 30 independent analysts, who mostly former Gartner. We have some from other places. Yeah, and what all the analysts seem to find of value is this community. Now, we are also out doing what I would say, is more of a cross between and being an analyst and a consultant. Then, we’ll go in and work with either an IT executive, or work with a vendor on projects that they see our value, and we go in a lot deeper.

Each analyst, instead of managing – talking to 500 to a 1,000 clients a year is managing relationships with five or six, maybe up to a dozen clients a year. You're a strategic advisor. We do a lot of hands on work as well. We got our hands dirty here than we did at Gardner. That's for sure.

[00:26:43] FC: Yeah. What is your workday with the Analyst Syndicate? Our listeners always want to know what job roles look on a day-to-day, or even hour-by-hour basis. It sounds like you still do a lot of research, but do you spend your days with clients, or other writers or setting policy? Or do you do still mostly just have your face in a book?

[00:27:04] FC: Well, definitely don't have my face in a book most of the time. I would say, I spend a couple hours each day reading. I do still spend time getting vendor briefings, any vendor who really wants to brief members of the syndicate can brief members of the syndicate. You don't have to be a client.

There, I spend also time writing. Not as much as I would like to. We do spend time writing. Being one of the managing partners and being CFO, I have a number of administrative functions I have to do. I'm still doing work as an independent analyst, working with clients on a regular basis. You'll helping them with their analyst strategies, with their go-to market strategies and with their product strategies. It's very busy. Very busy.

[00:28:07] CS: Yeah, for sure. It's gratifying to hear that. What are you, in terms of what you're actively researching, is it for a project you're planning on working on? Or do you have certain stories, or beats that you just follow them, just because you're interested in what's going to happen next?

[00:28:28] FC: Well, I'm actually working on a book on GRC, governance risk and compliance. That's something I'm working on. I'm also have another book out there that’s really looking at expanding my dissertation from my doctoral program, which was called tweeting dystopia. The impact of cyber mediaries on the making of public policy. How is social media disintermediated, the regulators and the legislators, and people are making public policy directly with direct interaction with the industry and with companies these days? These are topics that really interests me. The risk management aspect of what I'm doing and the compliance aspect, or where the side where I overlap into the cybersecurity community quite a bit.

[00:29:32] CS: Now that now the social media, tweeting dystopia, as you say, is that – what are you expanding on based on what your original dissertation is? Where are you taking it from there? You're trying to turn into a book.

[00:29:44] FC: The original dissertation was, I was curious about how is disruptive technology actually changing how public policy is made? There's a lot of people who have looked at how technology and public policy interact. I was curious as to how does disruptive technology actually disrupt? How does it disrupt society and so on like that? In fact, I basically came to a definition of disruptive technology that really, it doesn't – it's not disruptive, unless you actually are changing how society operates. All right. There's a lot of technology that vendors claim is disrupted. Really, does it really change our lives?

[00:30:37] CS: Yeah. That's becoming a bit of a catchphrase at this point, rather than an actual phenomenon.

[00:30:43] FC: Yeah. Exactly. It is a comedy show about Silicon Valley, right? The conference called Disrupt every year, so they disrupt conference. I really think it's not truly disruptive, unless you disrupt how society itself is organized, or works and so on.

[00:31:08] CS: Yeah. Are there any particular disruptive trends that you see coming down the pipe that people should be preparing themselves for in that regard?

[00:31:18] FC: Well, I think that when you look at this thing, combined with social media, has terrifically disrupted how we operate as a society. It's still doing so. Now, if you look at all kinds of new technologies, I would say, potentially the most disruptive thing that we face on the horizon are changing, or is certainly biotech and genetic engineering. That can seriously change, could cause very serious disruptions. What does it mean to be human?

I think, one of the books I'd like to write, as to be a nice little short one; be 50 pages or so, is how to stay employed in your robot future? You either work and either work for the robots, or you can actually have the robots work for you. Maybe you're a truck driver, and instead of driving the truck, you get an automated – you get couple of automated trucks, autonomous vehicles, and you and you own those. Or you have the option of becoming one. You can become a cyborg yourself and just compete directly with robots. There's a future for all of us there.

[00:32:53] CS: Right. Yeah. That's always interesting to me. I'm sorry, go ahead.

[00:32:57] FC: I don't think that most of what we look at from robotics is actually seriously disrupted it. It's not disruptive, if it occurs over a long period of time. In other words, we can adjust to it. We evolve with the technology. When things get disruptive is when all of a sudden, some genius comes up and he says, “I can compare faces of women to faces of cows, or whatever,” and you create a new social media. Begins to get a life of its own. Then, not only that, we can take it where we go, anywhere we go and even sleep with it. That becomes pretty disruptive.

[00:33:47] CS: I would imagine things like deep fakes as well, where it's happened so quickly and so thoroughly that it's very, very hard to even imagine to how to vet, or fact check, or anything like that. It's just happened right now.

[00:34:02] FC: Yeah, exactly. It is. Things like that, it can just pop up overnight, and they become extraordinarily disruptive. Thanks to the fact that most of what we make the – most of what we spend time as humans making these days is digital; is made with digital petty. These things can just pop up and be very surprising.

[00:34:28] CS: Yeah. Now, we want to pivot over to the cyber – the work side of cyber work here as well. With all the predictions for the future of security and the things that you're seeing happening, could you give any advice, or tips that you would have for students and early professionals in this field who are just getting their feet wet in the cybersecurity work sphere? I mean, are there things that they should be watching out for, as you say, in terms of disruptive technology, or changes, or policy changes, or anything like that, that, if you want to be a security researcher, what would you say to someone who's starting to do that now?

[00:35:06] FC: It’s totally different than when I started in it, and that there were people came from a lot of different backgrounds, I noticed, into the IT profession and into security, both. There was no really set background from where you came. Certainly, there were computer science majors even back in the day when I was in college, but it wasn't really prevalent. As IT industry grew, people were hired from all kinds of fields. I think, one of the things that I've noticed with, I think really helps with cybersecurity professionals, is to be able to, I would say, do really good analytical thinking.

Along with that, so really hone your analytical skills. As a researcher, that's extraordinarily important. Be able to put yourself outside of your own, I guess, be able to put yourself out. I don't know how to describe it, but almost outside of your own body, and just look at things from your perspective. Be able to open to looking at things from other perspectives. Now, the only way you can do that is to be part of communities, be part of peer communities that cross the boundaries of work and cross – In other words, if all you're doing is hanging around with the same people all the time, in the same work environment, then you're not really going to be able to do that almost – like I said, put yourself outside of yourself. You can't do that. You'll never think out. You'll never be able to think outside the box.

I also think, you can get a lot of – you need to be recognized when you're losing sight of the box. Okay. I see a lot of people in the thought leadership areas of thought leadership and so on, that are just way so far. They've gotten so far away from practical reality that they couldn't find the box if they had to. If they are running out of oxygen, wherever they are and all the oxygen is in the box, they would die. They would die. Okay. Can they get back inside that box if they had to? Say, you need to recognize – be careful.

[00:37:36] CS: Yeah. You can't be living in a simulator the entire – You can't sit there. Well, with all of these things being ideal, then this will definitely work, right?

[00:37:46] FC: Exactly, exactly. Now, you had to deal with the practical realities. I think, one of the – once again, it’s that connection with other people; other people in your field, but also people outside your field. Other people in your workplace, but also people outside your workplace. I think, one of the things that's helped me a lot is just staying in touch with people that I used to work with, or that I used to go to school with. Because they may have been doing – you may have all been doing the same thing at one time, but everybody diverges a little. If you can just stay in touch and build this little alumni community around you, then I think, it's important. Don't lose touch with those great people that you've worked with every time, because you'll learn from them, too.

[00:38:39] CS: Yeah. They're all learning at the same time that you're learning, so they might have different advice for you now than they did 20 years ago.

[00:38:44] FC: They certainly should. If not, there's something wrong.

[00:38:48] CS: Then you need to you need to educate them or something.

[00:38:50] FC: They may still be in the basement. Yes. Gradual with them.

[00:38:54] CS: Yeah. Floating away from the box again.

[00:38:56] FC: Yeah, exactly.

[00:38:57] CS: I want to go back to Digital Pearl Harbor a little bit. Our company just launched a collaboration with ChooseCo to create a Choose Your Own Adventure theme security awareness training program, which is very appealing to people in their 30s and 40s, or younger, whatever. I wanted to ask about this, the simulator that you did. Was this aimed at simply finding what the result would be? Or was there an education component? If the latter, can you talk about the role of gameplay and strengthening retention of knowledge in these kinds of situations?

[00:39:29] FC: Yeah. I mean, it was really fascinating. I mean, I'm still odd at what happened there. I was going to say what we did, but I don't think it really describes what happened. We brought in, and we had people that like I said, are living the day-to-day world of managing information systems, managing security, and then subject matter experts that they brought with them. We had all kinds of companies there, from banks to we had banks with Cisco, we had all kinds of different companies there.

What we did is for the year prior to that, we designed the game. We spent a year doing it, obviously. Wasn't that frank, but I mean, we would have meetings down then with the war college. With those of us at Gartner who were involved in this, and we narrowed it down to four areas of critical infrastructure that we were going to gain. One was the financial services sector. Another was the telecom. Then, the other was, well, there was the grid. Then, there was the actual backbone of the Internet itself. Okay.

It’s distinct from Telecom. Once we had the game designed, we brought everybody together and we had pretty much just two teams. Typically, you have three teams. You have the blue team, or the good guys, the red team, the bad guys, and then the white team, which is the command and control, the controlling the game as such. They're not really players. They're observers. We just did a red team and a white team, because we had no blue team. We had no really winning, no idea what is the blue team supposed to do. We don't even know what –

[00:41:40] CS: They’re learning to build a blue team by playing the game in this case, it sounds like.

[00:41:44] FC: Exactly. The question we're trying to answer is, could we create a scenario for a strategic cyber-attack? We didn't know anyone with a scenario. We have no idea. We just said, here are the four industries. Here's what we think a strategic cyber-attack would look like. We basically modeled it on the Quebec ice storm, a couple of decades ago. Said, took out Quebec for six weeks. Could we do that with a cyber-attack?

Then we ran the game. Everybody got to play terrorist, or bad guy. We had those four teams that were – well, we essentially had four teams. Those four teams would be given a challenge by the white team. They would send observers to the other three infrastructure areas, so it was all coordinated. Then we'd have a period of time where they did physically come together to coordinate. Then they'd read out that part of the war game. We went through all the phases of an attack, from the design, the planning and design to the execution, and came up with this.

Now, how do we let the world know? This is done at the Naval War College, so we're very – sponsored by the White House. The War College, actually, we at Gartner, we wrote up the results as best we could. The Naval War College sent it to the War College for a security review. They reviewed it. Very few changes were actually made. Then we published it. I wish I can tell the story about this one government organization that pulled us on the carpet and said that our scenario cannot possibly happen.

Richard Hunter, who was my co-director, he and I got raked across the carpet for a couple hours while they chewed us out and talked about how they were going to pull their Gartner contracts. We didn’t care. We're analysts. Then a couple months later, we found out that one of the senior board members of this particular government organization had triggered this ranking over the coals. It turns out, that he was never told by this organization that they had read a similar war game, just on the particular sector, financial services sector, and had come up with a very similar result.

[00:44:53] CS: Oh, interesting.

[00:44:55] FC: They'd never been brought up to the senior executives and board of this organization.

[00:45:00] CS: It was already just gathering dust somewhere at that point.

[00:45:03] FC: Yeah. Here, we published it all out there. I credit a lot of changes to that. For instance, at the time, you could go to King County, Washington and find out all the kinds of information around pipelines, natural gas pipelines, electrical lines, all kinds of stuff was just publicly available. At the time, remember the early 2000s, government organizations and even private commercial organizations are putting all kinds of sensitive information on the internet, but just because they could.

You lost what's in legal terminology, called practical obscurity. In other words, with practical obscurity, it may be publicly available information, but I have to go through some steps to get to it. I have to reveal who I am. I have to go into the county courthouse. Things like that. That made it harder to get to this – what today is thought of is very sensitive information, is much harder to get, but people were starting to put it right out on the web.

[00:46:20] CS: Yeah. Well, I want to wrap up today, we're coming up to about an hour and I want to be able to not take up too much more of your time. This has been absolutely fascinating and we could talk for hours. I want to tie this up with the cybercrime, cyber terrorism situation with previous episodes we've had. We talked to Emily Miller of Mocana, who is all about infrastructure security. She's you covered the water supply hacked in Florida and all sorts of legacy systems that are out of date in municipal systems. Then also last week, I spoke with Dirk Schrader of New Net Technologies, about legacy systems and healthcare. He said that there are literal million plus pieces of medical data, including X-rays, and 3D scans open to the world, that you could add or subtract cancer from, or change a diagnosis.

We get these stories where it's like, there's all this openness. As you said, you need to know the ability to what to surround, what your perimeter is of your data and your information and so forth. Ten you talked about the Digital Pearl Harbor and saying, well, that could never happen. As a way of wrapping up, first of all, how possible do you think these kinds of attacks are? Two, if they are really possible, how do we intensify the message so that people start to realize that there's just the acres and acres of wide, open, sensitive data out there that is just waiting to be attacked, especially in a coordinated way?

[00:47:59] FC: Well, I think there's all kinds of nuisance attacks. Then, thanks to the way information is shared so rapidly and easily these days. They have a much bigger impact than they did say, in 2002. The social amplification of risk, as well, I call that. What may seem to be relatively insignificant risk to an expert, to people who are out in the rest of the world seems to be an extraordinarily big issue.

You magnify the risk many times over with social amplification. I think these nuisance attacks, what I would consider a nuisance attack, even the hack, or the water supply controls there in Florida as a nuisance attack. Taking down a good part of the grid for 24 hours would frankly, be a nuisance attack. It's not going to change the balance of power. It's going to be awfully inconveniencing. Ransomware attacks, where we've seen that hospitals have even delayed surgeries and so on. These on the scale, on a national security scale, are nuisance attacks

Now, take all of that and do it all at one time, it actually cause some damage. Now, that would be potentially strategic. What we found, I think, at Digital Pearl Harbor, and this still holds true, is that a combination of a physical attack and a cyber-attack has a much greater effect than either one by itself. Okay. Let's say you're doing some cyber-attacks on the grid, but you also blow up a couple of those 250,000-volt substations, of which there are only three spares at any given moment in the United States. That physical attack combined with the cyber-attack, I would say, it comes closer to a strategic attack.

[00:50:16] CS: Yeah. Yeah. I think on that note, I think we're going to wrap things up today. For the final question here, if our listeners want to learn more about French Caldwell, or the Analyst Syndicate, where should they go online?

[00:50:28] FC: Well, you can look at my LinkedIn profile, and you also go to the Analyst Syndicate, which is you can just type in theanalystsyndicate.com, or analystsyndicate.com, or our primary URL, which is thansyn.com.

[00:50:46] CS: Okay. Yeah. What will they find? I know, like you said, that there's the high-level stuff. Is this something that just really, schmoes like me, can look in there and derive value from?

[00:51:00] FC: Right now, well, unlike the larger research firms, everything our analysts writes is publicly available. You can just go in. You'll find the blog. You'll go be able to go in there, you can search on my name or search, for Richard Steenan, for instance. He used to write for Forbes, is now re publishing a lot of his commentary with us. You can search for any analyst, or any topic and see what our thoughts are on it, what our insights are.

[00:51:34] CS: I think that's a good –

[00:51:35] FC: We've tried to put the thought leadership out in front, but I think one of the things that we're doing now is we're definitely defining better kinds of services that we can offer to both the technology providers and the technology users.

[00:51:53] CS: Great. I think that's a really great place for our students and new professionals. Go check out The Analyst Syndicate and get up to date with what people are thinking about in the industry. Right now, you're probably just thinking about how to get into it. Get a sense of what people are doing on the frontlines right now. I think it's a really good place to start. Again, thank you.

[00:52:12] FC: By the way, I just want to say, I've never turned down an inquiry from a student. Okay.

[00:52:19] CS: Oh, there you have it.

[00:52:20] FC: You don’t have to pay. I don't think any of our analysts would ever turn that down. We support young people who are studying and researching, just about any area of the field.

[00:52:31] CS: You heard it here first, folks. Go talk to French. He is available. All right. Well, thank you again, French. I really appreciate your time today.

[00:52:40] FC: You're welcome. Glad to be here.

[00:52:43] CS: As always, thank you to everyone listening at home, or at work today. New episodes of the Cyber Work Podcast are available every Monday at 1 p.m. central, both on video on our YouTube page and on audio wherever you find podcasts are downloaded.

As always, don't forget to check out our hands-on training series, Cyber Work Applied. Tune in is expert Infosec instructors teach you a new cybersecurity skill and show you how that skill applies to real-world scenarios. Go to infosecinstitute.com/learn to stay up to date on all things cyber work.

Thank you once again to French Caldwell. Thank you all again for watching and listening this week. We will speak to you next week.