Manage This - The Project Management Podcast

Episode 166 – Reduce Cybersecurity Risk for your Projects

The goal of cybersecurity is to protect the data and integrity of your computing from malicious digital attacks. The challenge for a project manager is to implement effective cybersecurity measures to secure yourself, your team, your clients, and your projects as attackers become more innovative. Our guest is Andy Sauer, a cybersecurity leader who helps organizations build cybersecurity maturity.
Table of Contents
01:47 … Meet Andy
02:29 … Raising Awareness of Cybersecurity for PMs
03:34 … A Case Study
06:55 … Lessons Learned from a Cyber Attack
09:23 … “Least Privilege Necessary” Model
10:48 … Lack of Multifactor Authentication
11:39 … Staying Ahead of Attackers
13:35 … 10 Steps to Better Cybersecurity
13:42 … Training for Phishing
15:25 … Multifactor Authentication
16:14 … Least Privilege Necessary
17:34 … Apply Patches to Systems and Applications
18:40 … Delete Old Accounts
19:53 … Kevin & Kyle
21:13 … Adopt Cloud Services
22:15 … Building an Incident Response Plan
25:16 … Establish Hardened System Baselines
26:13 … Keep Your Backups Air Gapped
27:21 … Store Security Logs and Watch for Unusual Behavior
30:18 … Security is Your Responsibility
31:09 … External Cybersecurity
32:25 … Concerning Emerging Technologies
34:31 … Evolving Cybersecurity Threats
36:32 … Get in Touch with Andy
37:38 … Closing
ANDY SAUER: ...it’s very easy to look at cybersecurity concerns and think, that is not my problem.  We have a security team.  We have an IT team.  But I promise you when the compromise happens, the folks in the IT and cybersecurity teams are often focused on the technical and getting the systems back up.  They’re not particularly concerned about your specific project and your workload. You have to take that responsibility.
WENDY GROUNDS:  Hello, and welcome to Manage This, the podcast by project managers for project managers.  Thank you for joining us today.  My name is Wendy Grounds, and joining me is Bill Yates.  If you like what you hear, we’d love to hear from you.  You can leave us a comment on our website Velociteach.com, on social media, or whichever podcast listening app you use.
Today our guest is Andy Sauer.  Andy’s a cybersecurity leader who helps organizations build cybersecurity maturity.  Now, this was someone that Bill had been in touch with.
BILL YATES:  Yeah.  This is how I came across Andy.  I heard him speaking to a group of CEOs.  And what struck me was, okay, not only does he know cybersecurity, but he’s having an impact on this group.  I watched the CEOs taking notes, and some were texting.  It was funny, they were apologizing to Andy after his presentation.  “Hey, I wasn’t ignoring you.  You said something that struck me, so I was texting members of our team to see if we had done that yet.”  You know, I felt like, okay, for project managers, this is something we need to hear.  It’s something we need to be reminded of and raise our awareness.  So Andy’s going to be a great resource for that.
WENDY GROUNDS:  We talked to Don Hunt before on cybersecurity, and that was a few years ago.
BILL YATES:  Yes, yeah.
WENDY GROUNDS:  So I think it’s good that we retouch the topic again.
BILL YATES:  Right.
WENDY GROUNDS:  Hi, Andy.  Welcome to Manage This.  Thanks for joining us.
ANDY SAUER:  Hey, there.  Thanks for having me on.
Meet Andy
WENDY GROUNDS:  So tell us a little bit about your background in cybersecurity before we get into talking about this topic.  And something about your role at Sentinel Blue.
ANDY SAUER:  Sure.  I’m the CISO, the Chief Information Security Officer, for a small company called Sentinel Blue.  I’ve been in IT and cybersecurity for about 13 years, with the last five years really being focused in on cybersecurity, rather than IT.  Sentinel Blue is a cybersecurity services firm that works with small and medium-sized businesses, particularly in the U.S. defense industry.  And our main focus is really on building cybersecurity maturity for those businesses.  And cybersecurity maturity can mean many things, which I imagine we’ll get into here.
Raising Awareness of Cybersecurity for PMs
BILL YATES:  That’s true.  Yeah, I appreciate the fact that, Andy, you’ve worked with small and medium-size companies.  And like we were talking about before we started recording, I think that’s really powerful for our project managers because many times they’re looking at their situation like, okay, I have to run this like a CEO of a small company.  I need to run this project team.  I need to be responsible for their behaviors.  And there’s just a lot at stake with cybersecurity.
So we think, you know, the more we can talk about this topic and just raise awareness, it raises everybody’s game and helps them know.  Plus you’re on the cutting edge.  When I was thinking about, all right, Andy not only is in cybersecurity, but he’s doing this for defense contractors, that’s where the stakes are so high. 
ANDY SAUER:  I think, you know, your project managers might be often not thought about in a cybersecurity context in terms of their contributions and their responsibilities.  It’s often so focused on the guys like me, the technical guys and whatnot, where what you bring up, a PM’s basically a CEO of that project they’re managing.  And security is a major component that I’m excited to talk to the audience about.
A Case Study
BILL YATES:  Yeah.  I think maybe the best thing for us to do is to jump into a case study.  You’ve got one that we’ve talked about before.
ANDY SAUER:  Yeah, I do.
BILL YATES:  Walk us through that.  That’ll kind of give us a construct to build off of. 
ANDY SAUER:  Sure.  So everyone will have, you know, read about incidents in the news and whatnot.  But it can feel pretty distant when you read about what’s happening to Uber.  For small-medium businesses, Uber means nothing to us in terms of being able to relate to how things are run there.  So I’m going to share a story from a company that I worked with a couple of years ago, about two years ago.  They’re a defense contractor of about 500 to a thousand people.  They kind of ebb and flow.  A well-funded, doing well kind of contractor business, with an IT team, with a small security team, sort of all the things you want to see from an IT standpoint.  A mature company, making all the right moves.
And in the middle of 2020, on a summer night, on a Friday night, after everyone goes home, something happened, and Saturday morning everything’s down.  And all the alarm bells are going off, all the phones are ringing, including my personal phone.  On my way down to the beach, in fact, I got a call, a very panicked call from the IT director there and said, “Hey, you’ve done some work for us in the past and some cybersecurity consulting.  We’re having what we think is an incident.  Can you jump on and help us out?”  And I ended up spending the next several days of my beach vacation listening in on conference calls in the war room that was established to respond to this incident.
Now, they were hit by ransomware, which is something I think pretty much everyone in the business world has heard of at this point.  And you’ve heard some pretty horrific stories of businesses shutting doors.  Essentially what ransomware does is an attacker gets in, they drop some software in your environment, and that software encrypts your data.  And encryption’s going to prevent you from accessing it unless you basically have the key, the password to unlock it.  But the attackers have the password.  And the ransom is they drop some notes in there that say, “Hey, send us money, we’ll give you that password.”  And they hold your data for ransom.
And that’s what happened here.  They were being held for ransom to the amount of about a quarter million dollars in bitcoin.  All of their systems were down.  All of their backups that they had made were gone.  This affected all their locations.  They have several locations across the United States.  Pretty rough situation for them, and they ended up paying out that ransom.  So just like that, a quarter of a million dollars in cash gone from the business.  Then the attackers returned the key, but it’s often a gamble whether or not they’re going to.  These are criminals.  They don’t have any code to follow.  But in general, you know, they’ll return the key, which they did in this case.  But it was partially functional, so it didn’t get everything back up and running.
So this company still suffered several weeks of downtime of critical systems, bleeding into months of restore work where their IT team was completely wrapped up in this.  They had to bring in external consultants to help with all manner of things.  So in total, you know, when I spoke to him in the aftermath, it was somewhere around half a million dollars that was spent that they were able to track in terms of cash moving off their books.  The opportunity cost, the lost time, the lost trust in that business, the fact that they had to go to all their partners and say, “Hey, look, this happened to us.”  You know, a lot of that’s intangible, but meaningful.  So very serious for them.
Lessons Learned from a Cyber Attack
BILL YATES:  And the impact on the team, you know, I’m just thinking of that, too, Andy.  It’s so frustrating when your work gets stopped.  And you have to let the customer know, or you have to let somebody else, you know, many times there are external stakeholders.  And it’s just such a point of frustration for the entire company.  So you’re right, that opportunity cost, it’s hard to put a dollar amount on that.  So talk us through what are some of the lessons learned from this particular incident.
ANDY SAUER:  Sure.  So I think maybe the smartest thing to kind of go through is the sequence of events.  And, you know, what started as something that could be small and contained, exploded into this giant thing,
Manage This - The Project Management Podcast, by Velociteach