
When binaries break and what that means for enterprise technology

An interview with Charlie Lewis

Charlie Lewis is one of my favorite colleagues. He was a soldier-intellectual who taught at West Point’s storied Department of Social Sciences. Now he’s a technologist-intellectual who helps important institutions manage technology risk.

This episode talks about a world where old boundaries seem to be disappearing:

  • Between the intellectual and the practical worlds, as we need to apply theoretical knowledge almost as soon as it’s developed

  • Between the sciences and the humanities — senior executives need to draw on both

  • Between the business and the technology domains — as companies connect everything to a network

  • Between strategy and execution — as companies set up closed loops between ambitious plans and granular improvement levers

  • Between the world of commerce and the world of geopolitics, as non-state actors may attack commercial enterprises for strategic reasons


From the 101st to McKinsey

James Kaplan: Welcome to the Prosaic Times video podcast. One of my very favorite colleagues, Charlie Lewis, is joining us today. Charlie, can you introduce yourself and tell us a little bit about your professional journey from the U.S. Army to McKinsey?

Charlie Lewis: James, you covered it all right there. But no, it’s truly an honor to be here, James. I think, you know, I’ve loved getting a chance to work with you over the last eight years or so. But, you know, I am in the fortunate position now where I get to help our clients think about how they address their most critical security challenges across a variety of industries, mainly banking, but also critical infrastructure.

You know, as you think about the utilities and energy, we think about life science and medical technology, and we think about broader healthcare. So really that’s what frames, you know, sort of the day-to-day life and what our requirements are within there. And I get to do this as sort of the leader of our service line in cyber in North America and Europe.

And I’ve been at the firm for about, as I just said, eight years, and before that I was in the US Army. And while I was in the Army, I started as an artillery officer with the 101st Airborne Division, with a Ranger tab. So, you know, a lot of esprit de corps within that organization.

And then I had the fortunate opportunity to go to Harvard Kennedy School, where I learned from Eric Rosenbach and Richard Clarke on cyber war and terrorism. And then I ended up teaching in the Department of Social Sciences at West Point. And at the time, three of the core leaders in that department had worked with General Alexander to help stand up Cyber Command.

It was Colonel Suzanne Nielsen, who was the deputy head and then just retired as the head of the department; now-Colonel Heidi Brockman Deist, who is now the head of the department; and Scott Handler. You may not know Scott Handler, but he is close to us because of Stephanie Handler, his partner and wife, who is now a partner in a law firm and was one of our cyber legal folks.

And actually, they’re very close to the Reserves as well, because Maura and Stephanie Handler went through The Basic School together in the Marines. But I was able to be with them, and the Army stood up the cyber branch, and as I thought about it at the time, it was: is artillery the right spot for me to be long term?

Or how do I think about the evolving nature of warfare, and where sort of the core shaping of the battlefield, the intelligence around the battlefield, sits? What do I need to defend? And then how do we think about influencing operations prior to actually getting in there, and being able to conduct operations in a way that doesn’t put, you know, humans and Americans and our allies in harm’s way. And so I switched to cyber when I was down at Fort Gordon, helping stand up their sort of leader course down there. I realized that there’s a lot more to do in cyber than just from a defensive standpoint, and that led me through the interview process and to McKinsey.

James Kaplan: Fantastic. I’m glad you brought up Stephanie Handler. I should drop her a note. She was one of the most — I hadn’t realized she went to basic school with Maura — but Stephanie I always thought was one of the most thoughtful people I’ve ever encountered on the intersection of legal issues in cybersecurity.

Charlie Lewis: I agree. And she’s catching a little bit of a stray here, right, but I hope it’s a good, positive stray on this one. But she’s been really good at it, right? And, you know, it wasn’t easy, right? At the time, it was COVID. We were doing a lot of the more advanced technical testing at the time, which required her input and support, and making sure that we were protecting our clients and the firm the most.

And so there were many weekend and late-night calls with her as we were getting the work going.

James Kaplan: And I’m also — you know, a chuckle, not chuckle — I’m glad you brought up Eric Rosenbach. When Tucker Bailey and I were doing the research that became the book Beyond Cybersecurity, Eric was very generous with his time.

Charlie Lewis: He’s been great. I remember there were some individuals who had unfortunately ended up in the US that we had, you know, that we had arrested in Iraq, and I had to go meet with folks, and Eric had given me some advice and all of that guidance. And I think that Richard Clarke would be a little upset if I

also didn’t highlight that he was a faculty member who gave us his book for free — the Cyber War book — which still sits above my left shoulder up there. Actually, oddly enough, if you look, you have Cyber War right here,

and then you have Beyond Cybersecurity right up there. So,

Oh, I take the dust jacket off ‘cause it is a cleaner look with just the black. And that is, it’s sometimes a bit more about form than function for me. So.


Soldier-intellectual, technologist-intellectual

James Kaplan: So here’s one of the things I wanted to cover today, why I especially want to have you on the podcast. You know, many years ago I read the book The Fourth Star about the Department of Social Sciences in the U.S. Army. One of the reasons I find you especially intriguing, Charlie — you’re interesting — is you’ve gone from being what I would describe as a soldier-intellectual to being a technologist-intellectual. Right. I find that to be an especially interesting transition, and I just wonder if you could reflect a bit for us about what it means to be a soldier-intellectual.

What the transition to being a technologist-intellectual means, and what intellectual inquiry means in the Army and what it means in the private sector, and how that differs a little bit. So I realize that’s a lot.

Charlie Lewis: That’s a weighty question that we would, you know, teach to our cadets in a lab. For me, I think there’s one sort of through line on all of those, and it’s what it means to be a professional, right? And so you could anchor in, you know,

you could anchor in Huntington’s sort of definition of it: the liberal arts education, the continued learning and what that requires. You know, you could anchor into even where I think a really good example of this is, in the medical profession. And I grew up with two parents in that: my father, a pediatrician, my mother, a pediatric nurse practitioner, and their sort of continued need to learn and the requirements that they had to have to learn.

And then broadly, if you think about the profession of consulting and what that means, and the academic requirements and the intellectual curiosity that I think we need to have. You know, I think being in, and it’s no longer there, but the hallways in Lincoln Hall at West Point at the time were sort of, you know, a place where we could have large debates and some big thinking about what is the future of the force, and how do we think about the future of the force, and the freedom to study what

we needed to study. I studied the impact of military voting on local election officials with Dr. Rachel Sondheimer. I wrote about social capital and the impact that it has on the military force, in our ability to come together and work cohesively as a unit. But then there was some broader thinking that existed.

Right. Learning to Eat Soup with a Knife by Dr. John Nagl, right? Sort of the core foundation before the field manual on counterinsurgency was written by a social scientist, and there was just frequent debate, you know? And then how we actually think about the talent and the human capital management within the force.

Those ideas came out of a joint venture between the Army G-1 and the Department of Social Sciences, with OEMA, the Office of Economic and Manpower Analysis. Right. And there’s just so much brain power that sat in there. And, you know, we’d have Thursday afternoon debates on the Oxford comma. I don’t think there’s, you know, many units in the Army like that, but it was a bunch of folks who were super professional, who understood what they were doing there, sort of teaching the future leaders of the Army, who all had combat experience.

Right. Most of us had either commissioned right before 9/11 or, you know, within the three years after 9/11. I think the least amount of deployed time in that group was like 27, 28 months of time overseas. And so it was just great to be able to have that. But the ability to go back and think and broaden and understand what your profession does, I think that’s

core to the military. You think about Army Futures Command, you think about sort of the broader strategist position, the ORSA positions; all of this sort of thinking and engagement with the broader community allows you to, you know, understand a bit of the broader impacts, right, and think more strategically about what could happen.

And that intellectual power is sort of a bit of what I’ve tried to take and what I’ve found a lot at the firm, in terms of thinking from a technologist standpoint. I get it — you know, I just got back from RSA; it’s nerve-wracking to try to stay ahead of the threat and the changes that are there, right?

Because it’s no longer, you can no longer, you have to, like I am: folks have to be super technical in identity and access management.

Right, but it — you used to get really deep on a specific technology and a specific component of that, but now we’ve gotta think about how that plays into the broader agentic landscape and what you need to do around identity and making sure that you meet the autonomy, the capability, and the controls that need to get put in place there.

But how do you learn? You have to read, you have to study, and you also have to do, right? I think that’s one, you know, a bit of a difference here on the intellectual curiosity, right? You have to be able to play with the toys, understand what it is, so you can explain some of those difficulties to clients as they go forward.


Tinkering, agents, and evidence

James Kaplan: You know, one of the things to me is, in the business world, sometimes it feels like technology is the most intellectually forward-looking of the business functions. Right. And then within technology, cybersecurity, you know, that feels like the most intellectually on-the-front-foot domain, you know, within enterprise technology. And it’s a domain where people are constantly experimenting and also constantly trying to engage with, you know, the academic community in order to stay ahead of the threat.

Charlie Lewis: I know there are a few academic articles that are out there, right. And I think this is an interesting place, ‘cause the academics get to do some of the testing, and it’s really about the impact of agentic AI on security. And then one about, you know, more broadly around,

you know, LLM security, and really thinking about what the various attack paths and the risks could be and how they get implemented, right? So we’re taking that at the exact same time we’re looking at technology that’s being implemented, and it is a fascinating blend, right? And you have to have the researcher angle that goes in there.

I’ve seen more organizations start to stand up an innovation and research arm, right? A group of sort of researchers, or a leader who can pull in others. I also think there’s a talent incentive there too, right? There’s sort of a constant tinkering, where I go back to the videos you and I have shared about tinkering, or when my Harley died and I was able to get that back up and running and how proud I was of myself, right?

There’s a bit of a tinkering that goes on in here. And you have to have the patience, right? The same way that, I’m a geography major, so, right. But I remember my roommate, who was a CS minor, right? And how much tinkering they would have to do. I would always go to bed early ‘cause I was, you know, we called it “dirt.”

I was a “people dirt,” human regional geography major, right? But my roommate would keep tinkering, right? And that’s sort of the mindset. And so I think there’s always this desire to tinker and get better. And that fits a bit into the innovation side, right?

And I think that any CISO or security organization that is sort of resting on their laurels or previous success is going to find themselves behind a little bit. And I also think there has to be that communication, right? I think about the difference between a brand new technology environment and where I spend a lot of my time — legacy, overly complex environments, potentially IT, OT, multiple global systems, maybe four or five different identity programs in place.

A horrendous IT asset management program with an incorrect and out-of-date CMDB, right? So sometimes it’s that education, but it’s also understanding what the foundational requirements are to be able to move forward, too. And security folks are pretty good at understanding that, right? Where we stink is communicating the value of that to the business, and why they have to invest in that if they wanna continue to grow and scale.

And I think now security folks have to be able to do that, and then explain why. There’s an argument that I think we could make that the first use case for agentic deployment in any organization should be security, right? And you say, why does it need to be security? And it’s because that’s where the hackers are going, right?

We’ve seen that with Truffle Security in their report on what they were able to do with a Claude agent. We’ve seen this on what has been built out in terms of the Microsoft sort of attack path with an agentic attack path; we’ve seen novel attack paths for legacy vulns. And so now I actually think there’s the real value there in getting ahead of it.

‘Cause if you don’t start now, you’re gonna lose. And the only way that you can keep the value you want going forward is to have that security on the back end to sort of protect the folks coming in as the business pushes out.

James Kaplan: There’s one thing you said a couple of minutes ago that I just wanted to emphasize about tinkering and the patience required for tinkering. And as someone who — you know, personally — maybe has the patience of a fruit fly, I’m so excited now because the patience required for tinkering has gone down, right? You know, the tools help you with the syntax — think about the underlying issues more — and therefore reduce the barrier to tinkering and, you know, sort of — I don’t wanna say democratize — it’s tinkering because it allows more senior people to tinker more, but allows maybe people who might have, like myself, who might have said, oh, God, I don’t have time for this, I gotta go write this memo — to get their fingers back on the keyboard in a way that’s, you know, very constructive along multiple dimensions.

Charlie Lewis: Mm-hmm. You’ve worked enough with me to know that my level of patience is slim to nil, right. Like, you know, I try to make my life as efficient as possible. You know, to include even, like, sitting in the same seat every flight on an airplane, if I’m able to, right.

And that way I don’t have to choose. And I think that the tinkering allows us, there is no excuse now to not tinker. There is no excuse, because it is just so easy, right. And I think, like, the first thing I will do, no matter what, is just, like we’ve built, right, task and research agents, right?

Super easy, super basic to build them. It’s a 15-to-20-minute upfront investment. One of my buddies says, how’d you write a good prompt? I was like, I asked ChatGPT to write me the prompt that I want, and then I go and I edit it. But they can write phenomenal prompts, and that saves me a bunch of time.

And then I run that prompt, and then I start building out, like, the GPT in ChatGPT. And, you know, now we’ve got Gemini and the rest of the stack — it’s super easy to build an agent within there. And so it makes life just a lot easier, and it’s fun just to see small changes in how you can get the right output that can come from it, and it can improve an output, it can improve everything you need.

And for me, you know, I think one of the best things that we’ve done is, one of our colleagues, Jose, found an entire GitHub repository that had, like, every 2024 threat report that was out there, right? We downloaded it. I was like, oh, this could be great for the practice to understand what the threats are by industry, by

threat actor, by region, et cetera. We pulled that in, but I had to fiddle around with it, learn the instructions on how to be able to do it, and zip ‘em and, you know, extract from the zip, and do it right. And it took me 30 minutes, 45 minutes to be able to do it on a Friday. But it has probably saved us hours of time and has given better answers to our clients when they’ve asked.

James Kaplan: And you were touching on one of the important themes to me, which is the power of using AI to convert unstructured text to structured data, which you can synthesize, analyze, and act on much more effectively.

Charlie Lewis: Correct. And you’ve gotta check it, right? And I think one of the things I’ve learned from you and from Rich is how to build in the checks that go into there to make sure it’s right. You can’t just assume that all the data is right — you should never assume the data is right. Right? Like, look at a footnote.

Go to the source, and read the source, right? My students used to be like, well, where do I find all these sources? And I was like, you can’t cite Wikipedia, but sometimes Wikipedia has pretty good sources, and all you need is one source from a Wikipedia page that then drives you into the original primary sources from there.

And then you’ve done a bit of your research, and now you’re able to do that as well. And if I have to do deep-type research on it, right, you are checking all of the sources. You’re making sure that the sources are correct, and it is just about asking. It’s learning how to ask better questions.

I use it with my daughter to teach her how to ask better questions.

James Kaplan: As I like to say, if your mother says she loves you, check it — as the old newspaper editors used to tell you.

Charlie Lewis: Yep.

James Kaplan: One of the phenomenal things about Wikipedia — it’s not that every sentence must be sourced, but sometimes it has sources. You know —

Charlie Lewis: That’s true. You can always check.

James Kaplan: And you and I have talked a little bit about how much I like the book Military Power: Explaining Victory and Defeat in Modern Battle by Stephen Biddle.

I love this concept of force employment. I think you are in some way describing force employment as applied to knowledge work. Everyone has access — Biddle said, at some point, many people may have access to the underlying technologies, but it takes discipline in an organization to apply them effectively in an integrated way. And you are describing, I think, how to apply a set of technologies that are available to pretty much everyone in a more integrated and disciplined way in the service of knowledge discovery, which I find really interesting.

Charlie Lewis: I think it’s fascinating the number of times that someone sends me a job description and it’s like, must have a BS in information technology or computer science, and I just cut that out, right? And it’s like, I don’t care about that, right? Because what you learned in CS50, while it’s good from a foundational standpoint, when you’re moving out into the cyber world, what you learned in that,

you know, over those four years, at this stage, what you learned four weeks ago may be out of date. And so you wanna be able to build and scale and have a team that’ll learn and doesn’t wanna just rest, right? Like the question, you know, what do you do in your free time? Right? Where are you focused?

Are you sitting down, just wasting time and scrolling through something on a plane, or, like you, right, you were running a workflow on, you know, your flight from London to LA, right? And so what are you doing in the background and sort of the downtime to keep learning? And that’s what I tell clients to look for in people.

And the best example that I have is the first class of Cyber Basic Officer Leader Course graduates. Now, these folks, they take the core basic military training, so they’re going out to the range, they’re doing land navigation, right, but they’re also taking CISSP, right?

They’re taking CCNA. They’re taking a whole slew of SANS courses, because they have to get this training up and running. The top grad, the honor grad, was not a computer science grad from West Point, was not a computer science grad from an ROTC program, but was an economics major from the University of Central Florida.

Right. And he was able to do it because he understood the application of what we were learning in the class. And so I think a lot of the learning allows you to, there’s not just learning, it’s the actual application within your day-to-day that then creates that broader scale that you need to have.

And then allows for something you’ve taught me, which is sort of: always question, right? Always see, is there a slightly better way that we can do this? Is there an improved output that we can get because of it? Yes or no? Is it worth that investment? Most of the time it is, right? And then how do we get there, and how do we help our clients get there?


Humanities, ‘be human,’ and geopolitics

James Kaplan: There’s an interesting tension here. On the one hand, I had a good discussion with Associate Provost Michael Littman from Brown about this — that the principles of computer science are now more important than ever. You know, the syntax of this language versus that language, who cares — but principles around things like data modeling and abstraction are more central than they ever were. On the other hand, I think you’ve talked a little bit about how essential curiosity is, how people who may not have majored in computer science can get up to speed. You are a geography major; I’m a history major. Right. And —

Charlie Lewis: Rich is an English major.

James Kaplan: — and Rich is an English major. Okay. We gotta talk about that with Rich too. I was wondering if you could comment on the relevance of the humanities and the social sciences in a business and a technology context. And let’s face it, Rich is also incredibly technical and someone who has done technical stuff. So I was wondering — how do you think about integrating the culture of the sciences and the culture of the humanities, and what’s the relevance of the humanities and the social sciences in a technology context, in a business context?

Charlie Lewis: And I wanna be a bit, so, like, one: I was convinced to major in geography, and people geography, right? Again, the “people dirt.” And my EV203, so my Principles of Geography professor, right, at West Point when I was there, your sophomore year, everyone’s putting a sell on to get more majors.

More majors means more classes. More classes equals more, you know, faculty, more funding, more prestige. And, you know, he stood up in the class when we were picking our major, and he was like, if you like to look out the airplane window and wonder what people are doing down below, you might be a good, you know, human regional geography major.

And I was like, that’s it, right? That’s what I want to do, right? For me, there wasn’t much thought. I wanted to be a history major, right. Unfortunately, I had a bad experience in my first year of history at West Point, no offense to anyone who was there. I just had a bad experience, and it wasn’t where I wanted to go.

Same reason why, what pushed me into artillery, right? There were people I liked who went artillery, there were people I liked who went infantry, right? But the people I didn’t like also were infantry. Not the people, but the officers, right, who I had had a bit of a problem with, right. And I tend to flow with where I want it to go.

But I think, you know, as you think more broadly about the role of sort of the humanities within that space, and sort of more of the soft sciences, right? It’s the same reason why they’ve scaled and grown those majors at an engineering school like West Point: it’s the ability to critically think and analyze, right?

There is a structure that goes within there, and we can apply the same sort of structured thinking, the hypothesis testing, in a political science way, in a historical way, and even looking broadly at some of, say, the logic arguments in philosophy, and apply those specifically to life in general, and then understanding there.

And I think, you know, there is a ton of value in the foundational learning, right? The firm just, you know, hired someone who was a physics and philosophy major at West Point. I asked him, when I taught him at West Point, why are you doing those two? And he said, because if I understand the foundations, I can do better at understanding everything else.

And I think there’s a clear, you know, fundamental thinking behind that. But the humanities, to me, provide that broader thinking and that broader understanding. And, you know, I’ve been telling people frequently: in a world where everything is becoming a robot, be human, right? And I think that a lot of times being a human requires the humanities, and a bit of an understanding within there, and the application and the impact that something could have on the world.

And that’s where I think, when you get to thinking about where we are in terms of technology now, it’s like, what is the impact it can have on a business? Is this good or bad? Right? What is the impact that this can have on the society that the business serves? Is this good or bad? Right? And for me, I spend my time trying to stop the bad that’s impacting society by improving, you know, the defenses that a business may have.

And, like, you know, businesses are fighting nation states right now, right. And businesses are fighting, you know, international criminal syndicates that you would never think would wanna go after a paper company, right, or a drink company, or anything like that, or a small town. But they are, because they can make money off of it.

James Kaplan: Well, okay, let’s lean into the history a little bit. You made an interesting point: we’ve seen, you know, compared to, say, the Cold War era — or maybe even the post–Cold War — much less of a hard line between the world of geopolitics and the world of business, or, as you point out, we have non-state actors with geopolitical aspirations engaging in conflict with, you know, private sector institutions.

Right. You know, this was not what we’re used to, but it’s not historically unprecedented, right? If you think about the history of the East India Company, you think about the history of privateering. You know, you go back a couple of hundred years and there was, you know, at that point a much blurrier line between the world of geopolitics and the world of commerce.

Charlie Lewis: Like I, I think, I, you know, like I enjoy reading, even though I live in coastal Connecticut and look goofy in cowboy boots in a cowboy hat, right? Like, I like reading about Western expansion and, and one of ‘em is, you know, read a book recently on fur trading, right? And the impact that, and the success that American Fur Traders had.

Keeping like the Canadians in really Hudson Bay out of sort of the northwest of the US and, and, and sort of that broader view when you think about just these, these men, these like they were men at the time, but like rough men who went out and basically. Didn’t think they were conquering territory, but they were conquering territory for, for a business end and sort of to own that business globally when it came to the broader fur trading.

Right now, they, they basically worked themselves out. There was not a conservationist thing, it was just make as much money as I possibly could. Exceptionally violent, all of that, right? But they were, they were. Private citizens that were going out and conducting business on their own and getting into conflict on their own.

With, with, with, you know, the Native Americans at the time, same exact thing with some of the, the privateering from ships, right? And like what you find on like the Treasure Coast and in, in Florida and the potential of gold still rolling up there in some of those requirements. and so I think that.

The, the difference now though is this is one, it’s not nearly as visible. Right. Like it is very hard to, to see and understand what this means. I think about the various, you know, volt and, and salt typhoon and what that means for our society, right? And really going and targeting core telcos and core utilities within the United States.

So it’s one, it’s not visible, and two, the scale is just massive, right? Like previously, those fur traders had to go out to California, in Oregon, in Washington, right now, someone could sit in Eastern Europe or Asia or anywhere that they wanna sit and still be able to conduct operations. Where, wherever they’re able to, and then now when you build in the ability to build agents to go out and do that one, it’s faster.

And two, you can build sort of robotic, you know, robotic armies that are operating in, in, in terms of ones and zeros through. Through what we use for, to communicate all the time, and it that becomes just an avenue of, of, of approach and an avenue for them to get into the environment in a scale that, like I, you know, you’ve had Phil Venables on here, he talked about it in his recent blog coming out of, o out, out of RSA, right?

Like it is just. I think there’s just a, a nervousness within the security community about like what is gonna happen in the next six months. Right? And look, in February we’re talking about what’s gonna happen over the next year. Right. You know, and now we’re a month later and it’s like, it’s here. It’s not the next year.

And so now everyone's trying to tighten the timeline down a bit. Not to sound too spooky, but it really could be tomorrow, right? And I think that's the scariness, and how do you, not get ahead, but get up to speed?


When binaries break

James Kaplan: You know, if I were to take a step back and synthesize the discussion we're having, the theme is one of blurring lines, right? We talked about the blurring of lines between the academy and the intellectual world and the business world. We've talked at some level, I don't know whether it's the blurring of lines or the overlap, between the sciences, the social sciences, and the humanities, how important the humanities are for applying, you know, computer science, for example, effectively. Now we've talked about the blurring of lines between the geopolitical world and the commercial world, right? At least in the current tier. I was wondering, and yes, I admit this is a bit of a weighty question, if you just take a step back: how should a CISO or a CIO think about this? We have this world with many fewer binaries, and what does that mean for a leader who is trying to translate all this uncertainty into practical action?

Charlie Lewis: You know, that is the million, or in many companies' cases the billion-dollar, question. And I think it really comes down to, I know, I know, I think there's sort of a structured flow that I try to think about when having these conversations, and it's imperfect, right?

The conversations have to happen at the C-suite level, right? And we try to get into those as much as possible, and you have to be able to. I actually get really nervous when I talk to a client and they're trying to hire a CISO, like, "I want a really technical person who's worried about the inside, doesn't have a lot of broad engagement," right?

And I'm like, you need that technical person, plus you need someone who can communicate to the business. Plus, if you sell something, you need someone that customers can talk to and feel confident that you're securing their product, right? And so I think broadly that the leadership of a business has to look at not just technology now, but security of the business.

"As a core business enabler" is a cheap way to say it, but as a core component of the business, right? You wouldn't run a business without investing in HR. You wouldn't run a business without investing in your finance arm, right? You need to do the exact same thing from a security standpoint and make sure that it is treated with that level of importance and as a critical component.

But the way you have to do that, from a C-suite or from a CIO or a CSO talking, right, is one, it's critical to outline what the requirements to run the business are, right? Phil will talk about the minimum viable organization, right? And so, what is critical to run that broad business? You have to have the engagement with business leaders and say, for you to conduct your operations, what are the three applications, the four applications you need?

What is that process? All right, great, I've now gone through there. What this actually means for you is I have to maintain and prioritize the following pieces of infrastructure, right? Down to the load balancer level, so you as a business person understand what that is, and then you say, here's where we're performing against what our expectations are.

So you have to work with the business to say, what is your risk appetite? This is what you and I spent a lot of time on before, right? What amount of risk are you willing to take on? How long are you willing to be down? Right. How much data are you willing to lose, right? What are you thinking about from a reputational and trust standpoint?

Now, from an integrity standpoint, we used to not talk much about integrity. Now, data poisoning, data leakage broadly throughout IT, that's a massive risk, right? And then you have to frame that, and what that investment is, in what it means to the business, right? So it's not, oh, we have risk of ransomware, or we have risk of, you know,

X number of apps don't have MFA. That doesn't mean anything, right? What it really means is, unless we implement this, I actually think we're not within our risk appetite for disruption of a standard operation. Look, there are extremes, and you're not going to solve for those, right?

You're not going to solve for those. But if you're able to bring all of that together and have that conversation across the business one-on-one, show them what they actually use from a technology standpoint to get their work done, show them what that requires all the way down, then, right, that gives you a good opportunity to get your CMDB up and running.

To make sure that your IT asset management program is good, that you can run through business continuity plans, right? And if, God forbid, something happens and you are disrupted, from a tech resilience standpoint, which we've seen in some of the largest banks, to ransomware, which we're all much more familiar with, I think you understand what the recovery process is and what the order is to get everything up and running.

James Kaplan: I hear you, Charlie. If I play this back, I'm proposing the destruction of another binary, between the strategic and the tactical. If I hear what you're saying, you need both, to connect all the dots, right? To engage as a systems thinker who can connect the business to the architecture, to the controls, to the security operations. And at the same time, you need to translate those implications down into a set of actions that will change the nature of the environment. You know, okay, we've thought about all these things, and this means we have to do this about the web application firewall or this about which data we encrypt.

Charlie Lewis: Exactly, or even where you are running or storing your data, if you have that level of fidelity: on a server in a data center in one country or one region versus another, making sure you have that. You know, and there are little things too, right? Everyone wants to offshore all their work right now, and,

great, tons of cost savings, right? There is good opportunity, a ridiculous amount of talent, where everyone wants to offshore in India, right? But what they're doing is they're offshoring the, what's that?

James Kaplan: Vietnam, Latin America,

Charlie Lewis: Eastern Europe, right. Vietnam, the Philippines, Uruguay, right. Mexico City, San José, right.

There's a ton there, right. But most organizations are just thinking about it in one spot, the opposite side of the globe. And they also don't think about, what does that mean if the people go down, right? If something happens and their systems are down.

We worry about hurricanes in the southeast of the US, right?

You've got to worry about, you know, a large range: you potentially have to worry about flooding and power issues, right? And so how are you thinking structurally? Like you said, operations: strategically we're making this decision, technically and tactically this means this, and then operationally, like you said, there's that little piece in there, and how do I connect those to make sure that we're prioritizing? And the other thing that

tech teams and CISOs need to be aware of, right, is there's a lot of technology, it's not shadow IT, right, but there's a lot of technology that the business owns that does not get managed as well or in the same exact way as what the technology team and the security team own, and you have to do more now than just the annual manual attestation of where that is, what it is, what it's used for.

Does it have the controls, and where does it sit? You have to have those conversations if anything moves or priorities change, and that has to be more continuous, or at least more frequent, than, you know, once a year.

James Kaplan: That's another binary that's being blown up, between what is IT and what is not IT.

Charlie Lewis: Correct.

James Kaplan: More things get connected to the network, and an operating theater is part of your technology environment. A factory line is part of your technology environment.

Charlie Lewis: Yep.

James Kaplan: A bench in a lab in a pharmaceutical company is part of your technology environment.

The vending machines in a break room are part of your technology environment.

Charlie Lewis: The conference rooms, right. It's all there. And in fact you could say, if you think broadly on the security side, your ID badge, right? Where can my ID badge get me into? That's part of the technology, because as soon as someone can get in, they can figure out how to get around and they can see a lot more.

I can learn a ton about what's going on just by getting into a business, right. And we look for the badge, not the face, right.

James Kaplan: Okay, Charlie, anything else? We've covered a ton, and there's a ton we haven't covered. We only

Charlie Lewis: I know, you didn't mention constructivism, but that's fine, because that's for another conversation.

I think that's been blown away anyway, so

James Kaplan: We drove by and waved at Samuel Huntington, but didn't stop to talk about him.

But anything else that you want to cover in this discussion? Any last thoughts you want to leave people with?

Charlie Lewis: I am obviously biased because I love what I do, right? I love security, right? And I think that being a good security professional means I need to understand the business, I have to understand the technology, and then I have to be able to protect both of them, and find ways to also help them achieve what they need to achieve.

The push towards agentic AI is making for security operators, one, understanding how they secure their own internal environment and what is being built, so the business is able to achieve what they want to and that doesn't slow them down. And there's tons of good opportunity there, specifically around the development life cycle, right?

The various security checks will start being run by agents, and you just have sort of a QA towards the tail end, and that's awesome, right? You can run threat modeling much faster, more effectively, right? But it also means that the threat actor is coming, and this is changing the vulnerability landscape and requiring an entire review of what used to be a low vuln or a medium vuln: is it now potentially a critical vuln?

And there has to be thinking about what this requires, and security teams should start investing now and anticipating it, because if it happens before you're ready, right, there's very little chance that you can catch up effectively without a ton of spend or additional risk of threats being realized.

James Kaplan: So let's close with one final question that's even more serious than vulnerability management. When I spoke with Rich, he said the Hartford Whalers would beat the Buffalo Bills at shuffleboard. Let's say the game was Scrabble, okay? The Buffalo Bills versus the Hartford Whalers at Scrabble, who wins?

Charlie Lewis: Bills. First off, the Hartford Whalers don't exist anymore.

James Kaplan: Well, the...

Charlie Lewis: I’m just gonna be very objective on this one. Right. The NFL has rules on how far you have to go in college before you can play professionally, whereas the NHL does not.

So I'm going to go back against what I said before, because I also believe security folks don't need a degree. But in a world where you're comparing those two, right, I think that having to get into college and go through college will roll with that one.

Plus, Josh Allen, you know, brilliant human being, and so he's able to go there. But I also just want to say that the first ever professional hockey game I went to was the Buffalo Sabres versus the Hartford Whalers. And again, that's why, above your book over there, I have a Pat LaFontaine. To be frank, I don't remember who won, but I remember standing on the boards, and some Hartford Whaler took a slap shot right at the board, and the puck would've

hit me right in the face. And so I've always had a bit of a negative view on that one, even though I live in Connecticut.

James Kaplan: The first professional sports event I attended was the Yankees versus the Oakland A's in 1978. The Yankees won, and it was less violent. Nobody, there were no slap shots aimed at the

Charlie Lewis: No, hockey, I love that sport. It is an incredible sport. The movement, it is a beautiful sport, I think. But I also can never let Rich win anything. So that's,

that's the core.

James Kaplan: We’ll have to have the two of you on together. You can debate

Charlie Lewis: I could. I knew I couldn't compete with his microphone the last time, so that's why I couldn't join.

James Kaplan: That is exactly true.

Thank you.

Charlie Lewis: Thank you, James.
