Greg Crabb, One Night in Bangkok
Buckle up for this week’s episode because it is quite a ride! Greg Crabb, founder of TenEight Cyber and former CISO for the United States Postal Service. He shares insights from his more than 25 years in law enforcement and bringing cyber criminals to justice.
Hear perspective on CISO best practices for a 630k+ employee organization with 43k facilities and 160 million daily delivery points and how he took a 40-person cyber team to 600 in just a few years.
Also learn how his team partnered with CISA to secure the 2020 U.S. election, how postal inspectors serve as first responders (hint: anthrax vs cornstarch), the importance of identifying and quantifying risk for your organization today and the DevSecOps opportunity ahead.
Greg Crabb, One Night in Bangkok
[01:29]Greg Crabb, The Protector of Digital Assets
Rachael: We have Greg Crabb who is the former chief information security officer for the United States Postal Service. I do want to preface this, people don't realize how big that is. 630,000 employees, 34,000 facilities, and 160 million delivery points daily. He was working with a team of 600 cybersecurity workers.
Rachael: He was also, for 21 years, the U.S. Postal Service inspector general. He’s the founder of TenEight which provides CISO expertise to organizations to help them protect their digital assets today. Welcome to the podcast, Greg.
Greg: Oh, it's great to be here. Thank you, Rachael and Eric, I'm really excited to share my experiences. Now that I'm retired, all I've got is good, old war stories. So I'm here to talk about the good old days and what it means to cybersecurity.
Rachael: Love it.
Eric: So Greg, you started with the post office when? Quite a bit of experience here.
Greg: When you retire with 30 years of creditable service, it was somewhere in the mid-nineties where I started with the Postal Service. I had a great career as a federal law enforcement officer with the Postal Inspection Service. And I was just grateful for the last six years to be the chief information security officer for the post office.
Eric: You've been bet-busting bad people. I almost said bad guys, but keep it. You've been taking care of the bad people for 30 years.
Chasing Eastern European Organized Cyber Crime
Greg: It was a great career. The first four years of my career, I wasn't an investigator. I was an auditor. But the last 26, spent a lot of time chasing Eastern European organized cybercrime. That was where I got my experience relative to cybersecurity.
Eric: You've got a good bit in the Eastern European area where they're probably some of the best in the world at cybercrime.
Greg: Yes, it was amazing. I started my first Eastern European organized cybercrime case in 2000 and the U.S. Attorney's office. At the time I was based in San Francisco and working with the U.S. Attorney's office in San Jose. They asked me to work on a case involving the shipment of counterfeit software into the United States. Back in the day, companies actually used to put their software on CDs and you had to mail those things around the country.
Eric: I'm thinking about the AOL CDs now. I know that's not what you're talking about.
Greg: Back in the day. So one of the big victims there in the Bay Area was Adobe. And so Adobe's investigators, I worked very closely with them in the U.S. Attorney's office to try to protect the copywriting of their products. The materials were coming in from the Ukraine and I spent three years trying to work the case. We were able to target the specific individual. He had set up a bunch of financial intermediaries to launder money all over the United States. His primary distribution method was through fraudulent eBay auctions.
The First Person to Take Over eBay Accounts
Greg: He was actually the first person to ever take over eBay accounts and run fraudulent auctions with them. So he advanced from selling counterfeit software to actually putting up computer equipment fraudulently on the eBay site. He would take over power seller accounts. And then run these false auctions and get people to wire him thousands of dollars all over the world.
Greg: I was able to get a wiretap on his email communications, which was pretty cool. He had like 30 to 40,000 of those email messages. It really detailed and propelled me into an unbelievable investigation activity in an Eastern European organized crime. But we were ultimately able to get him arrested in May of 2003 in Bangkok. That was a great end to a very difficult investigation. I got an opportunity to interview him there and testify in Thai court in his extradition hearing. It was a fun time.
Eric: So he was extradited to the U.S.?
Eric: Is that the gentleman who had the rough night in the Bangkok prison?
Greg: He did.
Eric: That's too bad. I feel really heartbroken.
Greg: So the subject, he was amazed that U.S. law enforcement had come around the world to capture him.
Eric: And he's Ukrainian.
Greg: Yes, he's Ukrainian. His name's Maxime Kovalchuk from Ternopil Ukraine. Maxime, the night of his arrest, he thought he was like Frank Abagnale. That U.S. law enforcement had come halfway around the world in order to be able to apprehend him. He spent one night in Bangkok prison, and we went to interview him and he wasn't cooperative.
How the Cyber Story of Greg Crabb Started
Greg: I'll never forget. A little foreign service national that worked for the U.S. Secret Service was accompanying us in the interview. She was 4'10", about a hundred pounds soaking wet.
Eric: This is where it gets good.
Greg: He just does not want to cooperate with us. She goes up to him and she says, "You remember last night? I make it a thousand times worse”. And poor Maxime starts crying and spills everything about the organized group that he's part of and how he executed these schemes. It was too much, I have to say, but one night in Bangkok made a hard man humble.
Eric: Your cyber story begins from there. I actually had an eBay transaction. It might've been an AOL transaction back in the day. I bought a $400 coffee mug. It was supposed to be a hard drive. I was building my own computers back in those days, and I got this $400 coffee mug instead of a hard drive. Clearly mail fraud. And they mailed it to me.
Eric: So I opened up a case with the post office, but I never heard. So hopefully it was my Ukrainian friend, and you did me a favor. I don't know. That would have been probably eight years later. But got the nice AOL coffee mug instead of the whatever Maxtor or whatever hard drive it would have been.
Greg: Sorry about that.
Rachael: You still have it, at least? I mean, if you paid $400 for it.
Eric: No, it was a generic coffee mug. I guess they had to prove they shipped something.
Greg: That was so they would release the PayPal funds.
[09:18] A Whole History of Cyber Crime
Eric: That was well before PayPal. I mean, that was probably '94, if I had to take it, that was my first time getting-
Greg: That was early on.
Eric: It was really early. If you want to call it cybercrime, but then you are the assistant director of economic crimes at Interpol. I mean, you've got a whole history here of cybercrime and chasing the bad guys down globally. What makes you go to become a CISO?
Greg: So significant emotional events occur in a company's lifecycle. And in 2014, the Postal Service was victim to a mass data compromise. At the time, I was responsible for global cyber investigations with the Postal Service. I had a couple of other hats that I wore around global security. But at the time, and when all the employee data of the organization is compromised, they need someone to come in and really lead the charge.
Greg: So I was responsible for the investigative, as well as consequence management and remediation activities for the organization. It was a tough time for the Postal Service. As you can imagine, there's a lot of coordination that needs to be made in that particular situation. And it really opened me up to work with a number of organizations that I'm proud of the relationships that we've developed today. CISO was one of them.
Greg: So at the time it was U.S. Cert and they helped lead the incident response activities and worked very closely with guys like Chris Futerra. Chris was actually the incident lead on the case. He had been at U.S. Cert for a year at that time and I'm really grateful for him and the whole CISO team.
Greg Crabb as Chief Information Officer
Greg: As well as working with the FBI and the intelligence community to understand everything that had happened and why. So we acted quickly. We identified the mass data compromise in late October. We had to remediate before the Christmas rush in 2014 and coordinate with a lot of different parties. You can imagine all that's necessary. We were able to do the remediation there over Veteran's Day weekend. That was really what propelled me into the opportunity to sit as chief information security officer.
Eric: So you moved from really worldwide responsibility where you're going out and apprehending the adversary in some way, shape or form to looking at global postal information security, really cybersecurity information security for the entire global enterprise?
Greg: Yes. So I went from being the hunter to the hunted.
Eric: I see what you're saying. Good point.
Greg: That was a very significant shift in my thinking. Obviously, having had the experience of going after Eastern European organized cyber crime helped me to understand what I needed to do. To be able to view my organization from a defensive perspective and build a capability. So when I inherited the information security practice, there were 20 employees and 20 contractor personnel. And really spent the next several years scaling up that capability to provide a robust cybersecurity practice for the organization.
Eric: Well, and it's not just the 600,000 employees, but you have offices, you have IOT device. You have devices everywhere.
Greg: Yes. So, for example, we didn't have a good idea of the amount of IOT infrastructure that we had. And so we went through a massive inventorying effort and identified the 66,000 SCADA systems.
A Proper Risk Management Practice
Greg: SCADA pieces of equipment that we have to move the mail in our 4,000 processing facilities around the country. You can just imagine everything else that's necessary in order to have a proper risk management practice within the organization. When I inherited the capability, it was the poor folks who had trouble handling it, lost and stolen device.
Greg: The incident response capability was sort of eight to five, Monday through Friday with a 30-minute lunch break. I built the incident response to be a 24 by 7, 365, 85 person capability. The cybersecurity operations capability, that organization is very robust now. But that's a lot of blood, sweat, and tears that goes into being able to properly scale an information security practice to a large federal enterprise.
Eric: So Greg, you come in, I think 2015?
Greg: Yes, 2015. 2014 is the event. 2015, I'm basically assigned to lead the information security practice.
Eric: You're now being hunted. You're responsible for the entire United States Postal Service Global Enterprise. You've now said, "Uh-oh, I'm being hunted here."
Eric: Okay. I mean, you took us through baselining, we've got 40 people, 20 contractors, 20 full-time. But how do you even get your head around? Where do you start? How do you prioritize? What do you think about this awesome promotion? I think it's a promotion. Now, honey, what do I do?
Greg: Yes, totally. And from my perspective, any CISO that goes into a new organization, they need to understand the risk equation and threats, vulnerabilities, business impact. Those are the most important characteristics or components that a chief information security officer really needs to attend to.
[16:36] A Massive Training and Awareness Campaign Manned by Greg Crabb
Greg: I understood the threat side of the equation much greater than most. But the vulnerability side was an area where I needed to really scale up and understand the 1.2 million technology assets that the organization had. As well as the 600,000 employees are, from a social engineering perspective, a massive vulnerability spot. So we went about a massive training and awareness campaign across the entire enterprise.
Greg: To teach them about not clicking on links in emails or all those kinds of things that you need to do, and then hardening the infrastructure and everything in between. And then business impact. The relationship that you have with the company is extremely important to understand the operational needs of the organization.
Greg: And how does the technology that the organization relies upon translate into business impacts? That's a discipline that really is core to understanding how to protect an organization. If you don't understand the business impacts of the technology that you depend on and how to prioritize those assets, it's extremely difficult to really meet the organizational needs for operational resilience.
Eric: Do you feel a lot of CISOs come in thinking about the risk profile and really need to understand this?
Greg: Unfortunately, no.
Eric: That would have been my answer.
Greg: Too many folks come up through the IT ranks and think about this as a technology problem. It has nothing to do with technology. This isn't a technology problem. I was helping a CEO of a company. He has a 350 employee construction company. And he was the victim of a business email compromise a couple of weeks ago, lost $150,000. That’s not a technology problem, that's a social engineering problem.
Not an IT Problem
Greg: And, he started off by saying, “Hey, I've got great IT. I outsourced all my IT to this particular company”. And I was like, "I'm sorry, but this is not an IT problem. We need to start by understanding your risk profile from a technology perspective and what we depend upon from a technology management perspective in order to be able to run your business. All the architectural design documents that you have and how you translate those architectural design documents into value for your company.”
Greg: Those are extremely important business processes. And so, as I tried to realign him around thinking about this problem, as more than just knowing that the IT assets are properly administered. I think we're starting to understand the importance of that human to computer interaction. And talking about two-factor authentication and what impacts that has on the company and all those kinds of things. So, that's just a good example of the types of challenges that organizations and as a culture we are trying to transform ourselves into understanding.
Eric: Sometimes I take it into the physical world for people. You talk about badging and fences and security cameras. I feel that it's just more tangible for them.
Greg: Yes. No, I love to use this example. So for a number of years I was responsible for global security for the Postal Service, from 2011 to 2014.
Eric: Physical security?
Greg: It was both physical and cyber. I had global security for the Postal Inspection Service.
Eric: Got it.
Greg: And in late 2010, Al-Qaeda AQAP on the Arabian peninsula had put some parcel bombs into the commercial mail stream and completely changed the profile of the problem set.
Working With The Global Postal Administrators Around the World
Greg: Most people know this today, is that their inability to carry water bottles through the security at airports. So they developed a technique that allowed for basically a liquid explosive. And so they placed this liquid explosive into a printer cartridge in a printer and had a couple of these into the UPS and FedEx streams. And completely changed our profile for how threats were going to be presented in the parcel stream.
Greg: And obviously TSA changed all of the security requirements at airports. But I had to go about working with global postal administrations around the world at that time. To be able to reconfigure how we did aviation screening, as well as the physical security at all of the offices of exchange. That's the points of departure within each country where postal items go into the mail stream or into the aviation stream. It was a massive effort and worked through the United Nations in order to be able to make that work. But it's the same thing.
Greg: The same physical access challenges that you have in the real world translated into the virtual. And when you think about zero trust, zero trust is about knowing that the person that is entering your building is who they say they are, and they are authorized to be there. When you've got a security guard that's at the door that's making sure that the right person is coming in, that's that zero trust.
Eric: That's almost like the IBM eye cam piece in the physical world.
Greg: Totally. And so, in my estimation, a lot of what I tried to install had been rooted in strong physical security controls for years and decades.
Understanding the Value and the Risk
Eric: But you're really understanding the value of something. And then the risk of having that being compromised, whether sabotage, espionage, whatever it may be. That's really what you were describing as you were talking about educating personnel and understanding where risk was when you first started. I feel that we miss that step sometimes.
Greg:Yes. I think that as a society, we are not seeing the dependence that we have on technology. You look at the Colonial Pipeline situation and that's a major risk management activity. I got a dear friend. She was going to go up and pick her daughter up from college that same week that the Colonial Pipeline situation occurred.
Greg: And I said, "You better make sure to go get your vehicle filled up with gas." And unfortunately, when she went to go get her vehicle filled up, we couldn't get gas in the community. So from an impact perspective, I think we don't necessarily know the dependence that has come to us as a result of all these technology changes that have occurred.
Greg: And I think that's a significant consequence on a personal level, but you've got it. When you're a CISO or a chief risk officer, you've got to really hone in on how you identify and quantify those risks for your organization. That was something that I spent a lot of cycles working with the Postal Service on, what's the value of each of the IT assets that have on the business. And the inaccessibility of those assets is very important.
[26:19] Greg Crabb Tracks White Powder in the Mails
Greg: Another very important physical world example to move it out of technology. The anthrax attacks on the Postal Service were a huge nightmare and they occurred in October 2001. The Postal Service deals with, unfortunately, a lot of white powder in the mail.
Greg: At the time we were calling hazmat units and FBI local field offices to go to respond to white powders found on machinery. And we would clear the facility. So a clerk would find a white powder on a belt that was used to move a parcel and they'd call the hazmat team in and clear the facility. And so we learned very quickly what the operational impacts of those were.
Greg: Obviously we were having a significant impact on the productivity of those offices. We're paying for these employees to be standing outside while the hazmat team was in the facility. And little did we know that cornstarch is used between magazines to make sure that they don't stick. Who would have known, right?.
Eric: I was going down the cocaine angle. I thought it was a lot of cocaine from South America, but okay. Cornstarch.
Greg: Yes, there was that too. However, we were able to articulate a very significant investment to have our postal inspectors become first responders as opposed to hazmat units. I think the lesson that I want to transfer from the physical world to the cyber world is when you as a leader can articulate what the business value of a particular asset is and the unavailability of that asset. Or the compromise of that asset translates into a loss for the organization.
Greg Crabb as a CISO User Chief Risk Officer
Greg: You, as a CISO user chief risk officer can use that in order to articulate the investment that's necessary to be able to protect that asset. We trained up 400 first responders that had chemistry kits and spectrometry kits in order to be able to go out and identify that, yes, this was cornstarch or flour or cocaine.
Greg: That was a huge savings for the organization because we didn't have to basically shut everything down. And so, when I tell a chief risk officer or CISO how to properly go about articulating their investments, that's just an excellent example.
Eric: Because the Postal Service it's a quasi-government organization. It's really a commercial business though, in many ways. So we have these problems everywhere. Did you find that when you went out to the business owners they had an understanding of the value of what they provided, the cost of downtime, the impact? So they could articulate to you what the risk of shutting down was, or the risk of some kind of impact.
Greg: Yes. We would see it in our secure DevOps activities. Obviously, DevOps is a great opportunity for an information security practitioner or a risk officer to become very engaged with the business needs of the organization. It's in those melees of trying to get new functionality out where you have to argue for the appropriate amount of security controls versus the flexibility.
Greg: All the things that the customer and the business are demanding in order to be able to deliver. Also you've got the fraud equation that comes into some commercial applications, consumer applications.
The Area Where Greg Crabb Really Thrived
Greg: That was an area where my ISSO's and my risk practice really thrived in being able to meet the organization as to where it's at. Understand where it is needed to grow and then also argue for the appropriate implementation of controls along the way.
Greg: Obviously, the business always tries to get customers first. However, when that customer experience is negatively impacted by cyber or some programming, that always was a great learning opportunity for my business folks and a great engagement opportunity for my information security practitioners.
Eric: I think DevSecOps is going to be one of the biggest movers or impacts to cybersecurity in our time.
Greg: Yes. I think that some information security officers don't think it's their business because it's too much of a development activity. But I completely disagree. It is where your business is at and it's where you need to be in order to be adding value to that organization, period.
Eric: Yes, I agree. I always said that IT was an enabling function of the business. Whatever IT's building or doing for the business, they're not there to do it just to make cool stuff. They're there to help enable the business. But cybersecurity is almost an enabling function of IT for the business. So if you can build it all in from the beginning, we're better off. I mean, that's my theory. I'm sticking with it.
Eric: The more people we talk to on this show, the more customers I talk to, the more I'm hearing about DevSecOps. And building it in early, I do think that's a big piece of the equation. Keep bolting these tools on.
Getting Down to Basics
Eric: As a tool vendor, I'm going to tell everybody, it just doesn't work. You've got to get the basics down upfront. It's not a technology problem, it's how you implement technology problem, maybe.
Greg: Yes. I agree with you completely.
Eric: Well, I think we'll see more this time. I hope we do. We keep falling further and further behind. So I hope so.
Rachael: I think it's something that we should probably be talking about a lot more. We've been talking about it more on this podcast, but I don't know that it's something that has bubbled up into mass conversation. We probably should get it too.
Eric: You can't sell anything, necessarily. I can't go to Greg Crabb, CISO and say, "Hey, I want you to buy X, Y, Z." Which is what the whole industry revolves around.
Rachael: Are we talking a lot about, and Greg probably last year was a good indicator of this. You have to change how you think about security today. A lot of it is the mindset change and then how do you move that forward? I think of last year, what you must've gone through, Greg. This pivot, this remote worker pivot when you've got 630,000 employees.
Eric: Don't forget the election.
Rachael: It was a very busy year. So there are 18,000 different election authorities that the Post Office had to interact with. I'd read an article about blockchain-enabling technology there to help keep things organized.
Greg: Yes, Rachael you've just about put eight different pointers to a story.
Eric: You forgot artificial intelligence, machine learning. We missed a little zero trust that goes with it.
Deploying Fingerprint and Capabilities
Greg: I only deployed fingerprint and capabilities to a hundred post offices and got approval to expand it to 4,000. I mean, the Postal Service is going to be the core of identity here in the future.
Eric: Do you think so?
Greg: I think so.
Eric: Not Social Security. You think postal?
Greg: Yes. I think Social Security is becoming a relying party.
Eric: To that info.
Greg: 31,000 retail locations across the United States, in a couple of years, 4,000 of those will be able to be used as proofing points. I think it'll be a great opportunity for the physical, the digital connection of real consumer identity. But the 2020 elections were a great example of partnership between my organization, CISO, and the election authorities across the US.
Greg: As you can imagine, there were some sleepless nights along the way. When you're responsible for the 66,000 pieces of equipment that moved the mail from the election authorities to the voters and from the voters back to the election authorities. We moved about 40, just shy of 45% of the ballots for the national election, huge dependency.
Eric: Total ballots? 45% of the total ballots worldwide.
Greg: Yes. Or not, nationwide.
Eric: Right. But if I'm in Afghanistan, I'm mailing my ballot back through the postal side.
Greg: Yes. Totally
Eric: 45%. Who would have known?
Eric: You would have.
Greg: We saw it coming.
Eric: The common person doesn't recognize the sheer volume you're dealing with.
[37:48] Amazing American Heroes Like Greg Crabb
Greg: Yes. We did a lot to shore up the infrastructure that the investments that we had been making over the years. To make sure that we knew all of the technology assets provide integrity on the routing schemes in that infrastructure and the whole perimeter. As far as reporting all of the tracking events that election authorities needed in order to assure that they knew where all the ballots were.
Greg: And to be able to certify for election authorities that they had everything and all was clear, was a major exercise. I was grateful to be part of the system that was responsible for that. And really tip my hat to those professionals that work for me that spent a lot of sleepless hours making sure that was done in a secure manner.
Eric: Yes. I'll tell you, we talk about the optimism in these episodes sometimes. It's missing, it's always the bad. This isn't working, but CISO and the postal office kept the election on track without impact. They kept it going and there are some amazing American heroes out there that allowed our government in multiple ways to function. Remember, that's coming off of a pandemic too. Not just cyber risk, like you've got a pandemic where people can't get close together. They kept it going. Huge kudos to those organizations.
Eric: Greg, thank you for you and all the people underneath you and working around you. I think sometimes we fail to recognize what it takes.
Rachael: Yes. Thank you.
Eric: It was 45%. I didn't know. Rachael, did you know?
Rachael: No, of course I had no idea.
Hundreds of Millions of Mails
Eric: That's got to be hundreds of millions of pieces of mail.
Rachael: To wrap my head around how you would even manage.
Eric: That's huge, what they accomplished.
Greg: Off the top of my head. I think it was about 75 million return ballots, if that's right.
Eric: Return ballots?
Greg: The outbound was more than that.
Eric: I probably from the state of Maryland had three or four pieces per voting family member. My wife and I in this case, and one of my sons came into the house in preparation for the election. And that was all on time. Now I will say I sent some Christmas cards on December 14th and they got to people in February. But prioritization, understanding risk, as we've been talking about, I think that was perfectly acceptable to me.
Greg: I hear you, Eric.
Eric: I think that's acceptable. So, Greg, as we wrap up and Rachael, I feel like I'm dominating today. Maybe I'm just more excited than you. I don't know.
Rachael: No. It was just, I could listen to Greg talk all day long. I don't even think we need to ask him any questions. He's got so many fascinating stories. I could just listen.
Eric: Isn't he great? The anthrax was on this date, the postal cyber event.
Rachael: What do you expect from an investigator?
Eric: I think it was in this decade, I remember it vividly. I don't remember the dates and details, but you're right, Greg. You're the hunter to the hunted.
The Almost Like a Movie Stories of Greg Crabb
Rachael: After putting in an amazing career, all the things that you've seen and the underbelly, all the great stories and it's almost like a movie. I feel like I've been listening to a movie of your life.
Eric: One night in Bangkok is the star. We're going to finish it.
Greg: I love when I hear that song.
Eric: It will have to be the title of the show. They probably have anything to do with it.
Rachael: How do you retire after that? I mean, are you like a dare devil now? Do you have a motorcycle, you jump out of airplanes.
Greg: I have jumped out of an airplane, but I'm not seeking to do that. I love endurance sports so you'll see me out on the Iron Man trail, but no, it was an unbelievable career. I'm very grateful for having had the opportunity to serve the country and to protect the assets that were entrusted in me. I really enjoyed it and love the opportunity to share those experiences as well.
Greg: And as I look at the future of cybersecurity for the country, I can't help but reflect on some words that I learned from James Woolsey. He was a former CIA director. In 2003, I had arrested a subject that was responsible for stealing 8.7 million credit card numbers. He was from Symprohee, Ukraine. James Woolsey told me, "There's little difference between a Russian businessman, a Russian politician and a Russian organized crime figure. They're one and the same."
The Challenges That We Face As a Country
Greg: And when I think about what's going on today, and they're attributing these ransomware attacks to organized groups in Russia. Just think about that statement and think about the challenges that we face as a country to address those issues. It's not a technology problem and it's something that we need to figure out in order to be able to protect our national resources.
Eric: Absolutely. So are you working with organizations to help them think differently then?
Greg: Yes. Right now I'm very grateful to have had the relationship with CISO. I'm currently working with Eric Goldstein and Matt Hartman in the cybersecurity division there at CISO. To help them figure out how to address these issues and working on helping them operationalize their strategies.
Eric: Eric was on the show a couple of weeks ago.
Greg: Yes. Eric's a great guy. He is a thinker and he's the right guy for the job. I'm really excited. He got this mantra of transforming that organization from being a risk advisor to a risk reducer. That's a massive challenge. I think his vision will help materialize a lot of risk reduction across not only the federal enterprise, but critical infrastructure and state and local as well. So we all need to pitch in and help CISO. They have a massive mission.
Greg: And I really look forward to continuing that and then I'm helping a lot of companies engage from a cyber resilience perspective. I think that cybersecurity is, if you're shooting for compliance in the area of security, you're shooting way low. If you're shooting for security, you're shooting way low.
[44:08] Shooting For Organizational Resilience
Greg: We need to be shooting for organizational resilience when it comes to the management of our technology assets. And through resilience, we can get past all of these ransomware and other types of events that are occurring. But too often organizations need to be told what to do as opposed to doing the right thing and protecting their operational interests.
Rachael: Yes. A hundred percent. That could be an episode all on its own, that conversation.
Eric: It could be, and guess what just happened? The United States Postal Service just drove by and delivered my mail. Same time every day, rain, shine doesn't matter.
Greg: 160 million delivery points every day. Thank God.
Eric: They're still doing it, Greg. I mean, there's no slow down there.
Rachael: That's great.
Greg: It's why I did it. My grandfather was a letter carrier and the one thing that I really remember about granddad was he understood the sense of community that the Postal Service could bring. And at the time a portion of his career, they actually delivered mail twice a day. It really taught me the importance of the Postal Service in connecting the nation. I'm glad to have had the opportunity to serve that organization for 26 years.
Eric: Thank you for that service. Not just you, but your family. Going forward though, cyber resilience is really going to be the big thing you think?
Greg: Oh, there's no ands, ifs, or buts about it.
Eric: We convert the industry to think in that mindset so I hope we can do it.
A Community That Has a Voice
Greg: Yes. Well, it's going to take a community and it's going to take folks that have a voice like you and Rachael in order to be able to make that happen. And Eric, we're in this together and whatever I can do to pitch in and help you guys, don't hesitate to reach out.
Eric: I think it's a great message. We'll do our little part in getting it out there. The audience is growing. So Rachael, if people smash that subscribe button, it grows even faster, right?
Rachael: It sure does, so smash it. Smash it hard.
Eric: You only get once too. You're a subscriber. You're only once. Give us your feedback. Let us know what you think. Greg you're running TenEight. TenEight is the company name?
Eric: How do we find you?
Greg: So TenEightcyber.com is how you find me, and on LinkedIn as well.
Eric: Awesome. Well, thank you for your time today.
About Our Guest
Gregory Crabb is the founder of TenEight. Greg specializes in supporting organizations that need CISO expertise to protect their digital assets. Offering CISO & advisory services to the C suite, their boards, and those accountable for security across their operations or their products.
Listen and subscribe on your favorite platform