Episode 5: Crisis After Crisis with Kayle Giroud
Hello, and welcome to what the hack is a CISO anyway? This podcast will help you in your journey to be a better cybersecurity leader. It's supported by Sysdig, the company on a mission to make every cloud deployment reliable and secure. I'm Rayna Stamboliyska, EU Digital Ambassador covering the intersection of tech security and policy, and the CEO at IR Strategy. In this week's episode, I'm talking to Kayle Giroud.
Rayna Stamboliyska:Hi, Kayle. Hi. Good morning. You are the director of the Common Good Cyber Initiative at the Global Cyber Alliance, a nonprofit organization that is dedicated to making the Internet a safer place by reducing cyber risk. You know, that's already a big program.
Rayna Stamboliyska:So you engage with stakeholders across the community to deliver results for better security. Kayle, you also lead work for the Common Good Cyber Initiative. We'll talk about it a little later in this podcast. It is a global effort launched in February 2024 with the goal of identifying and implementing innovative models for sustaining groups, organizations, and individuals involved in critical cybersecurity functions for the broader Internet community. And because you're not busy enough, obviously, you also volunteer for Women4Cyber in Belgium, engaged in promoting, encouraging, and supporting the participation of women in the field of cybersecurity.
Rayna Stamboliyska:So thank you for being with us today.
Kayle Giroud:Well, thank you for having me. I'm excited for this conversation.
Rayna Stamboliyska:So in your career, you have worked on community and collaboration. Is this something that you think is being done successfully in security today?
Kayle Giroud:Thank you for that first question. No. I think it's a it's it's a good introduction, and there's many many aspects to the answers. So I think the answer is yes. We see a lot of new initiatives that promote cooperation, cross sector cooperation, cross industry, you know, cooperation as well.
Kayle Giroud:And, and really that whole of society approach to cybersecurity. I mean, every element of our lives today rely on on the Internet and rely on the Internet being secure from electric grid, water treatments, health care facilities, everything you do every day really needs the Internet to be secure. And that relies on everyone doing their their parts and for everyone to do their parts effectively, we need them to cooperate as well. So, I think I think we've seen we've seen a lot of good global cooperation among law enforcement, Internet industry, governments, and also the nonprofits. Quite, quite positive on this note to start the podcast.
Rayna Stamboliyska:So there is little conversation in the industry, you know, about cybersecurity for nonprofits. You you just mentioned them as full, you know, whole stakeholders. So can you elaborate a little on how you approach this at the Global Cyber Alliance?
Kayle Giroud:Of course. Well, Global Cyber Alliance has been around since 2015. So we've almost been around for 10 years now, which is quite long for cybersecurity nonprofits. We've seen many things coming up. And over the past 2 years, we decided we needed more cooperation among cybersecurity nonprofits because globally a lot of initiatives popped up, which is great.
Kayle Giroud:But we also saw that some of them were duplicating a little bit and they were not getting a lot of visibility because nonprofits tend to stay quite small. And so we we started what we a coalition called Nonprofit Cyber. It now has 45 members. They're all operational cybersecurity nonprofits. And the goal was really to to do what I just to avoid what I just said, to avoid duplication of efforts and to promote more visibility and and more cooperation among among these nonprofits.
Rayna Stamboliyska:Yeah. This is interesting because indeed, we don't really hear much about this. You know, you're not making the headlines. Come on. Do something bad.
Kayle Giroud:No, I'm kidding.
Rayna Stamboliyska:But you know, this
Kayle Giroud:No, but it's it's true that cybersecurity nonprofit, I mean, we we don't when we think about the Internet and cybersecurity, we think about the big corporations and those big players that we see every day on the news, and of course the big attackers that we also see every day on the news. But we don't think that much about NGOs being active in in technical fields and in cybersecurity, but, they are. And and often they stepped in for two particular reasons. One is because within the the shared common digital infrastructure that we have, there are spaces that were not bringing really business, you know, financial returns and and there was no good business models behind them. So the industry did not look into it that much.
Kayle Giroud:So I'm thinking about like routing protocols and frameworks that are now maintained by nonprofits. Nonprofits stepped in there because they were essentially commons and someone had to maintain these things. And nonprofits also stepped in when the community at risk had, you know, didn't have the financial capabilities to afford the solutions that are being offered by the industry. And so a lot of nonprofits really focus on providing cyber security tools, services to high risk communities like journalists, election officials, individuals and specific communities that don't have a lot of budgets. So small businesses really are a big example in that.
Rayna Stamboliyska:So I have a lot of follow-up questions here. You know, let me let me be very clear. But first one, like, what are the lessons that you have learned around, you know, ensuring security, not necessarily delivering yourself, but making sure security is, reaches those who need it. When you are in a purpose driven organization, trying to secure other purpose driven organizations.
Kayle Giroud:But reaching the communities is really difficult. And, I mean, it's not something unique to cybersecurity nonprofits trying to reach them. It's it's difficult because first, you have to ensure that they are aware that they can be a target. I was talking about small businesses. They're really good example in that because we've been trying to secure small businesses for as long as GCA existed, really.
Kayle Giroud:And we build that cybersecurity toolkit with only free solutions. So it really removes the financial barrier to cybersecurity. They can they can implement that and reach a really a basic good level, which, we we think I mean, research we've done research, so it's not only we think, but can secure them up to to 70% from, you know, the most common cyber attacks. Say, it's not perfect, but at least it's already something. But it was the first difficulty is having them realize that they need it.
Kayle Giroud:So it's not only because it's free that, you know, they're gonna be interested. And then there was that barrier as well of not trusting free things that we had to overcome, which was interesting. So, we relied a lot on partnerships with trusted partners. A small business, they tend to trust, law enforcement. They they tend to trust their bank.
Kayle Giroud:And so we we have a lot of partnerships with these types of entities. The toolkit's now sponsored by Mastercard, for example. So we brought in some partners that the communities trusted, and I think that is is really an essential element to it is is the trust. And then is is the language. How do you reach these communities in words that they understand?
Kayle Giroud:So we cannot bring them cybersecurity as you and I understand it because we work in the field. We have to bring them cybersecurity and meet them where they are. Bring them cybersecurity in in words that they understand and, you know, in in in the context as well. And and so that that is also a big big challenge.
Rayna Stamboliyska:Yeah. Yeah. No. No. It's it's very interesting because we've we've been having conversations, we as a community around, you know, what is good security, you know, it's not being perfect, you will never be perfect.
Rayna Stamboliyska:It's good enough. You know, it's good for where you are, and good that you can consume it so you can build upon it for, you know, improving. But you said something earlier that got me kind of thinking and I would like us to get, you know, back to this. So if I got it, you know, correctly, nonprofits with precarious funding are actually protecting vulnerable or high risk populations. And we'll get to the precarious funding in a bit, you know, because money is always the nerve of whatever everyone is doing.
Rayna Stamboliyska:But now can you elaborate on what that means for these populations that need help, you know, and and but also for the people who extend that helping hand? You know, if you yourself are in in a difficult situation, how do you think or even act, you know, to help others?
Kayle Giroud:Well, that's the mission. So that was the easy part at the end. I mean, all the cybersecurity nonprofits design themselves as a nonprofit with the same mission. We we want everyone to benefit from all the great thing that Internet brings. And for that to happen, they need to be secured.
Kayle Giroud:And if they cannot afford the current offerings of security that the industry provides, then as nonprofits, it is our role and mission to fill in that gap really. And then it goes beyond that, I think, because, you know, you know, everything is interlinked and a risk can really quickly spill over, one organization to another and then causing harm to people and and eroding trust globally. So we need everyone to be secured. So the mission goes beyond just securing that community. It goes into securing all our society as a whole.
Kayle Giroud:How do we do that? That is a very big question. There are many programs, really. At GCA, we we focus on the tools. So we put together those toolkits when we look at the community's work, because we do many other things as well, as you mentioned in your introduction.
Kayle Giroud:And then you have other nonprofits like the CyberPeace Institute. They focus on the skills. They have that platform, the CyberPeace Builders, that really matches the communities that need skills, cybersecurity skills, and the community that can provide that for them. So NGOs who need help, they can address that to the platform, and then they will receive support from cybersecurity experts in return. Others really focus on providing day to day assistance. Access Now has this digital helpline that activists and journalists can call when they face a particular issue.
Kayle Giroud:So there's really a broad range of services that are being offered by the nonprofits.
Rayna Stamboliyska:Mhmm. And does that kind of encourage funding, you know, to to flow in? Or or is it like we are making ends meet in a way, you know, and hopefully, you know, crossing fingers, we continue doing so?
Kayle Giroud:It's it's more the second than the first. So, unfortunately, cybersecurity does not fit in the box of donors. You know, it's not it's really hard to to give the donors a narrative that fits in what they essentially want to do, which is helping children and, you know, the usual, making sure everyone has food and water and, which is all really great missions. But then cybersecurity kinda like is horizontal to all of this because now all of these services, international development programs, they rely on digital tools and they need to be secured. So cybersecurity is horizontal, but it's never really in in the program itself.
Kayle Giroud:So that is one difficulty is fitting in the agenda of the donors. And and then there's there's just the scale of the demand. I was talking about journalists, NGOs, and activists seeking cybersecurity support. There's so many of them and so little services. And as cybersecurity nonprofits, we try to provide them those services, but we have really limited capacity.
Kayle Giroud:So, what we would really want is be able to help everyone. But without more funding, without the donors opening a box for it, then it's it's gonna be really difficult.
Rayna Stamboliyska:So since we are talking about, you know, precarious funding, here's another not very fun fact. I mean, I'm I'm just about, you know, to to bringing doom and gloom on everyone and, like, really breaking the mood here. So, you know, all in. From like, from what you described earlier, the functioning and security of the Internet itself rely on nonprofit organisations, so many of which depend on uncertain, let's put it mildly, you know, funding streams and a lot of volunteer networks. So how does that still function?
Rayna Stamboliyska:I mean, you know, this is all critical infrastructure. Why are we leaving it to exist in such a financial limbo?
Kayle Giroud:I think there's, I'm taking the last question first. I think there's an awareness issue. So a lot of people, like I said at the beginning, don't know that there are cyber security nonprofits. So if they all know that there are cyber security nonprofits, there's no way that they know the roles that these nonprofits, you know, fill. So there's a lot of there's a lot of awareness needed that we're working on at the moment.
Kayle Giroud:I'm just, like, explaining how the Internet works and within its side, its security and within it, the role of the nonprofit. So that is that is something that we need to be better at. And traditionally as well, nonprofits in the space have been really operational, like, heads on the work crisis after crisis, which is something the CISOs listening to this podcast know really well. And so they've not really they didn't really take the time to collect metrics, impact metrics, and, you know, and think about how to translate that in words that then the donors will understand. So that is also something that we need to get better at through that awareness and also helping the cybersecurity nonprofits build their business case essentially.
Kayle Giroud:Be able to to sell their missions in in words that translates for the donors. So that's the second aspect of the awareness that we're working on at the moment. How does it still function? I think it was also one of your question. Well, I think like any other nonprofits, those people are really resilient.
Kayle Giroud:And, there's a lot of volunteers in the in the Internet, you know, is built within this whole idea of openness. And so there's a lot of volunteers, a lot of the the the the nonprofits rely on these networks. I'm thinking about FIRST, for example, or OWASP as well. I mean, so many of these initiatives are really relying on entire networks of volunteers. Then hope there are good donors.
Kayle Giroud:There are people, thankfully, that know about us and know about the mission. I'm thinking about Craig Newmark Philanthropies, which, over the past 2 years has announced 200,000,000 to cybersecurity nonprofit. So he's really one of the biggest. And before that, there was an initiative from Hewlett as well. So there were a few that helped us being maintained over the years.
Kayle Giroud:But what really now we're really calling for a more sustainable way of funding because we we know that the demand is growing. We already cannot meet that demand, and, we don't know for how long we're gonna be able to to keep up.
Rayna Stamboliyska:I'm really struck by what you're sharing today. I mean, I knew it was dire, but I didn't know it was that dire. On this podcast, we are also exploring the evolution of the role of a cybersecurity leader, you know, being in delivering being in ensuring other can deliver, you know, so I would like to get that conversation back to you a little bit. Because, again, we often hear from cybersecurity leadership voices from the corporate world or in positions with the government. Yet we rarely hear from leaders like yourself who are with purpose driven, well, not nonprofit organizations, and who are doing so much, generally in the shadows, which can be a problem in in your, let's say, world.
Rayna Stamboliyska:So on this podcast, we have already heard from Alexandra Godoy, who delivers security at Oxfam. So your role is a little different. You know, you make it possible for people already delivering security for critical infrastructures to do what they do. Right? So what is it like to be you?
Kayle Giroud:I'm what is it like to be us? It's really hard to define. And we're over the I've been at GCA for almost 5 years now. We never changed our mission, but we discussed a lot how to explain that mission to people because it's a lot of things. So we have 3 programs, and one is at that community level that I explained is really removing that financial barriers and finding ways to provide communities the tools they need and and the tailored tools they need, and they will be able to implement because it's all about implementation.
Kayle Giroud:The the second program is more infrastructure level. So what we dream of is an infrastructure that would be resilient enough to avoid, you know, the the phishing and the ransomware and the just the infrastructure will be so well built. There would be no need for the end community to worry that much. That would be really incredible. But you know well, and then the the people know well that it's it's not how it was built.
Kayle Giroud:There's work to be done, and that's what the infrastructure, level work that GCA does is looking into. So how can we fix some of these bits of the infrastructures that were not, you know, resilient and secure from the core. So there we have the international collaboration projects, bringing around the table the industry, the governments, the nonprofits, the academia. It's nobody's responsibility to secure the infrastructure because nobody owns it. It's global.
Kayle Giroud:It's a very weird beast, essentially, and very new as well. And, so we look at how can we make the DNS more secure as a domain name system, the routing and the networks. These are more technical and more long term types of efforts. And then thirdly is that ecosystem. So, how can we build that collaboration and especially collaboration among the nonprofits to make sure that what they do is is also maintained.
Kayle Giroud:So that's what our day to day life is like.
Rayna Stamboliyska:Yeah. Well, I mean, you're not being bored, obviously. So but, yeah, a lot of challenges, which I mean, you kind of started opening on it, you know, about the future. You know, that's why we get up in the morning. And so planning for things that, you know, might go wrong.
Rayna Stamboliyska:This is about budget and getting ahead of things. So we talked about money. But how about planning for things that you don't know about? You know, this about strategy, anticipation, experience, having partners, processes that help you pivot, you know. So how do you do that at the GCA?
Rayna Stamboliyska:You know, like, can you elaborate more on this? I'm I'm I'm really curious about how you get future ready in such a well, it's not hostile per se, but very uncertain environment in in terms of sustainability.
Kayle Giroud:So we rely a lot on our partners. We have over a 100 partners globally. We have as well I mean, like any other organization, we have a board that we try to make as diverse as possible. We also, have an ambassadors program. So these ambassadors especially sit in, countries and in sectors that where we don't have any staff so that we can we can have that broader approach.
Kayle Giroud:And we have a number of strategic advisers as well. So quite a, like, a broad range of people that ensure and and feed our programs to make sure that these programs are agile and adapt to the changes. And over the years, many pro projects that we started started on, the advice of one of these one of these people, really.
Rayna Stamboliyska:Mhmm. Is so in one word, like, one, what is the biggest opportunity for the common good cyber initiative over the next, say, 7 to 10 years?
Kayle Giroud:One word is hard. I know. I think no. So I'll I'll I'll elaborate, and maybe that will help me find one word. I think the unique opportunity in that is for for the cybersecurity industry to shape not only the security of their own organization, but also to strengthen society's digital resilience at large.
Kayle Giroud:So ensuring that technology remains a force for good in people's lives. Looking beyond just, you know, your own organization's security, it's such how we see people operate today. And and I'm not pointing at anyone it's normal because the threat's so big that you barely have the time to secure your own organization. Then so but I think that is a unique opportunity and where we're trying to drive people for the future is that you can you will not only look at yourselves, but also think about the broader world. And while I was speaking, I used the word that I think would be that, one word you're looking for is resilience.
Rayna Stamboliyska:Mhmm. I like it. So last question. What do you think the cybersecurity community and cybersecurity leaders can do to improve or develop better, more sustainable practices?
Kayle Giroud:Alright. When I when I think about the common good cyber project and and its mission, I always try and think about the roads. I mean, often in cybersecurity, I use the roads analogy that helps me because I don't have a technical background. You know? So when when you think about security in the roads, so the drivers are the the users, the everyday people, and then the manufacturers of those cybersecurity and digital Internet of things with it.
Kayle Giroud:The the all those all these things are the manufacturers of the cars, and then you have the governments who are supposed to maintain the roads and then look at this, you know, whole structure, infrastructure. Of course, it doesn't translate perfectly for the Internet because like I said, it's it's so global that there's no government responsible for the roads. But when when looking at the manufacturers, what I just said about thinking beyond just your own responsibility, you you could think with the roads that it translates into, you know, now we're asking those creating the cars to not only think about creating cars that are secure enough, but creating cars that also are eco friendly enough. And, I'm trying to think about that analogy to answer your question, but I don't think I'm making a lot of sense.
Rayna Stamboliyska:No. No. It's again, you know, it's not about making the good answer, like, very, sexy framed and everything. It's about taking the opportunity to kind of give back responsibility for people who don't see that they have one, you know, and that's why I framed it as cybersecurity community and leaders because we talked about the states, we talked about funding. But at some point, people whose job it is and who rely on this to function, they should also sort of chime in.
Rayna Stamboliyska:You know?
Kayle Giroud:Yeah. Yeah. No. No. I agree.
Kayle Giroud:And that's, you know, thinking about building cars that are also taking global climate and and and global society at its core. So same same for cybersecurity. Like you said, the the industry has been thriving, for, what, 30 years. So we want them as well to think about the climate and the green and the eco friendly, and think a little bit beyond their own self interest, but also beyond and and, you know, the whole the whole society. I think they have a lot of potential return in the long term by doing so because, you know, if we can uplift the whole society, that will create new markets.
Kayle Giroud:That will also maybe create savings for them because they might need to spend less on their own security because the whole infrastructure would become more resilient. And so I want them I want them to think about that long term return and not only that, today's interest and and financial benefits that they have by acting like they do today.
Rayna Stamboliyska:Thank you. So that was Kayle Giroud sharing her experience and insights. I'd like to thank her for her time, and for sharing the urgent need to increase awareness and resilience of the Internet, which we all rely on. Thank you, Kayle.
Kayle Giroud:Thank you for having me.
Rayna Stamboliyska:That's all for this episode of what the hack is a CISO supported by Sysdig. Like and subscribe to our feed so you don't miss a bit. I'm Rayna Stamboliyska, and I'll see you next time.