Episode 1: Hackers Love Holidays with Greg Crowley

Rayna Stamboliyska:

Hello, and welcome to What the Hack is a CISO, anyway. This podcast will help you in your journey to be a better CISO. It's supported by Sysdig, the company on a mission to make every cloud deployment reliable and secure. My name is Rayna Stamboliyska. I'm an EU Digital Ambassador covering the intersection of tech, security and policy, and the CEO at RS Strategy.

Rayna Stamboliyska:

In this week's episode, I'm talking to Greg Crowley, CISO at eSentire. Welcome, Greg.

Greg Crowley:

Thank you very much for having me on.

Rayna Stamboliyska:

Greg has been with eSentire since 2022, and before that spent 17 years in network and cybersecurity for the WWE, which stands for World Wrestling Entertainment. And I'm sure we'll have a lot of anecdotes about this, Greg. So at eSentire, Greg leads security for a company that is responsible for managed detection and response across more than 2,000 companies in 80 countries. And previously, at the WWE, he led Global Cybersecurity for a company that publishes content 52 weeks a year to more than 900,000,000 homes worldwide, with offices and operations across the globe. So I'm impressed.

Rayna Stamboliyska:

I mean, you've got quite the resume, really. Very humbling. But, you know, as every superhero does, you must have an origin story. So, how did you get the cybersecurity bug?

Greg Crowley:

Yeah. So, actually, first go back even a little further. So, you mentioned 17 years at WWE, and I just started off there as a systems administrator and worked my way up. I'll get to that in a minute. But actually, I was there for 20 years, and LinkedIn just didn't do a really good job at calculating my years of tenure, to be honest. One thing that might be a little bit unique about my bio as a CISO is I was also a co-founder of a local martial arts studio in my town here in Connecticut. And I opened that up with a friend of mine who is a martial arts instructor, and it was a really good experience because it was a passion project of mine that I just did, you know, at night times after work. Great way to let out stress, you know, hitting people, hitting bags, but also it really lent to my defender type of personality. So you're saying, you know, how did I get the cyber bug? I think it's always been in my personality type to be a defender. I've always been standing up for people or defending what's right and just, and technology as well. You know, out of college, I didn't actually start off in IT or cybersecurity. It was in broadcast communications, but I quickly realized that wasn't for me. And I went back to school and I got a ton of certifications. I had MCSE, I had a Novell CNE. No one even knows what Novell is anymore, but I was a Novell CNE, and Cisco certifications, etcetera. And I really knew that I wanted to get into systems engineering at first, and that's what I did. And I started off my career as that. And I was just always curious. And cybersecurity was always kind of part of the job of somebody in systems engineering or IT, and it's only in recent years that it's kinda split out. And that was part of my journey as well.

Rayna Stamboliyska:

Wow. That's impressive. And, yeah, sorry for, you know, not fact-checking LinkedIn on this one. You know, we tend to trust technology a little bit too much sometimes. So we are talking about, you know, superheroes, and you are one of those.

Rayna Stamboliyska:

So I consider, you know, that learning from past messes and successes is a superpower. Not everyone can do that. Right? So what's the one thing, you know, that you learned, perhaps the hard way, regretfully, during all those years that you were, and you still are, on the job? The one thing you learned.

Greg Crowley:

So I'll get into the one thing I learned, but, you know, you mentioned learning the hard way, and that usually is the way you learn best, but it's painful, and I like to learn from other people's mistakes. So if you look at any recent breach that comes out, I'm always curious, alright, what happened here? How could that apply to us? And then how do we make sure that that doesn't happen to us so I don't go through that pain? I'd much rather learn from other people's mistakes than experience my own.

Greg Crowley:

But yes, there is no doubt about it in this industry, in this field, and over a long career here, I definitely have had some painful lessons learned. I think the top one that just sticks out in my mind that I learned, you know, years ago, you know, at a different company was that hackers love holidays. So I was lucky to learn this lesson, you know, early on with kind of a minimal impact, but US based, and two holidays that I remember, you know, getting attacked on were July 4th. I was on my deck, cracked open a beer, and I get a phone call from an engineer who just never has called me before.

Greg Crowley:

So I knew it was not gonna be good. And then another one was on Christmas break. So hackers love to take advantage of those holidays because they know that CSOs have a stressful job, security people have... just, people in general take a break on those holidays. That's what they're meant for. But in this industry, we really can't let our guard down.

Greg Crowley:

So, you know, I experienced cyberattacks on both of those holidays, and it may be annoying to check your email or kind of pressure your team or remind your team, hey, I know you're on break, but we really have to pay attention to the alerts because, trust me, it might be annoying to do that, but it pales in comparison to the pain and regret that you have if you don't.

Rayna Stamboliyska:

Yeah. Thank you for bringing, you know, forward the people aspect because, I mean, we can talk all day long about tools, about, you know, processes and stuff, but ultimately cybersecurity is a discipline where people are the perimeter. Right? So I'd like us to talk about us, you know, the ones who do cyber, the ones who endure, you know, not being able to sit with family, the ones who also endure, you know, the fatigue of being there for others, you know, but also the ones who decide about stuff. So let's start with the people in suits, you know, that sit atop a skyscraper looking important, you know, the board.

Rayna Stamboliyska:

So we assume, and quite often we rightly assume so, that the board, you know, the decision makers, the C-levels, they're ill-educated about our world, you know, cyber, our challenges. Hence, I don't know, it's crony budgets and hiring freezes for around 365 days a year, you know. So how do you engage the board to make them understand how essential cybersecurity is to the organization itself? But perhaps first and foremost, to the people it employs on one side, but also to the people it serves.

Greg Crowley:

A common theme that you might hear throughout this podcast in my answers is that it's important to elevate the CSO to a level to make sure that they are having these communications with the board of directors, first of all. That's not always the case. It definitely hasn't been the case in years past. It is becoming more commonplace now, which is fantastic to see. And you still need the CISOs to have a seat at the table, you know, with the decision makers, to be part of the business strategy, to hear things firsthand up front and be more proactive rather than reactive, because it also helps if the business is planning these innovations and strategies.

Greg Crowley:

It's better that they get the guidance from the CSO on how to do so securely, and we can get a chance to be that business enabler, rather than they go down this path, they spend time, money, resources, and then the CISO finds out later, and then now they have to unravel and backtrack and say, oh, we didn't think about that. So it's kind of important for the business to leverage the CISO that they have, or if they don't have a CISO, hire a CISO, to leverage them early on as a strategic partner to the business. But to answer a little bit more specifically your question on the board, yeah, depending on the board, depending on the makeup of the board, you may or may not have cyber expertise on there, you may or may not have technology expertise on there. So you never want to assume that you have that. You should gauge, you should understand your audience.

Greg Crowley:

I always find that telling stories is the best way to relay the message: become a story. This is something I learned at WWE. One of the... as you can imagine, sports entertainment, and yes, it's wrestling and it's sport, but it's entertainment, right? It is predetermined. It is scripted to an extent.

Greg Crowley:

It's all about the storylines and time. So that's something they really instilled in us, and that actually applies very well to what I do in communicating with leadership and the board, because everybody can relate to a story. It's more memorable. So if you can tie things in. As I mentioned earlier, I'd much rather learn from other people's pain and mistakes rather than my own.

Greg Crowley:

So I think one of the effective ways to communicate the necessity for a cybersecurity program, or why we'll need resources or budget aligned to certain things, is to say, alright, this is the industry we're in and this is something that has happened. And this is actually how I got a security program going at WWE: I was in IT and I worked my way up through the ranks from just the technical into management and director level and eventually vice president of cybersecurity and network infrastructure. But a cybersecurity organization, a department, a program within WWE didn't always exist. And it wasn't until, I think, around 2014 maybe, when Sony Media Pictures had a major cybersecurity incident.

Greg Crowley:

And again, that's a media and entertainment type of business, which WWE was as well. So it was very easy to make that correlation to say, hey, you know, all the security things I've been asking for and things that we need, well, this is why. Look at the impact it's had on Sony. And believe me, that hit the Wall Street Journal and everything else that the executives and board were reading. So they were very much aware.

Greg Crowley:

So they were very open at that time to say, you know what? Yeah. It is time to get that cybersecurity program started, and I was able to build the organization, the department. So if you can find something that they can relate to, it doesn't always have to be dollars and cents. That's eventually what it comes down to.

Greg Crowley:

Yes. They saw the impact on the business. They didn't need to know the exact dollar amounts of what an incident would cause in finances. They saw the impact of what it had on the business. They know the impact on the reputation.

Greg Crowley:

And if you think about it, WWE at the time when I was there and having this conversation, it was live shows constantly, streaming channels constantly. The show must go on. Right? Literally has to be on the air. It's live.

Greg Crowley:

There can't be interruptions like that. So it's very easy. You wanna say, hey. This is what the business is about. This is what an impact will have.

Greg Crowley:

If you have an interruption, in just downtime alone for, like, a 1,000-employee business, something around, just for downtime alone, is about $220,000 a day. And how long does that downtime last? And that doesn't include the cost of bringing in forensics teams. It doesn't include the cost, if it's ransomware, of paying ransom, etcetera. So I know I kinda went on a tangent here a little bit, but again, I think the key point is connecting them with a story, something that resonates.

Rayna Stamboliyska:

Yeah. From previous experiences, I've found that whenever you can tie the potential impact to potential, well, loss of value, this is what works best. But it's not always possible. Right? I mean, like, would you share a situation where you tried and you failed to convince them? Because, I mean, in my experience, it's more often that we fail to convince them about something than we succeed, you know.

Greg Crowley:

Yeah. There's an image that comes to mind. There are three jars full of coins. Right? The first jar is barely filled with any coins, and it's, you know, the cyber budget before an incident.

Greg Crowley:

The next one, you know, is the cyber budget after an incident, and then the third one is even fuller, and that's, you know, the cyber budget after whatever insurance and everything else comes into play. But it is more common to run into the frustrations of not getting the budget you need. And we have to pick our battles wisely. We have to tie it back to risk management. So if I'm thinking back to this particular story or something that you're saying, I think if I look back at early on in my career, when MFA was really just first coming out, people didn't wanna do it because, what?

Greg Crowley:

It was an extra step. It was friction and they didn't understand. There weren't these cases yet of why it was necessary. I've got a good enough password. What do I need this for?

Greg Crowley:

And it's challenging. And so you put it out there and you're trying to make the case as best you can. It was earlier on in my career, so I wasn't necessarily the best at making these cases at that time. And so if you can find ways to do things as affordably as you can, and then you have to find a way to make things as frictionless as possible, so this way it can potentially make the process even easier for the business, or at least not intrude on the business, then you have a better chance.

Greg Crowley:

But, yeah, I think you're right. We do get told no to budget a lot more than we get told yes.

Rayna Stamboliyska:

Yeah. And then, you know, we come across as the no-as-a-service department, but, actually, it's not us. It's other people.

Greg Crowley:

Right.

Rayna Stamboliyska:

And how about your team? Because, you know, I mean, the CISO role, it's a leadership role. It's not just a management role, but it's also a leadership role. And, you know, as leaders, we have also people who rely on us for direction, for guidance, for support, for so many things. And I found it particularly enriching, you know, difficult, obviously, but also particularly enriching to take care of the team, you know, to ensure that they develop and grow the skills beyond, you know, tech savviness that help them to move forward, you know, with their careers, as humans.

Rayna Stamboliyska:

So how do you do that? Because we've mentioned, you know, the regular noes, and our limited budgets, and the fact that we need to be reasonable about how we spend our money, how we put forward our responsibilities and priorities. So how do you do this? You know, what's been easy for you? What's been difficult for you in supporting the team, you know, in making it grow?

Greg Crowley:

Sure. So first of all, I'd recommend that everybody out there who's being put into a cybersecurity leadership role, whatever the title may be, CISO, vice president of cyber, whatever the title is, if you're in that role, realize exactly what you said: that it is a leadership role, and that should come first and foremost. Because if you're just by yourself, well, then you gotta start making the business case that you need a team, because it cannot rely on one person; you need a team, and you're gonna succeed because of your team. So in order to do that successfully, you have to be a good leader. So educate yourself on how to become a good leader.

Greg Crowley:

Go to leadership programs, just learn by example. Everybody's had good and bad leaders; pick out the good pieces and eliminate the bad pieces. I take a very people-first approach to my management style because it is very taxing. It's stressful. You're getting told no all the time.

Greg Crowley:

And we also have to deliver the news. We don't wanna say no, but how do we say it in a way where, you know, it's more appealing? We're never really welcome. People see us coming and, like, they don't want us around because it's gonna slow them down, in their perception. So it is taxing on the team. And we often don't have the budget to have a fully staffed team to meet the demands of the business and keep all the bad guys out.

Greg Crowley:

So, yeah, you have to find the wins, celebrate the wins. You have to realize that people do need to disconnect. You should have some type of plan to have a primary and secondary, not just always relying on one person. So give them a break. And you find a way to celebrate and be the champion for your team, letting the business know, hey.

Greg Crowley:

This is how we've helped. This is what the team does. So that's one thing. And the other thing it is gonna come down to is, you could be the champion. You can say all the good things.

Greg Crowley:

You can be flexible with your team. You can do all that great stuff, but eventually burnout is burnout. So what you really need to do as a leader is if that is happening, you have to go to bat and you have to find a way to ease that pain. As I mentioned, my lessons learned of hackers love holidays. Well, my team likes to take breaks to go on vacation, celebrate the holidays, but we can't just leave the business unattended.

Greg Crowley:

We also know that the attacks don't happen just within business hours, so there's also that aspect. So the way I looked at that in the past was, what's the cost of building out a 24/7 SOC so we don't have to just keep burning out the same people? And it was kind of just too expensive to do internally, but there are partners and services. Yes, I know I work for eSentire, but I was actually a customer of eSentire at WWE, and I brought in eSentire for that reason, because we needed to augment our team because my team was getting burnt out.

Greg Crowley:

It was 24/7. It's holidays. It's everything. So you just need to get a service, get a company, a managed detection and response type of company that will do this work, will look at the alerts when they come in, that will take that grunt work, that burnout work, off of your team, and you don't have to burn them out around the clock and on holidays.

Rayna Stamboliyska:

Yeah. Let me be very candid here because, again, you know, I'm from Europe. And there is something that strikes me about liability for CISOs in the US. You know, the impression I get, candidly, is that there is a huge... I mean, you can get sued quite fast. Right?

Rayna Stamboliyska:

And it's really scary for me to imagine that you may be held accountable in court about a perfectly discerning approach that you had, which still ended badly. You know, and this kind of, to me, especially for the CISOs, not so much for the team but for the CISOs, it adds quite the pressure on you, on the person who has the title. So how do you... I mean, dealing with, taking care of the team is one thing. Interfacing with the board and so on is another thing. With users, with partners, that's yet another thing.

Rayna Stamboliyska:

But how do you live with and work with? Like, how does that factor in your decision making process?

Greg Crowley:

Yeah. So CISOs have a lot to worry and be concerned about, you know, and yes, we are a very litigious society, so we have to make sure that we are protected because, again, being, you know, my personality type of being a defender, and I always try and, you know, and CISOs in general, we're working our butts off just to protect the company, to protect the customers, to protect the board, everything. And it's just a game of: something is going to happen. So it's very stressful from that aspect alone. And then to be challenged when something happens and saying, oh, now you're accountable, and, hey, we're seeing things with the former Uber and SolarWinds CISOs of, you know, facing potential jail time or the SEC going after them.

Greg Crowley:

And luckily, in these cases, the precedent hasn't been too bad. I mean, I don't remember the details, but I think on the Uber CISO, you know, he got sentenced, but his time was, you know, what, he didn't actually have to spend time in prison as far as I know. And then I think just recently, the SolarWinds former CISO, I think that got dismissed, which is good. So it hasn't set too bad of a precedent, but this isn't gonna stop. So we still have to worry about that.

Greg Crowley:

Again, going back to: we need to elevate the CSO, because that's the last of our concerns. We're doing our job and protecting the company, the customers, and everything as best we can. We have to get the other members of the company. Right? It has to be a shared risk.

Greg Crowley:

There should be an office of the CISO. It should include other leaders. There should be a split-out of this data privacy officer. There could be other roles that are in there, but also the CEO, the CFO, everybody, all the other C-level executives, their responsibility has to be known, communicated, and they have to be part of the process of documenting everything, making sure that it's being clearly communicated that this is the risk, explaining it: here's the impact, and here is the likelihood, and this is the relative impact it could have. Do we want to accept this risk, or here's how I recommend that we mitigate it, or some things we could do, or avoid it, and then document their responses, you know, because that's how you're gonna get the budget, the resources, and at least show that you're doing the right things.

Greg Crowley:

Even if you do all the right things, anybody can sue anybody, so it's still a worry out there. Make sure, you know, you're asking for the right things. Make sure you have the directors and officers, D&O, insurance. Unfortunately, look at your personal insurance that you carry yourself and make sure you have enough insurance there for these types of situations. But, yeah, it's a scary thing that, if I spent too much time thinking about it, I probably wouldn't be a CISO anymore.

Rayna Stamboliyska:

Yeah. No. No. I mean, from afar, like, from that side of the pond, it really scares me.

Greg Crowley:

Yeah.

Rayna Stamboliyska:

You know? So I'm not envious of your positions, you know, there. Although, I mean, on paper it looks great and it's a prestigious role and everything. But, yeah. It's still a complicated thing to look at.

Rayna Stamboliyska:

But let me kind of lighten the mood here a little bit.

Greg Crowley:

Yes. Let's do that.

Rayna Stamboliyska:

Yeah. So we've talked, you know, about the past, about our roots, your roots. We've talked about the present, you know, what keeps us up at night. But now let's talk about the future. You know what?

Rayna Stamboliyska:

That's after all why we get up in the morning. Right? So we know that planning for things that might go wrong, this is about budget, this is about getting ahead of things. Planning for things that you don't know about, that's a different beast. You know, this is about strategy, anticipation, experience, rock solid processes that allow you to pivot, and so on.

Rayna Stamboliyska:

I mean, we've talked about... so let me push that a little, you know, further as an opening and food for thought for our listeners. What is the risk that you think needs more attention? Or, for example, is there, like, a black swan event that you could imagine affecting CISOs, you know, that they should consider? So, for our listeners, a black swan event is something that's rare, you know, that's difficult to anticipate, but when it happens it has a major negative impact. So tell us about this one risk.

Greg Crowley:

Well, actually, two things come to mind. But first of all, that's a fantastic question that has never been posed to me in that fashion before, and I really like the way that you phrased that with the black swan event. So the first one I'll talk about just because I think, well, it wouldn't be a podcast if we didn't talk about AI, but I really do think that's a good example, is that AI has to be one of those things that, you know, I know we're talking about the risks now, and I think, how can this not become a black swan event? So we don't know exactly what that high-impact event will be, but we now have unleashed this power, and I think we will look back at whatever that high-impact event is and we'll look back and say, well, duh, of course this would happen. And we're trying to protect against it, but that's one of the things where I think it's gonna happen in a way that we didn't anticipate or realize could actually come to fruition.

Greg Crowley:

So I think that's one of those things. But as far as a risk that needs more attention or a black swan event for CISOs themselves, I think it's, yeah, again, it goes to that personal liability. That's the other piece I would think about.

Greg Crowley:

We're used to being this scapegoat, but there's going to be something that changes things. I think we're starting to see that now. These events of the litigation probably will change things, and I think more CISOs should be, you know, championing to elevate the CISO, to get the D&O insurance, to have a seat at the table, to make sure that the board and other C-levels are part of that risk management process. So hopefully that answers the question, but I do love the way that it was posed.

Rayna Stamboliyska:

Thank you so much. I mean, there is no right or wrong answer. Right? The idea is that we start by asking ourselves that sort of question, which gets me to a follow-up on that question: how do you encourage, you know, your team, and yourself obviously, to think ahead around security? Because we are so busy on an everyday, like on a day-to-day basis, you know.

Rayna Stamboliyska:

So we don't necessarily have the time to sit down and think about what could hit the fan. So how do you do that? How do you establish, let's say, a permissive, or even encouraging, environment where you, your team, can sit down and actually prepare for the future?

Greg Crowley:

Yeah. It's an everyday occurrence. It's an everyday thing that I try to instill in my team, and it has been helpful for me throughout my career. And, again, I would attribute this to, a, just the natural personality trait that I have of always staying curious, but it's also something that WWE had as a core value, always stay curious, and that's always been one of my strong suits. So, WWE also mentioned, you know, look at each day as the first day on the job, and that's something that has stuck with me.

Greg Crowley:

So if you're coming in and this is your first day on the job, how would you be doing things differently? What would you be looking at today? Forget all the baggage. Forget why we couldn't do this. You don't know any of that history.

Greg Crowley:

What should we be doing? And then I think, just always ask, how can this be exploited? So, for bringing in something new, or just looking back again, first day on the job, seeing whatever we have in the environment, how can this be exploited? Yeah. You have to have that curiosity element.

Greg Crowley:

So, yes, I instill this in my team. It comes naturally to me. Thank goodness. And as a security professional, yeah, be paranoid and be curious. I guess those would be two things.

Rayna Stamboliyska:

Alright. So yet another superpower that you have there. I mean, from experience, it's not so easy to prime people to think about the future, you know, when they're neck deep into day to day activities. Right?

Greg Crowley:

Right.

Rayna Stamboliyska:

So as a, let's say, final word, a conclusion, but perhaps even more so as an opening, in one word, but like only one: what is the biggest hope or the biggest opportunity, if you wish, for CISOs overall over the next, say, 7 to 10 years? One word. I know this one is tough.

Greg Crowley:

Oh, that is a tough one. I could use a hashtag, but that would be combining three words of elevate the CISO, but you've heard me say that enough today. It's gotta be, I think the word is team.

Rayna Stamboliyska:

Team. Wonderful.

Greg Crowley:

And what I mean by that is the CISO is not one person. It's a team.

Rayna Stamboliyska:

No. This is wonderful. I mean, I remember one of my earlier bosses when welcoming, like, presenting himself to the company, it was an annual gathering. And he basically opened his arms and said, the cybersecurity team, it's not me. It's not the engineers.

Rayna Stamboliyska:

It's all of us. So it was a very different way of, you know, setting the stage for what's to come and involving people in something that is vital to everyone out there. So, well, thank you so much for being with us, for dedicating this time to enlighten and elevate the conversation.

Greg Crowley:

I will end with this, with just saying, right now, I really did enjoy this conversation, and that's what this was, a conversation. More podcasts should be like this. Getting the CSO to think outside of just the daily, kind of pull yourself out, take a bird's-eye look, and really evaluate. And I think that's gonna help us in our role, and I think you did a fantastic job at challenging me and pushing me to think a little bit, especially on that last question. So thank you.

Rayna Stamboliyska:

That was Greg Crowley sharing his experience and insight. Thank you for your time and for highlighting that we protect humans above all, be they on the team or end users. So that's all for this episode of What the Hack is a CISO, supported by Sysdig. I'm Rayna Stamboliyska, and I'll see you next time.

Creators and Guests

Rayna Stamboliyska (Host): Strategy & Foresight. Award-winning writer. Former 🧬 scientist.