Blue Ocean Global Technology in conversation with Kip Boyle, an expert in information and cyber security. Kip takes us through different points of his journey, from his vision behind Cyber Risk Opportunities, LLC., what he finds rewarding in the field, and why safeguarding one’s self in the cyberspace is imperative.
Blue Ocean: Tell us about your professional life. Why did you choose to work in this industry?
Kip: I actually backed into my career in cybersecurity. After graduating from college, I went to pilot training with the US Air Force. When I was five months into the 12-month program, I realized being a pilot was not a good fit for me. As my bachelor’s degree was in Information Systems, I was reassigned to work on highly classified air-to-air weapons systems test and development projects.
I really enjoyed the work. I had to learn about computer security and data protection. I was one of the few people who thought this part of our work was interesting, so I got to do a lot of it!
After I left active military duty, I worked in a series of jobs in the private sector, where I focused on cybersecurity. Over the years, I’ve worked with some really fantastic people and organizations. One of the most interesting projects was leading a team that secured a new payment system for the US Federal Reserve System.
In 2003 I became Chief Information Security Officer (CISO) for an insurance company. And then, in 2015, I started my own company called Cyber Risk Opportunities (CRO). Now I’m a virtual CISO for many different organizations, and I love what I do!
Blue Ocean: What does your typical day look like?
Kip: I wear multiple hats, so a typical day at work for me will depend on which hat I’m wearing.
As a CISO, I talk to customers about their top cyber risks and how to mitigate them. I do quite a bit of educating as I work with customers because cybersecurity is not their area of expertise. That’s true whether I’m talking to a chief financial officer or even a chief technology officer. Every couple of weeks, I record an episode of the Cyber Risk Management Podcast with my co-host, Jake Bernstein.
I’m also a small business owner. So when I’m wearing that hat, I might revise our customer avatar, test a new referral-based marketing strategy, create new offers that our customers will want to purchase or spend time with our sales development representative, looking at her metrics and figuring out how to serve both new and existing customers.
Finally, I have a hat that I wear when I manage my CRO team. My goal is to make sure that my team members feel psychologically safe in our work environment, that they’re doing work that is interesting to them, plays to their strengths, and that they’re growing professionally through the process.
Blue Ocean: What is one trend from your industry that excites you?
Kip: I’m enjoying the leadership role that insurance companies are taking on a national basis. Their goal is to sort out which cybersecurity tools, processes, and management actions will tangibly reduce the risk of some sort of cyber breach, like ransomware.
They’re not the first ones to try to figure this out. There are a lot of other organizations that have been attempting to do this. For example, there’s the Center for Internet Security (CIS) Top 20, NIST Cybersecurity Framework, and ISO 27001, to name a few.
But insurance companies have a very high financial incentive to get cybersecurity right. I also find that they’re being extremely practical about it. They don’t seem to be as constrained by dogmatic thinking that cybersecurity professionals sometimes get tripped up.
Blue Ocean: How have you differentiated yourself, and what underpins your success?
Kip: We treat cyber as the material organizational risk that it has become. It means understanding where cyber risk may be across the organization and not just in their technology stack. We consider people, process, management, and technology when we identify top cyber risks and when we design mitigations to reduce those risks to an acceptable level.
So, for example, we know that phishing is a very effective form of cyber-attack. The target is the emotions of the people who are receiving the messages. So, our mitigations tend to focus on standard operating procedures for two-party approval of funds transfer as well as training and technical controls. By orchestrating all these resources into a single package, we can better mitigate risk while not losing business agility. My long-term vision for my customers is to make clicking on a phishing link irrelevant.
A big reason why I’m different is mainly due to my natural interest in the intersection of technology and business. I believe technology provides the greatest value when solving real business problems. And I think cybersecurity needs to create business value as well. In my book, Fire Doesn’t Innovate, I explain how cybersecurity leaders can show the business value of their mitigations.
Blue Ocean: What is something unique you offer to your clients?
Kip: We strongly believe in the value of education to help your decision-makers become better cyber risk managers. So we provide a lot of free or low-cost educational opportunities for them. This includes the Cyber Risk Management Podcast, my book, Fire Doesn’t Innovate, and many online video courses on Udemy and LinkedIn Learning.
When we work with customers, we’re also very big about knowledge transfer. Sometimes our customer just wants us to write a procedure or make a configuration change and then move on to the next thing. But I always ask them if they are trying to be self-sufficient with the different mitigations we help implement. And if so, we build time into the work for training their people.
We also have a deployment kit full of templates that we share with our customers to jumpstart their Cyber Risk Management Action Plan (CR-MAP). This is our premier product. It’s a repeatable, scalable process that identifies your key vulnerabilities and gives you a prioritized roadmap to mitigate cyber risk across all areas of your business: infrastructure, workforce, and management.
Blue Ocean: What is your advice to your younger self?
Kip: Get better at building and enjoying healthy human relationships sooner rather than later!
Blue Ocean: Tell us what you are grateful for.
Kip: There are so many people and so many things I’m grateful for!
In the professional realm, I learned so much about my foundation for being an effective cybersecurity manager and leader from the people I worked with in the US Air Force and the Stanford Research Institute (SRI).
And at every one of my employers afterward, I was able to grow both personally and professionally, which is extremely rewarding for me. One of the greatest development opportunities I’ve ever had was sponsored by PEMCO Insurance. They made it possible for me to earn a graduate certificate in executive leadership from Seattle University. That experience transformed my life in a number of significant ways.
And it just wouldn’t be possible to serve our customers without my team at Cyber Risk Opportunities and my family, who supports me and keeps me from losing myself in work (too much).
Blue Ocean: What are your sources of happiness and inspiration?
Kip: I live in the Pacific Northwest, and there is so much natural beauty here. Whenever my mind needs refreshing, a hike in the woods usually does the trick.
I love to learn and to share what I know. A note from a student who has benefitted from anything I’ve ever said can send me directly to cloud nine for days!
Blue Ocean: When you have time outside the office, what passions or interests do you pursue?
Kip: Right now, I’m planning a four-day backpacking trip on the Inca Trail to Machu Picchu. A few years ago, I explored the excavated city of Pompeii in Italy. And back in 2007, I went on a three-week trip around the world. Big adventures like that are super fun and motivate me to stay physically fit.
Blue Ocean: What is your favorite quote?
Kip: “There’s no such thing as bad weather, only unsuitable clothing”– Alfred Wainwright, A Coast to Coast Walk
Do you have a personal or professional story that can inspire other people into becoming the best version of themselves?
You are welcome to share your journey with our audience.