“Threats can be costly”, With Jason Remillard and Michael Rohrs of Control Risks

In preparing for a potential threat, it’s critical that businesses know where all of their data and information is located. Business leaders and executives must know where their data is stored and who is responsible for it, and leaders should consistently check in with that person or group of people to ensure the data is secure.


As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Michael Rohrs, a Principal at Control Risks where he leads the cyber consulting practice in the Americas. Based in Washington, D.C., Michael has extensive experience in global information and technology risk, cyber security, crisis management, incident response, intelligence and geopolitical analysis.


Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I grew up in Annapolis, Maryland — a charming colonial town where the Severn River meets the Chesapeake Bay. I was raised in a close-knit military family — me, my Mom, Dad, and younger brother — with a large and somewhat rambunctious cohort of extended relatives nearby. You couldn’t get away with much in my family! I played what was probably an ill-advised amount of sports growing up and loved every minute of it, despite plenty of broken bones, stitches, and a couple of minor concussions.

I went off to undergrad at a small liberal arts college where I studied both political science and English literature, played varsity soccer, and went sailing on the weekends. Then it was on to the real world of work in Washington, DC straight after that. I was fortunate and am very grateful to have had all of those dynamics growing up and am careful never to forget where I came from or the opportunities I was given.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

It’s hard to draw a clear line between my background, education, and the career I have now in cybersecurity. Despite my family pedigree, I knew that I didn’t want to join the military — mostly because I don’t like to shave. But I felt a strong sense of duty to serve our country in my own way. I also wanted to travel, experience the world first-hand, and be involved in events that were influencing the global society we lived in. Working in the US Intelligence Community was, for me, the perfect way to do all of that.

My first job was as an analyst working on domestic counter-terrorism issues for the Department of Homeland Security (DHS), the FBI, and the Federal Emergency Management Agency (FEMA). I later began working with the Defense Intelligence Agency (DIA) on foreign intelligence issues in the Middle East and North Africa. At the time, many foreign governments had just begun to develop their offensive and defensive cyber capabilities within their military, so it was likewise increasingly DIA’s responsibility to address military cyber issues.

At the time, there weren’t a ton of cyber intelligence analysts at DIA and I remember the day the department I was in needed someone to work on a new cybersecurity portfolio. I thought to myself, “Well, if whoever takes the job will have to learn cybersecurity anyway, it might as well be me.” So, I volunteered. I haven’t looked back from cybersecurity since.

Can you share the most interesting story that happened to you since you began this fascinating career?

Cyber incident response cases happen at the worst times and make for the most interesting stories. Some of my favorites are the inopportune places I’ve had to take the dreaded first call that a client has a big problem.

A few years ago, I was visiting the India subsidiary of an American company. It was the eye of monsoon season and I was riding in the back of a tuk-tuk in Mumbai, stuck in the noisiest evening rush hour traffic of my life, when the skies opened up with torrential rain, thunder, and lightning — a river of mud actually started running through the streets and in through the sides of our ride which didn’t have any doors. It was at that moment that my phone rang to tell me that a client back in the States had been hit with a widespread ransomware attack and needed to talk to me.

I have also taken incident response calls from more than one professional baseball stadium. From experience, I can tell you that the best place to take a call, in relative quiet, is in the gift shop.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

Yes, but it’s a group of people. I’m grateful for the series of intelligent, determined women who mentored me, showed me the strength of emotionally-intelligent leadership, and who pushed me to be the best version of myself, all while succeeding in male-dominated industries. It was a foundation that my grandmother and my mother laid, but I’ve also been fortunate enough to work for more women than men during my career both in the intelligence community and in the private sector.

Are you working on any exciting new projects now? How do you think that will help people?

Insider risk has been a big focus of mine recently. COVID-19 has really heightened organizations’ challenges with potential insider issues. Individuals and organizations are dealing with a lot of extra stressors these days. Companies’ ability to proactively identify and manage concerning behaviors that could indicate harmful or hostile action by employees is critical, especially now in such an unsettling and unforgiving economic environment. But insider risk can be a very sensitive subject and handling it poorly can quickly corrode trust and culture in an organization. So my colleagues and I help our clients address the human side of insider risk, which enables the organization to focus on empathy and resilience right alongside security because at the end of the day, every organization’s most valuable asset — and also its most vulnerable — is its human capital. Protecting that helps the company writ large and its individual employees.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

Sooner rather than later, decide that you are going to demand a healthy work-life balance from yourself and of your employer. It’s easy, and necessary at times, to over-extend and put time in to prove ourselves — but it’s ultimately a losing race. If you focus on the quality of your work rather than the quantity of it, you stick to your word and follow through, and set your boundaries and stick to them, people will respect you and your time.

And when it comes to cyber in particular, it’s about risk not just security. An organization’s cyber risk will never be zero and its security will never be 100%, so I always recommend that my fellow cyber professionals focus on risk tolerance and resilience equally as much as on security.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

So far, there hasn’t been a dull day since I got into cyber, but three things that excite me right now about the industry are:

  • As cyber issues continue to pose even greater threats and cause greater impacts to the core operations of organizations of all sizes and sectors, in the more mature markets cyber is finally being talked about as an integral part of managing all other enterprise-level risks.
  • A whole generation is currently benefitting from a renewed focus on education in science and technology, including cyber. As a result, the highest levels of elite education are not required to succeed in this industry because it rewards naturally talented individuals who are intellectually curious, creative, critical thinkers regardless of whether or not you went to the most expensive schools.
  • It still has a lot of maturing to do, but I’m also excited about quantum computing. When the research and development of the technology improves to become more stable, less “noisy,” and more accessible, it could be truly revolutionary. It could change not just everything about the way we handle cyber risk, but it could also completely change business and daily life in a lot of ways.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

One of the threats that concerns me the most is malicious attacks on the integrity of information. In the cyber community we talk about the C.I.A. triad — that is protecting the confidentiality, integrity, and availability of information and systems. Ten years or so ago, there began a series of cyber-attacks that stole massive amounts of data from organizations including healthcare insurance companies, retail stores, and government agencies. Data breaches like that violate the confidentiality of information and systems. Over the past five years, ransomware attacks emerged and have become dangerously potent and prolific. Maliciously encrypting an organization’s data and systems violates their availability.

We have not yet seen widespread attacks that manipulate the integrity of an organization’s data but the possibility of that happening is really troubling. As a society we rely so heavily on the accuracy of our information, and that information moves so quickly, that organizations unwittingly making decisions based on data that has been quietly manipulated would make things really ugly. As part of a properly risk-driven and resilience-focused approach to cyber, companies should include systemic capability to consistently ensure the integrity of their information and systems.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

These days, I spend a lot of time helping companies manage ransomware attacks, many of which rise to the level of a corporate crisis. Recently, the criminals who perpetrate these attacks have started to steal data from their victims before encrypting their systems, which enables them to attempt to extort the company on multiple fronts — first to regain access and second not to publicly release the information.

Being extorted can be very emotional — the criminals prey on their victims’ fear and uncertainty to control the situation and get more of what they want, which is usually money. But the underlying circumstances of the situation are often not in reality what the attacker wants the company to think they are. Part of my job is to help the company cut through that fight or flight reaction and sort through the elements in a more measured way. That usually means first determining whether the attacker is actually capable of what they claim and helping the company evaluate the cost versus the benefit of their response options.

On a lot of occasions the results of my work with the victim company have led to them recognizing when it doesn’t make sense to pay ransom and in fact changing their approach completely to handling the crisis, including how forthcoming they are with their employees and customers about the incident. It’s rewarding to be able to help a company resolve a crisis like that — and of course the world is a better place each time one less ransom gets paid.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

Through my work with companies, I encounter a lot of leading-edge enterprise cybersecurity tools, but the ones I use most frequently are those I have as an individual consumer in my day-to-day life, like everyone else. These tools are the most important, because they keep me and my family and friends secure. They’re also the ones I recommend to anyone that will listen!

For example, all of my password-protected accounts have multi-factor authentication enabled. I have a password manager app on my phone so I can create unique complex credentials for everything without reusing or forgetting them. I have a mobile VPN that I use anytime I am connected to a Wi-Fi network I can’t trust, and all of my devices are encrypted and protected with a screen lock in case they’re ever lost or stolen.

It can take a little extra effort to learn about and maintain these habits, but basic security tools are more often being built into the things we use every day and a small amount of time, money, and education goes a really long way to keeping you and the people who trust you secure. It’s definitely worth it!

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

Answering that question highlights the importance of a company taking a truly risk-driven approach — it enables them to determine exactly what makes the most sense for them and what resources they really need based on the profile of their company, the value they have at stake, and their tolerance for risk. In my experience, when companies take the time to honestly go through that risk assessment process — which many organizations find it valuable to have a consultant help with — it becomes clear what level of security investment is right for them.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

Hopefully the first sign that something is wrong isn’t that you’ve discovered a ransom note demanding bitcoin on your now encrypted laptop — or it isn’t a reporter calling to ask if you know that your company’s financial information has been posted online and do you have a comment. Assuming you’re still in a position to catch the problem before any of that happens, there are some keys to look for.

Although we have seen a lot of different types of cyber-attacks over the years, most people don’t know that attackers often have to take similar steps to perpetrate them successfully. This concept is often called the attack framework or the kill chain. For example, one element that is involved in a lot of attacks is compromising the account of a legitimate user. Doing that enables the attacker to remotely do things that the user has permissions to do, as if they were within the network themselves. A few fairly obvious indications that something is wrong would be noticeable in the list of log-in activity for that person. If a user is curiously locked out of their account, you notice repeated failed attempts to log in, or activity on that account has been happening at times or from locations that are abnormal or can’t be explained by the legitimate user, those would all be good signs that something is wrong.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

If a company is made aware of a data or security breach, it’s critical that the company engages in a solid business impact analysis to assess the weaker points within the organization. The first step in this is to ensure that company leaders and executives have a deep understanding of what parts of the business were impacted during the breach to create a robust recovery plan.

Oftentimes, companies have to walk back the things business leaders said or did at the beginning of a crisis because the business acted too quickly, without having a clear picture of what went wrong or a full understanding of how widespread the issue was. In order to avoid this, businesses must be proactive and anticipate that things will go wrong: A robust crisis management plan will force businesses to think about the issues that could arise and anticipate the questions that customers will have.

When handling a breach, the most important thing to remember is to be as transparent as possible. There is less of a stigma around businesses that have suffered an incident than there used to be and more of a stigma around businesses that were not forthcoming and transparent in their incident response.

How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?

If a company is made aware of a data or security breach, it’s critical that the company engages in a solid business impact analysis to assess the weaker points within the organization. The first step in this is to ensure that company leaders and executives have a deep understanding of what parts of the business were impacted during the breach to create a robust recovery plan.

Oftentimes, companies have to walk back the things business leaders said or did at the beginning of a crisis because the business acted too quickly, without having a clear picture of what went wrong or a full understanding of how widespread the issue was. In order to avoid this, businesses must be proactive and anticipate that things will go wrong: A robust crisis management plan will force businesses to think about the issues that could arise and anticipate the questions that customers will have.

When handling a breach, the most important thing to remember is to be as transparent as possible. There is less of a stigma around businesses that have suffered an incident than there used to be and more of a stigma around businesses that were not forthcoming and transparent in their incident response.

What are the most common data security and cybersecurity mistakes you have seen companies make?

Generally, businesses under-invest in their cyber security programs and business leaders do what is minimally acceptable to prepare their organizations for a potential risk. Companies that have been in business for a long time end up in a pattern of holding their network controls together with duct tape and gum, with the goal of spending as little money as possible on security protections and system upgrades. Additionally, companies often put the responsibility of data and cybersecurity on one person or a small group of people that don’t have sufficient resources or decision-making authority to properly address the issues that come up. Business leaders should be involved in the risk monitoring process on a day-to-day basis to be able to step in and make important decisions in the event of a crisis. At the end of the day, having systems that are properly managed and well-funded is critical to having a successful business.

Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

Since the pandemic began, companies have been acting out of necessity under emergency circumstances and dealing with issues as they arise rather than planning for future potential threats.

During COVID-19, there has also been an uptick in the collection and storing of health information because the virus required it. Health information is protected information and during the pandemic most companies have collected personal data without regard for the individual. Prior to the pandemic, businesses would not have collected health data and information, but now it has become integral to businesses who are hyper-aware of employees’ health. Contact tracing is a great example of this — businesses must collect employee health data in the event that an employee contracts the virus, but the privacy concerns arise when a business has to inform employees of an outbreak and contact trace without revealing the names of individuals or employees who are already sick.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

  1. In order to respond better to future crises, businesses should conduct an impact analysis to analyze past decisions and why those decisions were or were not successful. It’s important that businesses don’t wait to conduct an impact analysis until an incident has been discovered.
  2. Businesses should implement a risk management plan to prepare for potential data privacy and cybersecurity issues. When a threat presents itself, businesses often react instead of providing a well thought out, measured response to the crisis at hand. A risk management plan will serve as a big-picture guide for business leaders and give them the opportunity to focus on the details of the crisis.
  3. In preparing for a potential threat, it’s critical that businesses know where all of their data and information is located. Business leaders and executives must know where their data is stored and who is responsible for it, and leaders should consistently check in with that person or group of people to ensure the data is secure.
  4. Businesses must develop a robust team of individuals to monitor for and prepare for potential cyber threats or breaches. To ensure that data is being properly managed and that possible threats are not being overlooked, business leaders should routinely check in with the designated team so that they are aware of potential threats and the business is not blindsided in the event of a breach.
  5. Threats can be costly. It’s important that businesses understand how much money a potential threat will cost and how much money can be lost if the company is not prepared to handle a risk when it presents itself. It is difficult for a business to make risk-driven decisions in the middle of a crisis if business executives do not have a bigger-picture sense of impact and cost.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)

Well, how much time do you have? If I have to choose just one, right now I would inspire a movement for truth and context in media — especially in social media. As a recovering intelligence analyst and now cyber risk professional, I know first-hand how much the context and details of situations or subjects matter to how people interpret and make decisions about the media they’re exposed to. Even small omissions or misperceptions have serious and enduring effects on how people interact with each other and how they judge themselves. We owe it to our common humanity and for the betterment of the future to fight back against the amount of disinformation, deep fakes, historical whitewashing, beauty filtering, and willful ignorance to facts, science, and difficult realities that are so prevalent in the content that we consume. It’s holding us back from being our best and most genuine to each other and to ourselves.

How can our readers further follow your work online?

Readers can follow my work online via my LinkedIn and the Control Risks website. I’d also encourage your readers to follow @Control_Risks on Twitter for interesting risk-related updates and insights.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!

