Boyd Clewis’s journey to building a career in cybersecurity began with learning how to persevere and problem solve in the face of setbacks – advice he now shares with companies for managing their cyber risk.
After having to drop out of college and getting laid off from his first job, he discovered his knack for problem solving and his passion for cybersecurity while working the night shift at a software company.
“I was working for a software company in Dallas, and I was working nights. I had this interest in cybersecurity because I saw the way everything was going digital, so I was thinking of this as career preservation. It’s like this is a trend that I need to get on. I know it’s going somewhere,” he said on this episode of The Insuring Cyber Podcast. “This was over a decade ago.”
He began building his career in cybersecurity and has since become a recognized cybersecurity expert and a member of the Forbes Technology Council. He founded Baxter Clewis Cybersecurity, a consulting firm, and authored two books, Through the Firewall: The Alchemy of Turning Crisis Into Opportunity and Corporate Security: Proven Ways to Reduce Cybersecurity Breaches.
Clewis eventually found himself driven by a desire to help others on a similar path. This led to the co-founding of Baxter Clewis Training Academy, a platform designed to guide aspiring cybersecurity professionals, alongside his wife and co-founder, Tiana Clewis. He attributes the success of the training academy, once again, to problem-solving.
“I was actually working at a consulting company, and I was working with some of the biggest names in the world doing security assessments,” he said. “I’m flying all over the world. I’m in India. I am in Australia doing all of these security assessments, and I kept running into the problem that when I’m coming out to do these audits, the company staff – they didn’t know what was going on.”
Clewis said as projects kept getting extended while companies grappled with fixing the cyber issues raised during audits, an idea came to him.
“I was like, ‘If these problems are existing at these gigantic companies, what if I just trained the people and created the [employees] to actually serve these roles?’” he said.
Early lessons in persevering through difficulty served him well as he worked not only to train future cybersecurity employees, but also to teach companies about managing their cyber risk.
“At the end of every event, whether it’s good or bad, there’s an opportunity to reflect on what happened,” he said. “And so, if a company has been breached, or maybe they’re concerned about being vulnerable, there’s nothing wrong with having a risk assessment done and actually facing those issues head on.”
He said companies often assume they are secure and their employees are up to speed with training and protocols. However, that’s not always the case.
“When it comes to business, especially cybersecurity, making assumptions could be detrimental to the company,” he said. “You have to have assurance.”
In fact, he said the biggest threat to a company’s cybersecurity comes from the inside, in the form of insider threats: cases where an employee or third-party vendor either maliciously or accidentally compromises the organization’s security.
“It’s so funny because when I consult with companies, they show me these fancy firewalls that they have to keep the bad guys out, all of this threat detection for perimeter threats, and then I just walk right over to an employee’s desk, sit down, plug my laptop in, or just get onto their computer,” he said. “I’m like, ‘So, what are you doing about this?’ They’re like, ‘Huh, didn’t consider that.’”
One of the tactics Clewis would employ as a security assessor was to see how far he could get into a company’s building using social engineering methods, or as Clewis describes it, “the ability to persuade employees to do something or believe someone isn’t a threat.”
“I happen to think I’m a handsome guy, and I like to smile,” he said. “I’ll smile my way into any room, and then I’ll tell them, ‘Hey, this smile just defeated your multi-million dollar security equipment.’”
He said that although much has changed in the field of cybersecurity, many of the threats remain the same, whether it’s insider threats, business email compromise, or ransomware.
“It’s the same dog and pony show,” he said. “Companies, change your passwords, patch your systems, have strong access controls, back up to a remote site. Don’t do it after the fact. This is going to cost you 10x, right? It’s simple, simple hygiene, but it starts with the users to help offset a lot of these threats.”
Check out the rest of the episode to hear what else Boyd had to say and be sure to check back for new episodes of The Insuring Cyber Podcast publishing every other Wednesday along with the Insuring Cyber newsletter. Thanks for listening.