Cyber Threats to Global Good and the Fight for Collective Defense
Why nonprofit organizations are bigger cyber targets than most realize—and how the NGO-ISAC is helping defend the sector.
NGOs face a cyber threat landscape that’s as serious as, if not more serious than, the one private sector organizations face, partly because they often face those challenges with fewer resources, leaner teams, and less public awareness of their risk profiles.
Today we’re joined by our friend Frank McGothigan, CISO of the Ford Foundation and VP of Member Services at the NGO-ISAC. We’ll explore what lessons the private sector can learn from the approach NGOs are taking, how high-profile boards and leadership teams present unique cybersecurity challenges, the formation of the NGO-ISAC, and why threat sharing and collective defense are essential for this sector.
- NGOs are high-value, high-visibility targets. Endowments rival major banks, work often clashes with hostile regimes, and lean security teams make nonprofits attractive to both criminal and nation-state actors.
- Community = superpower. Shared trauma over the same 2015 threat led to the creation of the NGO-ISAC, demonstrating that collective defense and open information exchange can bridge funding and resource gaps.
- Secure comms must be audit-ready. Consumer apps like Signal or WhatsApp lack policy controls, visibility, and retention—deal-breakers for grant transparency, regulatory inquiries, and incident response. NGOs need governed, end-to-end encrypted channels with searchable archives.
- Shift from “cybersecurity” to “digital risk.” Frank urges leaders to map risks to people and their interactions first, then layer tools, highlighting MFA strength, phishing exposure, and personal device use as starting points.
- Next horizon: privacy, open-source tooling, and scaled IR. The NGO-ISAC plans low-cost SIEM/EDR options, information scrubbing “block parties,” and more tactical training to help even five-person community orgs defend themselves.
[00:00:03:15–00:00:30:09]
Navroop Mitter:
Hello, this is Navroop Mitter, founder of ArmorText. I’m delighted to welcome you to this episode of The Lock & Key Lounge, where we bring you the smartest minds from legal, government, tech, and critical infrastructure to talk about groundbreaking ideas that you can apply now to strengthen your cybersecurity program and collectively keep us all safer. You can find all of our podcasts on our site, ArmorText.com, and listen to them on your favorite streaming channels. Be sure to give us feedback.
[00:00:34:13–00:01:38:20]
Matt Calligan:
Hey there! Welcome to The Lock and Key Lounge podcast. I’m Matt Calligan, your host for today. And today, we’re actually going to be discussing something I bet you’ve never thought about. Nonprofits, NGOs, foundations, humanitarian awards. We’re all familiar with them. These are actually frontline targets for cyberattacks. And as our guest will tell you, these organizations behave very much like—and even rival—some of the largest banks in the world as far as assets. They hold lots of money, sensitive data, have global influence, and frequently engage in work that does attract cyber criminals and even nation-state actors.
So today, we’ll explore how these risks led to the creation of the NGO-ISAC, a threat sharing and collective defense organization built specifically for NGOs. And to do this, we’re joined by my friend Frank McGothigan, CISO of the Ford Foundation and VP of Member Services at the NGO-ISAC. Frank, welcome to the show.
[00:01:38:23–00:01:48:22]
Frank McGothigan:
Thanks, Matt. Really happy to be here. This is one of my passion projects, given that the space has been so neglected for so long. Happy to be here.
[00:01:49:00–00:03:26:16]
Matt:
Absolutely. Yeah. And I’m looking forward to getting into that actually. For those listening, Frank is the Chief Information Security Officer at Ford Foundation, one of the world’s largest philanthropic organizations. He also serves as Vice President of Member Services at the NGO-ISAC, which is a collective defense organization helping NGOs collaborate across all the different cybersecurity threats that are out there.
Frank’s career spans over two decades, including work at Penn Medicine, where he focused on critical health care infrastructure, as well as earlier roles in network management and IT operations. And like you said, his passion lies in defending mission-driven organizations and enabling them to operate in what is an increasingly hostile landscape.
So, for today’s topic, to give you a quick overview—NGOs face a cyber threat landscape that’s as serious, if not more, than private sector organizations, partly because they often face those same challenges or other challenges with fewer resources, leaner teams, fewer people to help out, and less public awareness of their risk profiles.
So today, we’re going to explore what lessons private sector, like yourselves, can learn from the approach NGOs are taking, how these high-profile boards and leadership teams present unique cybersecurity challenges, the formation of the NGO-ISAC specifically, and then why threat sharing and collective defense is essential for this sector, which is one of our favorite topics.
So, Frank, if you’re good, I’ll go ahead and just jump right in here.
Frank:
Yeah, let’s do it.
[00:03:26:21–00:05:43:17]
Matt:
When most people think—well, we’ll kind of start at the very top here—probably the thing that’s on the top of every listener’s mind here. When most people think about critical infrastructure, they think the obvious ones—utilities, banks, hospitals, energy companies, but not NGOs. Why should the cybersecurity of NGOs matter to the rest of us in the industry? And what’s at risk if we get it wrong?
Frank:
Yeah. So as I said—and you highlighted—this is one of my passions here. And I think first, let’s break down the differences between the NGOs, kind of highlighted—the Ford Foundation, which is a private philanthropy or a grantmaking organization. Then you have policymakers, which are your think tanks. These are the folks like Brookings and Aspen and all the people that are doing work globally to help develop policies.
But then you have others that are what we would call civil society organizations. Think of the International Red Cross. That is a very large civil society organization. But you also have smaller, community-based organizations. Think of afterschool programs in underprivileged communities. They’re all non-governmental organizations. And the threats that we typically deal with—I like to think of it as like this Venn diagram of digital risk or cybersecurity, reputational risk, and then somewhere in the middle is the physical side of it.
And so, it’s a tough space to navigate. And what happens if we get that wrong is harm—harm and reputational damage. And that could be the trust with a grantmaking organization and their ability to secure that data, or the credibility of a think tank, or the reach of an organization like the International Red Cross.
So, we try to think of these spaces as collectives—that what impacts one organization does have a downstream effect to the others. Getting it wrong? People can get hurt, reputations get damaged, and money doesn’t flow to where it needs to flow.
[00:05:43:19–00:07:46:01]
Matt:
Right? Right. Which causes more harm further down the road.
Frank:
Exactly.
Matt:
With that kind of Venn diagram you mentioned, maybe unpack that a little. What does that—
Frank:
—Yeah.
Matt:
—landscape look like in more detail for NGOs? How to—and how does it compare? Maybe if I could add one to what we typically think about from a traditional landscape of an energy or finance critical infrastructure industry.
Frank:
Well, like all critical infrastructure, mainly financial services, we deal with criminal threat actors all the time. We have endowments, and it’s very public, the size of these endowments. So, it puts a pretty significant target on us. So, we’re constantly dealing with your scams, your diversion of funds. But we also deal with a lot of nation-state stuff too.
This can be because of work we’re doing in the region—it’s not quite popular with that government—or we’re trying to operate in hostile environments where there is destabilization happening within the region. So, there’s that element as well. And then we also deal with the third piece of it, which is—and the private sector would be—supply side.
For us, it’s our grantees. Our grantees would be considered like the supply side. So, if they get compromised, it’s very easy or difficult to detect that the funds that were slated for them are diverted to a criminal actor. So, we’re constantly dealing with those various threats. And then the reputational side of it, which is—I think—unique to private foundations and NGOs as a whole, is the reputational attacks that happen through misinformation, disinformation, doxing, online harassment, political violence, and physical violence.
Matt:
Right, right. And I would imagine—
Frank:
—And also it’s digital.
[00:07:46:03–00:09:16:08]
Matt:
Right. And I would imagine that, especially in the reputational side, it matters because the funds flowing into these organizations are from people who want to be seen doing good. Right. That’s kind of the primary driver. They’ve—not necessarily be seen but to be actively involved. There’s lots of reasons to be doing that into these nonprofits and NGOs.
And the reputation of that NGO, I would imagine—tell me if I’m wrong—but I would imagine that a reputational problem that an NGO has creates incentive to divert these funds to other ones. Is that—does that track in reality?
Frank:
To an extent.
Matt:
Okay.
Frank:
Some of that has to do with—again, it goes to the trust and credibility—especially for your legacy institutions that spent decades curating their brand. And so, a hit on trust or the credibility that has—the ramifications are huge.
Matt:
Yeah.
Frank:
Not just from a comms perspective on how a PR team is going to be engaging but also from the grantees side of things.
And I trust this institution—that if something happens, they will be there.
Matt:
Yeah.
Frank:
One of the things that—just to highlight—one of the things that I’ve been noticing more and more is, solidarity within this community is really what drives it. And it’s really what—at the end of the day—that’s what solves problems. It’s the—
Matt:
—Yeah.
Frank:
—solidarity of the community.
[00:09:16:13–00:11:27:05]
Matt:
That’s a fascinating point. I would have—I, again, I’m coming from the outside, so I’m not—some of this stuff is like an interesting dynamic that I would have never assumed was there, or was—it was a factor into all this. We see that a lot in the—there’s a lot of themes that you say here that have to do with security that we pull from on the threat sharing side. We talk about trust in identities of people, and trust in the technologies they use, as well as trust that they’re going to be responsible with the information.
And there’s similar parallels to the trust you’re talking about with the way these NGOs involve themselves in the markets that they work in. Something you and I had discussed—you mentioned comms in your answer there—and something you and I had discussed prior to this chat, last time we met, was the—I guess—increasingly significant role that communications play in, and not just your internal cybersecurity planning, operations, things like that.
But now, also NGO executives, boards, leadership teams—obviously ArmorText here, we’re all about communications. That’s kind of our bread and butter. But from your perspective, outside of just the specifics of what we do, what do you think is driving that particular—that sort of additional focus on that kind of—that technologies and communications?
Frank:
So, I would say it’s perspective. So, there’s a false perspective that certain apps are secure, but they’re not. They’re just another out-of-band shadow IT type of tool. And for us, the challenge has been getting the perception to align with proper tooling. So, for example, people are so used to texting that they like the familiarity with applications that give them that same look and feel.
Matt:
Right.
Frank:
But it’s not secure. It’s very easy to infiltrate that communications thread.
Matt:
Right.
[00:11:27:07–00:15:16:02]
Frank:
And where you get into a little bit of a difficult area is how these other applications are being infiltrated by mercenary spyware, for example. That’s probably our biggest threat. And then the other piece to it—it’s just so susceptible to smishing and everything that goes along with that. Just more scams.
And the last piece I’ll add to this—visibility. A lack of visibility into what is being discussed is, from a grantmaking organization, that’s a big no-no. We have—
Matt:
—Right.
Frank:
—to be able to archive and account for everything that’s happening. And when we don’t have that control into the platform or the messages, it’s tricky. And—
Matt:
—Yeah.
Frank:
—now it’s becoming a data retention problem.
Matt:
Interesting, interesting. Do you—this is something that a lot of folks, even really large organizations outside of NGOs, private sector—they tend to discount when we’re in conversations around the particular technologies and stuff like that. A lot of folks on the cyber side seem to just do a little hand-waving when it comes to that transparency, that auditability.
What—unpack that a little bit more. What’s—what does that mean in terms—when you talk about transparency, there’s—it comes in different terms, right? E-discovery, or auditability, or just sort of transparency as a broader terminology. Talk a little bit more in specifics, if you don’t mind about that. I’m just kind of curious what that means from an NGO standpoint.
Frank:
From an NGO standpoint, that transparency builds trust—that we can show where every penny spent in our grantmaking activity goes. We share that with the world. That’s on our website. We’re very transparent about that, and we’re that way for a reason. On the other side, the transparency comes down to a little bit around archival purposes, so we can see what worked in the past versus what didn’t work.
That helps drive the program side. Then, when you get on to, say, the grant recipient or the think tank, the transparency comes down to credibility on the work that they’re doing. So, it’s really important to put it in. And that’s why I said, it’s about perspective.
Matt:
Yeah.
Frank:
And the perspective of us being transparent is trust, credibility, and integrity. Now, there is another piece to it. And that is, foreign regulation for NGOs varies from country to country. So, if we are conducting business through an out-of-band communication channel and something comes up—and they—we get a government entity that says, “Well, can you show us all communications to this grantee that is registered in our country?”—if we have somebody using WhatsApp or Signal or iMess—we don’t have that visibility. I can’t go back and say, “Okay, this PEO was communicating with this person.”
We can say—it’s okay to, “Hey, let’s grab a coffee or grab a lunch.” That’s okay for those one-off conversations. But it’s not okay to conduct business. It’s not okay to say, “We want to discuss this program work,” or “We want to discuss these policies,” or “We’re thinking about this type of structure.” That has all kinds of other ramifications of problems, particularly if they were infiltrated by, say, like the NSO Group or Predator, or there’s somebody sniffing those communications. That’s problematic.
Matt:
Yeah.
Frank:
And then, the last piece has to do with device control. Signal. WhatsApp. They’re great for—let’s face it—end-to-end encryption is a great tool. It provides this level of privacy that didn’t exist before.
Matt:
Yeah, yeah. We all use it—
Frank:
—But…
Matt:
—right?
Frank:
We all use it. Right. But it’s not enough to conduct business through.
[00:15:16:05–00:16:29:21]
Matt:
What are some of the—you mentioned some of the cases of sniffing and things like that. I mean, do you—have you actually experienced this? Have you seen specific cases where that something has been intercepted or these kind of vulnerabilities out in the field?
Frank:
Oh, yes. In fact, one’s—one was very, very well publicized, which was Amnesty International’s report on Pegasus. That was—that happened because one of our grantees in our Mexico region was compromised. There were journalists.
Matt:
Ooh.
Frank:
Other examples are—the press is probably the most vulnerable with this. But then, you get into other areas where it comes down to malware being delivered through these applications. Spyware—
Matt:
—Right.
Frank:
—I think, is probably the most well known. But when you get into types of malware that could deliver through these apps, a lot of times what we’re seeing is that the app on the phone is typically read from the computer, which can be a personal device, not a—one of the institutionally managed ones.
But there’s still that telemetry that is difficult for my teams to track. So, we always try to stick with something that there’s visibility into.
Matt:
Yeah.
[00:16:29:23–00:17:06:19]
Frank:
Some of the other areas where I see was around the Star Blizzard attacks, which were—I’m trying, I’m thinking of the day—I think it was like around October. But this is where—going back to that collaboration and the circling of the wagons—the NGO-ISAC collaborated with the Department of Justice because the NGOs were attacked.
And so, they were able to build the case against Star Blizzard, worked with Microsoft to get the domains taken down. That was another example of that telemetry coming into a Signal or WhatsApp or an iMessage.
Matt:
No kidding.
Frank:
Yeah, fun stuff. Fun times.
[00:17:07:00–00:21:51:13]
Matt:
Well, and speaking of the NGO-ISAC, like that’s—there’s a big theme we focus on here, and that—especially, it’s 2025, and there’s been a lot of uncertainty around how government funding will be impacted around administrative decisions. And there’s been a lot of concern around cybersecurity programs at the federal level being reduced or defunded.
And so, collective defense—and the rest of us that don’t operate inside the federal government—how to fill in that gap. And so, ISACs in particular are very near and dear to us. And we talked about, sort of within the focus of a single NGO—you have your internal security teams, your particular executives, membership—collaboration being important there.
But it’s also growing for the collective defense approach, right? Sharing of CTI in broader industry. So what—talk to me a little bit about what inspired NGOs, you being one of them, to build and own—build their own, I should say—collective defense organization, which you call the NGO-ISAC. Talk a little bit about that.
Frank:
The short answer is, community is our superpower. Full stop. What—how it started was, the Ford and several other organizations were facing the same cyberthreat in 2015, and we just hopped on kind of a shared Slack channel ‘cause it wasn’t internal to any of our networks. We had a threat actor living in there, and we just used—it started off with trauma bonding. And then, from there, we were like, “Oh, well, we see these artifacts out, and we caught this one.” And so, it started—like we just started collaborating. And then, coming from the health care sector, I was like, “Well, H-ISAC shares this information with the sector.”
That’s kind of the brainchild. That’s kind of how it started. And—
Matt:
—Right.
Frank:
—as we started talking in our circles, we realized the need was huge. It was huge because—no offense to ArmorText—the entry barrier for security tools is so high—
Matt:
—Yeah.
Frank:
—that a lot of the NGOs and nonprofits, in general, they can’t afford it. They can’t. It’s difficult for them to afford a CrowdStrike or a Proofpoint or the tools that large financial institutions depend on day in and day out.
Matt:
Yeah.
Frank:
So, we decided to build our own. We decided to take our partners. So, being Ford’s InfoSec partners, we brought them into the ISAC to help. So, we were able to get them to share some of their threat intel. But on the other side, they were able to collect amazing threat Intel from orgs that they’ve never thought of looking at. And that was NGOs.
Matt:
Yeah.
Frank:
The threat—the landscape was very unique, and it helped them put a lot of clarity to a lot of the things that they were seeing. So, this is—that’s really the catalyst that drove everything and how we all started very early. Now, it’s matured, where we’re not just doing CTI. We’re also thinking of legal services because a lot of things—take websites and copyrights.
A lot of these institutions—us included, till recently—we use Creative Commons language on our websites. Very difficult to fight a scammer because we said, “No, our images and everything are open to the world to use.” So partnering—some of the legal services, they’re like, “Oh, well, why don’t you change the copyright law because then your images are—they’re protected under the Digital Millennium Copyright.”
Whoa. That’s a great idea. So, what ends up happening is, when there’s like a—say, like a fake Facebook profile or Instagram—I don’t have to wait days for Meta to take it down because it violated our copyright, and they don’t want to deal with it. It’s gone within hours. That’s the power of community.
Matt:
Yeah.
Frank:
That is how we’re able to get all these minds to think together and solve problems, because the space never had that before.
NGOs were so neglected for so long that the timing just seemed right. That was great for some trauma bonding in the beginning, but now it’s evolved where we’re doing briefings on a weekly basis. We have webinars and trainings. We’re able to do low-cost, no-cost security assessments for the small community organization that maybe has 5 or 10 people to assisting much larger ones with vCISO capabilities and mentorship programs.
[00:21:51:16–00:22:54:10]
Matt:
And do you—so, this is interesting. My head’s going in a couple different directions here, but—so with these services to the smaller ones—do you—what—one of the—and maybe this pattern plays out for you all as well. One of the reasons we were involved in these communities, these threat-sharing communities of various kinds, is for similar reasons that I think that you’re making a point of, and that is, most industries are kind of barbelled, where you have your really big ones that have deeper pockets, have the ability to fund specialists and create actual paid positions that specialize in certain things, even inside of cyber. But then, on the opposite side of this barbell, are a much larger cohort of folks also under the broader industry umbrella. And like you said, it’s like 5 or 10 folks. And maybe IT is something they focus on, but they also got to worry about locking the door when they close up at the end of the night.
Is that something you all find as well on your side?
[00:22:54:10–00:24:40:23]
Frank:
It is 100%. Actually, what we see most common—it’s an IT director that is also the web administrator, that’s also the CISO, that is also the office manager, that is—and so—
Matt:
—Yeah.
Frank:
—they’re spinning all these plates, and what ends up happening is they often feel isolated.
Matt:
Yeah.
Frank:
And that’s why I—the joke is, it’s our superpower, ‘cause what ends up happening is, they join and then they realize, oh, I’m not the only one.
Matt:
Yeah.
Frank:
Oh.
Matt:
Yeah.
Frank:
This is refreshing. And one of the challenges is figuring out how to provide the right size sneaker for all these different organizations. That’s the tricky part.
Matt:
Right.
Frank:
And in fact, one of the things I—you probably heard me say this—I’m really good at predicting the seasons, but I really struggle when it comes to predicting weather.
And I know I’m not the only one. So, having other people to bounce ideas off of or to share my concerns—they can either help me think it through, or they are also thinking it. Now, that’s—again—that’s where the trauma bonding comes in. But we’re able to start dissecting the problem. Often, it comes down to exactly what you said.
It’s this balance of the different strengths of an organization versus what they need. And that one is—if you have a great answer, I’d love to hear it, ‘cause we’ve experimented with different types of—like from the survey, to doing an actual security assessment, to just doing one-on-one conversations. One-on-one conversations don’t scale, but—
Matt:
—Right.
Frank:
—it seems to be the most effective way of assessing the needs.
[00:24:41:02–00:25:34:16]
Matt:
The—what do you think is driving—because again, talking about resources on the small side versus the large side—the—why is it, from your perspective, there’s this—the misconception about NGOs. Why do you think, again, from your perspective, why is there this misperception around NGOs and lack of focus on them from a criticality standpoint?
Frank:
We don’t advertise.
Matt:
Yeah. There you go.
Frank:
‘Cause the—a lot of the work that is done—it’s done behind the scenes, and—
Matt:
—Yeah.
Frank:
—it’s not front page news. And it’s not things that—NGOs are one of those things that are taken for granted, really. And in all honesty, when you—especially when you think—the relief side, when there’s a disaster or a crisis happening—they just do. They don’t—
Matt:
Yeah.
Frank:
—announce to the world that they’re going to do it. They just do it.
Matt:
They just show up.
[00:25:34:16–00:27:15:23]
Frank:
And—they just show up. And it’s been that way forever. So, that’s part of it. The other side of it has to do around how NGOs are defined. And, as I’ve said, that’s like the breakdown of private philanthropy versus civil society organizations versus a think tank. Think tanks probably have higher visibility just because, in research papers, they’re often referred to.
But when you get into the other side of it, that—it’s kind of the unsung heroes.
Matt:
Yeah.
Frank:
And these are the folks that—I think about some of our grantees that, like, with the S in HTTPS—that was provided by a grant from the Ford Foundation. These are the things that are there, but people take it for granted.
Matt:
Right.
Frank:
And it’s because we like to just kind of be on the side of the stage, not the stage on the stage.
Matt:
Where do you hope to take the NG-ISAC or NGO-ISAC next? What’s—kind of what’s the next few steps for you all? Where do you want to go next?
Frank:
For us, it’s a few things. We want to make a shift from the webinar trainings to be more tactical. We want to definitely expand our incident response—DFIR capabilities so we—that we can offer more at scale.
Matt:
Yeah.
Frank:
The other piece that we are excited and really driving towards is the—this next iteration of the ISAC, which is developing our own open-source tools that we can give to the world for free.
Matt:
Fascinating. Pools of—
[00:27:16:01–00:28:32:16]
Frank:
That we would love—yeah, I see where you’re going. Go ahead.
Matt:
No, no. I’m just getting, like, pools of what? What kinds of resources?
Frank:
For example, just to have a place, like a multi-tenant type of SIEM, that is low cost to operate, that a small organization can send their Office 365 logs over towards—down to, like, a cheap rudimentary EDR solution—to, say, different tools to protect privacy, identity. And then, the next really big thing that I would love for us to come up with is a block party, like, information scrubbing from the internet.
Privacy is probably going to be the next big focus area—digital privacy and digital rights.
Matt:
Makes sense. Coming full circle—what—kind of getting—going—coming back around to where we started—what advice would you give broadly to any organization, whether NGOs, private sector, folks who are just starting to think about getting involved with collective defense? There’s pretty much always a collective defense community out there for just about every industry—some more well-known than others, some are more well-funded—but a lot of them tend to not be very prod—have a lot of participation.
[00:28:32:16–00:31:03:07]
Matt:
So, for someone who’s looking to get better at securing everything—whether it’s their internal cybersecurity stuff, securing their executives, boards, resources, external resources—and they’re thinking about collective defense. What advice might you give to somebody trying to break into this stuff or figuring out how to maybe sell it to someone else to give them political support to get involved in something like that?
Frank:
Great question. I think where people sort of freeze up, out of the fear factor and stepping into this, is they don’t understand the risk. And my advice is to always think of risk associated with the individual and not the assets, because in this—particularly in this type of the space—everybody’s always focused on—they’re protecting the laptops and the phones and everything.
You really have to think about the individual and how they are interacting with these systems. That’s really the starting point. And from there, you can then go to your legal counsel and discuss risk mitigation from the executive side. Then you can also go to your finance teams. But it help—when you have definable risks, it makes the conversation with outside people a lot easier.
The other advice is to stop thinking of information security and/or cybersecurity and start thinking of digital risk. Because our lives are very different than they were ten years ago, particularly how we interact with technology, where there’s so many—there’s so much more nuance on our interactions—that a digital risk profile is a lot more tangible for results. Where, when you just—I can download CrowdStrike, I can download these tools. Tools are tools. That’s—they’re just meant to assist you.
It’s not really going to solve for you. Technology solves very little as far as real, daunting, complex problems. You still need people to help execute the solution. So, my advice is take a risk-based approach to it. The other—and ‘cause that’s really going to help you also prioritize what needs to be addressed first. You—
Matt:
—Yeah.
Frank:
—might have to really focus on your authentication. Is my two-factor strong? Do—are my users susceptible to phishing emails? Do I have colleagues that are working off of personal devices? Those are all the risks that you can start the downstream conversations with.
[00:31:03:09–00:32:33:07]
Matt:
Yeah, it’s—you’ve also touched on a theme I’m seeing growing more and more. And that is kind of the pendulum has been—it’s no secret that cybersecurity is dominated by very technical people. That makes a lot of sense, and it attracts very technical people. But the pendulum has almost swung too far to an overly focused effort on the technology, the tools, and data, and it’s—there’s a missing human element to it.
Right? It’s almost like the human component has just been—not necessarily like it’s not there—but it’s just not emphasized as a priority. And I’m seeing a lot of—across all kinds of conversations—whether it’s utilities or banks or whatever, folks are talking about developing the more people side of this industry, the more human side of this, because it’s an essential component to making decisions quickly when you have to.
Frank:
Yeah. And AI is not helping it.
Matt:
Yeah. Right. It’s this—the next new tool, right?
Frank:
Yeah, exactly. In fact, if anything, it’s making it a little bit worse, ‘cause I think we’re probably thinking less.
Matt:
Right. Right. Yeah.
Frank:
Yeah.
Matt:
We’re losing those soft skills and—
Frank:
—Yeah.
Matt:
—they weren’t really—they—we didn’t have them in spades to begin with.
Frank:
Yeah, 100%.
Matt:
Well, this is great. Frank, any kind of final thoughts from your side?
[00:32:33:09–00:34:17:00]
Frank:
Yeah. Well, first off, I appreciate the invite. I always love talking about this stuff, but—
Matt:
—Yeah.
Frank:
—one of the things that—as I alluded to in the beginning—I think that we are on the cusp of a transformational change in cybersecurity, information security, where we are trying to shift, as you said, from the policy-driven, tools-driven to more people-focused.
And I think that’s where the transformation’s going to happen, where we’re going to have more of the—and I use this term loosely—we’re going to have more human firewalls available. On the other side of that, I think the risk is now expanding, where it’s not just myself that is going to be the target, but it’s going to be our digital circles.
So, it’s going to be our family members that are going to start being targeted by threat actors because I—I’m protected by all the tools at the Ford Foundation, as my phone’s protected, my laptop’s protected. But my kids and my spouse, they’re not. And I think that’s really where we’re going to see the next big attack surface is going to be the family members of executives being targeted by spear phishing emails to gain that entry point into a corporate network.
I wish I had more positive news on that front, but that’s really what I see as being the problem.
Matt:
Yeah, the focus is reality, right? That’s kind of where we like to focus on is the stuff that you should be thinking about, whether it’s fun or not, it’s kind of the—
Frank:
—Yeah.
Matt:
—world we live in. Well, let’s end the note on a fun question then. So we always ask these of every guest we have here.
[00:34:17:00–00:36:23:03]
Matt:
Theoretic—in a theoretical world right—you’re in the mid-conference call with your board and some grantees, and hackers break into this conference call tool, start live streaming personal details of some of your board members and documents and things like that. So you and the NGO-ISAC scramble, kick into gear, neutralize the threat. You’ve saved the day. Everybody’s back to normal.
Crisis has been averted here. What’s your go-to libation as a kind of a kick-back celebratory drink from your side?
Frank:
After the Pepto-Bismol, it would probably be a bourbon.
Matt:
So you said it would be bourbon?
Frank:
Yes. After the Pepto.
Matt:
What—any particular? Any particular bourbon you like?
Frank:
I am a huge fan of Jefferson’s.
Matt:
Yeah, yeah. Have you ever had the Ocean one?
Frank:
That’s my special occasion one, yes—for sure.
Matt:
Absolutely. Yeah. It has a different taste to it, too. It’s a good one.
Frank:
100%. But that is my go-to celebratory special occasion, a beverage of choice after the Pepto to celebrate the win.
Matt:
Exactly, exactly. So, Frank, I do appreciate your time here. I know you’re a busy guy, so I always appreciate your time. And every time we talk, I always leave with three more things I want to talk to you further about. So hopefully we can do this again sometime. But I do want—
Frank:
—I would love that.
Matt:
—to thank you for taking the time. Yeah, absolutely.
Frank:
Yeah. It’s good. Good stuff, Matt. Thanks.
Matt:
Yeah, yeah. Well, folks, thank you for joining us here at The Lock & Key Lounge. Remember, whether you’re defending an NGO, a Fortune 500, or even a five-man community bank, the threat actors don’t care who you are if you’re in their way. But a strong community, resilient communications plan, and maybe—maybe—a well-earned drink at the end of that day, that’s how you keep sane.
And that’s how you stay one step ahead. So, until next time, be well, stay curious, and do good work.
[00:36:23:05–00:36:44:19]
Matt:
We really hope you enjoyed this episode of The Lock & Key Lounge.
If you’re a cybersecurity expert or you have a unique insight or point of view on the topic—and we know you do—we’d love to hear from you. Please email us at lounge@ArmorText.com or our website, ArmorText.com/podcast. I’m Matt Calligan, Director of Revenue Operations here at ArmorText, inviting you back here next time, where you’ll get live, unenciphered, unfiltered, stirred—never shaken—insights into the latest cybersecurity concepts.