Q&A with Forgepoint EIR Billy Gouveia on Incident Response and Thwarting Ransomware

12.10.21 | Tanya Loh | Blog Post

Billy is an Entrepreneur in Residence at Forgepoint Capital. Learn more about his background and expertise here.

Billy, you began your career with the US Army: Captain Gouveia, thank you for your service! 20 years later, and you’re now one of our industry’s foremost experts on incident response. Can you share your journey and how you got here?
Wow, that’s a humbling question. I’ll begin by stating that serving our great country was the honor of a lifetime, and I’m thankful for the opportunity every day. The military taught me many of the skills I apply in helping clients through cyber incidents: from the value of planning, to thorough preparation, to making sound decisions and communicating clearly—these are all things that I had to learn as a young platoon leader. My journey was a non-linear one, taking me through a variety of consulting and technology leadership roles in a range of environments but there are some overarching themes: I’ve been fortunate to have had wonderful mentors, to have led some amazing people, and to have been trusted by clients during some of their most difficult moments.

You have advised and counseled countless organizations and their leadership through challenging situations. Which stand out the most?
Response cases are like hotel rooms—it’s easy to remember the best and impossible to forget the worst! I have indelible memories of working with organizations fortunate enough to have strong leadership across their senior executive, technical, and security teams., The best leaders I’ve worked with have developed plans for cyber incidents, invested in preparing their teams, reacted to the event with calm decisiveness, and communicated to stakeholders throughout the response cycle. Much of a sound response can be attributed to solid leaders who build skilled teams and orient them to the situation. And while I can’t name names, there are certainly situations where—despite every effort—the response is a real trial: a bad event leads to escalated tensions, stress-filled meetings, questionable decisions, and poor communication. Irrespective of the nature of the response, however, the ransomware events that will long stay with me are those that impacted hospitals providing critical care throughout the pandemic: these events underscore the importance of cyber security, the evil of ransomware groups, and the imperative to improve our profession.

What will you be doing as an EIR here at Forgepoint?
I’ve never been an Entrepreneur in Residence before, and I’m having great fun learning about Forgepoint’s portfolio companies, its team, and its approach to company building. My specific focus during these months will be to help Forgepoint identify how it can contribute to incident response by thinking through the gaps in the current IR market and developing options to innovate new approaches that will help its portfolio and the broader IR ecosystem of clients, insurance brokers, cyber insurance carriers, and breach coach law firms. Given Forgepoint’s record of investing in and building companies, this is a terrific opportunity!

So what exactly is ransomware and how can it impact a business?
There’s a great deal of material about ransomware, and it’s increasingly becoming a noisy topic, so I’ll try to cut through it: ransomware is when a bad actor gains access to data and trades this access for money. Traditionally, this happens because the threat actor encrypts data on the network and demands payment in exchange for a decryption key. An attack method that has emerged over the past few years is when the threat actor steals the data and threatens to publish them online in exchange for payment—this then triggers data breach notification laws and risks reputational harm. What I fear we’ll see more of is threat actors shutting down operational technology—for example, manufacturing lines—in exchange for payment. This happened recently to the large meat processing company JBS, who reportedly paid $11M in ransom. As our reliance on technology grows faster than our ability to secure it, ransomware attacks will continue to exploit the pain that organizations feel when their networks are intruded, their data are stolen, their businesses are interrupted, and their legal and reputational risks grow.
A friend and I have had an ongoing discussion about how ransomware is the perfect crime: it’s easy to conduct, difficult to get caught, and very lucrative.

How can companies prepare for a ransomware attack? What roles and responsibilities do they need to have in place, internally and externally?
Above all, companies need to invest in the right culture, leadership, and capabilities to reduce the likelihood of a cyber incident—most of the time and money spent in cybersecurity goes to managing risk likelihood. Yet firms only become resilient when they also invest in reducing the magnitude of a cyber incident by learning how to “take a punch” and keep fighting. This translates to several specific actions. First, having clear responsibilities and decision rights—figure out who makes the call on whether or not to pay a ransom before ending up in that situation. Second, develop a clear plan with established information flows: who is going to tell what, to whom, in what form, by what time, to enable which decision. Having a solid grasp of communication between executive teams, technical teams, lawyers, insurance brokers and carriers, and incident responders is the difference between a response that is smooth and one that is stressed. Third, work out who is going to help you should you end up the victim of a cyber incident: when you need to break the glass and pull the emergency lever, whom do you need to show up? Fourth, work closely with your insurance broker and your cyber insurer to understand the coverage that you have and ensure that you’re transferring the appropriate amount of risk.

What does the incident response and recovery process and timeline typically look like?
This is a broad question that invites discussion of the many variables involved in incident response. I’d like to share with you what I tell clients when I first meet them under difficult circumstances: it’s going to take weeks, not days, to get through this. Often there is a perception that if you need to get back in business quickly, paying a ransom is the fastest option. This may be true at times, but it’s important to understand that the negotiation process can take several days, the payment process can take several days, the decryption process can take several days, the restoration process…well, you get the idea. When something like this happens, there is a tendency to have an adrenaline-charged “all hands on deck” approach. Instead of setting the team up to crash after three or fours days of a Red Bull-infused response effort, I encourage leaders to map out a staffing plan of at least three weeks so that the team can sustain proper focus and energy while ensuring a well thought-out and successful recovery effort.

What’s the most rewarding aspect of what you do?
There are three parts to my answer: first, I’m honored to work with many devoted incident responders and find it highly rewarding to help them grow in their careers and in their lives. Second, the unique dimensions of incident response work allow me to bring forward these devoted responders to help our clients through their worst professional moments. It’s humbling to commit to standing shoulder-to-shoulder with clients through these challenges. Lastly, we’re in a fight and cyber is a battleground—it’s rewarding to serve in whatever way I can.

What cybersecurity trend are you most excited about?
For nearly twenty years I’ve grown excited about trend after trend. And I still do, of course, there’s some crazy cool stuff happening in all facets of technology. Yet what I’m heartened most by isn’t a shiny new capability but by a longer-term trend that will play out over the decades to come: the level of cyber talent has grown tremendously and, while the labor shortage has no end in sight, the field is attracting much higher caliber people than it did when I began.

If you weren’t advising companies on incident response, what would you be doing?
The Boston Red Sox need to add to their depth at second base, but I’ll skip spring training as long as I’m involved in Forgepoint’s efforts to help companies thwart ransomware.


Thank you for reading. Have a question for Billy? Get in touch: [email protected].

You may also enjoy: