Can We Tame the Hacker Storm? Reflections on Identity, Cybercrime, and the Future of the Internet
Why Identity is the Missing Link, Cybercrime is Winning, and Security Frameworks Without Enforcement Are Just Theater
It’s not every day you get to sit down with someone who has literally written the playbook on modern cybersecurity. But when Roger Grimes joins me on the CyberHub Podcast, it’s more than a conversation—it’s a reckoning.
Roger’s newest book, Taming the Hacker Storm, is his sixteenth, and like his previous works (Hacking MFA being one of my go-tos), it doesn’t dance around the issues. It dives straight into them with both fists raised and a roadmap in hand.
But here’s the part that hits hardest: Roger doesn’t believe we need to invent anything radically new to fix the internet. We already have the tools—we’re just not using them. And that’s where this gets uncomfortable, because if we can solve the problem and don’t, then the issue isn’t technical. It’s cultural. It’s political. It’s willpower—or the lack of it.
Is There an Appetite to Fix the Internet?
Roger and I agree on one brutal truth: there is zero appetite to truly fix the internet right now.
You can throw $6 trillion a year in global cybercrime losses on the table—making it the third-largest economy in the world behind the U.S. and China—and it still won’t light the fire needed for systemic change.
What’s missing is a catalyzing moment. Roger calls it our "9/11 equivalent cyber event"—a day when markets freeze, when commerce stops, or when something culturally sacred like Taylor Swift tickets can’t be bought. Until then, we’ll keep slapping Band-Aids on a system hemorrhaging trust.
And part of the problem is that the very frameworks designed to fix these issues—industry standards and best practices—are often toothless and ceremonial. Look at the Secure Software Development Framework (SSDF) from NIST or the push for Software Bills of Materials (SBOMs) after SolarWinds. These initiatives should be foundational—know what code you’re shipping and secure it at every step—yet in reality, they’re treated like optional homework. Vendors rush to slap "SBOM-ready" on a product page, but there’s no standardized enforcement, no meaningful validation, and worse—no consequences for ignoring them.
SBOMs too often become static, outdated PDFs that no one reads, instead of living documents integrated into CI/CD pipelines. The SSDF is aspirational at best—referenced in press releases, rarely fully implemented in code. We’ve built an entire cottage industry around talking about secure development, while shipping software that’s still packed with vulnerable dependencies, default credentials, and weak authentication mechanisms.
We’re not failing for lack of standards—we’re failing because we treat them like suggestions. Until adoption is real, continuous, and enforced—especially at the government procurement and regulatory level—these frameworks are little more than glossy distractions from the systemic rot.
The Real Cost of Cyber Insecurity
Let’s stop talking in hypotheticals and look at reality:
Clorox suffered a cyberattack in 2023 that disrupted its supply chain for over a month. Their stock dropped nearly 10%, and the company forecasted $356 million in lost sales due to the attack.
MGM Resorts and Caesars Entertainment were both hit in a string of 2023 ransomware attacks, resulting in nine-figure payouts and over $100 million in combined damages. MGM’s IT systems were crippled for over a week—including slot machines and hotel room keycards—costing them tens of millions in bookings and brand reputation.
Change Healthcare, owned by UnitedHealth Group, was hit by ransomware in 2024 that halted medical billing across the U.S. for weeks. The cost? Over $870 million in direct damages and billions more in downstream effects on hospitals, patients, and insurers.
LoanDepot, breached in 2024, saw its reputation tank and operations disrupted for weeks, with over 16 million customer records exposed. They reported an $80 million quarterly financial impact, while their market confidence deteriorated.
These aren't edge cases. This is the normal state of business on today's internet. And most of these incidents didn’t involve James Bond-style espionage—they started with compromised identities, phishing emails, or weak MFA policies.
So when Roger says the internet can be fixed, and we already have 90% of the technology, the real question becomes: why are we tolerating this?
Can the insurance industry sustain these numbers, or will businesses face the harsh reality of being uninsurable or paying exorbitant rates for the coverage they actually need?
Is Real ID the Real Answer?
Roger’s proposal for Pervasive Selective Authentication hinges on an idea called Real ID—a strongly assured digital identity, issued after in-person proofing (or an equivalent secure process), bound to a physical device. Think of it as a passport for your digital self.
This would allow banks, e-commerce platforms, even your email provider, to require verified identity before conducting sensitive operations. Not everything requires Real ID—but you should have the option to require it when it counts.
Let’s not pretend we don’t already accept this in the physical world. You can’t get on a plane, buy alcohol, or get a passport without verified ID. We’ve accepted it because the risk demands it. Why is the internet—where $30,000 can be siphoned from an elderly couple’s bank account in minutes—any different?
We do not need to issue government ID to log into TikTok. But if you're wiring $50K to a new vendor, shouldn’t your bank require identity assurance that can't be spoofed with a burner phone and an email address?
Especially if the bank is the one that will likely end up compensating the customer or dealing with the fallout. Human nature is to point fingers at anyone but ourselves, but in financial services, do we really need regulations to make common-sense decisions that protect the customer and the business? The interest is mutually beneficial.
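To make the "selective" part concrete, here is an added example (not code from the book or the podcast) of how a bank's policy layer could express it: every operation carries a required assurance level, only high-risk operations demand a device-bound verified identity, and a verified identity presented from a device other than the one it was bound to is treated as a weaker credential. The assurance levels, thresholds and operation names are assumptions chosen for illustration.

```python
"""Selective authentication: require a device-bound, verified identity only
where the risk warrants it. All levels, thresholds and names are assumptions."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Assurance(IntEnum):
    ANONYMOUS = 0           # no credential at all
    PASSWORD = 1            # knowledge factor only
    MFA = 2                 # password plus a second factor
    VERIFIED_IDENTITY = 3   # in-person-proofed identity bound to one device


@dataclass(frozen=True)
class Session:
    assurance: Assurance
    device_id: str                          # device making this request
    bound_device_id: Optional[str] = None   # device the identity was bound to


@dataclass(frozen=True)
class Operation:
    kind: str                 # e.g. "login", "view_balance", "wire"
    amount_usd: float = 0.0
    new_payee: bool = False   # first payment to a never-seen recipient


# Constructed policy table: only money movement above a threshold, or to a
# new payee, needs the strongest level. Everyday actions keep lighter friction.
def required_assurance(op: Operation) -> Assurance:
    if op.kind == "wire":
        if op.amount_usd >= 10_000 or op.new_payee:
            return Assurance.VERIFIED_IDENTITY
        return Assurance.MFA
    if op.kind in ("view_balance", "change_contact"):
        return Assurance.MFA
    return Assurance.PASSWORD


def effective_assurance(session: Session) -> Assurance:
    """A verified identity counts only from the device it is bound to; anything
    presented from another device is downgraded to plain MFA strength."""
    if (session.assurance == Assurance.VERIFIED_IDENTITY
            and session.device_id != session.bound_device_id):
        return Assurance.MFA
    return session.assurance


def authorize(session: Session, op: Operation) -> tuple:
    """Return (allowed, reason); a denial names the level to step up to."""
    need, have = required_assurance(op), effective_assurance(session)
    if have >= need:
        return True, "ok"
    return False, f"step-up required: {need.name} (have {have.name})"
```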
The Reality of Inaction
Here’s where this hits hardest:
Cybercrime is a business. And business is booming.
It’s not just some guy in a hoodie in his mom’s basement anymore. It’s North Korea funding its nuclear program with crypto heists. It’s Russia deploying ransomware for revenue and chaos. It’s China funding and training Iran’s cyber program, or stealing IP and devaluing organizations, in an effort to push its global agenda. It’s nation-states outsourcing operations to financially motivated gangs—and targeting ordinary companies like yours and mine.
And all of this is possible because we’ve made identity optional on the internet. The same anonymous infrastructure that lets someone catfish on Instagram is also being used to launch industrial espionage, disrupt supply chains, and steal billions.
Until we treat trust and identity with the seriousness they deserve, we’re going to keep losing. Do I think I have the right solution? No, I don’t. Does Roger’s suggestion on Real ID have a chance? Maybe, but is industry ready for it and willing to do what it takes? I am not sure we are there yet. I pray we don’t need a massive event to make it happen, but I fear that might be what’s necessary.
Final Thoughts
I walked away from this conversation with Roger with two convictions:
We are not doomed to this future. We are choosing it.
Identity is the new perimeter—and until we get it right, nothing else will work.
The financial costs are no longer theoretical. The reputational damage is long-term. The operational fallout is real. And as practitioners, if we’re not advocating for systemic fixes, we’re enabling systemic failure.
If you're in cybersecurity, read Taming the Hacker Storm. If you're in the C-suite, start asking your teams about identity assurance—not just MFA. If you're a vendor, stop pushing another bolt-on product and start aligning with real-world risk.
We don't need more AI-powered alerts or dashboards. We need guts. We need leadership.
And we need to stop playing whack-a-mole while the forest burns around us.
Let’s stop surviving the hacker storm. Let’s start taming it.
Stay cyber safe.
📚 Grab the book: Taming the Hacker Storm by Roger Grimes on Amazon
🔗 Follow Roger on LinkedIn
🎧 Subscribe to CyberHub Podcast on YouTube, Spotify, or wherever you get your content