More Information:
Norman Kromberg has spent over 30 years working in cyber and information security, complemented by roles in IT audit and bank regulation, built on a degree in finance and management. Some consider Norman a unicorn in the market.
LinkedIn: https://www.linkedin.com/in/normankromberg/
Website: https://www.hellophello.com/hi/normankromberg
Host: Richard Lowe | Guest: Norman Kromberg
Summary of Transcript
Introduction
Richard Lowe: Hi, I’m Richard Lowe, host of Leaders and Their Stories and The Writing King. Today, I have a very special guest, Norman Kromberg, a cybersecurity veteran with decades of experience. Norman, why don’t you tell us a little about your background?
Norman Kromberg: Thanks, Richard! As you can see, I have a University of Nebraska jersey behind me; that’s where I studied business. I started in banking, moved into technology, and eventually into cybersecurity.
Over the years, I’ve worked as a Chief Information Security Officer in financial institutions, IT services, credit card processors, and even retail and distribution companies. Today, I serve as a fractional CISO for multiple companies and advise businesses on cyber risk strategy.
The Most Rewarding Cybersecurity Challenge
Richard Lowe: That’s a great career path. What would you say has been the most rewarding role so far?
Norman Kromberg: One of the highlights was when I was the CISO at Southern Carlson, a retail and distribution company. My goal was to build a security program from scratch.
We weren’t audited or regulated, so we could focus purely on business needs rather than compliance checkboxes. In the end, we developed a security strategy that not only protected the company but also helped increase its valuation and enabled a successful sale, in just two years instead of three.
For every $1 spent on security, we estimated that we added over $100 in company value. That was a remarkable return on investment.
PCI Compliance
Richard Lowe: I can relate. When I was at Trader Joe’s as Director of Computer Operations, I had to handle PCI compliance. It was a nightmare, especially the first time!
Norman Kromberg: I hear you! I worked with credit card processors like First Data and ACI, so I was deeply involved in PCI from the early days, when Visa had its own Cardholder Information Security Program before PCI became the universal standard.
Richard Lowe: For our listeners, PCI is a set of rules that protect credit card transactions, making sure customer data isn’t stolen. It covers everything from door locks to encryption protocols. And it keeps evolving, making compliance a moving target.
Norman Kromberg: But despite the headaches, PCI has made credit card transactions some of the most secure in the industry.
The Rise of Nation-State Cyber Threats
Richard Lowe: A growing concern today is nation-state cyberattacks. We’ve seen Russia, China, and Iran launching infrastructure-targeted hacks.
Before the war, Ukraine had cyberattacks crippling its electrical grid. And then there was Stuxnet, crafted by the US and Israel, which bypassed an air-gapped system in an Iranian nuclear facility.
How do businesses even begin to protect themselves against threats like that?
Norman Kromberg: That’s the million-dollar question. The reality is you can’t protect against everything. There is no 100% secure system.
But risk management is key. Not every business is a target for nation-state attacks, so it’s about knowing your risk profile and focusing on the most likely threats.
Here’s how I break it down. Script kiddies are amateurs testing out hacking tools they found online. Nation-state actors target critical infrastructure for political or economic advantage. Intellectual property theft is about stealing trade secrets, designs, and proprietary data. And organized cybercrime is profit-driven ransomware attacks and fraud schemes.
Most businesses will deal with criminal hackers rather than nation-states. But social engineering and human error remain the biggest weaknesses.
Social Engineering: The Easiest Way to Get Hacked
Richard Lowe: I wrote a book called Cyber Heist for KnowBe4, which focuses on social engineering, where attackers trick people into giving away information.
CEOs fall for this all the time! A hacker spoofs an executive’s voice using AI and calls the finance department saying, “Hey, I need you to transfer $40 million right now.” And the finance team does it without question!
Norman Kromberg: It’s all about psychological manipulation. And now, deepfake audio and AI-generated emails make these scams even harder to detect.
One of my key strategies? “Stop, Verify, Call Back.” If an email or call sounds urgent, pause. Call the person directly using a number you trust. If it’s legit, you’ll confirm it. If not, you just stopped a multimillion-dollar fraud attempt.
The Intersection of Cybersecurity and Disaster Recovery
Richard Lowe: During 9/11, the FAA had no procedures for grounding the entire US airspace. The guy in charge just made the call, and every plane landed safely.
I went to a seminar with the disaster recovery director for the New York Stock Exchange, who had one day to get everything running again after the attack. And they did it.
What role does disaster planning play in cybersecurity?
Norman Kromberg: It’s critical. I always tell companies: “Security is not about stopping attacks. It’s about how fast you recover.”
Just as with hurricanes, earthquakes, or fires, businesses need cyber emergency plans. That means regular backups stored offline, incident response teams that are trained and ready, and testing disaster plans with real-world simulations.
If a ransomware attack locks your systems, how quickly can you recover? That’s what really matters.
Final Thoughts: The Future of Cybersecurity
Richard Lowe: If you could give one piece of advice to our listeners about staying secure, what would it be?
Norman Kromberg: For businesses: have the security conversation. For everyone else: turn on Multi-Factor Authentication everywhere.
Most attacks happen because of human error, so being aware of risks and having basic protections in place goes a long way.
Richard Lowe: Great advice! Where can people find you?
Norman Kromberg: The best place to connect with me is LinkedIn. I’m always happy to talk security.
Richard Lowe: Thank you, Norman! This has been a great discussion on Leaders and Their Stories. I’m Richard Lowe, The Writing King. Find me at TheWritingKing.com.