The Business of Cybercrime: What a Former FBI Assistant Director Wants Every CISO to Know

Cybercrime isn’t just a technical threat — it’s a thriving global business. And few people understand the evolution of that business better than Brian Boetig.
With more than 35 years in national security and public safety, he’s served as an FBI assistant director, a U.S. diplomat, a CIA liaison, and a partner at an international advisory firm. He’s now principal advisor at Global Trace, helping organizations build cyber resilience.
On this episode of The Segment, Brian joined me to share how his experience across law enforcement and intelligence shapes his approach to cybersecurity today, and why threat actors are winning where businesses lag behind.
From store robbery to ransomware as a service
Brian has investigated everything from kidnappings abroad to digital extortion at home.
What connects them? The pursuit of leverage.
“We treated kidnappings for ransom the same way we approach ransomware today,” Brian said. “You know who did it, you know how they operate, and you know how to negotiate. It’s a business model, and they run it better than some legitimate companies.”
He says the economics of cybercrime are tilted in favor of attackers.
“If you rob a store in person for $50, a whole police response team shows up,” he said. “But steal $500,000 online? In most jurisdictions, law enforcement won’t know what to do with it.”
Cybercrime is scalable, borderless, and often invisible. In Brian’s opinion, until defenders adopt a similar business-minded approach, they’ll remain outpaced.
Why banning ransom payments isn’t the answer
Few topics spark more debate than whether organizations should be allowed to pay ransoms. Brian has seen both sides, from his time at the FBI to consulting with CEOs navigating a breach.
“There’s no blanket answer,” he said. “Some companies will cease to exist if they don’t pay.”
He recalled one law firm whose entire client history was locked down. Without payment, their business and reputation would have been destroyed.
Banning ransom payments outright might seem like a deterrent, but Brian believes it risks double-victimizing organizations: “You’re removing one of the few tools left to survive.”
Instead, he suggests a more nuanced strategy:
- De-incentivize payments through preparedness
- Build general cybersecurity hygiene, including backups
- Implement smart insurance models
- Reduce legislation that oversimplifies complex business realities
Rather than blanket bans, what organizations need is a smarter approach — one that balances resilience, risk, and the realities leaders face in the aftermath of an attack.
Cyber insurance isn’t a safety net
As more companies turn to cyber insurance for peace of mind, Brian offers a reality check.
“It’s not a fix. It’s often more like a negotiation,” he said. “And sometimes the first thing the insurer does is look for a reason not to pay.”
He compared it to car insurance. Yes, you’re covered…unless you missed one detail in the fine print. The result is confusion during a crisis, unclear coverage terms, and delayed recovery.
“Most policies only help you get back online,” Brian warned. “They won’t cover rebuilding trust, reputational damage, or future resilience.”
His advice to CISOs: know exactly what your policy covers and where your coverage gaps are. Never treat insurance as a substitute for strong defenses, and don’t trust insurance companies to work in your best interest after an attack.
Cyber risk is business risk
Too often, cyber risk is still treated as an IT problem. Brian sees that as a dangerous mistake.
“If the C-suite doesn’t believe in cybersecurity, it won’t get funded, prioritized, or practiced,” he said.
He recalled a time when CEOs didn’t know who their IT leads were. “Now, we’re finally seeing boardrooms start to understand that cybersecurity isn’t about firewalls — it’s about keeping the business alive.”
That shift, he says, is due in part to regulatory pressures, but it also reflects the growing realization that resilience is a competitive advantage.
Brian was also quick to point out that being breached doesn’t mean you failed. In fact, the best security leaders assume it will happen.
“I used to tell CEOs, ‘It’s okay to be the victim of a cyberattack. It’s not okay to be unprepared for one,’” he said.
That mindset is at the heart of Zero Trust, which assumes compromise and focuses on reducing the consequences of a breach.
“Preparedness doesn’t just mean backups and policies,” Brian emphasized. “It’s cultural. Everyone in the organization needs to know their role when things go wrong.”
Closing the gap between risk and reality
Brian’s stories highlight a central truth. Cybersecurity isn’t about avoiding risk; it’s about managing it.
The most resilient organizations treat security as a business function, embrace proactive planning, and invest in containment, not just prevention.
Or as Brian put it, “You don’t wait until a fire to buy a fire extinguisher. You plan, train, and make sure everyone knows where it is.”
Want to hear more? Listen to this week’s full episode of The Segment: A Zero Trust Leadership Podcast on Apple Podcasts, Spotify, or wherever you get your podcasts. You can also read the full transcript.