Introducing Illumio Insights — breakthrough AI-powered observability, detection, and containment.
Read more

Experienced a Breach?

|
Contact Us
|
+1 855 426 3983
Blog
/
Cyber Resilience

The Business of Cybercrime: What a Former FBI Assistant Director Wants Every CISO to Know

Raghu Nandakumara
Senior Director, Industry Solutions Marketing
May 27, 2025
23 min. read
Headshot of Brian Boetig
Brian Boetig, Principal Advisor at Global Trace and former FBI Assistant Director

Cybercrime isn’t just a technical threat — it’s a thriving global business. And few people understand the evolution of that business better than Brian Boetig.

With more than 35 years in national security and public safety, he’s served as an FBI assistant director, a U.S. diplomat, a CIA liaison, and a partner at an international advisory firm. He’s now principal advisor at Global Trace helping organizations build cyber resilience.

On this episode of The Segment, Brian joined me to share how his experience across law enforcement and intelligence shapes his approach to cybersecurity today and why threat actors are winning where businesses lag behind.

From store robbery to ransomware as a service

Brian has investigated everything from kidnappings abroad to digital extortion at home.  

What connects them? The pursuit of leverage.

“We treated kidnappings for ransom the same way we approach ransomware today,” Brian said. “You know who did it, you know how they operate, and you know how to negotiate. It’s a business model, and they run it better than some legitimate companies.”

He says the economics of cybercrime are tilted in favor of attackers.

“If you rob a store in person for $50, a whole police response team shows up,” he said. “But steal $500,000 online? In most jurisdictions, law enforcement won’t know what to do with it.”

Cybercrime is scalable, borderless, and often invisible. In Brian’s opinion, until defenders adopt a similar business-minded approach, they’ll remain outpaced.

If you rob a store in person for $50, a whole police response team shows up. But steal $500,000 online? In most jurisdictions, law enforcement won’t know what to do with it.

Why banning ransom payments isn’t the answer

Few topics spark more debate than whether organizations should be allowed to pay ransoms. Brian has seen both sides from his time at the FBI to consulting with CEOs navigating a breach.

“There’s no blanket answer,” he said. “Some companies will cease to exist if they don’t pay.”

He recalled one law firm whose entire client history was locked down. Without payment, their business and reputation would have been destroyed.

Banning ransom payments outright might seem like a deterrent, but Brian believes it risks double-victimizing organizations: “You’re removing one of the few tools left to survive.”

Instead, he suggests a more nuanced strategy:

  • De-incentivize payments through preparedness
  • Build general cybersecurity hygiene, including backups
  • Implement smart insurance models
  • Reduce legislation that oversimplifies complex business realities

Rather than blanket bans, what organizations need is a smarter approach — one that balances resilience, risk, and the realities leaders face in the aftermath of an attack.

Cyber insurance isn’t a safety net  

As more companies turn to cyber insurance for peace of mind, Brian offers a reality check.

“It’s not a fix. It’s often more like a negotiation,” he said. “And sometimes the first thing the insurer does is look for a reason not to pay.”

He compared it to car insurance. Yes, you’re covered…unless you missed one detail in the fine print. The result is confusion during a crisis, unclear coverage terms, and delayed recovery.

“Most policies only help you get back online,” Brian warned. “They won’t cover rebuilding trust, reputational damage, or future resilience.”

His advice to CISOs is to know exactly what your policy covers and where your coverage gaps are. Never treat insurance as a substitute for strong defenses, and don’t trust insurance companies to work in your best interest after an attack.

Cyber risk is business risk

Too often, cyber risk is still treated as an IT problem. Brian sees that as a dangerous mistake.

“If the C-suite doesn’t believe in cybersecurity, it won’t get funded, prioritized, or practiced,” he said.

He recalled a time when CEOs didn’t know who their IT leads were. “Now, we’re finally seeing boardrooms start to understand that cybersecurity isn’t about firewalls — it’s about keeping the business alive.”

That shift, he says, is due in part to regulatory pressures, but it also reflects the growing realization that resilience is a competitive advantage.

Brian was also quick to point out that being breached doesn’t mean you failed. In fact, the best security leaders assume it will happen.

“I used to tell CEOs, ‘It’s okay to be the victim of a cyberattack. It’s not okay to be unprepared for one,’” he said.

That mindset is at the heart of Zero Trust which assumes compromise and focuses on reducing the consequences of a breach.

“Preparedness doesn’t just mean backups and policies,” Brian emphasized. “It’s cultural. Everyone in the organization needs to know their role when things go wrong.”

I used to tell CEOs, “It’s okay to be the victim of a cyberattack. It’s not okay to be unprepared for one.”

Closing the gap between risk and reality

Brian’s stories highlight a central truth. Cybersecurity isn’t about avoiding risk; it’s about managing it.

The most resilient organizations treat security as a business function, embrace proactive planning, and invest in containment, not just prevention.

Or as Brian put it, “You don’t wait until a fire to buy a fire extinguisher. You plan, train, and make sure everyone knows where it is.”

Want to hear more? Listen to this week’s full episode of The Segment: A Zero Trust Leadership Podcast on Apple Podcasts, Spotify, or wherever you get your podcasts. You can also read the full transcript.

Related topics

Cyber Resilience

Related articles

John Kindervag's 3 Zero Trust Truths for Government Agencies
Cyber Resilience

John Kindervag's 3 Zero Trust Truths for Government Agencies

Get insight from John Kindervag on the key Zero Trust truths government agencies need to know as they comply with Zero Trust mandates.

Read more
Malware Payloads & Beacons: Types of Malicious Payloads
Cyber Resilience

Malware Payloads & Beacons: Types of Malicious Payloads

Understanding distinct types of payloads and reviewing an example of malicious code they may employ.

Read more
4 Ways Government Cybersecurity Experts Ensure Mission Assurance With Zero Trust
Cyber Resilience

4 Ways Government Cybersecurity Experts Ensure Mission Assurance With Zero Trust

Learn why experts recommend Zero Trust to help government agencies build mission assurance into their security strategy.

Read more
5 Things I Learned From a Former FBI Most-Wanted Hacker
Cyber Resilience

5 Things I Learned From a Former FBI Most-Wanted Hacker

Learn five eye-opening lessons from Brett Johnson, former most-wanted cybercriminal, on deception, trust, and why Zero Trust is more important than ever.

Read more
What Nonprofits are Teaching the Cybersecurity Industry
Zero Trust Segmentation

What Nonprofits are Teaching the Cybersecurity Industry

Learn from nonprofit cybersecurity expert Dr. Kelley Misata on how mission-driven organizations are approaching security with empathy, purpose, and a listen-first mindset.

Read more
A Cyberpsychologist’s Take on Cybersecurity’s Culture of Blame
Zero Trust Segmentation

A Cyberpsychologist’s Take on Cybersecurity’s Culture of Blame

Learn how stress, AI threats, and human behavior make Zero Trust essential for cyber resilience.

Read more

Assume Breach.
Minimize Impact.
Increase Resilience.

Ready to learn more about Zero Trust Segmentation?

Learn more