Sign Kentucky Banking Moving Checklist Secure

Industry sign banking kentucky moving checklist secure

good morning and thank you for tuning in to episode 118 of the unsecurity podcast today is february 9th 2021 i'm your host today brad and i and joining me as usual is my good friend and co-worker evan francine good morning evan good morning brad uh i can see by the palm trees that you are not here in minnesota enjoying the below zero temperatures i know thank god for that man there are some uh you know once in a while some privileges and you get to get away you definitely uh lucked out with the timing because we this has been the coldest weather of the season for by far yeah that's what i've heard man it sounds like i have chickens you know and uh my chickens my daughter called me when i was well i was down here a couple days ago she says it's gonna get down to 30 below should i bring the chickens in the house and i'm like hell no you leave them outside they have a chicken coop uh and they survived so that was like the coldest weather i think we're gonna get but yeah yeah coming weekends would be pretty brutal but what are you gonna do hey at least that's minnesota everything's closed i don't have to go anywhere so you know there is some positives yeah that's true and it's you know it makes you grateful that you got a furnace that works and blankets you know yeah so much that but it uh it hasn't been it's been kind of a mild winter overall i think don't you think oh yeah yeah our snow seems to be pretty low so far yeah i was reading in the news that uh what the north east i think is getting hit again with a pretty major snowstorm if they haven't already uh so they're busy digging out yeah those nor'easter's gonna drop some snow in a hurry and it's usually it's like wet heavy snow too yeah yeah i'm not i don't know man the older i get when i was younger i used to like you know i think i had more energy and i like playing around but now you know at the age of 50 i'm like no don't want it it hurts everything hurts yeah yeah it is it's a special feeling that when you go outside and you can feel the inside of your nose freezing and crystallizing yeah well that's another thing man i mean you talk about age the older you get to the longer your nose hairs get i don't know if you notice that so they collect more uh you know condensation from your breath and then yeah you get plug your nose up with ice i definitely get it in the mustache with like at the bus stop or whatever it doesn't take i've taken a shower before you've probably done this to taking a shower before and didn't let my beard fully dry and then you know ran it ran an errand or something and yeah it's like my beard becomes ice yeah it's it's uh something i like it i was talking to uh for listeners you've heard him before um oscar oscar banks yesterday now we were talking about weather we were talking about a bunch of things talking about uh some weird stuff with uh forensics and whatever but he um i'm like what kind of weather do you like he goes man 40s is like perfect for me i'm like what the hell is wrong with you that's too damn cold too yeah i don't know it depends i do enjoy the seasons it does make you appreciate the other ones yeah i suppose i suppose you know and like i said you know i don't take for granted the blessing of being able to travel you know so being in mexico right now it's it's weird because you know covet has changed the travel industry so much we're on a resort in puerto vallarta and they're very very safe here everybody wears masks i get a i need to get a coat coved test uh no this morning actually i'm getting a covet test in order to get back into the country back into the u.s you have to have a negative test within three days of your departure so i got that scheduled this morning at 9 15. uh but you know you're down here in the resort that we're staying in it's there are some nights where you feel like you're the only one here in the whole resort wow yeah very different i feel bad because these people especially here you know they're so dependent upon our tourist dollars you know to pay their bills to feed their families so on one hand you know you feel like you know during a pandemic maybe you shouldn't travel but i think as long as you're responsible then on the other hand it's like you feel good about it because you're helping somebody eat yeah um that's crazy yeah well one of these days we're going to get you down here and i'm going to have to bring you i've said that before but you know with uh we're at different stages of life too right i got one child left at home and you still got three mm-hmm so coordinating you know daycare but you're young man i didn't start traveling i mean i'm 50 years old now i didn't start traveling like this until like three years ago so i was 47 so you still got like 18 years before you get to my age we've done a couple of cruises and and done some some some travel but not a lot but yeah it's kind of funny because your youngest is basically the same age as my oldest yep yeah so i know the phase of life that you're going through you were sharing last night about uh you know kind of just all the health things and kids and arranging stuff and man that's chaotic but i remember it yeah yeah so my oldest got sick and had a low grade fever and so the high school called and was like uh you gotta come get her and oh by the way all the siblings have to quarantine until she gets a negative covet test because that's how things go now i got that call like 9 15 and i had a 10 o'clock training session with the executive like board c level director level of one of our big vcso clients so the high school is about 15 minutes or so and then i got to the high school and that's when they told me oh yeah by the way you got to pick up your son in elementary school too so i was like maybe that's a good topic for you know an upcoming show is just juggling family and security yeah well and so i made it i got i got home and logged in to the meeting at 1001 so i was a little panicked but got there and it went really well so that's good but yeah it's tough because my wife's a nurse she can't just be like well sorry right right different kind of expectation around that so just happy we were that you know first gear we were so flexible to kind of allow for that emergency like oh i dropped out of the oil company meeting and missed the consulting meeting i was like i got to do what i got to do well yeah for sure man well that's the culture too though right i mean nobody's going to give you crap when you go run to your family oh no yeah i know it was super supportive like every you know renee was like okay go and then when i got back she was like how's everything is everybody okay you know people actually care it's kind of it's good right yeah ryan you know for people listeners don't know ryan is the chief security consultant or whatever senior security consultant over at security studio and he's uh he's taking his first vacation you know he never i don't know he's never taken a vacation here but he's got like four days and he's running hard man i mean we're all run hard and he emailed me yesterday because we have an important meeting next week and he's going to be on vacation so he's like well do you want me to dial in i'm like hell no yeah no you take a vacation to disconnect and the last thing i want you to do is connecting during your disconnection right yeah yeah it's a it is it's tough to do though i it does take some willpower right you know i i did have vacations scheduled around thanksgiving and then had the health issues which pretty much forced the disconnection but it wasn't exactly relaxing but you know it was it was like 10 days where i couldn't do anything yeah well so now that you know we're talking about it do you have a vacation planned not yet we're trying to figure that out you want some help no it's just scheduling i think yeah yeah we were going to go down and visit uh my sister down for fort myers for spring break last year and obviously that that was the last week of march so we missed you know that right when everything shut down yeah that kind of sucked but that'll be we'll probably go do that again it's fun to see her and her kids and our kids like hanging out with her kids so it's always good yeah absolutely man it's good for that work life balance you know which you know somebody sent me a a book that said the work life balance is a myth i'm like maybe if different interpretations of work-life balance but i think a work-life balance is you know because they are so integrated you know i mean i my work is kind of my life and life is kind of work i mean but it's just that being able to just stop working for a while go do something enjoyable go see the world see you know walk ride a bike do something just get away from you know the connection all the time because if you use it if you're connected too much man it becomes hell well the saying is what is it work to live not live to work right work to do things you enjoy not just work yeah no that's totally true brother wow but yeah it's uh we'll get there it's been everybody is uh going through the same type of stuff so adjusting and moving on totally so what do we what do we uh what security stuff what we got today yeah i would say we could talk a little bit about the difference of uh between security or secure being secure and compliance being in compliance and what does that mean and just because of with you know we're getting a lot of questions and a lot of really good conversations from uh potential customers with cmmc and that being such a big piece in the news and like they're you know what the confusion is or what their expectation and understanding are versus you know kind of how we do things and so that would be a good good topic because i know you're pretty passionate about that as well yeah it's frustrating man because you know we've you and i have managed so many security programs before and i don't know how many times i've heard out of the mouths of board members or ceos you know what's the quickest way we can get whatever compliance which is the cheapest way we can get whatever compliance and that's you know it's it's 100 or 180 degree opposite of the way you're supposed to be right the way we're supposed security's supposed to be integrated into the business it's the only way you're ever going to get any return on your investment it's the uh you know so doing things the secure way it's part part you know making it part of your culture and if you do it the compliance way where compliance is your definition of security then you miss out on all of that and you miss out on a significant amount of risk yep yeah so i'd had um a vc sub that i was working with um that their their security program went through their compliance officer and never made any it was well i won't say they never made progress they did they did actually get some really good stuff done you know like rolling out multi-factors and some of those types of things but it was just painful like security was not a priority in any way and then you know i've got others that are like wanting to do things the right way and it's just such a it's a breath of fresh air it's invigorating to like energize energizing this world to work with a company that is like all in want like hey okay what what should we be doing how should we be doing this what is the right way are we doing this the right way how can we improve it and you know kind of peppering me with with questions like i said yes they ask if they have a whole bunch of new leadership that's come in over the last year and that's why they asked i said hey we've got this meeting scheduled can you join and talk about security and some incident response stuff and it's like absolutely i think anything you can get in front of the you know sea levels and port or whatever directors yeah right no it's and that's it man i mean you can't i don't understand you know i've been studying people for so long it's still hard to understand well i don't understand i think nobody does because in general people don't like to be told what to do these would go against or at least there's some resistance or some uneasiness about being told what to do yet in information security they they like the compliance thing because i mean you're basically doing what you've been told to do but then on the other hand i mean how am i out how do you hear people that actually want to do security the right way that just that also say well just tell me what to do so i think a lot of it's just kind of a mental you know if you start off with your security program or if you are a checklist type of you know company you know doing security by the checklist or the well and it's changing the mind of the way you approach it yeah there there are benefits to having those checklists right like well for sure i i'm all on board with some of that stuff but it's i think you're right it's the mindset behind how those are created how those are implemented right it's not all right i'm just doing this and that's it it's not robotic but it's like when i'm doing this thing i need to make sure i get these things covered yeah yeah i mean and you know that there's and i've always said this too there's two ways to approach compliance you've got the letter of the law versus the intent of the law and what peop the shortest path to compliance is to do the letter of the law because it doesn't require much for interpretation i can create checklists out of it i can just you know follow along now what oftentimes gets enforced though is the intent so you find yourself kind of in this false sense of security like i did all these things uh-oh i may have lost evan see if he comes back well well he wait while we wait for him to oh there he is hi evan you're back hey might be my vpn yeah it it froze up there for a bit but um yeah i was i was on a rant i was on a rant too man i i agree with you though it's like i see the compliance is being building code it's it doesn't mean it's all you have to do it's the bare minimum you have to do all right well so and i think what i was talking about before i got before i cut myself off with my pin by the way vpn public wi-fi good idea oh yeah oh yeah yeah so uh yeah when you do the checkbox security you uh you have this false sense of security because you've checked up all the boxes you think that you're compliant so you're not watching for these other things that are outside of that letter of the law because you can never fully communicate the intent of something uh you know in documentation in you know words right so you you you check off all the boxes you think oh we're secure because you're telling executive management that you're compliant executive management that's the only thing they're maybe caring about because they haven't been told anything different so they think they're fine and then you move off the agenda until the next time you need to become compliant then you have the breach so you follow the letter of the law what do you think gets enforced yeah i mean it's the intent right right exactly i mean there's some of that um where you know it's people going oh well it's defensible because i'm doing what they said no it's i would say what are you in compliance is a uh um it's open for interpretation it is man i mean tell tell the ocr you know after a breach the office for civil rights you know if you're in healthcare and you just had a breach i've never seen them investigate a breach and not have findings not have a corrective action plan not have a fine yeah well so that's always going to happen even if you were managing risk right if you did security the right way but i think the fine would be a lot less because you when you look at those corrective action plans the number one thing and most all of them is to do a comprehensive risk assessment that you didn't do a comprehensive risk assessment so that brings us all the way back to step one when we define what information security is that's the beginning yeah the fact that people still miss that starting step is so frustrating well in so many and we've seen it right we're working with customers that have had that exact situation where they were doing risk assessments against a narrow scope right the health care piece but none of the back office non-healthca e and i think that's what so many miss they're like oh but i did this risk assessment against the clinic but you didn't include hr and finance and accounting and i.t you know all these other supporting business units and right which is the mentality right because when i'm get when i get told by executive management what's the fastest cheapest way we can get compliant well obviously narrow scope right yep you know you know and i will say you know you've been talking about cnmc a lot it's been and it is one of the nice things i talked to actually i was able to to have a conversation with a certified assessor who's number 70. so that's pretty cool uh a really good conversation and and uh you know he's looking to get their company certified and obviously he can't do their certification but he also wants to bring in an independent third party to you know help prepare for it just because it's always good right i really enjoyed talking with him i liked his his approach and uh i said at the end i was like all right well let me ask you a question because i'm curious what does the cnn see what guidance have they provided to you around the requirement for a significant amount of time for evidence what does that mean is that six months is that 12 months like what they're very vague about it and he said they are leaving it up to the assessor to determine if it is uh if it satisfies it but basically the end of the day what they're looking for is you know does the company are they doing it do they have a budget for it you know so are they giving enough money and finance do they have the manpower and staffing to actually do it and then obviously from a documentation standpoint uh is it is it has it been around or is it straight off the presses if it's hot up the presses that's never gonna cut it if it's you know six months old and they say hey look we found out and immediately started doing this and here's our proof that we've been following it since we implemented it and they shouldn't show all the other pieces then yeah it might satisfy it so i thought that was pretty interesting but i i like that approach i mean that's yeah it's kind of it's like any approach you know i think you have it's pluses and minuses the minus or the negative in that approach is it's subjective so you'll have you'll have a different well i want at least a month and in my interpretation you need to have three staff members in order to do this thing whereas another guy might look at it and say it's got to be there for six months and you need eight staff members right you know what i mean yeah and you know that obviously i don't know the full details but i i agree with the overall approach it's better than the check box that we've been seeing right it's not it's not point in time no not and it's getting and i think it's getting closer because uh there's less interpretation there's less uh letter of the law versus intent to the law well and right and the the controls are are pretty well written and that they're it's easy to uh you know like it's pretty clear what they're looking for i don't think there's a lot of confusion there no you know just but again this looks like anything man i mean there's a double-edged sword the thing is with people it's good people design really cool stuff and then people start to use it and then they find ways to abuse it or they find ways you know because the sad thing about some of those controls is they are pretty prescriptive so there may not be any business benefit to you doing this one thing but if you want certification you need to do this one thing and there's also going to be times i think when you do this one thing and based on your circumstances the way your business operates you don't get a lot of security benefit out of that one thing but you're going to need to have it so double the start it's good and part of it so one of the other things that came up is you know right now they have d fars and based on 800 171 and he said that basically the dod estimates only 34 of their supply chain is actually doing it it's meeting their requirement so it's kind of like well hey we gave you this opportunity nobody's doing it too bad now you have to do it yeah that's it one in i give the government some credit too because at the end of the day the government is the customer and customers need to be telling their suppliers their vendors their business partners this is what i expect of you right yeah and you know he did say that the other thing and i think this is gonna we were talking about it before of it growing um he said that it's very very it it's not surprising that all the other government entities are watching this very closely like you know hey if this actually works it you're gonna see it go for basically every government contract is is what yeah expectation is well hopefully it's the same process the same controls the same everything because oh yeah no they said they're gonna adopt bmmc okay because i saw i was reading a state of uh the states are now kind of putting together not all the states but you know small group of them are now putting together a state ramp so you have fed ramp right this estate ramp and you know i get it it's good but my god you keep creating more stuff for people to do that distracts them from running their business don't forget the purpose for a business is to serve their mission not necessarily to secure information so if you figure out a way to integrate security into the mission that's where you get the biggest benefit so if i have just another thing i like cmmc too i mean based on all the other things that i've seen uh but if i've got cmmc and i've got you know this other thing and this other thing in the southern part i got it give me one thing i think that's some of the frustration for business leaders with compliance yeah and you know that that is a good point it'll be interesting to see what if anything if fedramp is impacted by cnfc because fedramp but that's a bear that is a nightmare right yeah and it's expensive as hell man if you're a cloud service provider oh yeah going through that process get out the checkbook man that's another thing about security to us i think so many people in our industry sort of abuse it right uh because i can set up shop because i i was actually talking to uh what oh okay another company uh i'm not gonna mention my name because i don't wanna i don't want that uh but they they're they're an i.t shop and they want to get into security right so they're like well what should we start with you know they're not asking me this this is their own internal discussion well they decided let's get into cmmc i'm like and then they so they told me this like so why did you choose cnmc like well because you know people have to get it so they see it because they don't you know it would be much easier for them to sell because companies have to do it right but i was like well do you know do you know the timeline for the implementation of cmmc do you know how many organizations need to be certified by the time this thing you know is fully implemented so that's your your your target market if you will and then do you understand the competitive landscape there i mean you've got some security companies some huge audit companies they're all involved in this game and how are you gonna buck them out for your business it's just like i don't think you should do it because i think that market's already i mean so quickly that market's already been saturated and with that with that will come i think but i do like the way cmmc did that too right you've got the the gap analysis or the gap assessment and then you've got the certification i like how they kept those separate right yeah and you yeah i i do i really like that you cannot do both right yeah right now there are 300 rpo organizations yeah so you're going to get mag game you've got zero experience and for what and what's the target market i mean how many how many government at this point we can't assume the entire government we can only assume department of defense contracts right how many of those are there and then how many of those are going to be you know need certification this year next year well and then the cmmc this which you're certified it's good for three years so it's not like an annual thing that you're going to do readiness every year but once you get them there it's maintaining it right so if you're not offering those supportive services to help continue it then what what's the benefit for the customer too exactly exactly when we've seen other compliance you know ffiec for sure you know glba you've seen you know hipaa probably the two biggest ones where you've seen a number of companies really abuse that that will claim you know you do these things work with us and we'll get you hipaa certified or hipaa compliant it's like what the hell is hipaa certified that doesn't exist first of all but you've seen it people are charging you know 10 20 30 000 to a healthcare organization that can't afford it same with banking you know now everybody in banking pretty much not everybody most banks credit unions are very much check box security oh yeah yeah right it's like ah you're missing the point that's not how security works yeah yeah it's been interesting but the other thing you know it's it's interesting on these some of these calls to talk to companies that really it becomes very clear that that 34 compliance rate is probably very accurate because these are yeah yeah because i mean well the requirement has been you have to self-certified to defarts and we're having conversations with companies that are current contractors or subcontractors you know so in the supply chain that have like basically nothing and have no understanding of it it's like what have you been doing like do you know the penalty for lying because well that's another thing too i think that our industry could use a lot more of and i know people may not want to hear it but it's more accountability right well you know let me see it so in this it's big because it's uh the false claims act is what it's at it's trouble damages are three times the contract value plus a penalty of eleven thousand dollars per claim and in 2019 fiscal year ending september 2019 department of justice had obtained more than three billion dollars in settlements and judgments for people violating the false claims act it's like you if they if something happens and they they could just crush you and you're not going to get contracts with them again probably right well but i've seen organizations what they do is they they shut shut down shop declare bankruptcy set up shop as another name yeah that's you know it just game stuff you know but so you know one thing pops into my head so compliance is good i like compliance honestly what i don't like is when you get your priorities mixed up and you think that compliance is something that it's not you got to be compliant because we live in a nation of laws right but the right approach is to understand build a good security program and ensure that compliance is built into it yeah exactly that's and that and that's our approach is hey look let's do security correctly let's get you as secure as possible and in that process you're going to become compliant let's do it right and if you do it right you can check the boxes that's not going to be a problem right if you just check the boxes that doesn't mean you're going to be secure exactly exactly you know what i'd like to see maybe in a version 2 or version 3 of maybe cnmc is uh like a mitigating controls checklist kind of thing so like if i don't implement this one control because i have a justifiable reason for it uh meaning i'm addressing risk in other ways or you know my it just doesn't apply to me for some reason they have like a mitigating control they do have that that you can have it not applicable but you better have that very detailed explanation of why it's not applicable so they sort of had that but yeah i get what you're saying uh i think the problem has been the reason they went with a pass fail is people would have these those plan of action milestones and then not really make progress on them right like okay well i know i got to do these things and gosh next year i know i got to do these things and right right so these companies being i don't know i don't want to say negligent or you know however you want to put it but not willfully or i don't want to be anyway you know i don't know right but they force the hand all right like right yeah i mean it's across the spectrum i think once you know for people that there's ignorance they just don't know right people don't like to be called ignorant and i get that but we're all ignorant about something and i don't know lots of things right but there's certain things that you just need to know to become a responsible business leader business owner father husband you know what i mean right they're just things that i can't claim ignorance on i can't claim well i was supposed to pay taxes well nobody told me that right you know i wasn't supposed you know so these things like you have the ignorant and so and i point fingers at both sides for being here and i think a lot of business leaders just don't want to know because i've heard that before too well if you tell me this stuff well then i have to fix it it's like what the hell is the logic in that that doesn't yeah yes you may have to fix it in time or have a reason on why you didn't fix it but that just makes sense that's just good business right right so you got the ignorant on one side and honestly you have the willfully negligent people they're basically criminals running businesses that it's and it's a fine line between going i don't want to hear about it and i don't you know from that ignorance to that negligence it's a very fine line right yeah i have that saying because people would say ignorance is bliss i'd say no it's breach yeah i like that yeah ignorance isn't bliss it's breach so so what about um like the right way then because we see we preach you know all the time the right way to do information security and i think i think we can do a lot better just as an industry and explaining what that actually is how you actually do that and it's a big part of what we're putting in our book too right the vc so handbook is like here you go exactly that yeah i think you know it's it's to me the the end game is to get the organization to buy in everybody top to bottom in what we're doing but in order to get there you have to work with the company right you can't just be this standalone no you know dictator approach which we see all the time of it's my way or the highway for security and you have to do it so you got to listen to me well you're never going gonna get a truly good security program that way and so it's it's reaching out making building those relationships within the organization and getting their trust and working with them to understand what's their risk tolerance what you know how do they how does the organization work and then giving them the options and say hey look here's my recommendation we can do this but if you want to do this here's the risks associated with it and educate them yeah yeah i agree with that i think a lot of times we skate over the fact of you know how important roles and responsibilities are in an organization security doesn't come second nature to everybody right and i think sometimes i i know personally i forget that and so if you don't give somebody specific responsibilities you don't communicate those specific responsibilities you don't train them and enable them then they never do it it never gets done and so you know just i think starting out with an organization figuring out what assets you have to work with what resources what people do i have who's going to do what when you run a security program and at the beginning start high level right until you really understand how this is all going to kind of work so you know getting to know that working with executive management to communicate how information security can be used to accelerate the business how can be used to accelerate the mission how we don't want to have a security program that gets in the way of those things because you're not serving the business right i mean it's if you have a control that you put in place that restricts the ability of the business to make money or serve their mission you really need to reevaluate that control that might not be or probably isn't the right control right yeah so it's the creativity piece and then it's risk management right i mean the definition of information security is managing risk right how am i ever going to manage risk if i've never assessed it if i've never made risk decisions before if i've never put risk decisions out onto a roadmap and assign those to people to accomplish and track that progress however you want to attract that progress well yeah you know it's just fundamentals man yeah you you bring that up and it triggered this thought you know before i started here i'd interviewed it a couple places in background kentucky you know they're always like what are you going to do from a security perspective and i said the first thing i'm going to do is sit down and talk to everyone you know talk to it talk to the different business leads and understand get to know the organization and then figure out what we have you know what what is here and they're like um now we need somebody to come in and just start doing things like okay good i'm i'm done thank you as soon as you hear that it's like no i i can't i can't do that you can't be successful coming in and saying all right everything has to change you're going to lose the ever you're going to lose it it's a company you're not going to have any credibility yeah you're absolutely bound to fail and you will you will 100 become the scapegoat when the poop hits the fan because you don't have those relationships you don't have that support uh you're gonna need that when crap really does hit the fan right it you know i i very clearly remember asking like okay well then you know do you have an asset inventory do you have uh you know him in hawaiian and i was like well how what do you what how do you do that you can't do this it's not how it works well that's what might you know it's ideal but it doesn't happen as much as it should but it's ideal that when you hire a consultant to do information security stuff so or a b c so for instance or a cso whoever's going to be the person that's going to help put this thing together the best place to start the entire engagement is with the ceo have a conversation with him or her and ask what are your expectations what does a good security program look like to you and what you'll find is they either don't know most in most cases or their expectations are unrealistic and so but that's the consulting piece right that's why i'm here that's why i'm here to say i get that let me explain to you why that's why i don't think it's a good idea for us and here's what i think is a good idea for us and the reason why i'm having this conversation with you is i need you at the end of the day to own this i can't own it right how much money you pay me you know no matter what you put in the contract i don't own this thing you do right yeah and you know that that's why i'm really enjoying this this new vc so i'm working with because you know i i didn't meet with the ceo but i met with the their security uh director of security and our information security and then the cio who he reports up to and we had we had an actual like interview prior to them signing the contract so we knew it was like a good fit and i knew kind of had a good idea of where they're at and then you know even yesterday during the training that the the top person was like had really good questions was engaged you know i go through some of the things around you know fishing and some of that stuff and examples and he turns in and is like oh yeah that really resonated you know and thought it was it was super engaged which is rare you know and so i i love that stuff oh it is it's really it's fun at that point it becomes fun it's not pulling teeth to get progress no man i mean the best the best pc so uh things that i've you know projects that i've worked on i became really really good friends with the people that i was working with you know the leadership there because you do it's collaborative right i'm not here to be debbie downer and you know i'm here to collaborate i want to understand the business so i can help this thing succeed if i'm not providing value to the business and this is a message for all security people if you're not providing value to the business what the hell are you doing here right right and you have to know i think too what that value is what is the business expecting right because i do have how to quantify it right i have other ones that i work with that are extremely happy just having that week monthly call to check in and just having it as a resource and you have somebody to bounce ideas off of and things like that so it it it's going to be different for every organization but knowing what they expect and what they want and what they need is what makes it successful or not so yeah i love getting those expectations and then it also helps when i ask a question like that like what do you expect out of the security program what do you envision it being how what would it be for something that you would because what i need from a ceo is i don't need you to tolerate my security program our security program i need you to champion our security program and i'm not asking for a ton of time i'm asking for maybe 15 minutes a month maybe you know just to give you kind of current state of affairs this is what you said your expectations are this is how i'm meeting those but yeah i mean if you don't get that then you're shooting in the dark chances are really good that um you won't meet expectations or that yeah because unrealistic expectations are the shittiest excuse my language i mean they're the worst yeah yeah it agreed and well and not being clear about that like i said it's going to set you up for failure like how can any every time do i know what you're expecting if we don't talk about it how do you know what you know what it's got to go both ways you have to have that communication you have to have a relationship so that there aren't these big misses right well and as a security professional i mean if you're if you're in a position where you don't get space time with the ceo you can't get face time with the ceo no matter what you do you got to question if this is the right place for you to be working because the expectation from the cso i'm not expecting a you know a weekly one-hour meeting right although that would be awesome what i'm asking for is can i get 15 minutes a month can i get 20 minutes you know a month and if you can't get that kind of buy-in from the cease from the ceo that's a great indicator of where this is headed eventually well and i think part of it too is just the way that consulting works and stuff i think you have to build a little bit of a relationship and trust with your primary contact for right like i can't i don't feel like i can go in and demand that right away like i need to assess the situation where they're at where the program is and build that relationship and then say okay here's we now know where we're at here's what we need to do and then bring that up right i don't think it would be successful going in day one and saying hey i need 20 minutes a month with your executive leadership no well maybe i mean it depends on you know why you engaged in the first place if it's just to be a resource versus do you want me to own this and drive this i mean not truly own it because that is i can't do that but i can treat it like i own it you know i can drive this security program i can start you know setting up projects and having people do things yeah i think with your point of contact uh you can always lay that out like hey here's the steps at some point in the next month you know what i mean absolutely we need to talk to the ceo or board or whoever right no i would agree and you know that you guys worked well with the one i'm doing you know now we do we delivered their uh assessment results two weeks ago or so you know we're gonna go through the road map tomorrow i believe but one of the first things after that was hey look we've got this meeting again can you get in front of all these people and you know do this and that's perfect that's exactly what you want right so yeah and and and so you can see that the approach you take that approach the approach we've been talking about the last you know five ten minutes and compare that against the approach of compliance you know i mean it's just vastly different yep yeah you're gonna be far more successful with the approach that we take then that and you know it's not to say that that's going to prevent all breaches we see it happen right it just it's a matter of not a matter of if it's a matter of when we just want to try and push that win out as far as we can and make it as small as possible right and i've told i've had cso ceos i've had these conversations with ceos i've asked them and what are your expectations and a common one meaning i've heard it more than a few times is i want you to keep me out of the news right okay i get that who wants to be in the news for something like this but i can i will never be able to meet that expectation and they're they're they're always kind of surprised like what do you mean i go because i can't guarantee you bad things won't happen they will right when those bad things happen at least you'll have a story to not look like such a you know what i mean to the rest of the world you'll be like yeah well this is what we were doing to prevent this and bad things happen you know what i mean wow yeah i you know it just yeah it still surprises me i know it shouldn't but it's like i just can't get over the fact that people are still given everything we've seen still have that approach oh yeah that's a that's still somewhat common another somewhat com not they don't say in so many words but i've heard it numerous times is and they most of the time i get it in the form of a question and it's kind of a rhetorical question it's you know will information security make me more money i mean like well maybe i mean it depends that will really really really depend upon your involvement with me if if you will be really tightly i mean if you want to work towards that yeah we can make it part of the culture right we can look for all business processes that are over complicated because complication complexity is the enemy of security so we can go through that and streamline as many processes we can take those 30 step processes make them into two three-step processes realize efficiencies and business operations and at the same time you know get the security benefit right we can also brainstorm about how we can use every one of our information security dollars that we're investing as a marketing play as a business differentiator as you know to get more customers so i mean if you get creative so the answer to the ceos that have asked me that before it's like yes but your return on your investment will be directly related to your involvement yeah yeah and and understand it's tough to quantify that right right and that's again why i would need more you know involvement from the ceo because we'd have to agree upon all right i bet you this 10 step 30 step 50 step process was probably costing the company you know work to do some math give them the variables and say well you know i think it was probably costing the company half a million dollars a year now that we've streamlined it into a two-step process it seems you know based on you know how much human involvement and stuff like that maybe we've got it down to 200 or 150 000 a year yeah well that's a 350 000 return on your investment it costs us 30 000 dollars not necessarily return on investment but cost us 30 thousand dollars for you know to go through the process of evaluating refining that process we put in fifty thousand dollars with the security controls so we're more secure and we got a positive roi right it just takes a hell of a lot of creativity and i think a lot of us don't get the time to do that yeah good point and and like you said it's just it's kind of an intangible roi right how do you you have to agree ahead of time that hey this is how we're going to measure it and you know it's hard to get people to to do that sometimes yeah and then and in all honesty uh with all the security projects you know i've done and you've done i've never once had a ceo take me up on that yeah you know where they've said i've heard it more than once that hey well well you know will security make me more money the first time i ever heard that i didn't have an answer i was just like probably not i don't know and then but you know i don't like being in that position so then i obsessed about it for like the next week like how are all the ways i can answer that question yeah of course we can so then you know probably three times after that maybe four times after that ceos have asked me that same question and the answer's been yeah but this is what it's going to take and they're all like um yeah i'm going to go focus my time on marketing or yeah business development i've gotten that approach from more of an i.t perspective but it's the same thing like hey we need here's the justification for this piece of software it takes me 15 minutes a day to do this task that that adds up if we get the software it goes to 15 minutes a week we're now saving you know an hour a week that's 52 hours a year at this price here's what it costs it's gonna it's going to you know save this money over the and allow me to do these other things and it is really effective when you can't do that and show that because otherwise people go you want to spend money on software why why are we doing that you're it's working fine now right yeah it takes me an hour a day well and that's uh that's nothing about culture you know in companies no two companies are exactly the same so what resonates with one ceo of board of directors doesn't resonate with another you know that's why again it's really important that when you start off on this journey or depending no matter where you're at in the journey at some point you need to really understand what's important to them you know do they want to make more money is there a mission and they're so just mission driven that money's kind of a secondary thing well then focus on that damn mission show how everything we're doing in this information security program is making us better towards that mission and then you'll get budget all the time it's crazy how that happens right yeah yeah it's it that's a kind of a uh don't i don't know the right word here but it's a lost skill it's not something that or a missing skill for a lot of people and security is you know talking to and understanding and then being able to execute on what drives the the rest of the company right you have to adjust your approach to meet them otherwise it's going to be really tough yeah yeah for sure man yeah uh it's an art form i think you know and there's just sometimes when you just don't click right well and in those cases we've had this happen where either the the um analyst or the company is like hey i just don't think this is a i think we've had it with the analyst point hey you know what i think so-and-so would be a better fit for this they're going to get their just personalities are going to match them better than and and it's going to be more successful awesome don't be afraid to do that and we've had nobody go and say the same thing like hey you know so-and-so is fantastic but it's just not the right fit and so it's and you don't you can't take that personally no no don't take it personally i'd rather than you know from a from our side of it from my first gear i'd prefer them to tell us hey can we try something else like it's just not working rather than being unhappy and disengage and leave right yeah yeah for sure we got plenty of uh analysts with plenty of different backgrounds and different personality types we can we can get somebody to fit you know i think the essays are pretty good at doing that as well and kind of gauging the customer and making some recommendations of hey i th nk so-and-so would be really good for this one from an analyst perspective too you know it can get personal you know you pour so much heart and soul and time and energy into our work right i mean we genuinely care about the people we serve and uh to be told by somebody that you serve that they don't like you oh you know i don't think or whatever yeah but it comes off that way that's the way you feel it you know yeah i don't i don't know i yeah i can totally see that personally i it it's like okay i get it i know that and usually you know too like you can tell if it's not not going to be if it's not going well but yeah i can see that one and yeah but your advice is about not taking that personal and for every one company that it doesn't fit there's probably 500 that do right you know so just you know dust off and keep going well it's like any relationship right you're not going to get along with everyone it just is the reality right you can do your best so yeah i'm betting like 20 i think one out of five kind of dig you know working with me so that's pretty good yeah i'm gonna guess it's a little higher than that yeah maybe 1.5 out of five yeah all right so news yeah news yeah so i said you laughed by the way man i really enjoy talking with you it's always fun i think we've got it's been it's more fun when we go a little bit more unstructured and just let it happen yeah i agree um so first one i sent last week um suspected chinese hackers used solarwinds bug to spy on u.s payroll agency this is all for voiders um and it was a different let's see it's a different software flaw than what the russian government operatives are using or we're using so i mean pretty brutal for solarwinds orion uh right yeah i think i think the problem is uh not necessarily with solarwinds itself in terms of like maybe they had well they i'm not gonna defend them but just the fact that they're so prevalent um they become as an incredibly high value target right well hindsight inside is 20 20 you know obviously but you you just i just wish they would have you know known some of the things they know now then because i don't think there was any you know malicious intent by solar winds i mean it's easy to vilify them but you know they were doing the best they could they i'm sure it cut them more by surprise than anybody else but the part that sort of i guess concerns me is you know the united states and china and russia and israel and great britain and canada and north korea we are at war you know the chinese government is not our friend period no and i know in a politically correct world we may really really really want to be friends no we're not well i mean it the reality is it's not any different than what has been the case with you know spying and stuff like that it's just how it's being done has changed right well in you know the cold war when when you know with russia and i guess a little bit of china you know the cold war we were much more skeptical of things from russian origin and we were a little more protective of ourselves and our the things that we consume in terms of electronics and and information but today hey we just seem to be so willy-nilly and we just blow this stuff off like these were chinese hackers state-sponsored in our governments in some of the most sensitive places of our government uh-huh yeah yeah this is so it was the national finance center so the federal payroll agency and depart inside the department of agriculture was among the affected organizations so you now have you know potentially very some sensitive information on a lot of government employees so yeah it's gonna be they they serve 160 agencies and 600 000 federal employees it's announced yeah they are separate and distinctly different operations so it's just crazy and so with solarwinds just to re you know recap you know the involvement by who the chinese and the russians have both been implicated in maybe not the same attack but you know that they coordinate i mean it's no coincidence that they were both in and using flaws or whatever in orion it was it's you know this is kind of like well what are they doing to each other that they both knew about this stuff right they're both infiltrating it's like just yeah yeah we share intelligence with our allies i mean we share intelligence with canada with great britain with israel they share intelligence with each other yeah so scary this is just going to continue it's going to be months before we know everything let's fight chris roberts on thursday's show he brought up you know we were talking about this a little bit and he said uh well the united states is doing it too i said yeah but i'm on that team right i don't care if my team's winning i don't want the other team to win yeah so yeah i'm like that what you can do uh second article we had was from the register u.s court system ditches electronic filing goes paper only for sensitive documents following the solarwinds hack so in this lawyers required to hand in dead tree copies no seriously um but yeah the u.s court system has banned electronic submission of legal documents in sensitive cases out of concern that russian hackers have compromised the filing system so any document that contains information that is likely to be of interest to the intelligence service of a foreign government has to be physically printed out and provided in physical format so like okay i like it i uh if anything i like it because lawyers are involved too and i know how much they hate uh anything that's inconvenient you know because nobody's time is more valuable than a lawyer's time so i kind of like that even if they're going to give it to clerks and everything to do with that stuff but uh yeah it's definitely more secure i read something and i have to go back and find it if i'm remembering correctly that some of the german government has gone back to typewriters for some of their more super sensitive stuff like nope you're gonna type some of these types of things up it's offline it's mechanical it's not electronic yeah i mean i'm uh the more i've the longer i've been in security the more i appreciate the simple things and the analog things you know doing things the manual way you know we adopt all these technologies all the time in the name of convenience in the name of making our lives easier and it just hasn't man i mean my life is more chaotic than it's ever been you know yeah uh the last one is one you send over which i hadn't seen which is uh incredibly scary is from bbc uh hacker tries to poison water supply of florida city uh this happened in oldsmar florida uh and they got access to a computer remotely and tried to increase the amount of sodium hydroxide which is lie in the treatment system luckily a worker spotted it and reversed it you know basically immediately but how why why is that system remotely accessible is it was the first thing i thought of well yeah i mean think about the catastrophic i mean it could have been much i don't know how many people would have really died but there would have been many people get sick you know from drinking that water and it could cause widespread panic too right i mean people would maybe stop drinking tap water all together and go to bottled water so you'd have a rush on bottled water we've seen what's happened with you know covid and you know kind of the the mass hysteria you know associated with that this is a big deal man because it it could have very easily gone undetected the fact that the attacker was basically using some sort of remote access software i'm guessing because the operator who was there at the time saw the mouse moving on the screen and that's what it alerted them to like what the hell is going on right if he would have been sitting there or if the attacker would have used something non-gui related right we would have known and it would have gone off successfully yep yeah one and the problem is is and they do mention it in here is that you've got basically your utilities are running on out of date you know stated systems with no redundancy so you know it's like good well we can't take it down because it's critical infrastructure okay well what are you gonna do excuse me when this happens or it gets ransomed because you didn't patch it isn't it yeah you see that and that's where that's where it's such an illogical argument would you rather have a planned outage for you to implement some redundancy into the system and patch it so it makes it much more you know re serviceable or so you want a planned outage or you want an unplanned outage right because if you don't do something about this you're going to have an unplanned outage and if that's your choice well then let's go take a look at your incident response plan and all that other because you're going to need it sooner rather than later right yep and stop building crap without redundancy and stop building crap with yeah oh my gosh really yeah well and the problem is a lot of these were built so long ago that it wasn't considered a lot of them are running xp or nts since mnt yeah so there was there was redundancy in and oh yeah there wasn't a consideration when it was built that wasn't something people were really we're thinking about yeah i guess obviously yeah all right well good conversation uh that is for episode 118 thank you evan got any shout outs i got a shout out for uh yeah i do let me give a shout out for ah people don't know at nasa's development leads the development on the security studio side uh we had our meeting this morning at 4 30 a.m central and he went through a nice laundry list of things man that team is just running at full steam so i'm really impressed with with the progress that they made we've been you know been more involved in the last year really and and just leaps and bounds and just how responsive he is to requests and stuff so yeah i agree with that um i think for my shout out i want to go with you know teachers and educators just based on the experience that i've had with my kids and their teachers that you know with all the e-learning and now the transition back and they've just been phenomenal and very you know flexible and understanding of kind of how difficult this is for the kids and try to make it as positive and experience as it can be and i know it's tough on on them as well so yeah i'll definitely second that man i agree all right uh thank you to all our listeners send us things by email at unsecurity at protonmail.com we have seen uh several emails come in yeah if you're the social type socialize with us on twitter i'm at brad and i and evan is at evan francine and lastly be sure to follow security studio at studio security and fr secure at fr secure for more things they're constantly popping out really really good content way more than i do yeah that's it and we'll talk to you all next week awesome