S3 #21 How to get your cybersecurity policy and practices right

Jason Floyd

As CTO of Cybersecurity at Ascent, Jason Floyd leads enterprises to secure, advise, and manage their Microsoft Security solutions. Before earning a Master of Science in Security Technologies from the University of Minnesota, Jason dedicated nine years of full-time service to the United States Marine Corps. During his service, he served as the Cyber Warfare subject matter expert at the Marine weapons school, MAWTS-1. Jason’s military background and enterprise consulting experience combine a unique blend of highly technical security acumen and a business-centric approach. He is a proven Microsoft services partner and EMS architect for multiple highly regulated industries, including government, financial services, healthcare, and manufacturing.

Many organizations are challenged by a combination of on-premises and cloud hosting. Ever-increasing ransomware attacks pose a significant threat, but so do human weaknesses, which are hard to overcome. Amidst the headlines about the latest breach and operational realities, which include limited resources, your organization can still maintain its cybersecurity posture and deliver on strategic goals. In this episode, Jason Floyd, CTO of Cybersecurity at Ascent, provides sound guidance for practical policies and how to translate them into operational tactics.

cybersecurity, cloud hosting, cloud protection, security, PII, personally identifiable information, data breach, data protection, data privacy
Date Published: December 1, 2022

[00:00:00] KRISTINA PODNAR, host: The top priority of organizations is having security protection of their digital and physical assets. Change, compliance, cost, continuity, and coverage are always at the heart of the discussion, but what does that mean for you and your team? And what should you be doing right now?

[00:00:17] INTRO: Welcome to The Power of Digital Policy, a show that helps digital marketers, online communications directors, and others throughout the organization balance out risks and opportunities created by using digital channels. Here's your host, Kristina Podnar.

[00:00:36] KRISTINA: Hello, everyone, and thanks again for making time to join me and talk digital policy. Enterprise security is vast. There are lots of theoretical and academic threats, and it can be all very overwhelming. I know it is to me. Today we are joined by Jason Floyd, who's the CTO of Cybersecurity at Ascent, and I've asked him to join us to help us get past the theoretical and into the practical. Just his background, Jason has public and private sector cybersecurity experience. He's been leading large teams throughout very complex information technology and security projects. I thought he would be a really great guest today because he mixes highly technical security acumen but has this business-centric approach to security strategies. He's able to really kind of get in the weeds, but he can also take it up to the strategy level, which is exactly what we need when we're thinking about policy. So, I've asked him to help us sort through the noise, dial in key policy and operational actions, and help us sort it all out. So, Jason, welcome.

[00:01:33] JASON FLOYD, guest: Oh, thanks for having me. Glad to be on.

[00:01:35] KRISTINA: There's so much noise in the ether around security right now. Why are organizations so challenged by security risk? What's happening? Give us a little bit of the low down.

[00:01:46] JASON: Yeah, it's an interesting, interesting problem set for the entire field, but I say that there are a couple of things that pose a significant amount of problems. The first one is there is an extreme amount of fear, uncertainty, and doubt. FUD kind of drives the security industry in general; it's really technical, so only so many people can really sift through the true and the partially true and get to key solutions. So, it requires a certain amount of judgment to determine what is real and what isn't real. So FUD kind of drives the entire industry as a whole. On the flip side or maybe even adjacent to the majority of the field, if you go to something like Black Hat or RSA, which are great conferences but they're, but they're the big conferences in the field. We've gone away from some of the traditional cybersecurity disciplines and into t-shirt cannons and, you know, really impressive presentations with laser shows and smoke machines, and some of the fundamentals of the field have gone by the wayside. One of those is risk. I often talk about risk should be the core of the security technologist discipline. We should, at our core, be able to articulate, mitigate, and manage risk at all levels of the organization. That should be at the tactical and strategic and operational levels. But we've, as a field, we've kind of gone away from that. Unfortunately, only a few and far between still do that. And I think that's probably the primary contributor to the situation we're in. We've abandoned the core of the risk discipline.

[00:03:28] KRISTINA: Folks listening who are maybe part of a small business. Some folks are in a midsize organization, some are in really large global multinationals, and I'm assuming that the kind of threats that they're thinking about right now and that risk aspect differs. So what should each one of those be thinking about, and what are the differences as we scale? And maybe size doesn't matter. I don't know, you tell me.

[00:03:51] JASON: Yeah, that's great; that's a great question. So, it definitely matters specific to each organization, specific to each point of view. One of the things that I think is great about risk is to really hone in on every person, every organization, and every size. Every security technologist should be looking at risk in terms of all of its components. It typically is a threat, vulnerability, or consequence. So we generally want to associate that almost algebraic or mathematical where threat times vulnerability times consequence equals risk. But if I go into the majority of organizations, even Fortune 500 companies, and I talk to their security architect or their CISO, when I ask them about their risk profile, they repeat back to me their vulnerability profile, which is only one portion of the equation. We've generally lost the ability to see a vulnerability and tie it to an actual threat that can expose that vulnerability and tie that vulnerability to something that's critical to our organization. So some companies do a great job of identifying their crown jewels. Those are going to be the asset portion. Those can be IT crown jewels. They probably best should be the company's assets themselves. How do you make money? Those should be your biggest crown jewels. And how do you map those vulnerabilities to the consequences? But even more so taking the most advanced step, which is focusing on the threat component. For example, I talk about this all the time. I live in a place, a wonderful place, where I generally don't lock my car, and I generally don't lock my house. That sounds like a terrible idea. But the net of it is I'm, I'm assessing the risk where I have my house. It's a vulnerability. It is, the door is open. That's a clear, very easily articulated vulnerability. And it's an asset that I super care about. My family is there. Everything I own is there. It's not that I devalue that consequence, it's that I assess that there's a very limited threat in the space in which I either park my car; therefore, in the equation that makes my risk near zero and the way that I assess it, I could be assessing it wrong, certainly but the way that I assess it is that my risk is near zero. Organizations need to do the same thing. They need to be able to say this is a specific vulnerability in our environment, and it maps to this specific consequence that's critical to our business, but they cannot forget the threat component. Without a threat, there is no risk. So those are the pieces that I want. There's this art and this science to risk as a whole to the disciplines of risk. And we need to not forget all the critical aspects of it. We need to bring in threats, vulnerabilities, and consequences.

[00:06:35] KRISTINA: I'm wondering how we can get to that type of culture. Because a lot of organizations that I go inside today have those annual training, click, click, click next, ask the question about what Sally and Bob did wrong when they got on the airplane and forgot to use their VPN when they accessed the WIFI. So, it's almost like the check-the-box exercise. How do we actually evolve the culture to get to the point where, you know, the point that you're really describing, which is actionable risk understanding?

[00:07:04] JASON: Yeah. I think it is primarily driven by the security technologists in an organization. That's probably specific to your small business in larger, which has somebody who's responsible for the security posture of an organization. They should be looking at it from that point of view. They should be driving that upward to the business, and they should have the ability to influence peers to be able to incorporate it. For the smaller ones, I think that there's a beautiful thing about risk is it's that there are a lot of things in which I can do about risk. I can transfer it; I can mitigate it, I can even accept it. The problem is I can't accept the risk that I didn't properly articulate. That's just neglect, neglecting a risk. That's not accepting a risk. But if I say as I'm a small business, we have 20 users only, so many of them are on the computer on a regular basis. I probably shouldn't, I, it's, it's a legitimate business decision to say I probably shouldn't buy a best in the suite, you know, hundreds of thousands of dollars articulation or mitigation of that risk to solve that. It's very appropriate for them to be able to say, I'm just going, going ahead to accept that risk which is a different profile than a small, medium, or a larger business would end up taking. And that's fine. But at least doing the brain exercise, at least having the really quick conversation with you and your business partner to be able to say, do we really think that this is a risk? Or what are we accepting? Are we assessing a threat properly? Even small things like ransomware start bringing into this actual challenge as ransomware attackers are going after small businesses for this exact reason. So we have to start thinking about all the critical aspects of it. So have a quick conversation. That's probably the first thing that I would say is to have a conversation as a business if you're in the small business space. 
But if you're a larger business, this is really the space where security technologists need to champion their business acumen and say, I'm going to drive. I'm going to drive this articulation. I'm going to drive how to talk about risk properly within the rest of the organization, or we are back to the very beginning, which is fear, uncertainty, and doubt. We're back to overspending. We're back to trying to figure out how we fill resources. When there's a resource gap, we're back to all the same challenges because we can't prioritize all of our efforts.

[00:09:35] KRISTINA: So, what's the role then for marketers? For example, marketing directors might be listening to you. I'm kind of thinking to myself, I’m thinking about several of my friends who are marketing directors to say, can I just toss some money at this? What tool do I need to fund? You know, and, and let me be done with it. So, what's their role? What should they be doing?

[00:09:54] JASON: That's a great question. I think marketing teams should probably primarily partner with the spaces in the business. If it's them, that's great. But primarily partnering with the space in the business that is assessing the risk in going to market, and the tools that they're using in order to go to market. The answer that I generally say about tooling solutions themselves is, everybody says people before everybody says people process, technology. I like to say people before process, before technology. Don't start with a technology solution and hope that you can back into the process and then hope that you can back into the people who know how to use that process. Instead, I want to start with a people solution. That's the best possible scenario, which, when I flip it all the way back to your question about phishing training, that's a fine way to start addressing the people challenge. If I can legitimately change people's behavior, I have properly reduced the risk of a phishing attack. Therefore, I don't need to go spend hundreds of thousands of dollars on email protection because I've properly addressed the people aspect of this. So, for marketing teams, an absolutely critical area of the business. The last thing we want to do is slow them down. So what I would probably focus on is, rather than is there a technology that I can put in front of it and then feel better about it, I would stay away from that solution and drive much closer to the process, to the people aspects of it that allow us to get ahead, which is proper risk reduction. I am mitigating that risk by changing people's behavior or mitigating that risk by putting a better process in place.

[00:11:37] KRISTINA: When we think about breaches, data breaches, and I'm sure you've seen regulators respond through audits or reviews of those breaches, do they tend to weigh equally the people and the process and the technology? Are they like, Hey, no. You know what? You had the people in the process, but you missed the technology. I'm going to fine you. Have you seen any kind of trends, or do they look favorably on things like, what does it look like out there at that moment where we have a breach, and we're facing regulators in the eyes?

[00:12:05] JASON: Yeah, that's, that's a great question. This is one of my favorite topics about the field itself; regulation or compliance has kind of taken over making decisions in the field itself. And compliance always lags security, or even maybe better said; compliance always lags the threat. A good attacker is going to leverage the way that businesses are designed to work, or the technology is designed to work against itself. So if I've published the minimum standard that everybody has to meet in order to become PCI compliant or MIS compliant, or ISO, you know, name the framework compliant an attacker's going to be able to maneuver around that, that becomes the minimum threshold. So, unfortunately, what has happened is a lot of organizations use compliance frameworks to drive their decision-making when in reality, it is a framework of yesterday. It is a framework of legacy. It is a framework of minimum. And it doesn't really address any of the threat components that are required for a forward-thinking security strategy. So I think your question is astute. If there really hones in on compliance frameworks can't answer it. And I don't want anybody to abandon compliance frameworks. They are good business drivers to get investment and funds, and they are good ways to be able to articulate throughout the business what needs to happen. But what I generally say is if you are putting a certain amount of effort into your compliance framework, you need to be putting at least, at least more effort into your threat framework, into your threat analysis, into a security framework that is designed to get in front of the threats of tomorrow so that you're not meeting the minimum. And then wondering why you get breached a little bit later. GRC or the regulation and compliance aspects of security are overstated onto a certain amount of process or a minimum check in the box that I really think has done a disservice to the field.

[00:14:16] KRISTINA: If an organization were to be doing a regular threat assessment, for example, but they're not looking at compliance, is that almost a better position to be in? Because that's what I'm reading into this is, I can button down the hatches and really kind of go to town and be protected. And not necessarily worry about compliance. Not that I'm not compliant, I might be compliant in the process of doing that. Because that's what I hear from you. You might be well beyond compliance, right? If you're buttoning down the hatches. But I'm not starting from the compliance perspective. So, I could achieve compliance in the process, but I'm not focused on that. Is that right?

[00:14:50] JASON: Yeah, I think that's exactly right. Yeah. I can be secure. And compliant. And, if you do a proper threat framework, you are probably both. On the other hand, though, if I'm just compliant, it is very possible that I'm not secure. I think it's very, it's a good strategy to start from a security bias or threat model bias and then work your way back into how does that align with our compliance framework? If you're in the banking industry, you're not going to get away from PCI compliance, so it is going to be a critical part of your business. We don't want to remove it, but it shouldn't drive all of your security spending. It shouldn't drive all of your strategies. Your PCI compliance should not be driving your five-year security roadmap. You are going to be missing a bunch of stuff.

[00:15:39] KRISTINA: That's kind of scary. I'm sorry. I'm just thinking about how much people like their checklist and how people get excited that they're like, okay, you know what? I have my controls in place because compliance came through, and I'm good.

[00:15:54] JASON: Yeah, it, it provides a false sense of security, and it, it's not only for the IT organization, it provides a false sense of security for the executives. It provides a false sense of security for the board. It provides a false sense of security for shareholders. It's the reason people are getting owned by ransomware right now because they had certain checks in the box but didn't approach the way that attackers have maneuvered; they've maneuvered around those compliance frameworks. They've maneuvered around the perimeter, they've maneuvered around the password, minimum password requirements. Those are the things that we find in compliance frameworks, and they're effectively not for an attacker these days.

[00:16:30] KRISTINA: So that makes me wonder about things like changing passwords and forcing people to change their passwords. I caught up with a friend the other day who said to me, eh, you know, shouldn't be worrying about changing passwords. What's your thought on that? And how do we think about not just passwords, but to me, that's symptomatic of people, right? Because it's an inconvenience for people. So how do we solve people's problems? Because that seems to be one of the biggest challenges.

[00:16:54] JASON: Along the passwords and the passwords and the people aspect are just so inherently tied. We used to rotate passwords because there was a general assumption that people would keep them strong, but it's human nature to, if I have to change it every 30 days, I'm going to do something that I can remember. I'm going to default to a birthday, or I'm defaulting to a pet, or I'm going to default to an address. And those passwords become the exact same thing. If I were to poll everybody in our cybersecurity company, everybody would use the same three to five passwords. That's super common. So when we bring that into the security aspect, because we know that's how people behave, it would be better for us to just get rid of passwords altogether. It would be better for us to say, you know what, I'm going to, if people before process, before technology, what I'm going to do is I'm going to intercept this problem with a process. I'm going to say I don't need you to do that at all. I would rather you have one strong password that you can use that you rarely change, or even better, I'm going to prefer you go pure passwordless. Windows Hello for Business, leverage a YubiKey, something that prevents you from having to use a password to authenticate it at all. And just about every primary business application can authenticate via a passwordless solution right now. And I heavily favor that. By far, the most secure way to authenticate these.

[00:18:24] KRISTINA: How expensive is that investment for the business?

[00:18:27] JASON: It used to be really expensive. It is no longer anymore. YubiKeys have become relatively affordable in the 12 to $15 range for some of 'em. And there are a bunch of other brands out there that do some of the same pieces. They used to be expensive. Much less so anymore. The underlying infrastructure doesn't really require a heavy total cost of ownership. I can connect it directly to your identity provider in most cases. It used to be relatively substantial. When I do roadmaps, this is one of the lower-effort security initiatives for organizations and one of the lower-cost initiatives for organizations. It's built into the majority of IdPs. I am biased toward the Microsoft solution and the Microsoft stack. They do a great job with having that stack available for organizations. I believe in simple security, and it allows people to do something simple. So, there's a lot that's built in that's ready to go. And Windows Hello for Business is one of those. Windows Hello itself, which is available to consumers, is also of the same type of technology. And it's well put together. I think it's relatively low effort, and relatively low cost.

[00:19:31] KRISTINA: If people aren't ready to jump into that type of solution, think about it from a password management solution. Yes. No. Use LastPass, don't use LastPass.

[00:19:40] JASON: Love LastPass, recommended to everybody. I use it myself. My wife has a small business that she runs. And she was bemoaning to me all the different accounts that she has to manage. And it's like, how come I haven't bought you LastPass yet? So it turns out I had friends and family opportunities through my account and just enrolled her right in LastPass. And it's great. She uses it everywhere. I'm a big fan.

[00:20:00] KRISTINA: That's great. I was thinking about that when you were talking about passwords because I like to think that I have a single, very strong password that nobody can guess, which is actually true. My problem is that I repurpose it. So it gets exposed in one place. Guess what? Every place is exposed now, potentially, right?

[00:20:17] JASON: Yeah, I do it all the time. I do a demonstration. I go to haveibeenpwned.com, I enter the address in and then see if that address has been leveraged and move from there to be able to say, if your password wasn't here, whatever you use that password now is, can be compromised in a database. So everybody does some of those exact same practices. It's certainly not an indictment. It is human nature the way that things are practiced. So rather than putting a compliance framework in that says you have to change it every 30 days, I'm going to intercept that altogether, and remove passwords from the solution, and now I am more secure. I'm legitimately more secure against an emerging threat.

[00:20:55] KRISTINA: So one of my favorite quotes of all time is, is really around being a hundred percent secure and protected online, which is great, right? We can all get to a hundred percent protection. All we have to do is, like, not be online. That's the answer, right? Just don't go digital. Right. Yeah. And then you'll be secure. That's great. That's the right solution. But most people like they need to make money, which requires them to be online. So thinking about how businesses hedge, you've already talked about threat assessments, going beyond that minimum compliance effort. But as executives or marketing directors think about their risk, what should they be thinking about insurance? What other types of tools do we have that we can hedge with?

[00:21:36] JASON: A hundred percent security is non-achievable, as you said. The only way to do it is to turn off your computers, write everything on sticky notes, and you can do business that way. Unfortunately, that is not the way that we do business right now. Maybe, fortunately, I would say fortunately, that's not the way we do business anymore. We've gone faster; we've gone more agile. One of the things I would do if I were to take off my security technologist hat and put on my business executive hat one of the things that I would challenge the security team or challenge IT teams to be able to do is to enable my business. And come up with creative ways in order to enable my business. Too often, security technologists are the ones in the room who leverage their technical acumen to slow down the business. And that's really a travesty. That should not be our job. We should be able to be clever enough; we should be able to be creative enough; we should be able to be technical enough to be able to architect a solution that enables the business to have differentiation, enables the business to have speed. You don't need the security person to be the person of no. And you don't need to be afraid of the threat to your business; you need to be aware of what they are, articulate them, and then transfer them, mitigate them, or accept them. But we don't need to be, have the security point of view, slow down marketing initiatives. We don't need to have a security point of view. Say you can't use that business development tool even though you know it's the right tool for your business. Use it. We should find a way to be able to mitigate any risks that may be associated. Along the same lines, one of my favorite models for security persons is to have them report directly to the CFO. 
That requires them to be able to learn how to articulate every security initiative in terms of bottom-line numbers; every investment that I'm asking for, it has to have returned in the business rather than reporting under a CIO, who may accept technical solutions exclusively, but as a security technologist, I need to learn how to connect those to business initiatives and how to say I want to put in a data loss prevention solution so that we can have a more differentiated security point of view in our e-commerce. That should be my value prop to the business. Not, no, we can't go to the market that way because it's not secured. So I, I think that's probably one of the, one of the biggest benefits that security teams can be providing to the business and that executives should be driving down and asking the rest of their business.

[00:24:19] KRISTINA: That's a great tip, especially, I think, from a CFO and an ROI perspective. And I know folks are going to immediately tweet at us and say, well then, how do I prove a negative? How do I prove that you know you're safe and you're secure? Like, how do I get to that? You know, so, so genuinely, right? It's like if we're going to do that and you're a good security person, we're not going to have to talk about numbers because I will have protected the organization or the enterprise. But then how do you calculate that?

[00:24:45] JASON: That's a great question. Yeah, we'll always have the Black Swan problem in security. I can't prove the negative is not going to exist. What I can do is start articulating actual risk because everything that's in the risk equation has something that I can find out from my organization and articulate that risk quantifiable. In any quantifiable articulation, they're only going to be relevant as they're relative to each other. Because we're kind of playing with Monopoly money at this point in time. I've come up with my own economy, and I'm giving it a risk equation, but that's fine because that allows me to determine the right amount of resources to attribute or to put on a specific risk. If it's high, I give it a high amount of resources. If it's low, I give it a low amount of resources in order to be able to mitigate it. That's one of the benefits that we can do though, that we can bring to the business through quantifiable risk regulation. But I am always going to have the Black Swan problem. I was going to have the, but I can't prove that. I'm not going to get hacked. But one of the perspectives that I think we've talked about is compliance and we've talked about security. Another slight lens on this is exclusively talking about it in terms of resilience. How resilient am I as an organization? How resilient is our business? Which I think turns some of that can't prove a negative on itself. I no longer am saying you can't do that because you're going to get hit with ransomware, or, I can't prove that you're not going to get hit with ransomware. Instead, I'm taking a resilience point of view, which is going to say if we do get hit by ransomware, I know that we have mitigating technologies like MFA, like backups. Those are the two primary ways to be able to mitigate ransomware. MFA and backups. We have all those in place, and they've been tested, so I know that we're resilient in that space. 
I have a hot, cold cloud backup solution that ensures that we're going to be able to recover. I have an alternate site. I have the ability to make sure that our business is legitimately resilient and we can quickly recover at a low cost. That allows me to turn that can't prove a negative black swan probably on its head a little bit.

[00:26:54] KRISTINA: Everybody should be taking notes right now because this is like the gold part. I love that. Well, one really big question because I think, we could probably talk all day long, Jason, I appreciate the fact that you're being very practical, giving us great advice, but I know for a lot of folks, their organizations are starting to like dabble in web 3.0, getting into the metaverse realm, even if we're not really in the metaverse yet. And everybody's like, oh, it'll be so different, or it is so different. Is it different?

[00:27:20] JASON: I would say it's not different. That's my general take. The reason that I would say that is a lot of the same principles apply, and if we go back to something I said earlier, which is attackers use the way technology is designed to work against itself. So, if you give me a different technology and I'm an attacker, I'm just going to leverage that technology against itself is now a new way. You didn't provide me with a different problem. What you provided me was a different puzzle, and I'm good at solving puzzles if I'm an attacker. The nice thing is as those technologies evolve, the opposition or the attacker isn't the only one who gets to leverage. So I can leverage those technologies myself, and I can leverage them in order to be able to properly defend or to properly adapt to a security or resilience mindset. We think about these technologies as tools. If you give me a smaller tool, I can be productive. If you give me a power tool, I can be even more productive. And if you give me a really big accelerated technical accelerated tool, I can be even more productive. The exact same thing happens in the way we leverage security against a specific threat. As those technologies evolve, what I'm going to do is properly leverage that technology. Doesn't matter if it's quantum computing or the next internet or the metaverse; all of them end up having the exact same problem, which is attackers are going to leverage it against themselves. And we need to be able to properly leverage that technology in order to mitigate.

[00:29:05] KRISTINA: So folks, don't focus on the shiny thing because it's not the shiny thing that's going to get us anywhere ahead. It's really the good old-fashioned. Think through the risk, think through the opportunity, balance those two out, and then figure out what's going to work for your business. Do I have that right?

[00:29:20] JASON: Absolutely.

[00:29:22] KRISTINA: All right. Well, thanks so much for stopping by today, hanging out with us and helping us understand what we need to be focusing on from a security and operations perspective. I really appreciate the practical insights and your time.

[00:29:34] INTRO: Thank you for joining the Power of Digital Policy; to sign up for our newsletter, get access to policy checklists, detailed information on policies, and other helpful resources, head over to the power of digital policy.com. If you get a moment, please leave a review on iTunes to help your digital colleagues find out about the podcast.
