
251- Securing the Enterprise: David Kiklis on the Evolution of Cybersecurity and Keys to Success


David Kiklis

David Kiklis has over 25 years of experience spanning cybersecurity, infrastructure, and enterprise architecture. He specializes in building defensible cybersecurity programs, utilizing essential tools effectively, and framing cybersecurity as an executive business discussion. David has helped numerous companies improve security strategies and avoid common IT pitfalls. His passion is helping organizations build pragmatic cybersecurity strategies focused on risk and aligned with business objectives.


What does it take to build an effective cybersecurity program? How has the landscape evolved over the past 20 years? In this podcast, we tackle these questions and more in an insightful chat with cybersecurity pro David Kiklis. Drawing on decades of experience, David shares perspectives on managing cyber risk, working with auditors, getting leadership buy-in, and using the right tools. Expect a view on where cybersecurity has been, the challenges we face today, and advice for the future as we cover security frameworks, data governance, and shifting conversations. No matter where you are in your cybersecurity career, you will take away valuable lessons on maturing programs and influencing executives.

Disclaimer: The views, thoughts, and opinions expressed by guests on this podcast are solely their own and do not necessarily reflect the views or positions of their employers, affiliates, organizations, or any other entities. The content provided is for informational purposes only and should not be considered professional advice. The podcast hosts and producers are not responsible for any actions taken based on the discussions in the episodes. We encourage listeners to consult with a professional or conduct their own research before making any decisions based on the content of this podcast.


Episode Show Notes

Shifting Perspective: Investing in Cybersecurity ROI [00:03:44]

The Importance of Cybersecurity in the Modern Workplace [00:05:01]

Safeguarding Data and Obligations as an Employer [00:07:11]

The Growing Regulatory Mandates for Privacy and Cybersecurity [00:09:36]

Auditing and Proving Control in Cybersecurity Policies [00:12:38]

Balancing Document Classification and Cybersecurity Controls [00:14:27]

Shifting IT Discussions to Business Language and Outcomes [00:20:38]

Government vs. Private Sector: Key Differences Explored [00:31:31]

The Variations in Cybersecurity Programs [00:33:00]

Understanding Cybersecurity Program vs. Cybersecurity Tools [00:35:09]

Annual Penetration Testing vs. Real-Time Dynamic Testing [00:38:01]

Patching Systems and Building Defensible Cyber Programs [00:42:23]

Transcript

Speaker 0 | 00:07.977

All right, well, welcome back to Dissecting Popular IT Nerds, where we’re allowed to geek out with our fellow nerds. Today, I’m proud to introduce David Kiklis, who wants to help shape our discussion with the business around cybersecurity. So, David, tell us a little about your experience, and let’s talk about how you suggest we frame that conversation.

Speaker 1 | 00:28.023

So, yeah, thank you for having me. I’ve been doing cybersecurity in one shape or another since about the year 2000, even before this was considered a career path.

Speaker 0 | 00:41.454

Yeah,

Speaker 1 | 00:41.714

or even really a term. Yeah, I worked for a company at the time that did a substantial amount of U.S. government contracting. And, you know, really this was beginning to emerge as a threat. And so we had to develop programs and tools and language to speak with federal auditors where there really weren’t any standards in place. So I’ve been doing this for a long time.

Speaker 0 | 01:06.102

Yeah. Because I, you know, I started in IT somewhere right around that time, and our discussions around cybersecurity, or just security back then, it’s a world of difference between today and then.

Speaker 1 | 01:21.106

Oh, without a doubt, without a doubt. I mean, you know, the threat landscape, obviously the internet, really has progressed and modified so much over the last 23 years now. You could now see, so, in cybersecurity, our career fields. Back around the turn of the century, they were not. They were just something you did as an IT person without a lot of standards, without a lot of guidance, and quite frankly, hoping for the best. And then all the vendors that really help us, looking at the threat landscape and all the various…

Speaker 0 | 01:56.364

tools that we use, they were in their infancy. Yeah, especially back then. I remember having discussions with fellow, like, I joined InfraGard back in 2004, and when we started having some of the discussions and we’re talking about security, you know, I’m talking about, what was it, 2800, the magazine that used to come out once a month. And I talked about, like, I knew what, oh God, what can I think of it, the scanning tool that checks all of the ports that we still use today. Yeah. And other CIOs or managers of IT departments were like, how do you know all of this stuff? Why do you know this stuff? They thought I was a threat because I knew it. And all I was trying to do was, like you, be aware of security.

Speaker 1 | 02:46.890

Right.

Speaker 0 | 02:47.430

And what I was doing was nothing compared to what you were doing.

Speaker 1 | 02:51.292

Yeah, and we had a much heavier burden. Back in that day, I was dealing with a lot of top-secret data, right? So you had standards from the FBI or other federal agencies that were sharing U.S. government top-secret data for purposes of a contract. And even they were struggling on how do you move the data? How do you secure the data? How do you deal with data integrity? All of these things that really hadn’t been thought of because in the past lives, they were literally couriering nine-track tapes back and forth. And that’s how the data transfer would happen, right? It’s physical. The data would be physically transported by, you know, by couriers. And so a lot of the, you know, a lot of the risk was mitigated by just physical possession and then SCIF-type rooms, right? So, but, you know, earlier when we connected, you talked about that the… The traditional question that we hear all the time is, how do you convince a company on the ROI or the need to invest in cybersecurity tools? And it’s a question that I think was being asked a lot, like 10 years ago. I have not heard anybody asking that question now. Like, not, do we need to invest? The question really is, how much do we invest? And that’s a really tricky, that’s a really tricky calculation to do. Yeah,

Speaker 0 | 04:21.411

because, you know, I was having some of this discussion with the leadership at the former organization I worked at. And they were still on an older mindset on this. I was still trying to have that conversation of, okay, I need these tools and this is why. And they were still on kind of that mindset of, not even of insurance, of, well, it’s not happening. We haven’t suffered from this. So why do I need that level of protection?

Speaker 1 | 04:56.231

And it’s hard to defeat that mindset, right? It’s like car insurance, right? I haven’t been in an accident, therefore I don’t need it. But if you don’t have it, right? And the problem with any of these cybersecurity tools is it’s very difficult to prove a negative, right? It’s very difficult to prove that because we had X, Y, and Z, you know, it didn’t happen.

Speaker 0 | 05:18.539

Yeah, our threat landscape was much smaller, thus we didn’t incur any events.

Speaker 1 | 05:24.021

We didn’t incur the downside. I think one of the things that makes this easier in the modern workplace is if you’re publicly traded, then you’re under the umbrella of SOX in the US. And that has mandates for basic cybersecurity. There’s now the new 8-K reporting requirement from the SEC as well to disclose any cyber breach that may happen to a company. Right. Which then puts the onus back onto the leadership of the company to be cyber aware. If you’re doing business with the federal government, there are FedRAMP and NIST guidelines that you must follow to be a business partner. And technically, even if you’re doing business with a prime contractor, they’re responsible for having those requirements flow down to you as a sub.

Speaker 0 | 06:17.407

Yeah, the business partner of the business partner. Correct.

Speaker 1 | 06:20.389

And the way that contracting works is the prime is obligated to make sure the subs are following the terms of the prime contract. You can’t say, I’m abstracted away a little, therefore it doesn’t apply to me. And then, you know, if you want to have any reasonable cybersecurity insurance, there are minimum gates that you might go through in order to prove that you’re not a major liability and you’re uninsurable. Which, when you take all that out, you’re left with essentially sole proprietorship or LLC tech companies that are not beholden to venture capital or anyone else to dictate their business practices and not interested in the cybersecurity insurance. Which again, there’s arguments whether that’s an effective tool or not, but it’s a relatively small category, right?

Speaker 2 | 07:12.403

Hey guys, this is Phil Howard, founder of Dissecting Popular IT Nerds. I just want to take a few minutes to address something. It has become fairly apparent, I’m sure all of you will agree over the years, that slow vendor response, vendor response times, vendors in general, the average is mediocre. Support is mediocre. Mediocrity is the name of the game. Not only is this a risk to your network security, because I’ve seen vendors on numerous occasions share sensitive information, but there’s also a direct correlation to your budget and your company’s bottom line. Not to mention the sales reps that are trying to sell you and your CEO and your CFO on a daily basis. That causes a whole other realm of problems that we don’t have time to address. Our back office program at Dissecting Popular IT Nerds, we’ve put together specifically for IT leadership. And it’s on a mission to eliminate this mediocrity. And the best part is that we’re doing this in a way that will not cost your IT department a dime. So, if you’d like us to help you out, get better pricing, better support, and jump on pressing issues in minutes, not days, then contact us now so we can get on a call with you and conduct a value discovery session where we find out what you have, why you have it, and where you want to go and how we can improve your life, your IT department, and your company’s bottom line. What you’re going to end up with is, number one, just faster support from partners who care about your organization’s uptime and bottom line. And because you’re going to be able to access our $1.2 billion in combined buying power, you’ll be able to benefit significantly from historical data. And on top of that, you’ll also benefit from the skills of hundreds of on-demand experts that we have working behind the scenes that are all attached to our back office support program. So if you’d like, again, none of this is ever going to cost you a dime. At the very least, it’s going to open your eyes to what’s possible. Let our back office team provide you the high touch solutions and support that your IT team deserves so that you can stop calling 1-800-GOLD-POUND-SAN for support. Now, if you’re wondering, what does this apply to? This applies to your ISPs, your telecom providers, all your application providers, whether you’re a Microsoft shop or a Google shop, what you might be paying for AWS, even Azure, co-location space, any of those vendors that you’re paying a monthly bill to, we can help you with.

Speaker 1 | 09:55.606

Hey, it’s Greg, the Frenchman secretly managing the podcast behind the curtain. To request your one-on-one call, contact us at internet at popularit.net. And remember, it will never cost you a dime.

Speaker 0 | 10:08.434

Well, and one of the other things that I saw was that I was getting a little more traction due to the financial institutions that were involved with us. So it wasn’t necessarily the venture capitalists like you were talking about, but just simple, the banks that we wanted a line of credit from. They were doing their own audits to make sure books were good, and they had this whole section on cybersecurity.

Speaker 1 | 10:32.028

Yeah, I missed that whole category, right? Yeah, and every year, for your vendors or your suppliers, oftentimes there’s a contractual obligation, or your customers, a contractual obligation for you to provide evidence of a cybersecurity program, right? If you are a vendor and you are supplying customers, and they’re giving you their intellectual property or their data, you are in fact now responsible for safeguarding that in whatever way, shape, or form it comes to you, right? You are the data steward.

Speaker 0 | 11:06.370

And just steward over the system so that it’s not easy for somebody to get in and steal all the money.

Speaker 1 | 11:12.932

Or steal the intellectual property or steal the downstream company’s contract and data. The other obligation that you have as an employer is to safeguard your own employees’ PII and PHI information because if you’re providing benefits or payroll services, you have your employees’ Social Security numbers and in many cases you have their health history. If they’ve applied for short-term, long-term, any other common thing that happens, you as an organization are obligated to safeguard that information. And that is mandated by the privacy laws that are in every state, or GDPR if you’re in the European Union. And they vary, but they’re getting stronger and stronger and stronger as every year passes. Usually California goes first, Massachusetts goes second, and the rest follow. There’s a few that don’t. There’s a couple that don’t really pay attention to this, but the vast majority of states where you would draw remote employees from, say, if you’re a Boston-based company, they have mandates for privacy. So again, you’re obligated under so many different external regulatory bodies just because you’re in business. So I think the question isn’t, do we spend any more? It’s how much do we spend? And the thing that happens, unfortunately, is as the cybersecurity vendor market space has developed and then fractured and then continued to develop, what was, you know, QRadar with IBM back in 2000, which was one of the only tools available, suddenly has now become a thousand vendors. And some of them solve one very, very specific problem. That’s all they did.

Speaker 0 | 13:00.452

I would say the majority of them only solve one very small one.

Speaker 1 | 13:04.853

Well, I wouldn’t say. I mean, there are some major ones, right, where you’ve got like the big spam-filtering tools or the big SIEM tools like Rapid7 or… some of their competitors. But as you go down the path, there are now lots and lots of vendors that just solve for one NIST control or one ISO control, and that’s what their product does. And there’s a diminishing return there on the spend, right? Is how much is this particular control a real risk where I have to invest in a tool to manage and mitigate the risk? And in some companies, the answer is yes for everything. And in some companies, the answer is we don’t do that. I’ll give you an example of a company. We do not do any software development. We are not. We’re a pharmaceutical company. So all the tools around vetting code for cybersecurity, or vetting pre-bought modules to make sure they’re safe or there’s no back doors, all that, there are these tools. I know this whole universe is out there. It is not relevant to our business. Therefore, we’re not investing in it.

Speaker 0 | 14:12.322

Right. And this is part of, or it’s really critical to the way that you’re suggesting, or that you’ve seen people reshaping this discussion of… Yeah,

Speaker 1 | 14:23.191

absolutely, right? Is if you really want to try to prove out, in my take on this, building a program, building a program, the real cost in terms of hard dollars involved out the door is buying the tools, the appropriate tool set. And you may not need to buy them all at once. But the other two pieces that you need is you need the governance and the policies, as well as the education of your executives, your users, and your IT staff to make sure you’re meeting the needs and how you’re operating. In my experience, in every audit that I’ve been in with cybersecurity, that’s where they start. Give me your governing document. Show me how you do, how you manage, how you have a policy that manages your security plan, your cybersecurity, your awareness training for staff, acceptable use. The boilerplate documents that we use to say that we are in control. And if you think about any audit in any, you know, really doesn’t matter how they frame the question. The question really comes down to, do you know what you have? Are you in control of what you have? And how do you prove that you’re in control? And there are really just three distinct steps that the auditors are looking for.

Speaker 0 | 15:44.100

And I think one of the hardest ones is that final, that third one.

Speaker 1 | 15:48.041

Can you prove that you’re in control, right? And proving you’re in control says, I have a policy that says I will review all my users’ access rights monthly. Do you have evidence that you’ve done that? Have you done it? Here’s the document that says we did. Here’s the document that says what we will do. Here’s the evidence that we did it. Here I can present them both to you, Mr. Auditor, and we’re done. And if they disagree with your methodology for review, they may make a recommendation to shore it up, but they’re not going to say you didn’t think about this. Right? Right. But if your policy says, yeah, and here’s the control, your policy says I review it monthly, you review it once a year, and you can’t provide that evidence, you’re not doing what you say you’re going to do. And then you get into real trouble.

Speaker 0 | 16:35.864

With your experience, have you ever run into a situation yet where you really felt that there was a security control or an aspect of security that the organization you worked for needed, but wasn’t yet written into any of the compliance or the audits or any of these places? Yeah,

Speaker 1 | 16:56.116

absolutely. Yeah, this happens a lot. Yeah, this happens a lot. Absolutely.

Speaker 0 | 16:59.897

So how do you start that conversation?

Speaker 1 | 17:02.058

It’s really difficult because some of these things bridge into business operation. And I’ll tell you where there’s a lot of fuzziness, right, is I’ll give you a good one. Classification of documents, or DLP, right? Yeah. Right. It’s a squishy area, right? Cybersecurity says you must have DLP. You must prevent these things from exfiltrating your company in a meaningful way. The company says, we don’t want to differentiate or we don’t want to put things into buckets because it’s not useful for our business. Right. And there you have, because there you have a disconnect between how the business culturally or day-to-day operations run and a cyber control. So really, which is much harder to get the language going than say, we will do spam filtering or we will do multi-factor authentication, right? Because those are cut and dry.

Speaker 0 | 18:03.270

Yeah.

Speaker 1 | 18:03.810

Right? And that’s where… And how do you tell what the benefit is? Yeah. And that’s where any of these things, these controls that bridge into business operations, get difficult to implement. So with any risk that you come up with, right, there’s essentially three outcomes from the risk. You can accept the risk, you can mitigate the risk, or you can transfer the risk. So taking the DLP or the, let’s just say the classification discussion, which is best practice in some industries, which is not really relevant in some industries, you need to present that risk back to the senior leadership and say, here’s the risk of us not being able to manage what exfiltrates. And if the business says the burden of data classification is greater than we want to bear, and they understand the risk, then you can accept that risk as a condition of business. However, what you have to remind your leadership is if and when that risk materializes, right? That someone emails the business plan or… Whatever happens, happens, that they’ve signed off and accepted that risk. So when you get the how did this happen, you as a security professional need to CYA and say, we had an agreement that you determined the mitigation of this risk to be too costly to the business operations and didn’t want to do it, didn’t see a value. When that risk materializes, you signed off on this. And then generally what happens after that is there’s a flurry of activity and it gets put in.

Speaker 0 | 19:34.685

Yeah. Because they want to see why they’re asked.

Speaker 1 | 19:40.452

Yeah, never waste a good crisis, right? And those are where I find it to be very sticky, right? It’s retention policies. It’s clean desk policies. It’s, you know, if you’re programming, it’s code libraries. It’s all of those things where it’s not just in the bubble of the cybersecurity practitioner, where it bridges into business operations. And there is a cost, not necessarily a dollar cost, but there’s an operational cost to the business to implement.

Speaker 0 | 20:08.007

So, you bring up one of the things that I struggled with also, and how have you experienced that conversation of expanding that out? Because data loss prevention, oh, that’s… IT stuff. So they like to shove it over at them, but it’s not. Because all of those people generating those documents, they have to classify the information they’re putting into it.

Speaker 1 | 20:36.202

Well, it even goes beyond that, is you need to decide on a classification schema for your company, right? I’ve seen companies that have done 10. It’s like where it’s too nuanced for people to decide what’s the difference between five and six. And I’ve seen people that have done just two, high and low. Fair enough. Most companies I’ve worked at have not wanted to do any because they didn’t want to put that burden of deciding on someone. I think the biggest strategy that you can have with this is to take it out of the realm of cybersecurity and move it into the realm of business risk. And if you work with a legal counsel for your company, that’s a very good partner. Because a lot of what legal does is help mitigate risk to the company, whether it’s contract risk or employee risk or what have you. And they’re generally amenable to fostering the risk discussion about exfiltration, let’s take DLP, exfiltration of intellectual property, right? What really are our risks? What do we really need to do? And then as you circle back, if your cyber and your IT are separate, realize that until you include some mechanism to filter DLP, whoever, right? Keywords, some mechanism, IT systems are not smart enough yet to know this one’s good and this one’s not good. Like you have to give it something to work on. If you’re using Microsoft’s DLP, right, it relies on a classification schema, right? There’s all the other ones as well that crawl, they can auto classify, but still it has to be in bucket A, bucket B, bucket C, what have you, in order for systemically the systems to say, you can go, you can stay. That’s how they work, right? And in 10 years, we’ll have AI that… might be able to realize the difference between your document and my document. Right now, we’re not there. And I think the biggest thing is executive leaders don’t respond to cybersecurity. They don’t understand what we do. They don’t understand the landscape, but they do understand risk.

And they do understand decisions that impact the risk, whether it’s increasing or decreasing. So I think the key to this is to take it out of the realm of discussing DLP and discussing what’s the risk if our intellectual property is suddenly posted up on, you know, on the dark web, or worse, on Reddit, or on any of these other forums, where, you know, whether it’s your proprietary engineering diagrams, what have you. Because that type of exfiltration is generally done by either a hacker, right, or most likely a disgruntled employee that does that, you know. And so I think that’s the key, is to take it out of the IT nerd realm and put it into business speak. And then you have to document the outcome of that meeting. And to say, look, there’s four or five things here that as senior management in your company, you need to think about. How long do you want to keep stuff? Where are we keeping it? Who shouldn’t have access to the keys to the kingdom? Do we want to secure a special place for our highest level of intellectual property and prevent it from moving? These are questions that you should be asking. And then when they say yes, then you come back with a plan of how you need it. But if you start with, I need to put in DLP and here’s what it does and here’s how it works, it’ll just go right over their heads and they’ll shut down.

Speaker 0 | 24:09.024

Yeah. And that’s been my experience, except I have not been able to flip that discussion the way that you’re suggesting.

Speaker 1 | 24:16.228

Yeah. Yeah. Yeah, you got to make it a business discussion, right?

Speaker 0 | 24:21.114

Yeah. Well, and I tried to make it that business discussion, but I still struggled changing the language and actually coming at it from the risk perspective. Although there were times, you know, we talked about, I actually had talked about with the legal team both of these topics, you know, the classification and the DLP. And they really wanted this themselves because they saw the threat. They knew the threat because of living in the courtrooms and seeing what happened. And the two of us together couldn’t reframe that conversation well enough to get it passed. So I guess really they were back to response number one to the risk, like you said, you know, accept the risk.

Speaker 1 | 25:06.386

Yeah. And if that’s the case where you said, look, we have, you know, we as the CEO and senior leader, whoever is making that decision, and that needs to be at that level, they understand what they’re accepting, then there’s not much you can do about it, right? They’ve decided that it is not worth the company’s effort. If you have external counsel or external auditors, you can use them sometimes as a lever. I have used external audits or external assessments as levers to push the leadership into understanding they have a gap, knowing going into an audit, knowing I would fail that control, and it would be highlighted as red as a failure or a miss in order to…

Speaker 0 | 25:49.030

highlight the fact that, as a business, the business has not addressed this. Right. And so my experience along those lines too has been a little bit of, well, why did you let this happen? Well, okay, here, I let it happen, then now let me make sure it doesn’t happen tomorrow. So, see, that’s where you’re mistaken, right? That’s the thing, is it’s not you that made this happen, right?

Speaker 1 | 26:12.639

Well, you can’t. Yeah, right. If you shift the accountability to IT or cyber or those controls, that’s not where it is. The control and the definition of the controls are set as corporate policies. You’re just using the tools to enforce the policy.

Speaker 0 | 26:30.408

And I’m using the unspoken or undocumented culture of the organization who shifted it that way. They were redirecting that risk by blaming it over on IT when it was truly a business risk.

Speaker 1 | 26:46.906

Right. I mean, it’s one of those things, you know, putting my IT hat on for a second, you know, we’re going to go do a shootout and we’re going to decide on a new piece of software to do something in the business, right? We need a new worm. And there’s five competitors. If I look at those five competitors with an IT hat on, they’re all cloud providers. They’re all functionally equivalent, right? From a cyber perspective, they’re all basically functionally equivalent. I don’t care which one you pick. I really don’t. Which of these tools best fits your business requirements, your URSs and your needs, right? Because for me with my IT hat and my cyber hat on, they’re basically identical. So it goes from being a decision about a technology to being a business decision that the business has to own, right? Does this thing that I’ve picked match my URS, my functional needs? Because they’ve already met IT’s. They’ve already met cyber’s, right? And that’s the decision. That’s the discussion as we look at these systems and these acquisitions, is these may be enforced by IT because I have the tool that can turn the switch on and off. But the owner of the risk is you, right? Whether it’s COO, CFO, CEO, whoever, CEO, they have to own the risk and make the decision of how they want to be. I go back to, like, let’s talk a little bit about something that I see is very parallel, right? When people were still using file servers primarily for file storage, right? And you wanted to add permissions to a folder, and right, you put a help desk ticket in and IT would then add that user to that folder for you. Why? Because the AD tools were more complicated than we wanted end users to touch. It wasn’t because we added any additional analysis on the appropriateness of the request. It came in, it followed the pattern, and because the tool was complex, we went clicky-clicky, and the user now had access.

Now you move into SharePoint world, now the user, the owner of the data, is accountable and able to make their own decisions without us in the middle to add permissions to their thing. The accountability for access rights in SharePoint is back with the data owner where it should be. It is not with IT. Now, we can send them audit reports and say, hey, here’s your SharePoint site. Here’s everyone that has access to it. They can do the same thing. The reason, and this is similar to some of these controls, right, is that you need to move the accountability for the decisions around the execution of these controls into business decisions, into business languages, into risk, not into IT controls. And it’s very easy for the executives to throw it over the fence and say, oh, it’s just an IT thing. But it isn’t. If this was simple enough that I could have Mr. COO or Ms. COO go click, click, click and set these rules themselves, then I would have them do it.

Speaker 0 | 29:50.726

Yeah. Yeah. Well, and because we need it, because there’s also, oh man, there were so many, so many little threads in what you just said of experiences that, you know, I watched happen over the decades of trying to pass back and forth. Who’s in control of Active Directory,

Speaker 1 | 30:08.661

you know,

Speaker 0 | 30:09.762

HR wanted Active Directory because they needed it to be right, and for it to reflect everything, the way the organization was structured. Yet, just like you said, it was too complex and we were too afraid to give them control over it. So IT is sitting there clicky, clicky, clicky. But I wanted to make sure that the authority of who approved the movement from this department to that department wasn’t IT, because IT has no place in that.

Speaker 1 | 30:36.562

None whatsoever, right? And it’s the same with some of these controls. IT doesn’t have any place in deciding what is, you know, DLP high versus DLP low. We just execute once the framework has been given to us. Now, as a member of a leadership team, you can voice your opinion, but you don’t own the decision.

Speaker 0 | 30:57.742

Right. It should be a combined decision and or to the highest level and let them declare.

Speaker 1 | 31:04.127

And the only place that IT gets involved is if they want to do something that the technology doesn’t support. We can’t do that. So you can be the person that understands the limits of the technology.

Speaker 0 | 31:17.382

Yeah. And help define that and help share that, so that they understand it and understand more of that risk, kind of like what you're talking about too. Okay. Other thoughts, other things. I mean, we kind of talked about those things that step outside of the assessments, the audits, the requirements, the compliance. What other things have you heard about in this discussion that just drive you crazy?

Speaker 1 | 31:49.080

Well, boy, there's a lot, right? I think the other big challenge in cyber right now is making sure that your leadership team understands that they are part of the cybersecurity solution. Because if the worst happens, they are beholden to talk to the shareholders, the customers, whatever constituencies that you have, or upstream to your regulating agencies about what happened. They're going to be accountable for some of these business decisions. They're going to be accountable for being in front of the press, in front of whoever, and they own understanding where their risk profile is. And I think the easiest way to do that is to do some tabletop exercises with a third party, not as IT: having someone come in and do tabletop exercises with a neutral third-party mediator to say, hey, you know, CEO, this just happened, and now Channel 7's calling. What do you do, right? And understanding that, if it's severe enough, you're going to be national news, right? And the fallout from that is ripples in a pond. I think there's too easy an "oh, it's just an IT thing," and throw it over the fence.

Speaker 0 | 33:05.833

Yeah, and it’s been that way for decades.

Speaker 1 | 33:09.156

Yeah.

Speaker 0 | 33:09.997

Yeah.

Speaker 1 | 33:11.774

I think that the days of cybersecurity just being something that was done off in the shadows and the corners are over. The accountability is at the corporate level now for this. Hence the SEC requirement, right? Not only for someone on the board to be named as a cybersecurity expert, but also the reporting requirements in the 8-Ks now if something does happen. Which then goes on top of understanding what your obligations are to disclose, both from your state, from your contracts, from your customers, from all of the things that you do business with, right?

Speaker 0 | 33:51.439

Something just kind of came to mind, trying to further the discussion a little more. What's one of the biggest differences you've seen between government or military and private sector on this topic? What pops to mind when I ask about the difference there?

Speaker 1 | 34:11.187

Well, I think having FedRAMP and these other things has changed the language quite a bit, right? It has standardized how people manage their cybersecurity compliance with the government, right? It wasn't always that way. Each government agency had done its own thing and things were complicated. And then, you know, over the last 10 years, it's also become much more rigid, right? Because in order to play ball, you have to be compliant. And if you're not compliant, you have to find a way to get essentially a waiver. Now, I haven't done federal contracting since about 2009, so for quite a while, right? In the private sector, I think the biggest difference is that companies do not understand what their external compliance requirements really are. And because there's no... real mandate. Even SOX is not a mandate. It's based on how PwC or Deloitte, or whoever, wants to interpret the regulations. So the assimilation of cybersecurity programs into the corporate landscape is wildly varied. Wildly, right?

Speaker 0 | 35:38.663

I would just suggest, for somebody that's coming into this, you know, some of these people are getting degrees in this. And I don't know what it's like for them getting degrees today, but I assume that it's kind of like it was for me when I got my degree. I walked out of college, or out of the university, thinking, OK, I know everything. I just got my degree. And then reality slaps you in the face. Yeah. I don't know. Well,

Speaker 1 | 36:03.669

I think you're going back to the earlier part of the discussion. The biggest problem that we as IT people face is we chase the shiny object. Oh, gosh. We chase the tools. Right. We chase the tools. And we chase the technology because all the vendor demos look fantastic. And I'm going to go back and say that, yes, I think you need core tools. Yes, I think there are several that are absolutely table stakes. But no one's going to ask you when they walk in the door for an audit, are you using Mimecast or are you using Barracuda or are you using this one? The question is, are you using the spam filter effectively? Right. Right. And that's the question, right? So we as IT people can kind of get blinded by the purported differentiation between tools. And we tend to ignore the governance and the documentation and the proof that we are in fact doing what we say we're going to do. And that's the first place that people look. They don't look at the configuration of your spam filter until things have gone wrong. And if you're at that level in the weeds, things have gone really, really wrong, right? If they're actually on your shoulder, looking at your configs or your logs, right?

Speaker 0 | 37:21.058

Yeah,

Speaker 1 | 37:22.058

yeah. So I think, you know, if you're starting in this industry and you're trying to set up a program on your own, then you really need to look at what a good cybersecurity program looks like, not cybersecurity tools. And if you are progressing up the career ladder and you're in charge of a tool, then you need to understand how that tool is operating inside of your company, and what dependencies or what interoperabilities you can do with the information that tool is providing to mitigate other cybersecurity controls, right? It's, am I getting the most ROI out of my tool before I go buy another one and ask for more money, right? And the answer might be yes, the answer might be no, the answer might be that we choose to do it in another interface because it's easier or better. But just chasing, hey, we need another one, and I got an email from this really cool vendor, let's go buy this thing too: you end up with too many screens and so much information that you can't possibly process it. And in some ways you're worse off because you've got too much coming in. And if you're two or three people, your attention is so divided, versus if you had one or two screens and things bubbled up on it. It may not be the best, but you go look there.

Speaker 0 | 38:36.952

I think back to an old name of an old attack, the Christmas tree attack, where you get every light to light up and blink all at the same time. And now the one critical one, it’s blinking, but it’s just one of a thousand.

Speaker 1 | 38:50.799

One of a thousand, right? I mean, you look at, we’re a small company, right? We’re 500 people. We’re generating probably a million log items, you know, more than a million a day easily, right? There’s no way as a human you’re going to sit through that.

Speaker 0 | 39:04.747

Yeah. Yeah, that's... That's where SIEM tools came from.

Speaker 1 | 39:09.069

Right. Yeah. Right. You're trying to automate what I need to pay attention to, right? Yeah. The other piece of advice I would give you is that penetration tests, which have always been one of those standards, unfortunately are just paper compliance as far as I'm concerned. And the only reason I say that is every organization I've seen that's done the social networking one, they failed. And then the pen test is only as good as the date you did it on. So you do a pen test last week, and a new zero-day comes out or a new exploit comes out the following week, and you don't patch for it, your pen test is meaningless. You're just as wide open. The problem with these static pen tests that are done once a year is they don't reflect the dynamic nature of our environment anymore. There are other tools out there that do dynamic pen testing on a real-time basis. Possibly, and those are much more effective. Yeah, those are the tools that are much more effective if you really want effective security. If you're just looking to check the box because it said so on the form, then yeah, do your annual pen test. If you want to scare yourself, do the social networking test, because every company I've ever talked to that has done it, it's failed. Even companies where, yeah. No, no, the social networking one, right?

Speaker 0 | 40:30.484

Okay.

Speaker 1 | 40:31.465

Like, I'll give you the worst one that I saw, which is the fun story, is, you know, the classic: I dropped a few USB sticks in the parking lot. And this was a company where if you plugged in an outside USB stick, it was grounds for termination. People picked them up, brought them in, plugged them in. And of course it fired off a little script that told us that they'd done so. And we went out and talked to them. But, you know, even if it was literally a fireable offense, it didn't stop people from picking these things up in the parking lot and plugging them in to see what it was. Ouch. Well, it's human nature. It always, always, everything. Right.

Speaker 0 | 41:11.116

And I’m curious.

Speaker 1 | 41:12.457

What did they tell you? Carry a clipboard, act like you belong, and people tend to let you in.

Speaker 0 | 41:18.734

Yeah. Okay. So you made a mention, and we zipped by it because we were talking about where to start, of the table stakes tools. What table stakes tools do you feel are out there?

Speaker 1 | 41:31.985

If you don't count, yeah, I think you absolutely need some sort of a SIEM tool, right? Some sort of tool that's doing log aggregation and correlation inside your network, that is collecting events, analyzing events, and telling you, hey, something's going on here that doesn't look right. The other advantage for those tools is, because there are lots of customers, they can see what's happening out in the wild. And even though you may not be a specific target, you may still be vulnerable because you're connected to the internet. I think you need a next-generation firewall that is actively, you know, threat hunting. I think you absolutely need a decent malware engine on your endpoints.

Speaker 0 | 42:24.040

Okay. And then, of course, you’ve already mentioned it a couple of times, either the spam filter or the email filter.

Speaker 1 | 42:32.527

A robust one. There's a dozen to pick from. You know, obviously email is one of the most likely places for you to get ingestion of malware. I think you need a cybersecurity awareness training program, whether you buy a tool for that or you do it yourself with content. And then finally, the last thing you need is a very good backup and recovery process for any on-premise systems that is secured from ransomware, whether you're using something like Rubrik or other tools. You want that copy to be immutable. And if in fact you've done that tool in conjunction with OneDrive, in conjunction with some of the other O365 tools, the chances of you not being able to recover your data center or your end users' content are low. You might have to redo the laptop, but the content is safe. And let's face it, the cost of a $1,200 laptop is far less than the intellectual property that's on the laptop, right?

Speaker 0 | 43:39.221

Right. Yeah, so that brings up, I'm trying to think of what it's called, but the secure encryption of the hard drive while at rest.

Speaker 1 | 43:49.847

Well, yeah, that's native now in almost all the brand-name ones, right? But if ransomware comes along and encrypts it on you and you can't access things that are only stored on that C drive, they're gone for all intents and purposes, right? You enforce that they're copied to another place, whether it's a Google Drive or through OneDrive, whatever tools you're using, and those in turn are standalone copies that are not tied to the desktop. If it's ransomware, you know, you'll be able to recover the intellectual property, right? You have to look at the thing end to end for data recovery. But, you know, if we're talking about what the basic tools are, right, it's something that tells you something's gone wrong, something to protect yourself so that you have immutable copies, and then spam and malware filtering to prevent it from trying to happen in the first place. And the most common advice that I give, that I've been given by almost every hack that you look at, is patch your systems, right? If you're not deploying on-premise patching, desktop patching through Intune, through a Mac control tool, through third-party, you know, Shavlik, whatever, patch your systems, because most of these exploits happen because of unpatched systems.

Speaker 0 | 45:06.338

Right, and it's got to expand beyond just Windows Update, because it's got to catch all of the applications that are in your environment.

Speaker 1 | 45:14.563

Yeah, absolutely. Right, Adobe, server side, right. And again, you have a patching SOP that says, you know, Patch Tuesday, we review it that week, we push it out the next week. You should be able to provide evidence that you did it, which means you're doing automation or you have meetings where you have minutes that can prove that you discussed it. So if something happens, you can prove that you followed what you said you did, and that will get you out of negligence. And this is something I say to everybody, and I think I may have said this to you earlier. The way I view cyber programs is you're not trying to build the immutable fortress that no one can come in on. If the Russian army or the Chinese army decides they want to hack you, there's a good chance they're going to be able to, one way or another, right? What you want to build is a program that is defensible as not being negligent, which means you are at the state of the industry for policies, procedures, operations, tools, or better, in every dimension that you're concerned about this risk. And when the auditor comes in and they're doing their forensic analysis after the fact, you can say, we were at state of the industry plus X on everything that we do. Here's how we managed it. Here's how we controlled it. And if a zero-day exploit comes in that no one's seen before, right, and the tools were unable to see it and catch it, right, how can you be held negligent for that? You can't. Yeah. But you don't patch. You know, you say you patch every Tuesday. You don't patch every six months. The exploit comes in because it's a known exploit, and then the exploit is exploited. And you didn't patch. You are absolutely negligent at that point.

Speaker 0 | 46:57.623

Especially if you documented the fact that you say you're going to patch.

Speaker 1 | 47:01.085

And now you’re liable, right? And now your cybersecurity insurance will say, sorry, we’re not going to pay because, you know, you asserted that you did this process and you didn’t.

Speaker 0 | 47:10.010

Yeah. And that one will bite you. That one bites so many people, or so many organizations. Or, oh, I'm going to do this. Here's the process. I'm going to do it. Or here's the policy that I'm going to do it. And then you can't back it up.

Speaker 1 | 47:24.481

My advice to everybody on that is, if you write a policy in a vacuum and then you try to put it in operationally and they're diverging, right, you have to have a meeting and understand why they're diverging. And it might be that you rewrite your policy. Right. It's not that the operations always has to come to the policy. It could be the other way around, but they have to match. Yeah. Right. If you've written your policy into something that your group can't meet because of conflicting obligations or time or what have you, then you might want to ramp your policy down so it is something that you can meet.

Speaker 0 | 48:01.288

Okay. No,

Speaker 1 | 48:02.308

right. Remember both sides that have to match.

Speaker 0 | 48:04.729

Yeah. That's some awesome advice too. You know, 'cause so many people, I've seen it where you write the policy and you can't change the policy. Yes, you can.

Speaker 1 | 48:14.233

Yes, you can. We wrote it, right? It’s not going to come down from the mountain with Moses, right? We wrote it.

Speaker 0 | 48:19.195

We wrote it. We can change it.

Speaker 1 | 48:21.356

And especially, when you say that, making it reflect reality is a good thing. We looked at our operational constraints, and based on our operational constraints, this is how we want to be. Boom, it's easy, right? And then the auditor might say to you, or a regulator might say, listen, you really should do that more, or more frequently, or whatever. And then you can ramp up, but then you have to go back to the business and say, look, these are findings. We need more resources in order to meet this, because we can't do it right now, or we have to give something else up. So then you have to manage it; it becomes a workload question, right? Not necessarily a cyber question. But remember, you wrote these things, and don't write them so strictly that you can't meet them.

Speaker 2 | 49:03.560

At Dissecting Popular IT Nerds, we expect to win and we expect our IT directors to win. And one of those areas where we know that we can help you win is internet service providers. As an IT director tasked with managing internet connectivity, few vendor relationships can prove more painfully frustrating than the one with your internet service provider. The array of challenges seems never-ending, from unreliable uptime and insufficient bandwidth to poor customer service and hidden fees. It's like getting stuck in rush hour traffic. Dealing with ISPs can try one's patience even on the best of days. So whether you are managing one location or a hundred locations, our back office support team and vendor partners are the best in the industry. And the best part about this is none of this will ever cost you a dime, due to the partnership and the sponsors that we have behind the scenes at Dissecting Popular IT Nerds. Let us show you how we can manage away the mediocrity and hit it out of the park. We start by mapping all of the available fiber routes, and we use our 1.2 billion in combined customer buying power and massive economy of scale to map all of your locations, to overcome construction fees, to use industry historical data, to encourage providers to compete for the lowest possible pricing, to negotiate the lowest rates guaranteed, and to provide fast response times in hours, not days. And we leverage aggregators and wholesale relationships to ensure you get the best possible pricing available in the marketplace. And on top of all of this, you get proactive network monitoring and proactive alerts so that you're not left calling 1-800-GO-POUND-SAN to enter in a ticket number and wonder, why is my internet connection down? In short, we are the partner that you have always wanted, who understands your needs, your frustrations, and knows what you need without you having to ask. So, we're still human, but we are some of the best, and we aim to win.
This all starts with a value discovery call where we find out what you have, why you have it, and what’s on your roadmap. All you need to do is email internet at popularit.net and say, I want help managing all of my internet garbage. Please make my life easier. Thank you. and we’ll get right on it for you. Have a wonderful day.

Speaker 0 | 51:23.299

Any other thoughts? Any other things that you want to pass to those that are following us and haven’t had the benefit of the 20 years of watching all of this stuff shift?

Speaker 1 | 51:33.207

I mean, not at present, but if questions come up after this, I don’t know when this goes live, but when the questions come up, I’m happy to talk to anybody if they want to.

Speaker 0 | 51:43.216

Okay. What's the best method for people to get in touch with you? And we'll make sure to put it out there and,

Speaker 1 | 51:49.972

and the easiest way would be to shoot me a note on LinkedIn.

Speaker 0 | 51:53.913

Okay.

Speaker 1 | 51:54.993

Yeah.

Speaker 0 | 51:55.974

And we'll be posting this on LinkedIn. So people will be able to see it there.

Speaker 1 | 52:00.075

Yeah. Yeah. Just give me a note on LinkedIn. I do help a lot of companies with this type of stuff, and people. Right. So I'm more than happy. You know, the other, I guess, last little golden nugget I'll give you is, if you're just starting out in this and you're writing your SOPs, and you're writing your policies, remember, that's your intellectual property. And you should make a case to bring the core of the document with you from job to job, right? An acceptable use policy that you've authored. You obviously don't want to keep the company's, but keep your output, because using those policies, especially if they've been through external audit cycles and people have liked what they said, bring them with you as the foundation to your next jobs, because they are, as I said before, the policies are almost where every auditor starts. Give us this. Give us these policies. Give us how you operate. And let's face it, you know, an access review policy is almost the same in almost every industry, right? You just need to tweak it for your company. Don't lose sight of the fact that there's value and longevity in some of these things, provided that you've kept them current for how our compliance world, our legal world, our risk world operates. So you can't take one from 20 years ago, but you can evolve one from 20 years ago and continue to get better and better and better as you iterate.

Speaker 0 | 53:34.231

It’s a cybersecurity portfolio, just like an artist or a musician has a portfolio of their work.

Speaker 1 | 53:41.775

Right. So. And it will save you so much effort.

Speaker 0 | 53:44.657

Yeah. But it's also critical that, when I do this, when I go into a new organization, I set that framework from day one, that I get to keep my intellectual property, that it does not.

Speaker 1 | 53:56.443

Well, if you do. Right. Correct. Right. Right. You're bringing this in as the foundation. When the document is shared at the new company, it's the new company's property. Yeah. I mean, I find the easiest way to do this is just cutting and pasting into a new document, to be frank. Right. But regardless, it's important to look at it in this world, you know; the longevity of policies and procedures and risk management is something that is quite helpful, because it gives you comparative analysis.

Speaker 0 | 54:27.852

Okay. Well, David, this has been an awesome discussion. I truly have enjoyed it and appreciate it. And, you know, one of the things that I'm doing real quick is I'm just searching your name on LinkedIn and seeing how many different... There aren't too many David Kiklises out there.

Speaker 1 | 54:44.249

No, and one of them is not me. One of them is a health account. Really? I can’t seem to get rid of it.

Speaker 0 | 54:52.054

That’s not good. I mean, there’s a few Mike Kellys out there, and we’re very diverse in what we do.

Speaker 1 | 54:58.118

I see you. Yeah.

Speaker 0 | 55:00.759

Yeah. So, well, I definitely appreciate you offering up your expertise to our listeners. And thank you for your time today. Let me go ahead and say the exit piece of this, because as we come to another close on Dissecting Popular IT Nerds, I want to invite everybody to comment and rate the podcast. Let us know what you think, whether we're bringing you valuable content. Today was valuable content. I promise you that. If you're listening, if you're in IT, the things we talked about today are going to be helpful in anybody's career: knowing and understanding all of those topics that we covered. And heck, that list of the tools. You know, I was thinking about that. I can't think of any other tool. Of course, there's all those little nuances, and it's a fractured market like you mentioned. But if you have every one of those tools, your organization is going to be much more secure and much more on its way, as long as you have the policies and you're following through on them and you can prove it. Thanks, everybody. Thank you, David.

251- Securing the Enterprise: David Kiklis on the Evolution of Cybersecurity and Keys to Success

Speaker 0 | 00:07.977

All right, well, welcome back to Dissecting Popular IT Nerds, where we’re allowed to geek out with our fellow nerds. Today, I’m proud to introduce David Kiklis, who wants to help shape our discussion with the business around cybersecurity. So, David, tell us a little about your experience, and let’s talk about how you suggest we frame that conversation.

Speaker 1 | 00:28.023

So, yeah, thank you for having me. I’ve been doing cybersecurity in one shape or another since about the year 2000, even before this was considered a career path.

Speaker 0 | 00:41.454

Yeah,

Speaker 1 | 00:41.714

or even really a term. Yeah, I worked for a company at the time that did a substantial amount of U.S. government contracting. And, you know, really this was beginning to emerge as a threat. And so we had to develop programs and tools and language to speak with federal auditors where there really weren't any standards in place. So I've been doing this for a long time.

Speaker 0 | 01:06.102

Yeah. 'Cause, you know, I started in IT somewhere right around that time, and our discussions around cybersecurity, or just security back then, it's a world of difference between today and then.

Speaker 1 | 01:21.106

Oh, without a doubt, without a doubt. I mean, you know, the threat landscape, obviously the internet, really has progressed and changed so much over the last 23 years now. You can now see cybersecurity and our career fields as established. Back around the turn of the century, they were not. They were just something you did as an IT person without a lot of standards, without a lot of guidance, and quite frankly, hoping for the best. And then all the vendors that really help us, looking at the threat landscape and all the various...

Speaker 0 | 01:56.364

tools that we use, they were in their infancy. Yeah, especially back then. I remember having discussions with fellows, like, I joined InfraGard back in 2004, and when we started having some of the discussions and we're talking about security, you know, I'm talking about, what was it, 2800, the magazine that used to come out once a month. And I talked about, like, I knew what, oh God, what can I think of it, the scanning tool that checks all of the ports, that we still use today. Yeah. And other CIOs or managers of IT departments were like, how do you know all of this stuff? Why do you know this stuff? They thought I was a threat because I knew it. And all I was trying to do was, like you, be aware of security.

Speaker 1 | 02:46.890

Right.

Speaker 0 | 02:47.430

And what I was doing was nothing compared to what you were doing.

Speaker 1 | 02:51.292

Yeah, and we had a much heavier burden. Back in that day, I was dealing with a lot of top-secret data, right? So you had standards from the FBI or other federal agencies that were sharing U.S. government top-secret data for purposes of a contract. And even they were struggling with how do you move the data? How do you secure the data? How do you deal with data integrity? All of these things that really hadn't been thought of, because in past lives they were literally couriering nine-track tapes back and forth. And that's how the data transfer would happen, right? It's physical. The data would be physically transported by couriers. And so a lot of the risk was mitigated by just physical possession and then SCIF-type rooms, right? So, but, you know, earlier when we connected, you talked about that the traditional question that we hear all the time is, how do you convince a company on the ROI or the need to invest in cybersecurity tools? And it's a question that I think was being asked a lot, like 10 years ago. I have not heard anybody asking that question now. Like, not "do we need to invest?" The question really is, how much do we invest? And that's a really tricky calculation to do. Yeah,

Speaker 0 | 04:21.411

because, you know, I was having some of this discussion with the leadership at the former organization I worked at. And they were still on an older mindset on this. I was still trying to have that conversation of, okay, I need these tools and this is why. And they were still kind of on that mindset of, not even of insurance, of, well, it's not happening. We haven't suffered from this. So why do I need that level of protection?

Speaker 1 | 04:56.231

And it’s hard to defeat that mindset, right? It’s like car insurance, right? I haven’t been in an accident, therefore I don’t need it. But if you don’t have it, right? And the problem with any of these cybersecurity tools is it’s very difficult to prove a negative, right? It’s very difficult to prove that because we had X, Y, and Z, you know, it didn’t happen.

Speaker 0 | 05:18.539

Yeah, our threat landscape was much smaller, thus we didn’t incur any events.

Speaker 1 | 05:24.021

We didn't incur the downside. I think one of the things that makes this easier in the modern workplace is, if you're publicly traded, then you're under the umbrella of SOX in the US. And that has mandates for basic cybersecurity. There's now the new 8-K reporting requirement from the SEC as well, to disclose any cyber breach that may happen to a company. Right. Which then puts the onus back onto the leadership of the company to be cyber aware. If you're doing business with the federal government, there are FedRAMP and NIST guidelines that you must follow to be a business partner. And technically, even if you're doing business with a prime contractor, they're responsible for having those requirements flow down to you as a sub.

Speaker 0 | 06:17.407

Yeah, the business partner of the business partner. Correct.

Speaker 1 | 06:20.389

And the way that contracting works is the prime is obligated to make sure the subs are following the terms of the prime contract. You can't say, I'm abstracted away a little, therefore it doesn't apply to me. And then, you know, if you want to have any reasonable cybersecurity insurance, there are minimum gates that you have to go through in order to prove that you're not a major liability and uninsurable. Which, when you take all that out, you're left with essentially sole proprietorship or LLC tech companies that are not beholden to venture capital or anyone else to dictate their business practices, and not interested in cybersecurity insurance. Which again, there's arguments whether that's an effective tool or not, but it's a relatively small category, right?

Speaker 2 | 07:12.403

Hey guys, this is Phil Howard, founder of Dissecting Popular IT Nerds. I just want to take a few minutes to address something. It has become fairly apparent, and I'm sure all of you will agree over the years, that slow vendor response times, and vendors in general, the average is mediocre. Support is mediocre. Mediocrity is the name of the game. Not only is this a risk to your network security, because I've seen vendors on numerous occasions share sensitive information, but there's also a direct correlation to your budget and your company's bottom line. Not to mention the sales reps that are trying to sell you and your CEO and your CFO on a daily basis. That causes a whole other realm of problems that we don't have time to address. Our back office program at Dissecting Popular IT Nerds, we've put together specifically for IT leadership. And it's on a mission to eliminate this mediocrity. And the best part is that we're doing this in a way that will not cost your IT department a dime. So, if you'd like us to help you out, get better pricing, better support, and jump on pressing issues in minutes, not days, then contact us now so we can get on a call with you and conduct a value discovery session where we find out what you have, why you have it, and where you want to go, and how we can improve your life, your IT department, and your company's bottom line. What you're going to end up with is, number one, just faster support from partners who care about your organization's uptime and bottom line. And because you're going to be able to access our $1.2 billion in combined buying power, you'll be able to benefit significantly from historical data. And on top of that, you'll also benefit from the skills of hundreds of on-demand experts that we have working behind the scenes that are all attached to our back office support program. So if you'd like, again, none of this is ever going to cost you a dime.
At the very… least it’s going to open your eyes to what’s possible. Let our back office team provide you the high touch solutions and support that your IT team deserves so that you can stop calling 1-800-GOLD-POUND-SAN for support. Now, if you’re wondering, what does this apply to? This applies to your ISPs, your telecom providers, all your application providers, whether you’re a Microsoft shop or a Google shop. what you might be paying for AWS, even Azure, co-location space, any of those vendors that you’re paying a monthly bill to, we can help you with.

Speaker 1 | 09:55.606

Hey, it’s Greg, the Frenchman secretly managing the podcast behind the curtain. To request your one-on-one call, contact us at internet at popularit.net. And remember, it will never cost you a dime.

Speaker 0 | 10:08.434

Well, and one of the other things that I saw was that I was getting a little more traction due to the financial institutions that were involved with us. So it wasn’t necessarily the venture capitalists like you were talking about, but just simple, the banks that we wanted a line of credit from. They were doing their own audits to make sure books were good, and they had this whole section on cybersecurity.

Speaker 1 | 10:32.028

Yeah, I missed that whole category, right? Yeah, and every year, for your vendors or your suppliers, oftentimes there’s a contractual obligation, or for your customers, a contractual obligation for you to provide evidence of a cybersecurity program, right? If you are a vendor and you are supplying customers, and they’re giving you their intellectual property or their data, you are in fact now responsible for safeguarding that in whatever way, shape, or form it comes to you, right? You are the data steward.

Speaker 0 | 11:06.370

And just steward over the system so that it’s not easy for somebody to get in and steal all the money.

Speaker 1 | 11:12.932

Or steal the intellectual property or steal the downstream company’s contract and data. The other obligation that you have as an employer is to safeguard your own employees’ PII and PHI information, because if you’re providing benefits or payroll services, you have your employees’ Social Security numbers and often you have their health history. If they’ve applied for short-term, long-term, any other common thing that happens, you as an organization are obligated to safeguard that information. And that is mandated by the privacy laws that are in every state, or GDPR if you’re in the European Union. And they vary, but they’re getting stronger and stronger and stronger as every year passes. Usually California goes first, Massachusetts goes second, and the rest follow. There’s a few that don’t. There’s a couple that don’t really pay attention to this, but the vast majority of states where you would draw remote employees from, say, if you’re a Boston-based company, they have mandates for privacy. So again, you’re obligated under so many different external regulatory bodies just because you’re in business. So I think the question isn’t, do we spend any more? It’s how much do we spend? And the thing that happens, unfortunately, is as the cybersecurity vendor market space has developed and then fractured and then continued to develop, what was, you know, QRadar with IBM back in 2000, which was one of the only tools available, suddenly has now become a thousand vendors. And some of them solve one very, very specific problem. That’s all they do.

Speaker 0 | 13:00.452

I would say the majority of them only solve one very small one.

Speaker 1 | 13:04.853

Well, I wouldn’t say. I mean, there are some major ones, right, where you’ve got like the big spam filter tools or the big SIEM tools like Rapid7 or some of their competitors. But as you go down the path, there are now lots and lots of vendors that just solve for one NIST control or one ISO control, and that’s what their product does. And there’s a diminishing return there on the spend, right? It’s how much is this particular control a real risk where I have to invest in a tool to manage and mitigate the risk? And in some companies, the answer is yes for everything. And in some companies, the answer is we don’t do that. I’ll give you an example of a company. We do not do any software development. We are not. We’re a pharmaceutical company. So all the tools around vetting code for cybersecurity, or vetting pre-bought modules to make sure they’re safe or there’s no back doors, all that, there are these tools. I know this whole universe is out there. It is not relevant to our business. Therefore, we’re not investing in it.

Speaker 0 | 14:12.322

Right. And this is part of, or it’s really critical to, the way that you’re suggesting, or that you’ve seen people reshaping this discussion of… Yeah,

Speaker 1 | 14:23.191

absolutely, right? If you really want to try to prove out, in my take on this, building a program, the real cost in terms of hard dollars involved out the door is buying the tools, the appropriate tool set. And you may not need to buy them all at once. But the other two pieces that you need are the governance and the policies, as well as the education of your executives, your users, and your IT staff to make sure you’re meeting the needs and how you’re operating. In my experience, in every audit that I’ve been in with cybersecurity, that’s where they start. Give me your governing document. Show me how you do, how you manage, how you have a policy that manages your security plan, your cybersecurity, your awareness training for staff, acceptable use. The boilerplate documents that we use to say that we are in control. And if you think about any audit in any, you know, it really doesn’t matter how they frame the question. The question really comes down to, do you know what you have? Are you in control of what you have? And how do you prove that you’re in control? And there are really just three distinct steps that the auditors are looking for.

Speaker 0 | 15:44.100

And I think one of the hardest ones is that final, that third one.

Speaker 1 | 15:48.041

Can you prove that you’re in control, right? And proving you’re in control says, I have a policy that says I will review all my users’ access rights monthly. Do you have evidence that you’ve done that? Have you done it? Here’s the document that says we did. Here’s the document that says what we will do. Here’s the evidence that we did it. Here, I can present them both to you, Mr. Auditor, and we’re done. And if they disagree with your methodology for review, they may make a recommendation to shore it up, but they’re not going to say you didn’t think about this. Right? Right. But if your policy says, yeah, and here’s the control, your policy says I review it monthly, you review it once a year, and you can’t provide that evidence, you’re not doing what you say you’re going to do. And then you get into real trouble.

Speaker 0 | 16:35.864

With your experience, have you ever run into a situation yet where you really felt that there was a security control or an aspect of security that the organization you worked for needed, but wasn’t yet written into any of the compliance or the audits or any of these places? Yeah,

Speaker 1 | 16:56.116

absolutely. Yeah, this happens a lot. Yeah, this happens a lot. Absolutely.

Speaker 0 | 16:59.897

So how do you start that conversation?

Speaker 1 | 17:02.058

It’s really difficult because some of these things bridge into business operation. And I’ll tell you where there’s a lot of fuzziness, right, I’ll give you a good one. Classification of documents, or DLP, right? Yeah. Right. It’s a squishy area, right? Cybersecurity says you must have DLP. You must prevent these things from exfiltrating your company in a meaningful way. The company says, we don’t want to differentiate or we don’t want to put things into buckets because it’s not useful for our business. Right. And there you have a disconnect between how the business culturally or day-to-day operations run and a cyber control. So really, it’s much harder to get the language going than to say, we will do spam filtering or we will do multi-factor authentication, right? Because those are cut and dry.

Speaker 0 | 18:03.270

Yeah.

Speaker 1 | 18:03.810

Right? And that’s where… And how do you tell what the benefit is? Yeah. And that’s where any of these things, these controls that bridge into business operations, get difficult to implement. So with any risk that you come up with, right, there’s essentially three outcomes from the risk. You can accept the risk, you can mitigate the risk, or you can transfer the risk. So taking the DLP or, let’s just say, the classification discussion, which is best practice in some industries, which is not really relevant in some industries, you need to present that risk back to the senior leadership and say, here’s the risk of us not being able to manage what exfiltrates. And if the business says the burden of data classification is greater than we want to bear, and they understand the risk, then you can accept that risk as a condition of business. However, what you have to remind your leadership is if and when that risk materializes, right? That someone emails the business plan or… Whatever happens, happens, that they’ve signed off and accepted that risk. So when you get the how did this happen, you as a security professional need to CYA and say, we had an agreement that you determined the mitigation of this risk to be too costly to the business operations and didn’t want to do it, didn’t see a value. When that risk materializes, you signed off on this. And then generally what happens after that is there’s a flurry of activity and it gets put in.

Speaker 0 | 19:34.685

Yeah. Because they want to see why they’re asked.

Speaker 1 | 19:40.452

Yeah, never waste a good crisis, right? And those are where I find it to be very sticky, right? It’s retention policies. It’s clean desk policies. It’s, you know, if you’re programming, it’s code libraries. It’s all of those things where it’s not just in the bubble of the cybersecurity practitioner, where it bridges into business operations. And there is a cost, not necessarily a dollar cost, but there’s an operational cost to the business to implement.

Speaker 0 | 20:08.007

So, you bring up one of the things that I struggled with also, and how have you experienced that conversation of expanding that out? Because data loss prevention, oh, that’s… IT stuff. So they like to shove it over at them, but it’s not. Because all of those people generating those documents, they have to classify the information they’re putting into it.

Speaker 1 | 20:36.202

Well, it even goes beyond that, is you need to decide on a classification schema for your company, right? I’ve seen companies that have done 10. It’s like where it’s too nuanced for people to decide what’s the difference between five and six. And I’ve seen people that have done just two, high and low. Fair enough. Most companies I’ve worked at have not wanted to do any because they didn’t want to put that burden of deciding on someone. I think the biggest strategy that you can have with this is to take it out of the realm of cybersecurity and move it into the realm of business risk. And if you work with the legal counsel for your company, that’s a very good partner. Because a lot of what legal does is help mitigate risk to the company, whether it’s contract risk or employee risk or what have you. And they’re generally amenable to fostering the risk discussion about exfiltration, let’s take DLP, exfiltration of intellectual property, right? What really are our risks? What do we really need to do? And then as you circle back, if your cyber and your IT are separate, realize that until you include some mechanism to filter DLP, whoever’s, right? Keywords, some mechanism, IT systems are not smart enough yet to know this one’s good and this one’s not good. Like you have to give it something to work on. If you’re using Microsoft’s DLP, right, it relies on a classification schema, right? There’s all the other ones as well that crawl, they can auto classify, but still it has to be in bucket A, bucket B, bucket C, what have you, in order for the systems to systemically say, you can go, you can stay. That’s how they work, right? And in 10 years, we’ll have AI that might be able to realize the difference between your document and my document. Right now, we’re not there. And I think the biggest thing is executive leaders don’t respond to cybersecurity. They don’t understand what we do. They don’t understand the landscape, but they do understand risk.
And they do understand decisions that impact the risk, whether it’s increasing or decreasing. So I think the key to this is to take it out of the realm of discussing DLP and discussing what’s the risk if our intellectual property is suddenly posted up on, you know, on the dark web, or worse, on Reddit, or on any of these other forums, where, you know, whether it’s your proprietary engineering diagrams, what have you. Because that type of exfiltration is generally done by either a hacker, right, or most likely a disgruntled employee that does that, you know. And so I think that’s the key, is to take it out of the IT nerd realm and put it into business speak. And then you have to document the outcome of that meeting. And to say, look, there’s four or five things here that as senior management in your company, you need to think about. How long do you want to keep stuff? Where are we keeping it? Who shouldn’t have access to the keys to the kingdom? Do we want to secure a special place for our highest level of intellectual property and prevent it from moving? These are questions that you should be asking. And then when they say yes, then you come back with a plan of how you need it. But if you start with, I need to put in DLP and here’s what it does and here’s how it works, it’ll just go right over their heads and they’ll shut down.

Speaker 0 | 24:09.024

Yeah. And that’s been my experience, except I have not been able to flip that discussion the way that you’re suggesting.

Speaker 1 | 24:16.228

Yeah. Yeah. Yeah, you got to make it a business discussion, right?

Speaker 0 | 24:21.114

Yeah. Well, and I tried to make it that business discussion, but I still struggled changing the language and actually coming at it from the risk perspective. Although there were times, you know, we talked about, I actually had talked with the legal team about both of these topics, you know, the classification and the DLP. And they really wanted this themselves because they saw the threat. They knew the threat because of living in the courtrooms and seeing what happened. And the two of us together couldn’t reframe that conversation well enough to get it passed. So I guess really they were back to response number one to the risk, like you said, you know, accept the risk.

Speaker 1 | 25:06.386

Yeah. And if that’s the case where you said, look, we have, you know, we as the CEO and senior leader, whoever is making that decision, and that needs to be at that level, they understand what they’re accepting, then there’s not much you can do about it, right? They’ve decided that it is not worth the company’s effort. If you have external counsel or external auditors, you can use them sometimes as a lever. I have used external audits or external assessments as levers to push the leadership into understanding they have a gap, knowing going into an audit, knowing I would fail that control, and it would be highlighted as red as a failure or a miss in order to…

Speaker 0 | 25:49.030

highlight the fact that, as a business, the business has not addressed this, right? And so my experience along those lines too has been a little bit of, well, why did you let this happen? Well, okay, here, I let it happen, then now let me make sure it doesn’t happen tomorrow. So see, that’s where you’re mistaken, right? That’s the thing, is it’s not you that made this happen, right?

Speaker 1 | 26:12.639

Well, you can’t. Yeah, right. If you shift the accountability to IT or cyber or those controls, that’s not where it is. The control and the definition of the controls are set as corporate policies. You’re just using the tools to enforce the policy.

Speaker 0 | 26:30.408

And I’m using the unspoken or undocumented culture of the organization who shifted it that way. They were redirecting that risk by blaming it over on IT when it was truly a business risk.

Speaker 1 | 26:46.906

Right. I mean, it’s one of those things, you know, putting my IT hat on for a second, you know, we’re going to go do a shootout and we’re going to decide on a new piece of software to do something in the business, right? We need a new worm. And there’s five competitors. If I look at those five competitors with an IT hat on, they’re all cloud providers. They’re all functionally equivalent, right? From a cyber perspective, they’re all basically functionally equivalent. I don’t care which one you pick. I really don’t. Which of these tools best fits your business requirements, your URSs and your needs, right? Because for me with my IT hat and my cyber hat on, they’re basically identical. So it goes from being a decision about a technology to being a business decision that the business has to own, right? Does this thing that I’ve picked match my URS, my functional needs? Because they’ve already met IT’s. They’ve already met cyber’s, right? And that’s the decision. That’s the discussion as we look at these systems and these acquisitions, is these may be enforced by IT because I have the tool that can turn the switch on and off. But the owner of the risk is you, right? Whether it’s COO, CFO, CEO, whoever, they have to own the risk and make the decision of how they want to be. I go back to, like, let’s talk a little bit about something that I see is very parallel, right, when people were still using file servers primarily for file storage, right? And you wanted to add permissions to a folder, and right, you put a help desk ticket in and IT would then add that user to that folder for you. Why did we have that? Because the AD tools were more complicated than we wanted end users to touch. It wasn’t because we added any additional analysis on the appropriateness of the request. It came in, it followed the pattern, and because the tool was complex, we went clicky-clicky, and the user now had access.
Now you move into SharePoint world, now the user, the owner of the data, is accountable and able to make their own decisions without us in the middle to add permissions to their thing. The accountability for access rights in SharePoint is back with the data owner where it should be. It is not with IT. Now, we can send them audit reports and say, hey, here’s your SharePoint site. Here’s everyone that has access to it. They can do the same thing. The reason, and this is similar to some of these controls, right, is that you need to move the accountability for the decisions around the execution of these controls into business decisions, into business languages, into risk, not into IT controls. And it’s very easy for the executives to throw it on the fence and say, oh, it’s just an IT thing. But it isn’t. If this was simple enough that I could have Mr. COO or Ms. COO go click, click, click and set these rules themselves, then I would have them do it.

Speaker 0 | 29:50.726

Yeah. Yeah. Well, and because we need it, because there’s also, oh man, there were so many little threads in what you just said of experiences that, you know, I watched happen over the decades of trying to pass back and forth who’s in control of Active Directory,

Speaker 1 | 30:08.661

you know,

Speaker 0 | 30:09.762

HR wanted Active Directory because they needed it to be right, and for it to reflect everything, the way the organization was structured. Yet, just like you said, it was too complex and we were too afraid to give them control over it. So IT is sitting there clicky, clicky, clicky. But I wanted to make sure that the authority of who approved the movement from this department to that department wasn’t IT, because IT has no place in that.

Speaker 1 | 30:36.562

None whatsoever, right? And it’s the same with some of these controls. IT doesn’t have any place in deciding what is, you know, DLP high versus DLP low. We just execute once the framework has been given to us. Now, as a member of a leadership team, you can voice your opinion, but you don’t own the decision.

Speaker 0 | 30:57.742

Right. It should be a combined decision and or to the highest level and let them declare.

Speaker 1 | 31:04.127

And the only place that IT gets involved is if they want to do something that the technology doesn’t support. We can’t do that. So you can be the person that understands the limits of the technology.

Speaker 0 | 31:17.382

Yeah. And help define that and help share that so that they understand it and understand more of that risk, kind of like what you’re talking about too. Okay. Other thoughts, other things. I mean, we kind of talked about those things that step outside of the assessments, the audits, the requirements, the compliance. What other things have you heard about this discussion that just drive you crazy?

Speaker 1 | 31:49.080

Well, boy, there’s a lot, right? I think the other big challenge in cyber right now is making sure that your leadership team understands that they are part of the cybersecurity solution. Because if the worst happens, they are beholden to talk to the shareholders, the customers, whatever constituencies that you have, or upstream to your regulating agencies about what happened. They’re going to be accountable for some of these business decisions. They’re going to be accountable for being in front of the press, in front of whoever, and they own understanding where their risk profile is. And I think the easiest way to do that is to do some tabletop exercises with a third party, not as IT, having someone come in and do tabletop exercises with a neutral third-party mediator to say, hey, you know, CEO, this just happened, and now Channel 7’s calling. What do you do, right? And understanding that, if it’s severe enough, you’re going to be national news, right? And the fallout from that is ripples in a pond. I think there’s too easy a, oh, it’s just an IT thing, and throw it over the fence.

Speaker 0 | 33:05.833

Yeah, and it’s been that way for decades.

Speaker 1 | 33:09.156

Yeah.

Speaker 0 | 33:09.997

Yeah.

Speaker 1 | 33:11.774

I think that the days of cybersecurity just being something that was done off in the shadows and the corners is over. The accountability is at the corporate level now for this. Hence the SEC requirement, right? Not only for someone on the board to be, you know, named as a cybersecurity expert, but also the reporting requirements in the 8-Ks now if something does happen. Which then goes on top of that, understanding what your obligations are to disclose, both from your state, from your contracts, from your customers, from all of the things that you do business with, right?

Speaker 0 | 33:51.439

Something just kind of came to mind, trying to further the discussion a little more. What’s one of the biggest differences you’ve seen between government or military and private sector on this topic? What pops to mind when I ask about the difference there?

Speaker 1 | 34:11.187

Well, I think having FedRAMP and these other things have changed the language quite a bit, right? It has standardized how people manage their cybersecurity compliance with the government, right? It wasn’t always that way. Each government agency had done its own thing and things were complicated. And then, you know, over the last 10 years, it’s also very, you know, it’s much more rigid, right? Because in order to play ball, you have to be compliant. And if you’re not compliant, you have to find a way to get essentially a waiver. Now, I haven’t done federal contracting since about 2009, for quite a while, right? 2009. In the private sector, I think the biggest difference is that companies do not understand what their external compliance requirements really are. And because there’s no real mandate. Even SOX is not a mandate. It’s based on how PwC or Deloitte, whoever, wants to interpret the regulations, so the assimilation of cybersecurity programs into the corporate landscape is wildly varied. Wildly, right?

Speaker 0 | 35:38.663

I would just suggest somebody that’s coming into this, you know, some of these people are getting degrees in this. And I don’t know what it’s like for them getting degrees today, but I assume that it’s kind of like it was for me when I got my degree. I walked out of college or out of the university thinking, OK, I know everything. I just got my degree. And then reality slaps you in the face. Yeah. I don’t know. Well,

Speaker 1 | 36:03.669

I think you’re going back to the earlier part of the discussion. The biggest problem that we as IT people face is we chase the shiny object. Oh, gosh. We chase the tools. Right. We chase the tools. And we chase the technology because all the vendor demos look fantastic. And I’m going to go back and say that, yes, I think you need core tools. Yes, I think there are several that are absolutely table stakes. But no one’s going to ask you when they walk in the door for an audit, are you using Mimecast or are you using Barracuda or are you using this one? The question is, are you using the spam filter effectively? Right. Right. And that’s the question, right? So we as IT people can kind of get blinded by the purported differentiation between tools. And we tend to ignore the governance and the documentation and the proof that we are in fact doing what we say we’re going to do. And that’s the first place that people look. They don’t look at your configuration of your spam filter until things have gone wrong. And if you’re at that level in the weeds, things have gone really, really wrong, right? If they’re actually in on your shoulder, looking at your configs or your logs, right?

Speaker 0 | 37:21.058

Yeah,

Speaker 1 | 37:22.058

yeah. So I think, you know, if you’re starting in this industry and, you know, you’re trying to set up a program on your own, then you really need to look at what a good cybersecurity program looks like, not cybersecurity tools. And if you are progressing up the career ladder and you’re in charge of a tool, then you need to understand how that tool is operating inside of your company and what dependencies or what interoperabilities you can do with the information that tool is providing to mitigate other cybersecurity controls, right? It’s, am I getting the most ROI out of my tool before I go buy another one and ask for more money, right? And the answer might be yes, the answer might be no, the answer might be that we choose to do it in another interface because it’s easier or better, but… But just chasing, hey, we need another one. And I got an email from this really cool vendor. Let’s go buy this thing too. You end up with too many screens and so much information that you can’t possibly process it. And in some ways you’re worse because you’ve got too much coming in. And if you’re two or three people, your attention is so divided, versus you had one or two screens and things bubbled up on it. It may not be the best, but you go look here.

Speaker 0 | 38:36.952

I think back to an old name of an old attack, the Christmas tree attack, where you get every light to light up and blink all at the same time. And now the one critical one, it’s blinking, but it’s just one of a thousand.

Speaker 1 | 38:50.799

One of a thousand, right? I mean, you look at, we’re a small company, right? We’re 500 people. We’re generating probably a million log items, you know, more than a million a day easily, right? There’s no way as a human you’re going to sit through that.

Speaker 0 | 39:04.747

Yeah. Yeah, that’s where SIEM tools came from.

Speaker 1 | 39:09.069

Right. Yeah. Right. You’re trying to automate what do I need to pay attention to, right? Yeah. The other piece of advice I would give you is that penetration tests, which have always been one of those standards, unfortunately, are just paper compliance as far as I’m concerned. And the only reason I say that is every organization I’ve seen that’s done the social engineering one, they failed. And then the pen test is only as good as the date you did it on. So you do a pen test last week and a new zero day comes out or a new exploit comes out the following week and you don’t patch for it, your pen test is meaningless. You’re just as wide open. The problem with these static pen tests that are done once a year is it doesn’t reflect the dynamic nature of our environment anymore. There are other tools out there that do dynamic pen testing on a real-time basis. Possibly, and those are much more effective. Yeah, those are the tools that are much more effective if you really want effective security. If you’re just looking to check the box because it said so on the form, then yeah, do your annual pen test. If you want to scare yourself, do the social engineering test, because every company I’ve ever talked to that has done it, it’s failed. Even companies where, yeah. No, no, the social engineering one, right?

Speaker 0 | 40:30.484

Okay.

Speaker 1 | 40:31.465

Like, I’ll give you the worst one that I saw, which is the fun story, is, you know, the classic, I dropped a few USB sticks in the parking lot. And this was a company where if you plugged in an outside USB stick, it was grounds for termination. People picked them up, brought them in, plugged them in. And of course it fired off a little script that told us that they’d done so. And we went out and talked to them. But, you know, even if it was literally a fireable offense, it didn’t stop people from picking these things up in the parking lot and plugging them in to see what it was. Ouch. Well, it’s human nature. It always, always, everything. Right.

Speaker 0 | 41:11.116

And I’m curious.

Speaker 1 | 41:12.457

What did they tell you? Carry a clipboard, act like you belong, and people tend to let you in.

Speaker 0 | 41:18.734

Yeah. Okay. So you made a mention, and we zipped by it because we were talking about where to start, but the table stakes tools. What table stakes tools do you feel are out there?

Speaker 1 | 41:31.985

If you don’t count, yeah, I think you absolutely need some sort of a SIEM tool, right? Some sort of tool that’s doing log aggregation. It’s to reflect correlation inside your network that is collecting events, analyzing events, and telling you, hey, something’s going on here that doesn’t look right. The other advantage for those tools is, because there are lots of customers, they can see what’s happening out in the wild. And even though you may not be a specific target, you may still be vulnerable because you’re connected to the internet. I think you need a next-generation firewall that is actively, you know, threat hunting. I think you absolutely need a decent malware engine on your endpoints.

Speaker 0 | 42:24.040

Okay. And then, of course, you’ve already mentioned it a couple of times, either the spam filter or the email filter.

Speaker 1 | 42:32.527

A robust one. There’s a dozen to pick from. You know, obviously email is one of the most likely places for you to get ingestion of malware. I think you need a cybersecurity awareness training program, whether you buy a tool for that or you do it yourself with content. And then finally, the last thing you need is a very good backup and recovery process for any on-premise systems that is secured from ransomware, whether you’re using something like a Rubrik or other tools. You want that copy to be immutable. And if in fact you’ve done that tool in conjunction with OneDrive, in conjunction with some of the other O365 tools, the chances of you not being able to recover your data center or your end user’s content, you might have to redo the laptop, but the content is safe. And let’s face it, the cost of a $1,200 laptop is far less than the intellectual property that’s on the laptop, right?

Speaker 0 | 43:39.221

Right. Yeah, so that brings up, I’m trying to think of what it’s called, but the secure encryption of the hard drive while at rest.

Speaker 1 | 43:49.847

Well, yeah, that’s native now on almost all the brand name ones, right? But if ransomware comes along and encrypts it on you and you can’t access things that are only stored in that C drive, they’re gone for all intents and purposes, right? You enforce that they’re copied to another place, whether it’s a Google Drive or through OneDrive, whatever tools you’re using, and those in turn are standalone copies that are not tied to the desktop. If it’s ransomware, you know, you’ll be able to recover the intellectual property, right? You have to look at it, you have to look at the thing end to end for data recovery. But, but, you know, if we’re talking about what the basic tools are, right, it’s something that tells you something’s gone wrong, something to protect yourself, that you have immutable copies, and then spam and malware to prevent it from trying to happen in the first place. And the most advice that I give, that I’ve been given by almost every hack that you look at, is patch your systems, right? If you’re not deploying on-premise patching, desktop patching through Intune, through a Mac control tool, through third-party, you know, Shavlik, Shavlik, whatever, patch your systems, because most of these exploits happen because of unpatched systems.

Speaker 0 | 45:06.338

Right, and it’s got to expand beyond just the Windows update because it’s got to catch all of the applications that are in your environment.

Speaker 1 | 45:14.563

Yeah, absolutely. Right, Adobe, server side, right. And again, you have a patching SOP that says, you know, Patch Tuesday, we review it that week, we push it out the next week. You should be able to provide evidence that you did it, which means you’re doing automation or you have meetings where you have minutes that you can prove that you discussed. So if, if you’re not pat... if, you know, something happens, you can prove that you followed what you said you did, and that will get you out of negligence. And, and I’ve... This is something I say to everybody, and I think I may have said this to you earlier. The way I view cyber programs is you’re not trying to build the immutable fortress that no one can come in on. If the Russian army or the Chinese army decides they want to hack you, there’s a good chance they’re going to be able to, one way or another, right? What you want to build is a program that is defensible as not being negligent, which means you are at the state of the industry for policies, procedures, operations, tools, or better, in every dimension that you’re concerned about this risk. And when the auditor comes in and they’re doing their forensic analysis after the fact, you can say, we were up, we’re in state of the industry plus X on everything that we do. Here’s how we manage it. Here’s how we controlled it. And if a zero-day exploit comes in that no one’s seen before, right? And the tools were unable to see it and catch it, right? How can you be held negligent for that? You can’t. Yeah. But you don’t patch. You know, you say you patch every Tuesday. You don’t patch every six months. The exploit comes in because it’s a known exploit and then the exploit is exploited. And you didn’t patch. You are absolutely negligent at that point.

Speaker 0 | 46:57.623

Especially if you documented the fact that you say that you’re going to patch.

Speaker 1 | 47:01.085

And now you’re liable, right? And now your cybersecurity insurance will say, sorry, we’re not going to pay because, you know, you asserted that you did this process and you didn’t.

Speaker 0 | 47:10.010

Yeah. And that one will bite you. That one bites so many people or so many organizations. Or, oh, I’m going to do this. Here’s the process. I’m going to do it. Or here’s the policy that I’m going to do it. And then you can’t back it up.

Speaker 1 | 47:24.481

My advice to everybody on that is if you write a policy in a vacuum and then you try to put it in operationally and they’re diverging, right? You have to have a meeting and understand why they’re diverging. And it might be that you rewrite your policy. Right. It’s, it’s not that the operations always has to come to the policy. It could be the other way around, but they have to match. Yeah. Right. If you’ve written your policy into something that your group can’t meet because of conflicting obligations or time or what have you, then you might want to ramp your policy down so it is something that you can meet.

Speaker 0 | 48:01.288

Okay. No,

Speaker 1 | 48:02.308

right. Remember both sides that have to match.

Speaker 0 | 48:04.729

Yeah. That’s some awesome advice too. You know, cause so many people, I, I’ve seen it where you write the policy and you can’t change the policy. Yes, you can.

Speaker 1 | 48:14.233

Yes, you can. We wrote it, right? It’s not going to come down from the mountain with Moses, right? We wrote it.

Speaker 0 | 48:19.195

We wrote it. We can change it.

Speaker 1 | 48:21.356

And Stephanie, when you say that, making it reflect reality is a good thing. We looked at our operational constraints, and based on our operational constraints, this is how we want to be. Boom, it’s easy, right? And then the auditor might say to you, or a regulator might say, listen, you really should do that more, or more frequently or whatever. And then you can ramp, but then you have to go back to the business and say, look, these are findings. We need more resources in order to meet this because we can’t do it right now or we have to give something else up. So then you have to manage, it becomes a workload question, right? Not necessarily a cyber question. But remember, you wrote these things and don’t write them so strictly that you can’t meet them.

Speaker 2 | 49:03.560

At Dissecting Popular IT Nerds, we expect to win and we expect our IT directors to win. And one of those areas where we know that we can help you win is internet service providers. As an IT director tasked with managing internet connectivity, few vendor relationships can prove more painfully frustrating than the one with your internet service provider. The array of challenges seems never ending, from unreliable uptime and insufficient bandwidth to poor customer service and hidden fees. It’s like getting stuck in rush hour traffic. Dealing with ISPs can try one’s patience even on the best of days. So whether you are managing one location or a hundred locations, our back office support team and vendor partners are the best in the industry. And the best part about this is none of this will ever cost you a dime due to the partnership and the sponsors that we have behind the scenes at Dissecting Popular IT Nerds. Let us show you how we can manage away the mediocrity and hit it out of the park. We start by mapping all of the available fiber routes and we use our 1.2 billion in combined customer buying power in massive economy of scale to map all of your locations, to overcome construction fees, to use industry historical data, to encourage providers to compete for the lowest possible pricing, to negotiate the lowest rates guaranteed, and to provide fast response times in hours, not days. And we leverage aggregators and wholesale relationships to ensure you get the best possible pricing available in the marketplace. And on top of all of this, you get proactive network monitoring and proactive alerts so that you’re not left calling 1-800-GO-POUND-SAND to enter in a ticket number and wonder, why is my internet connection down? In short, we are the partner that you have always wanted, who understands your needs, your frustrations, and knows what you need without you having to ask. So, we’re still human, but we are some of the best, and we aim to win.
This all starts with a value discovery call where we find out what you have, why you have it, and what’s on your roadmap. All you need to do is email internet at popularit.net and say, I want help managing all of my internet garbage. Please make my life easier. Thank you, and we’ll get right on it for you. Have a wonderful day.

Speaker 0 | 51:23.299

Any other thoughts? Any other things that you want to pass to those that are following us and haven’t had the benefit of the 20 years of watching all of this stuff shift?

Speaker 1 | 51:33.207

I mean, not at present, but if questions come up after this, I don’t know when this goes live, but when the questions come up, I’m happy to talk to anybody if they want to.

Speaker 0 | 51:43.216

Okay. What’s the best method for people to get in touch with you? Um, and we’ll make sure to put it out there and,

Speaker 1 | 51:49.972

and the easiest way would be to, to shoot me a note on LinkedIn.

Speaker 0 | 51:53.913

Okay.

Speaker 1 | 51:54.993

Yeah.

Speaker 0 | 51:55.974

And, uh, we’ll be posting this on LinkedIn. So people will be able to see it there.

Speaker 1 | 52:00.075

Yeah. Yeah. Just give me a note on LinkedIn. I do help a lot of companies with this type of stuff and, and people. Right. So I’m more than happy. You know, the other, the other, I guess, last little golden nugget I’ll give you is if you’re just starting out in this, and you’re writing your SOPs, and you’re writing your policies. Remember, that’s your intellectual property. And you should make a case to bring the core of the document with you from job to job, right? An acceptable use policy that you’ve authored. You obviously don’t want to keep the company’s, but keep your output, because using those policies, especially if they’ve been through external audit cycles, and people have liked what it said. Bring them with you as the foundation to your next jobs because they are, you know, they are something that will, as I said before, the policies are almost where every auditor starts. Give me this. Give us this. Give us these policies. Give us how you operate. And let’s face it, you know, an access review policy is in almost every industry almost the same, right? You just need to tweak it for your company. Don’t lose sight of the fact that there’s value and longevity in some of these things, provided that you’ve kept them current for how our compliance world, our legal world, our risk world operates. So you can’t take one from 20 years ago, but you can evolve one from 20 years ago and continue to get better and better and better as you iterate.

Speaker 0 | 53:34.231

It’s a cybersecurity portfolio, just like an artist or a musician has a portfolio of their work.

Speaker 1 | 53:41.775

Right. So. And it will save you so much effort.

Speaker 0 | 53:44.657

Yeah. But it’s also critical that I, when I do this, when I go into a new organization, that I set that framework from day one that I get to keep my intellectual property, that it does not.

Speaker 1 | 53:56.443

Well, if you do. Right. Correct. Right. Right. You’re bringing this into the foundation. When the document is shared at the new company, it’s new company’s property. Yeah. I mean, I find the easiest way to do this is just cutting and pasting into a new document, to be frank. Right. But regardless, it’s important to look in this world, you know, the longevity for policies and procedures and risk management is something that is quite helpful because it gives you comparative analysis.

Speaker 0 | 54:27.852

Okay. Well, David, this has been an awesome discussion. I truly have enjoyed it and appreciate it. And, you know, one of the things that I’m doing real quick is I’m just searching your name on LinkedIn and seeing how many different… There aren’t too many David Kiklises out there.

Speaker 1 | 54:44.249

No, and one of them is not me. One of them is a health account. Really? I can’t seem to get rid of it.

Speaker 0 | 54:52.054

That’s not good. I mean, there’s a few Mike Kellys out there, and we’re very diverse in what we do.

Speaker 1 | 54:58.118

I see you. Yeah.

Speaker 0 | 55:00.759

Yeah. So, well, definitely appreciate you offering up your expertise to our listeners. And thank you for your time today. Let me go ahead and say the exit piece of this, because as we come to another close on Dissecting Popular IT Nerds, I want to invite everybody to comment and rate the podcast. Let us know what you think, whether we’re bringing you valuable content. Today was valuable content. I promise you that. If you’re listening, if you’re in IT, the things we talked about today are going to be helpful in anybody’s career, knowing and understanding all of those topics that we covered. And heck, that list of the tools. You know, I was thinking about that. I can’t think of any other tool. Of course, there’s all those little nuances and it’s a fractured market like you mentioned. But if you have every one of those tools, your organization is going to be much more secure and much more on its way, as long as you have the policies and you’re following through on them and you can prove it. Thanks, everybody. Thank you, David.

HOSTED BY PHIL HOWARD

Dissecting Popular IT Nerds Podcast
