Speaker 0 | 00:09.788
All right, welcome everyone back to Telecom Radio 1. We are continuing our podcast series titled Dissecting Popular IT Nerds. And today we have Christophe Foulon on the show. Christophe, welcome to the show, man. Thanks for being on.
Speaker 1 | 00:24.101
Thank you. Happy to be on and have this conversation with you.
Speaker 0 | 00:27.080
Yeah, and to be honest, you have more experience in the podcast arena than I do doing a podcast on security. So hopefully I do well here by your standards.
Speaker 1 | 00:36.488
I would call myself a novice. I mean, I’m out here dabbling as well. I don’t have all the professional equipment like some people do, but I do my best.
Speaker 0 | 00:44.495
Excellent. You’ve got a great past, a great experience. IT manager in the past, moved up through the ranks, a lot of security experience as well. But let’s just start off. I’ve just been fascinated asking people what their first computer is. I just love going backwards in time and realizing how far we’ve come in the last 10 years. What was your first computer?
Speaker 1 | 01:04.247
I can’t remember exactly, but I know it didn’t have more than 500 megahertz. And I was running Windows 95 at the time. I think I had 128 RAM. So yeah, it was quite a while.
Speaker 0 | 01:15.892
Did you have to boot from DOS? Like type in win.exe?
Speaker 1 | 01:20.014
No, it wasn’t that far back.
Speaker 0 | 01:22.675
Okay. I just have to boot DOS, type in win.exe, enter. And then I think you could have like one window open at a time or something. I would, it’s crazy. So what I’ve been watching and seeing come across, at least from the CISO arena and from the security arena, is a lot of talk of burnout, which I’m fascinated. And you talk a lot about security guys experiencing burnout as well. And when I look at it from kind of an outsider’s perspective, because… I’m not the security guy. I’m not a hacker. I don’t have a ton of security experience. I certainly know a lot of products. I certainly have people trying to get me to sell their security products all the time. But I just wouldn’t know where to begin because it’s becoming so overwhelming lately. And I can understand why it would be a burnout job because it almost seems like the job that you can almost only fail at. I don’t know if there’s really any measuring points where you can say like, hey, where people are going to come walking down the hall and saying, hey, high five, we didn’t get hacked today, our bank account didn’t get drained or we didn’t get locked down in some sort of fashion. So maybe just speak to me for a few minutes on this burnout thing and why is it happening? Because I don’t know really if there’s even a solution for it.
Speaker 1 | 02:30.783
Kind of like you highlighted already, where you have so many vendors trying to sell you products and there’s so many different offerings and you can’t figure out what’s what. That’s part of one of the areas of struggles, trying to figure out what solutions to use, what areas to use. Then on top of that, when you think of all the different areas of security, from working with legal compliance, working with IT, working with developers, many security individuals are responsible with doing all of that all at once and coordinating with all those roles. And as you move up the levels to, for example, the CISO, they have to work with the business, the board on top of that. So they have to manage all those different areas all at the same time. And you’re right, it is usually a thankless job. And the days where nothing happens, or you think nothing happens, are usually your good days.
Speaker 0 | 03:26.717
Yeah. So now what about from the perspective of an outsider, though, looking in, how do you feel legal? How do you feel various different key stakeholders, CEO, CFO, how do they view the CISO role in general? So what you just explained was a fairly broad, very wide… I guess, a lot of responsibility, especially from a legal standpoint. I mean, it could be very overwhelming, I would imagine. But how do people from the outside view the CISO role? Do you think they view it the same way? Or do you think they also see that it’s almost an unforgiving role? Is it an unforgiving role?
Speaker 1 | 04:02.295
It’s very much so an unforgiving role. You’ve seen many organizations where after they’ve had a breach, it’s the first ones that the blame gets thrown at. And unfortunately… that’s not the right approach because they’re the ones that usually know your environment the best to be able to handle the response and to be able to tackle it from there. Now, after the fact, if you do an analysis as to what happened, then you can try to figure out where your root cause problems happen. But most of the times they assign blame rather quickly. They chop off heads and then they call someone else in who will clean up after them. But then something else happens in the future. It’s just a revolving door.
Speaker 0 | 04:44.808
And the person that comes in has to almost start over from scratch again.
Speaker 1 | 04:48.350
In a time of war.
Speaker 0 | 04:49.610
Yeah, exactly. And not only start over from scratch, but start over building all those relationships again, trying to connect with people, understand the end user culture, all of that.
Speaker 1 | 05:00.323
Yeah. The other challenge that you’re going to find is that making those business relationships right out the door, especially when you’re dealing with a crisis scenario, isn’t the easiest thing to do because most of the time you want to come in during times of calm. You want to build those relationships. You want to find out how the business is run. You want to find out what you could do to enable them versus being the culture of no.
Speaker 0 | 05:24.963
So in general, the CISO is going to know the infrastructure. Got to understand the atmosphere, kind of the whole inner workings of the company, the best as opposed to someone new. And then when something does happen, they’re going to be most likely able to pinpoint why it happened due to how the end users are in that particular company. Or any, I guess, potential areas of the network that were purposely kind of left open because, I don’t know, let’s just say there’s a group of engineers that just don’t want you to implement some kind of security platform. I don’t know. That might happen from time to time. Or they would be most likely able to help mitigate a problem faster than anyone else.
Speaker 1 | 06:05.195
Yeah, correct. And the other point of view could be that the CISO presented a solution. They did a business case on it, but the cost to remediate it was so expensive that the business wanted to accept the risk for whatever gap in security or whatever vulnerability that was found. They tried to put some mitigations in place, but didn’t really hold up. You have to take a holistic view as to how the business might have approached making those decisions ahead of time.
Speaker 0 | 06:36.493
So at the end of the day, though, it might be too bad, so sad, you’re fired. That just might be the state of the union. It’s kind of like a very high-stress job, it seems like, or kind of like Secretary of State, where it just is constantly busy, constantly under fire, and then when something does happen, you’re fired and get out.
Speaker 1 | 06:54.221
Yeah, I mean, think of the ever-evolving threat landscape. You have to understand… how your organization fits into the landscape, into the industry, what threat actors might be targeting your industry, your vertical, whether those are criminal groups, whether those are hacktivists, whether those are nation states, or whether those are just script kiddies, because they think they can do something very easily. And if you’re not prepared for it, they would be the ones to take advantage of that.
Speaker 0 | 07:22.280
Do you know what the average lifespan is of a CISO by any chance? And I don’t mean literal lifespan, I mean…
Speaker 1 | 07:28.002
Yeah, yeah. The most quoted numbers that I’ve heard ranges between 18 to 24 months on average. That could be for one of two reasons. One reason is you tend to have CISOs that love to build. So they’ll come in, they’ll see an environment that needs a lot of work. They’ll come in, they’ll build the structure, they’ll build the organization, and then they want to move on. The other aspect of it could be if they get breached and then they get terminated. Or… the organization might not like the approach that you’re taking and terminate them.
Speaker 0 | 08:02.481
And it’s also a fairly new role also. It’s not like it’s the, you know what I mean? Like, I don’t know what kind of statistics people have been able to grab. Okay, so moving back into the burnout thing. So now I think we’ve painted somewhat kind of a small picture of what a CISO might experience. But some of the signs of burnout in general are fatigue, insomnia, addiction, loneliness. Feelings of inadequacy, anger, cynicism, numbness, illness, and a short attention span. All things that I would prefer to avoid. So, I mean, what do you think the solution is? I mean, I’ve had this idea that maybe the CISO role would exist better from a consulting standpoint or an outsourced. If I was in that position, I myself, I don’t know if I would want to place myself into corporate America, into a position where I could experience any of those feelings of burnout or any of that sense of insecurity, possibly with my job, no matter how good I am, no matter how much I love it, I might rather be consulting maybe 10 to 20 companies instead of working for just one company that may not value me or understand completely the value that I bring to the table.
Speaker 1 | 09:20.887
And that might work at your smaller organization level, so your small businesses. But once you tend to get up to the medium, large, and enterprise-scale businesses, it might not be possible for that to help them thoroughly. As the size of the organization grows, the complexity grows, understanding their mission and all the stakeholders involved, trying to drive an… enablement approach versus a compliance approach takes a lot of time and dedication. And as an outsourced individual, you tend to advise on solutions to be implemented, but you don’t tend to do the implementation. For a small company where they might not have the funding to have someone to do it, or there’s not that much work to do based on their scale and their risk posture in regards to the environment, it’s easy to have a consultant provide that. But once you get up to your multinationals and you’re thinking of, well, not just the American laws, but the European laws, the Australian laws, how does that affect the way the business transfers data or handles relationships in those countries or data centers that you might have there or any infrastructure that you have there? The scale becomes too big to have that outsourced to one individual, especially if they’re then split across many organizations after that fact.
Speaker 0 | 10:51.291
Yeah, makes sense. So maybe walk me through even just a little bit further, maybe some, let’s say you come in day one as a new CISO, what would your strategy be? What would your planning be?
Speaker 1 | 11:02.763
I haven’t been a CISO, so let’s just preface that there. But what I would say I would do is I would try to understand the landscape, understand the business, the mission, the different service lines within the organization, what you’re looking to accomplish, the different stakeholders, history within the organization, if I can. And… that’s within the first 30 days. So not trying to make any changes, just trying to understand and acclimatize myself. Then from there, you start doing a gap analysis as to where the organization is, where do they want to go? Because if you’re at the bottom of the rung with regards to maturity, you can’t go full force to a level five maturity within an organization. You might want to get to a three or something like that. So you do your gap analysis. Figure out where you are, where you want to go. Once you have that, then you have your guidance as to what you need to accomplish, where to get there. And typically that will start with ensuring that there is the buy-in, the governance, the people and the processes lined up there. Then you can start to look at technologies that you can implement. But most of the times, if you have an immature organization, starting with the basics like asset management and the top four in the… the CIS top 20 would be the areas that will give the most bang for the buck coming out of the gate. And even for bigger…
Speaker 0 | 12:30.393
Give me the top four. What’s the biggest bang? Well, I guess that’s a good question. So anyone that can come in and say, is there a way that CISOs can drive revenue?
Speaker 1 | 12:39.121
Yeah, you can drive revenue by enabling business, making them able to stand out from their competitors. But… if that is having better controls than the rest of their competitors or setting them apart where…
Speaker 0 | 12:55.650
In other words, they don’t get hacked and look really, really bad publicly. Correct. Or you could save revenue. So what’s the top four?
Speaker 1 | 13:04.513
Your top four are going to be inventory controls regarding your hardware, software, your vulnerability management, and your privileged access management or managing like CMDB, those sorts of things. So… understanding your assets, understanding how they’re configured, any vulnerabilities that they may have, understanding your people and what permissions that they may have. I think once you understand those, then you can start to get more sophisticated with the types of controls that you put in place.
Speaker 0 | 13:34.668
That is a good place to start. I can tell you from doing full telecom audits and inventory assessments that there is a ton of crap out there that people have no clue exists.
Speaker 1 | 13:45.015
Yeah.
Speaker 0 | 13:45.555
So that’s a good point. That’s an interesting point. at least from a telecom perspective alone.
Speaker 1 | 13:50.538
And those are the things that are going to come back and bite you. I mean, recently in the news, Microsoft just patched a vulnerability in RDP that goes all the way back to Windows XP. They had fixed it by the time it got to Windows 8, but they sent out a patch for all those Windows XP machines because you know there’s still 11,000 of those still showing up on recent Shodan searches. And the fact that about… 44,000 of those were RDP servers, so the rest are probably machines. But if you have a vulnerability like that, which requires no authentication, it’s remotely exploitable. It’s a worm-like vulnerability. So if you don’t know that exists in your environment, that’s a way in for something to get into your environment, and you might not be able to secure that.
Speaker 0 | 14:40.084
Yeah, surprisingly, there’s a lot of XP still out there. I mean, I run into it on a monthly basis. So awesome. So. Let’s see here. So what else? I mean, I guess we just need to drive home a little bit more of the solution of this burnout thing. So what do you think is the best way to avoid burnout in a job where I guess you can’t be an outside consultant because you’ve got to be in the trenches. You’ve got to be deeply involved in every company. I would argue that I think you could be an outside consultant still even for a large company. And I think you could work internally. I think it just would be, you’d really have to get very involved, I guess. You know what I mean? You’d have to have a really, really good team yourself.
Speaker 1 | 15:17.167
As an outside consultant, you’ll typically be a strategic advisor versus the implementer. So you’ll work with the rest of the team. And that’s how you can get your most bang for your buck as well. Being a CISO, they can’t do it all. They have to enable the organization. So they have to promote secure app development practices within the app dev team. They might not have the headcount to have a security individual within the app dev team. But if they could show them the value of… secure coding or integrating security solutions within their CI/CD pipeline, they can bring security closer to the way that the dev is working. If they find an error, give it back to them in a ticket that they know how to do it. Give it back to them in a manner that they interact with on a daily basis. Or have a lunch and learn with them. Show them, hey, look at this feature. How would this feature be beneficial to your application? And sometimes they’ll be like, oh, it’s a feature. It’s not a vulnerability. And as soon as you turn it to a feature, you’re like, hmm, I could add a lot of cool security features to this versus you giving them a list of 30 things. And you’re like, this is all the bad stuff that I found. Hey, how about we integrate this security feature over here? And you come into it in a collaborative approach.
Speaker 0 | 16:34.687
It really is endless.
Speaker 1 | 16:35.927
You’re going to want to do the same in all the different aspects of the organization because you can’t be there all the time. You’re going to want to find the security champion within those two aspects of the organization so that they can help promote security and help build a culture of security throughout the organization.
Speaker 0 | 16:51.016
So that’s a great point. What do you think is the best way to build a culture, a security culture of end users? Find your champions within the end users and have them cheerlead you? I mean, any tips or tricks around that?
Speaker 1 | 17:02.705
Yeah. Well, first of all, it’s going to be a dual-sided approach. You need a top-down approach and you need a bottom-up approach. From the top-down perspective, you can’t have your executive saying, oh, yeah, we’re all about security when they’re asking for exceptions all the time. They’re not following the same security standards as everyone else because they’re an executive and they think they need to be exempt, because those below will see that you’re doing these things and not believe that security truly is the culture of the organization. Yeah, finding that security champion is helpful. Showing stakeholders how security within the organization can help them personally. So rather than talking about, hey, this is why you need a unique password for your work account. Let’s take a step back. Let’s look at your Gmail account. What do you have connected to your Gmail account? Your banking, your cable, your credit cards. If someone gets that one password to your Gmail account, they now can go to figure out where you bank at, ask for a password reset. It sends that email back to your Gmail account, and then now they have access to your bank. So, hey, let’s enable multi-factor authentication here at your Gmail. Look, install this application on your phone. It’ll ask you to verify these numbers when you log in to Gmail, and there you go. That’s that extra layer of protection. And even if it’s still using SMS codes, while it’s not the most secure, it’s better than nothing. It provides that extra layer of protection. For the individuals that have a higher risk profile, using SMS as your multi-factor isn’t the best approach, but there’s easy solutions like the authenticator apps or even hardware-based tokens that you plug into your machine or you validate via USB that it’s in close proximity and it does that authentication for you.
Speaker 0 | 19:00.354
You validate via USB. Yeah.
Speaker 1 | 19:04.137
Google Titan and… There’s a couple other security keys out there that you can plug into your USB port, and it’s kind of like a password manager, and it does all the authentication on the key for you.
Speaker 0 | 19:16.344
Now, other than the obvious, why SMS being a weakness?
Speaker 1 | 19:20.125
There’s several cases out there called SIM swapping. So this is where a threat actor will figure out that you’re using SMS authentication. They will then social engineer your mobile carrier to say, hey, I got a new phone. This is my new SIM card. And they will have your line transferred over to their SIM card. That’s easy.
Speaker 0 | 19:43.156
Yeah, okay. That’s real easy. I mean, I am 100% positive that I could sit on the phone and make a phone call to all the different carriers and get into someone’s account.
Speaker 1 | 19:56.802
Yeah. There’s just an article just released a couple of days ago on Medium that a gentleman says that this was the most expensive mistake in his life. And I think it was some huge amount of money that he had in a Bitcoin wallet that was tied to his SIM. And they did a SIM swapping and then it allowed them to get that extra layer of authentication and get that code that came to his SMS text.
Speaker 0 | 20:23.719
What other stories you got? Any other great stories? What’s the craziest story that you personally have experienced in the security realm?
Speaker 1 | 20:31.223
I haven’t personally experienced a lot, but listening to different podcasts, reading, I would say I’ve inherited a lot of knowledge from those that do it. Especially those in… social engineering, like Chris Hadnagy, he specializes in social engineering. And they have the social engineering village at DEF CON where you have competitors that will go out and they’re given a target company and a mission that you’re trying to accomplish. And they will go on stage and be able to accomplish that in an afternoon.
Speaker 0 | 21:03.924
Yeah, absolutely. I’m not even, I could do that. So that brings up even another crazier point. So, are there a lot of CISOs that just turn to the dark side, you think, that maybe just get burned out and completely fried and they’re like, forget it, it’s just so much easier to go to the dark side? Are there any stories of people turning?
Speaker 1 | 21:22.634
I haven’t heard of any. I mean, exactly. You wouldn’t know. But the ones that tend to get burned out tend to, like you mentioned, likely go to consulting where they might have a simpler lifestyle. They can work with the clients they want. And the other thing that you’ll find is… When you’re a consultant, if you’re approached by a client that doesn’t truly have the approach to security that you like, you can tell them no. If you’re in an organization as a CISO or a member of the security team and a business that doesn’t agree with your approach, as much as you can just tell them the risks that are involved. And if the business decision is that they want to accept the risk or to just ignore the risk, there’s not much you can do in those cases.
Speaker 0 | 22:11.522
Yeah. No, there’s not. I’m actually thinking of a company right now that I know has a huge software development team because they’re a manufacturer and obviously they’ve got their whole dev team to work on software for various different printing machines. And it’s actually pretty endless, the amount of manufacturing machines that they have. They were on Lotus Notes at the time, the last time I spoke to them. And that was like two years ago. And just everything in general just seemed very, very… I don’t know if it’s more secure because it’s so antiquated and old, but I would doubt that. But I think the general leadership within the company alone, I think, would be fairly bullheaded to a lot of security stuff for just various different reasons. The same thing I’ve run into organizations where you have really just like 80% of the organization is engineers. And locking down computers and slowing them down and stuff also created… a lot of problems. So any ideas there on how you deal with these conflicts? I’m just sorry. I mean, I know it’s a very broad question. I’m just thinking, you know, like I’m assuming there’s a lot of conflict that you run into and there’s got to be some, you know, how do you deal with these conflicts where you know it’s creating a breach and it might just be, and really what you’re dealing with is, I don’t want to say arrogance, but you might be just dealing with, you know, people big leagueing you because, you know, they’re the engineers and they’re the ones that are building everything. Conflict resolution’s got to be a tough one when you run into those, you know?
Speaker 1 | 23:39.928
Yeah, definitely. I would say that that is definitely a problem, and that’s where the soft skills come in. A lot of times people talk about the hard skills, but that’s the soft skill that people need to learn. Conflict resolution, communication, and if you can’t communicate your message clearly and effectively to the organization, you might not get your way.
Speaker 0 | 24:04.265
Now… do security guys in general have soft skills? Because there’s a lot of stereotypes. There’s stereotypes about security guys and the level of soft skills. So I’m just wondering, you know, so if there was one area that you had to pick that security guys in general had to work on the most, what would it be?
Speaker 1 | 24:20.898
Yeah, I did an interview on my podcast with Kat Murdock. She was working under Chris Hadnagy and she stressed communication as being one of the top skills. So whether that was in… your report writing, if you don’t want to interact with other people, if you’re writing up your assessments, you want to create a memo for the organization to read it. If you can’t communicate and articulate your message in a value-driven way, you’re going to get… looked over. So whether that is verbal communication or written communication, that’s one of the big areas.
Speaker 0 | 24:56.896
Well, hey, we’ve covered a lot today, Christophe, man. I really appreciate having you on the show or you being on my show. If you had one message a minute you had to deliver out there to the people listening today, what would that be?
Speaker 1 | 25:07.644
Take security personally and start looking at security from within your own life. And then you can take those examples out and use them within your organization, and stay curious.
Speaker 0 | 25:20.733
All right, man. Hey, appreciate it. Have a great day. Thank you.
Speaker 1 | 25:23.857
Okay, thank you very much. Have a great day.